tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
6,542 Commits 2 Branches 54 Tags
2393943fbbb8fa2754a823ef7cf2838dde232f5e
Commit Graph

12 Commits

Author SHA1 Message Date
Thomas Lamprecht
2393943fbb api: namespace list: fix restrictive priv checking 
This endpoint only lists all accessible namespace, and one doesn't
necessarily needs to have permissions on the parent itself just to
have OK ACLs on deeper down NS.

So, drop the upfront check on parent but explicitly avoid leaking if
a NS exists or not, i.e., only do so if they got access on the parent
NS.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-27 11:14:01 +02:00
Thomas Lamprecht
de77a20d3d api: move can_access_any_namespace helper to hierarchy 
to prepare for reuse

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-26 13:35:33 +02:00
Fabian Grünbichler
abd8248520 tree-wide: remove DatastoreWithNamespace 
instead move the acl_path helper to BackupNamespace, and introduce a new
helper for printing a store+ns when logging/generating error messages.

Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2022-05-26 11:42:10 +02:00
Fabian Grünbichler
ea2e91e52f move and unify namespace priv helpers 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2022-05-25 17:18:56 +02:00
Fabian Grünbichler
210ded9803 priv handling: use DatastoreWithNamespace 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2022-05-25 17:18:56 +02:00
Thomas Lamprecht
93821e87e6 accessible group iter: rename "new" to "new_owned" 
to clarify that it's only returning owned backups that way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-19 12:34:06 +02:00
Thomas Lamprecht
71cad8cac0 accessible group iter: add owner override and owner + extra priv handling 
The "owner override" privs will skip the owner check completely if
the authid has a permission for any of the bitwise OR'd privs
requested on the namespace level.

The "owner and privs" are for the case where being the owner is not
enough, e.g., pruning, if set they need to match all, not just any,
on the namespace, otherwise we don't even look at the groups from the
current NS level.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-19 12:27:58 +02:00
Thomas Lamprecht
49bea6b5d9 accessible group iter: allow NS descending with DATASTORE_READ 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-19 12:26:48 +02:00
Thomas Lamprecht
7da520ae46 hierachy: ListAccessibleBackupGroups make store also a lifetime'd ref 
avoid some extra Arc::clone, even if they're not really expensive
(just some atomics)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-14 14:56:34 +02:00
Thomas Lamprecht
8122eaadaa cargo fmt 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-13 16:59:32 +02:00
Thomas Lamprecht
de27ebc6b6 hierachy: add lifetime to ListAccessibleBackupGroups so that owner can be ref 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-13 16:48:56 +02:00
Thomas Lamprecht
8e82cc807c add ns-recursive and acl/authid aware backup group iter 
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2022-05-12 09:33:50 +02:00