src/api2/admin/datastore.rs: add access permissions - first try

We need to refine this later (introduce backup owner concept?)
Dietmar Maurer 2020-04-17 14:36:27 +02:00
parent 5972def5ec
commit bb34b58910


@ -8,8 +8,9 @@ use hyper::http::request::Parts;
use hyper::{header, Body, Response, StatusCode}; use hyper::{header, Body, Response, StatusCode};
use serde_json::{json, Value}; use serde_json::{json, Value};
use proxmox::api::api; use proxmox::api::{
use proxmox::api::{ApiResponseFuture, ApiHandler, ApiMethod, Router, RpcEnvironment, RpcEnvironmentType}; api, ApiResponseFuture, ApiHandler, ApiMethod, Router,
RpcEnvironment, RpcEnvironmentType, Permission};
use proxmox::api::router::SubdirMap; use proxmox::api::router::SubdirMap;
use proxmox::api::schema::*; use proxmox::api::schema::*;
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
@ -21,6 +22,7 @@ use crate::backup::*;
use crate::config::datastore; use crate::config::datastore;
use crate::server::WorkerTask; use crate::server::WorkerTask;
use crate::tools; use crate::tools;
use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_ALLOCATE_SPACE};
fn read_backup_index(store: &DataStore, backup_dir: &BackupDir) -> Result<Vec<BackupContent>, Error> { fn read_backup_index(store: &DataStore, backup_dir: &BackupDir) -> Result<Vec<BackupContent>, Error> {
@ -78,6 +80,9 @@ fn group_backups(backup_list: Vec<BackupInfo>) -> HashMap<String, Vec<BackupInfo
type: GroupListItem, type: GroupListItem,
} }
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_AUDIT, false),
},
)] )]
/// List backup groups. /// List backup groups.
fn list_groups( fn list_groups(
@ -136,6 +141,9 @@ fn list_groups(
type: BackupContent, type: BackupContent,
} }
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_AUDIT, false),
},
)] )]
/// List snapshot files. /// List snapshot files.
pub fn list_snapshot_files( pub fn list_snapshot_files(
@ -184,6 +192,9 @@ pub fn list_snapshot_files(
}, },
}, },
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
},
)] )]
/// Delete backup snapshot. /// Delete backup snapshot.
fn delete_snapshot( fn delete_snapshot(
@ -227,6 +238,9 @@ fn delete_snapshot(
type: SnapshotListItem, type: SnapshotListItem,
} }
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_AUDIT, false),
},
)] )]
/// List backup snapshots. /// List backup snapshots.
pub fn list_snapshots ( pub fn list_snapshots (
@ -291,6 +305,9 @@ pub fn list_snapshots (
returns: { returns: {
type: StorageStatus, type: StorageStatus,
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_AUDIT, false),
},
)] )]
/// Get datastore status. /// Get datastore status.
pub fn status( pub fn status(
@ -389,7 +406,7 @@ const API_METHOD_PRUNE: ApiMethod = ApiMethod::new(
("store", false, &DATASTORE_SCHEMA), ("store", false, &DATASTORE_SCHEMA),
]) ])
) )
); ).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
fn prune( fn prune(
param: Value, param: Value,
@ -512,6 +529,9 @@ fn prune(
returns: { returns: {
schema: UPID_SCHEMA, schema: UPID_SCHEMA,
}, },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
},
)] )]
/// Start garbage collection. /// Start garbage collection.
fn start_garbage_collection( fn start_garbage_collection(
@ -546,7 +566,10 @@ fn start_garbage_collection(
}, },
returns: { returns: {
type: GarbageCollectionStatus, type: GarbageCollectionStatus,
} },
access: {
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_AUDIT, false),
},
)] )]
/// Garbage collection status. /// Garbage collection status.
pub fn garbage_collection_status( pub fn garbage_collection_status(
@ -562,7 +585,12 @@ pub fn garbage_collection_status(
Ok(status) Ok(status)
} }
#[api(
access: {
permission: &Permission::Privilege(&["datastore"], PRIV_DATASTORE_AUDIT, false),
},
)]
/// Datastore list
fn get_datastore_list( fn get_datastore_list(
_param: Value, _param: Value,
_info: &ApiMethod, _info: &ApiMethod,
@ -587,7 +615,7 @@ pub const API_METHOD_DOWNLOAD_FILE: ApiMethod = ApiMethod::new(
("file-name", false, &BACKUP_ARCHIVE_NAME_SCHEMA), ("file-name", false, &BACKUP_ARCHIVE_NAME_SCHEMA),
]), ]),
) )
); ).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
fn download_file( fn download_file(
_parts: Parts, _parts: Parts,
@ -646,7 +674,7 @@ pub const API_METHOD_UPLOAD_BACKUP_LOG: ApiMethod = ApiMethod::new(
("backup-time", false, &BACKUP_TIME_SCHEMA), ("backup-time", false, &BACKUP_TIME_SCHEMA),
]), ]),
) )
); ).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
fn upload_backup_log( fn upload_backup_log(
_parts: Parts, _parts: Parts,
@ -751,10 +779,5 @@ const DATASTORE_INFO_ROUTER: Router = Router::new()
pub const ROUTER: Router = Router::new() pub const ROUTER: Router = Router::new()
.get( .get(&API_METHOD_GET_DATASTORE_LIST)
&ApiMethod::new(
&ApiHandler::Sync(&get_datastore_list),
&ObjectSchema::new("Directory index.", &[])
)
)
.match_all("store", &DATASTORE_INFO_ROUTER); .match_all("store", &DATASTORE_INFO_ROUTER);
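Review bot: `API_METHOD_DOWNLOAD_FILE` is gated by `PRIV_DATASTORE_ALLOCATE_SPACE`, the same privilege that guards `delete_snapshot`, `prune` and `start_garbage_collection`, so an identity that only needs to read backup data for a restore must also be granted the right to destroy it. The checks are also scoped only to the datastore path (`&["datastore", "{store}"]`), so any holder can download, delete or prune every group in that store regardless of who created it. The commit message already hints at an owner concept; until that exists the limitation deserves a comment at the `.access(...)` calls, e.g. `// TODO: no per-backup owner check - privilege applies to all groups in {store}`. If the ACL module has or gains a read-type privilege (only AUDIT and ALLOCATE_SPACE are imported here), `download_file` should use it instead. The handler bodies lie outside the hunks, so any further checks inside them are not visible from this page.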