src/config/acl.rs: introduce more/better datastore privileges
This commit is contained in:
parent
9c7fe29dfc
commit
d00e1a216f
|
@ -22,7 +22,12 @@ use crate::backup::*;
|
||||||
use crate::config::datastore;
|
use crate::config::datastore;
|
||||||
use crate::server::WorkerTask;
|
use crate::server::WorkerTask;
|
||||||
use crate::tools;
|
use crate::tools;
|
||||||
use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_ALLOCATE_SPACE};
|
use crate::config::acl::{
|
||||||
|
PRIV_DATASTORE_AUDIT,
|
||||||
|
PRIV_DATASTORE_READ,
|
||||||
|
PRIV_DATASTORE_PRUNE,
|
||||||
|
PRIV_DATASTORE_CREATE_BACKUP,
|
||||||
|
};
|
||||||
|
|
||||||
fn read_backup_index(store: &DataStore, backup_dir: &BackupDir) -> Result<Vec<BackupContent>, Error> {
|
fn read_backup_index(store: &DataStore, backup_dir: &BackupDir) -> Result<Vec<BackupContent>, Error> {
|
||||||
|
|
||||||
|
@ -193,7 +198,7 @@ pub fn list_snapshot_files(
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
|
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_PRUNE, false),
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Delete backup snapshot.
|
/// Delete backup snapshot.
|
||||||
|
@ -406,7 +411,7 @@ const API_METHOD_PRUNE: ApiMethod = ApiMethod::new(
|
||||||
("store", false, &DATASTORE_SCHEMA),
|
("store", false, &DATASTORE_SCHEMA),
|
||||||
])
|
])
|
||||||
)
|
)
|
||||||
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
|
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_PRUNE, false));
|
||||||
|
|
||||||
fn prune(
|
fn prune(
|
||||||
param: Value,
|
param: Value,
|
||||||
|
@ -530,7 +535,7 @@ fn prune(
|
||||||
schema: UPID_SCHEMA,
|
schema: UPID_SCHEMA,
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false),
|
permission: &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_PRUNE, false),
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Start garbage collection.
|
/// Start garbage collection.
|
||||||
|
@ -615,7 +620,7 @@ pub const API_METHOD_DOWNLOAD_FILE: ApiMethod = ApiMethod::new(
|
||||||
("file-name", false, &BACKUP_ARCHIVE_NAME_SCHEMA),
|
("file-name", false, &BACKUP_ARCHIVE_NAME_SCHEMA),
|
||||||
]),
|
]),
|
||||||
)
|
)
|
||||||
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
|
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_READ, false));
|
||||||
|
|
||||||
fn download_file(
|
fn download_file(
|
||||||
_parts: Parts,
|
_parts: Parts,
|
||||||
|
@ -674,7 +679,7 @@ pub const API_METHOD_UPLOAD_BACKUP_LOG: ApiMethod = ApiMethod::new(
|
||||||
("backup-time", false, &BACKUP_TIME_SCHEMA),
|
("backup-time", false, &BACKUP_TIME_SCHEMA),
|
||||||
]),
|
]),
|
||||||
)
|
)
|
||||||
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_ALLOCATE_SPACE, false));
|
).access(None, &Permission::Privilege(&["datastore", "{store}"], PRIV_DATASTORE_CREATE_BACKUP, false));
|
||||||
|
|
||||||
fn upload_backup_log(
|
fn upload_backup_log(
|
||||||
_parts: Parts,
|
_parts: Parts,
|
||||||
|
|
|
@ -14,7 +14,7 @@ use crate::tools::{self, WrappedReaderStream};
|
||||||
use crate::server::{WorkerTask, H2Service};
|
use crate::server::{WorkerTask, H2Service};
|
||||||
use crate::backup::*;
|
use crate::backup::*;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::PRIV_DATASTORE_CREATE_BACKUP;
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
mod environment;
|
mod environment;
|
||||||
|
@ -41,7 +41,7 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
|
||||||
)
|
)
|
||||||
).access(
|
).access(
|
||||||
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
||||||
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
|
Some("The user needs Datastore.CreateBackup privilege on /datastore/{store}."),
|
||||||
&Permission::Anybody
|
&Permission::Anybody
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -61,7 +61,7 @@ fn upgrade_to_backup_protocol(
|
||||||
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
||||||
|
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_CREATE_BACKUP, false)?;
|
||||||
|
|
||||||
let datastore = DataStore::lookup_datastore(&store)?;
|
let datastore = DataStore::lookup_datastore(&store)?;
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ use crate::backup::*;
|
||||||
use crate::client::*;
|
use crate::client::*;
|
||||||
use crate::config::remote;
|
use crate::config::remote;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::{PRIV_DATASTORE_CREATE_BACKUP, PRIV_DATASTORE_READ};
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
// fixme: implement filters
|
// fixme: implement filters
|
||||||
|
@ -391,7 +391,7 @@ pub async fn pull_store(
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
// Note: used parameters are no uri parameters, so we need to test inside function body
|
// Note: used parameters are no uri parameters, so we need to test inside function body
|
||||||
description: "The user needs Datastore.AllocateSpace privilege on '/datastore/{store}' and '/remote/{remote}/{remote-store}'.",
|
description: "The user needs Datastore.CreateBackup privilege on '/datastore/{store}' and Datastore.Read on '/remote/{remote}/{remote-store}'.",
|
||||||
permission: &Permission::Anybody,
|
permission: &Permission::Anybody,
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
|
@ -408,8 +408,8 @@ async fn pull (
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let username = rpcenv.get_user().unwrap();
|
let username = rpcenv.get_user().unwrap();
|
||||||
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_CREATE_BACKUP, false)?;
|
||||||
user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
|
||||||
|
|
||||||
let delete = delete.unwrap_or(true);
|
let delete = delete.unwrap_or(true);
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ use crate::api2::types::*;
|
||||||
use crate::backup::*;
|
use crate::backup::*;
|
||||||
use crate::server::{WorkerTask, H2Service};
|
use crate::server::{WorkerTask, H2Service};
|
||||||
use crate::tools;
|
use crate::tools;
|
||||||
use crate::config::acl::PRIV_DATASTORE_ALLOCATE_SPACE;
|
use crate::config::acl::PRIV_DATASTORE_READ;
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
mod environment;
|
mod environment;
|
||||||
|
@ -45,7 +45,7 @@ pub const API_METHOD_UPGRADE_BACKUP: ApiMethod = ApiMethod::new(
|
||||||
)
|
)
|
||||||
).access(
|
).access(
|
||||||
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
// Note: parameter 'store' is no uri parameter, so we need to test inside function body
|
||||||
Some("The user needs Datastore.AllocateSpace privilege on /datastore/{store}."),
|
Some("The user needs Datastore.Read privilege on /datastore/{store}."),
|
||||||
&Permission::Anybody
|
&Permission::Anybody
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ fn upgrade_to_backup_reader_protocol(
|
||||||
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
let store = tools::required_string_param(¶m, "store")?.to_owned();
|
||||||
|
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_ALLOCATE_SPACE, false)?;
|
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_READ, false)?;
|
||||||
|
|
||||||
let datastore = DataStore::lookup_datastore(&store)?;
|
let datastore = DataStore::lookup_datastore(&store)?;
|
||||||
|
|
||||||
|
|
|
@ -17,9 +17,11 @@ pub const PRIV_SYS_POWER_MANAGEMENT: u64 = 1 << 2;
|
||||||
|
|
||||||
pub const PRIV_DATASTORE_AUDIT: u64 = 1 << 3;
|
pub const PRIV_DATASTORE_AUDIT: u64 = 1 << 3;
|
||||||
pub const PRIV_DATASTORE_MODIFY: u64 = 1 << 4;
|
pub const PRIV_DATASTORE_MODIFY: u64 = 1 << 4;
|
||||||
pub const PRIV_DATASTORE_ALLOCATE_SPACE: u64 = 1 << 5;
|
pub const PRIV_DATASTORE_CREATE_BACKUP: u64 = 1 << 5;
|
||||||
|
pub const PRIV_DATASTORE_READ: u64 = 1 << 6;
|
||||||
|
pub const PRIV_DATASTORE_PRUNE: u64 = 1 << 7;
|
||||||
|
|
||||||
pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 6;
|
pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8;
|
||||||
|
|
||||||
pub const ROLE_ADMIN: u64 = std::u64::MAX;
|
pub const ROLE_ADMIN: u64 = std::u64::MAX;
|
||||||
pub const ROLE_NO_ACCESS: u64 = 0;
|
pub const ROLE_NO_ACCESS: u64 = 0;
|
||||||
|
@ -31,13 +33,16 @@ PRIV_DATASTORE_AUDIT;
|
||||||
pub const ROLE_DATASTORE_ADMIN: u64 =
|
pub const ROLE_DATASTORE_ADMIN: u64 =
|
||||||
PRIV_DATASTORE_AUDIT |
|
PRIV_DATASTORE_AUDIT |
|
||||||
PRIV_DATASTORE_MODIFY |
|
PRIV_DATASTORE_MODIFY |
|
||||||
PRIV_DATASTORE_ALLOCATE_SPACE;
|
PRIV_DATASTORE_CREATE_BACKUP |
|
||||||
|
PRIV_DATASTORE_READ |
|
||||||
|
PRIV_DATASTORE_PRUNE;
|
||||||
|
|
||||||
pub const ROLE_DATASTORE_USER: u64 =
|
pub const ROLE_DATASTORE_USER: u64 =
|
||||||
PRIV_DATASTORE_AUDIT |
|
PRIV_DATASTORE_CREATE_BACKUP;
|
||||||
PRIV_DATASTORE_ALLOCATE_SPACE;
|
|
||||||
|
pub const ROLE_DATASTORE_AUDIT: u64 =
|
||||||
|
PRIV_DATASTORE_AUDIT;
|
||||||
|
|
||||||
pub const ROLE_DATASTORE_AUDIT: u64 = PRIV_DATASTORE_AUDIT;
|
|
||||||
pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
|
pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
|
||||||
|
|
||||||
lazy_static! {
|
lazy_static! {
|
||||||
|
|
Loading…
Reference in New Issue