api: don't use PRUNE perms for prune jobs
just stick to MODIFY so we don't need to give the prune jobs an owner for now

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
parent
451da4923b
commit
d4dd7ac842
|
@ -11,7 +11,7 @@ use proxmox_sys::sortable;
|
||||||
|
|
||||||
use pbs_api_types::{
|
use pbs_api_types::{
|
||||||
Authid, PruneJobConfig, PruneJobStatus, DATASTORE_SCHEMA, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
|
Authid, PruneJobConfig, PruneJobStatus, DATASTORE_SCHEMA, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
|
||||||
PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE,
|
PRIV_DATASTORE_MODIFY,
|
||||||
};
|
};
|
||||||
use pbs_config::prune;
|
use pbs_config::prune;
|
||||||
use pbs_config::CachedUserInfo;
|
use pbs_config::CachedUserInfo;
|
||||||
|
@ -49,7 +49,7 @@ pub fn list_prune_jobs(
|
||||||
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE;
|
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY;
|
||||||
|
|
||||||
let (config, digest) = prune::config()?;
|
let (config, digest) = prune::config()?;
|
||||||
|
|
||||||
|
@ -117,12 +117,7 @@ pub fn run_prune_job(
|
||||||
let (config, _digest) = prune::config()?;
|
let (config, _digest) = prune::config()?;
|
||||||
let prune_job: PruneJobConfig = config.lookup("prune", &id)?;
|
let prune_job: PruneJobConfig = config.lookup("prune", &id)?;
|
||||||
|
|
||||||
user_info.check_privs(
|
user_info.check_privs(&auth_id, &prune_job.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
|
||||||
&auth_id,
|
|
||||||
&prune_job.acl_path(),
|
|
||||||
PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE,
|
|
||||||
true,
|
|
||||||
)?;
|
|
||||||
|
|
||||||
let job = Job::new("prunejob", &id)?;
|
let job = Job::new("prunejob", &id)?;
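Review bot: The narrowed `check_privs` call in `run_prune_job` carries no comment explaining why `PRIV_DATASTORE_PRUNE` is no longer accepted, so a later change could re-add it as an apparent convenience. The commit message gives the reason (prune jobs have no owner for now), and a line such as `// PRIV_DATASTORE_PRUNE is deliberately not sufficient: prune jobs have no owner yet` above the call would keep that reason next to the check. With a single privilege bit the trailing `true` presumably no longer affects the result, assuming it selects any-of matching; the definition of `check_privs` is not shown here. The `#[api]` access descriptions of `list_prune_jobs` and `run_prune_job` lie outside these hunks and should be checked so the documented permission matches the enforced one. Both function bodies continue outside the hunks.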
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@ use proxmox_schema::{api, param_bail};
|
||||||
|
|
||||||
use pbs_api_types::{
|
use pbs_api_types::{
|
||||||
Authid, PruneJobConfig, PruneJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
|
Authid, PruneJobConfig, PruneJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
|
||||||
PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PROXMOX_CONFIG_DIGEST_SCHEMA,
|
PRIV_DATASTORE_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
|
||||||
};
|
};
|
||||||
use pbs_config::prune;
|
use pbs_config::prune;
|
||||||
|
|
||||||
|
@ -37,7 +37,7 @@ pub fn list_prune_jobs(
|
||||||
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE;
|
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY;
|
||||||
|
|
||||||
let (config, digest) = prune::config()?;
|
let (config, digest) = prune::config()?;
|
||||||
|
|
||||||
|
@ -79,12 +79,7 @@ pub fn create_prune_job(
|
||||||
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
user_info.check_privs(
|
user_info.check_privs(&auth_id, &config.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
|
||||||
&auth_id,
|
|
||||||
&config.acl_path(),
|
|
||||||
PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE,
|
|
||||||
true,
|
|
||||||
)?;
|
|
||||||
|
|
||||||
let _lock = prune::lock_config()?;
|
let _lock = prune::lock_config()?;
|
||||||
|
|
||||||
|
@ -218,12 +213,7 @@ pub fn update_prune_job(
|
||||||
|
|
||||||
let mut data: PruneJobConfig = config.lookup("prune", &id)?;
|
let mut data: PruneJobConfig = config.lookup("prune", &id)?;
|
||||||
|
|
||||||
user_info.check_privs(
|
user_info.check_privs(&auth_id, &data.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
|
||||||
&auth_id,
|
|
||||||
&data.acl_path(),
|
|
||||||
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
|
|
||||||
true,
|
|
||||||
)?;
|
|
||||||
|
|
||||||
if let Some(delete) = delete {
|
if let Some(delete) = delete {
|
||||||
for delete_prop in delete {
|
for delete_prop in delete {
|
||||||
|
@ -275,12 +265,7 @@ pub fn update_prune_job(
|
||||||
}
|
}
|
||||||
|
|
||||||
if recheck_privs {
|
if recheck_privs {
|
||||||
user_info.check_privs(
|
user_info.check_privs(&auth_id, &data.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
|
||||||
&auth_id,
|
|
||||||
&data.acl_path(),
|
|
||||||
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
|
|
||||||
true,
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut schedule_changed = false;
|
let mut schedule_changed = false;
|
||||||
|
@ -364,12 +349,7 @@ pub fn delete_prune_job(
|
||||||
|
|
||||||
let job: PruneJobConfig = config.lookup("prune", &id)?;
|
let job: PruneJobConfig = config.lookup("prune", &id)?;
|
||||||
|
|
||||||
user_info.check_privs(
|
user_info.check_privs(&auth_id, &job.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
|
||||||
&auth_id,
|
|
||||||
&job.acl_path(),
|
|
||||||
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
|
|
||||||
true,
|
|
||||||
)?;
|
|
||||||
|
|
||||||
if let Some(ref digest) = digest {
|
if let Some(ref digest) = digest {
|
||||||
let digest = <[u8; 32]>::from_hex(digest)?;
|
let digest = <[u8; 32]>::from_hex(digest)?;
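Review bot: The same call, `user_info.check_privs(&auth_id, &….acl_path(), PRIV_DATASTORE_MODIFY, true)?;`, now appears four times in this file (`create_prune_job`, twice in `update_prune_job`, and `delete_prune_job`), so the privilege set for prune-job configuration is defined in four places. A small private helper that takes the user info, the auth id and the `PruneJobConfig` and performs this one check would keep the decision in a single spot, so a future change to the required privilege cannot miss a call site such as the `recheck_privs` branch. Callers holding only `PRIV_DATASTORE_PRUNE` on the job's ACL path will now be rejected by these endpoints, which appears to be the intent; the user-facing permission documentation is not part of this diff and should be checked to make sure it says the same. The function bodies start and end outside the hunks.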
|
||||||
|
|