api: don't use PRUNE perms for prune jobs

just stick to MODIFY so we don't need to give the prune jobs
an owner for now

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2022-05-30 14:33:05 +02:00
parent 451da4923b
commit d4dd7ac842
2 changed files with 9 additions and 34 deletions


@ -11,7 +11,7 @@ use proxmox_sys::sortable;
use pbs_api_types::{ use pbs_api_types::{
Authid, PruneJobConfig, PruneJobStatus, DATASTORE_SCHEMA, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT, Authid, PruneJobConfig, PruneJobStatus, DATASTORE_SCHEMA, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_MODIFY,
}; };
use pbs_config::prune; use pbs_config::prune;
use pbs_config::CachedUserInfo; use pbs_config::CachedUserInfo;
@ -49,7 +49,7 @@ pub fn list_prune_jobs(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE; let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY;
let (config, digest) = prune::config()?; let (config, digest) = prune::config()?;
@ -117,12 +117,7 @@ pub fn run_prune_job(
let (config, _digest) = prune::config()?; let (config, _digest) = prune::config()?;
let prune_job: PruneJobConfig = config.lookup("prune", &id)?; let prune_job: PruneJobConfig = config.lookup("prune", &id)?;
user_info.check_privs( user_info.check_privs(&auth_id, &prune_job.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
&auth_id,
&prune_job.acl_path(),
PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE,
true,
)?;
let job = Job::new("prunejob", &id)?; let job = Job::new("prunejob", &id)?;
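Review bot: The new one-line check in run_prune_job, `user_info.check_privs(&auth_id, &prune_job.acl_path(), PRIV_DATASTORE_MODIFY, true)?;`, gives no reason why PRUNE holders are rejected; the rationale exists only in the commit message. A comment above it would keep a later change from re-adding the privilege without the owner handling the message alludes to, for example `// MODIFY only: prune jobs have no owner yet, so PRUNE is not accepted here`. The same comment fits the check_privs calls in create_prune_job, update_prune_job (both sites) and delete_prune_job in the second file. run_prune_job starts and ends outside the hunk, so any access description on the endpoint is not visible here and should be checked to still match.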


@ -8,7 +8,7 @@ use proxmox_schema::{api, param_bail};
use pbs_api_types::{ use pbs_api_types::{
Authid, PruneJobConfig, PruneJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT, Authid, PruneJobConfig, PruneJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PROXMOX_CONFIG_DIGEST_SCHEMA, PRIV_DATASTORE_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
}; };
use pbs_config::prune; use pbs_config::prune;
@ -37,7 +37,7 @@ pub fn list_prune_jobs(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE; let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY;
let (config, digest) = prune::config()?; let (config, digest) = prune::config()?;
@ -79,12 +79,7 @@ pub fn create_prune_job(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
user_info.check_privs( user_info.check_privs(&auth_id, &config.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
&auth_id,
&config.acl_path(),
PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_PRUNE,
true,
)?;
let _lock = prune::lock_config()?; let _lock = prune::lock_config()?;
@ -218,12 +213,7 @@ pub fn update_prune_job(
let mut data: PruneJobConfig = config.lookup("prune", &id)?; let mut data: PruneJobConfig = config.lookup("prune", &id)?;
user_info.check_privs( user_info.check_privs(&auth_id, &data.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
&auth_id,
&data.acl_path(),
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
true,
)?;
if let Some(delete) = delete { if let Some(delete) = delete {
for delete_prop in delete { for delete_prop in delete {
@ -275,12 +265,7 @@ pub fn update_prune_job(
} }
if recheck_privs { if recheck_privs {
user_info.check_privs( user_info.check_privs(&auth_id, &data.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
&auth_id,
&data.acl_path(),
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
true,
)?;
} }
let mut schedule_changed = false; let mut schedule_changed = false;
@ -364,12 +349,7 @@ pub fn delete_prune_job(
let job: PruneJobConfig = config.lookup("prune", &id)?; let job: PruneJobConfig = config.lookup("prune", &id)?;
user_info.check_privs( user_info.check_privs(&auth_id, &job.acl_path(), PRIV_DATASTORE_MODIFY, true)?;
&auth_id,
&job.acl_path(),
PRIV_DATASTORE_PRUNE | PRIV_DATASTORE_MODIFY,
true,
)?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = <[u8; 32]>::from_hex(digest)?; let digest = <[u8; 32]>::from_hex(digest)?;
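Review bot: The trailing `true` kept on the check_privs calls in create_prune_job, update_prune_job (both sites) and delete_prune_job no longer changes the outcome if, as the old two-privilege calls suggest, it selects any-of matching: with the single PRIV_DATASTORE_MODIFY bit, any-of and all-of are the same test. Left as a bare positional boolean, it would silently turn a later `PRIV_DATASTORE_MODIFY | <other priv>` into an either-privilege check. Consider passing `false` at these sites, e.g. `user_info.check_privs(&auth_id, &job.acl_path(), PRIV_DATASTORE_MODIFY, false)?;`, or at least naming the flag inline as `/* partial */ true`. The run_prune_job call in the first file has the same shape, and all of these function bodies extend beyond the hunks shown.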