add roles to implement tape backup permissions

2021-03-03 11:09:02 +01:00 · 2021-03-03 11:09:02 +01:00 · d6c1e12c06
commit d6c1e12c06
parent d33d1c880b
1 changed files with 73 additions and 0 deletions
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@ -63,6 +63,15 @@ constnamedbitmap! {
        /// Sys.Console allows access to the system's console
        PRIV_SYS_CONSOLE("Sys.Console");
        /// Tape.Audit allows reading tape backup configuration and status
        PRIV_TAPE_AUDIT("Tape.Audit");
        /// Tape.Modify allows modifying tape backup configuration
        PRIV_TAPE_MODIFY("Tape.Modify");
        /// Tape.Write allows writing tape media
        PRIV_TAPE_WRITE("Tape.Write");
        /// Tape.Read allows reading tape backup configuration and media contents
        PRIV_TAPE_READ("Tape.Read");
    }
 }
@ -139,6 +148,36 @@ pub const ROLE_REMOTE_SYNC_OPERATOR: u64 = 0
    | PRIV_REMOTE_AUDIT
    | PRIV_REMOTE_READ;
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Audit can audit the tape backup configuration and media content
 pub const ROLE_TAPE_AUDIT: u64 = 0
    | PRIV_TAPE_AUDIT;
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Admin can do anything on the tape backup
 pub const ROLE_TAPE_ADMIN: u64 = 0
    | PRIV_TAPE_AUDIT
    | PRIV_TAPE_MODIFY
    | PRIV_TAPE_READ
    | PRIV_TAPE_WRITE;
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Operator can do tape backup and restore (but no configuration changes)
 pub const ROLE_TAPE_OPERATOR: u64 = 0
    | PRIV_TAPE_AUDIT
    | PRIV_TAPE_READ
    | PRIV_TAPE_WRITE;
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Reader can do read and inspect tape content
 pub const ROLE_TAPE_READER: u64 = 0
    | PRIV_TAPE_AUDIT
    | PRIV_TAPE_READ;
 /// NoAccess can be used to remove privileges from specific (sub-)paths
 pub const ROLE_NAME_NO_ACCESS: &str = "NoAccess";
@ -174,6 +213,14 @@ pub enum Role {
    RemoteAdmin = ROLE_REMOTE_ADMIN,
    /// Syncronisation Opertator
    RemoteSyncOperator = ROLE_REMOTE_SYNC_OPERATOR,
    /// Tape Auditor
    TapeAudit = ROLE_TAPE_AUDIT,
    /// Tape Administrator
    TapeAdmin = ROLE_TAPE_ADMIN,
    /// Tape Operator
    TapeOperator = ROLE_TAPE_OPERATOR,
    /// Tape Reader
    TapeReader = ROLE_TAPE_READER,
 }
 impl FromStr for Role {
@ -294,6 +341,32 @@ pub fn check_acl_path(path: &str) -> Result<(), Error> {
                _ => {}
            }
        }
        "tape" => {
            if components_len == 1 {
                return Ok(());
            }
            match components[1] {
                "drive" => {
                    // /tape/drive/{name}
                    if components_len <= 3 {
                        return Ok(());
                    }
                }
                "changer" => {
                    // /tape/changer/{name}
                    if components_len <= 3 {
                        return Ok(());
                    }
                }
                "pool" => {
                    // /tape/pool/{name}
                    if components_len <= 3 {
                        return Ok(());
                    }
                }
                _ => {}
            }
        }
        _ => {}
    }