Commit Graph

4470 Commits

Author SHA1 Message Date
Wolfgang Bumiller aa32a46171 api: disable setting prune options in datastore.cfg
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 14:48:15 +02:00
Wolfgang Bumiller 6283d7d13a stop executing datastore prune job
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 14:47:57 +02:00
Wolfgang Bumiller d4dd7ac842 api: don't use PRUNE perms for prune jobs
just stick to MODIFY so we don't need to give the prune jobs
an owner for now

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 14:33:06 +02:00
Wolfgang Bumiller 134779664e manager: hidden command to move datastore prune opts into jobs
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 13:58:43 +02:00
Wolfgang Bumiller dba37e212b add prune jobs api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 13:58:43 +02:00
Wolfgang Bumiller 8721b42e2f api: add some missing sorted macro calls
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-05-30 13:58:43 +02:00
Thomas Lamprecht 2393943fbb api: namespace list: fix restrictive priv checking
This endpoint only lists all accessible namespace, and one doesn't
necessarily needs to have permissions on the parent itself just to
have OK ACLs on deeper down NS.

So, drop the upfront check on parent but explicitly avoid leaking if
a NS exists or not, i.e., only do so if they got access on the parent
NS.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-27 11:14:01 +02:00
Thomas Lamprecht 84de101272 api: status: include empty entry for stores with ns-only privs
I.e., for those that only got permissions on a sub namespace and
those that onlöy got BACKUP_READ, as both they could just list and
count themselves too after all, so not exactly secret info.

The UI needs some adaptions to cope with gc-stats and usage being
optional, will be done in a next commit.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-27 10:55:48 +02:00
Thomas Lamprecht de77a20d3d api: move can_access_any_namespace helper to hierarchy
to prepare for reuse

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-26 13:35:33 +02:00
Thomas Lamprecht 997c96d6a3 datastore status: impl empty-status constructor for item type
we can now use it for the error case and will further use it for the
can access namespace but not datastore case in a future patch

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-26 13:34:00 +02:00
Fabian Grünbichler abd8248520 tree-wide: remove DatastoreWithNamespace
instead move the acl_path helper to BackupNamespace, and introduce a new
helper for printing a store+ns when logging/generating error messages.

Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-26 11:42:10 +02:00
Fabian Grünbichler 974a3e521a api: datastore: cleanup store/ns handling
this should just avoid some clones, no semantic changes intended.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler ea2e91e52f move and unify namespace priv helpers
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 77bd14f68a sync/pull: cleanup priv checks and logging
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 3e4994a54f api: tape: use check_privs instead of manual lookup
these all contain the path in the error message already, so no (new)
potential for leakage..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 75b377219d api: backup env: use check_privs
it includes the path, which might be helpful when users are switching to
using namespaces. datastore and namespace lookup happens after, so this
doesn't leak anything.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler c8dc51e41f api: namespace: check privs directly
instead of doing a manual lookup and check - this changes the returned
error slightly since check_privs will include the checked ACL path, but
that is okay here, checks are before we even lookup the namespace/store,
so no chance to leak anything.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 7d0dbaa013 priv checks: use priv_to_priv_names and include path
where appropriate. these should never leak anything sensitive, as we
check privs before checking existence or existence is already known at
that point via other privileges.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 210ded9803 priv handling: use DatastoreWithNamespace
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 99e1399729 api: tape: restore: improve permission checks
no redundant store+namespace mapping, and synchronize namespace creation
check with that of manual creation and creation as part of sync.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 0aa5815fb6 verify_job: fix priv check
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler bb5c77fffa api2: reader env: fix priv checks
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 83e3000349 sync job: don't require privs on datastore
syncing to a namespace only requires privileges on the namespace (and
potentially its children during execution).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 4a4dd66c26 api: list snapshots: fix log param order
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler b9b2d635fe sync job: fix worker ID parsing
the namespace is optional, but should be captured to allow ACL checks
for unprivileged non-job-owners.

also add FIXME for other job types and workers that (might) need
updating.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler 9f8aa8c5e2 debug: recover: allow overriding output-path
including to STDOUT.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:46:04 +02:00
Fabian Grünbichler b11693b2f7 debug: move outfile_or_stdout to module for reuse
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:45:59 +02:00
Fabian Grünbichler 53435bc4d5 debug: recover: allow ignoring missing/corrupt chunks
replacing them with chunks of zero bytes.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:45:54 +02:00
Dominik Csapak 8bec3ff691 tape/pool_writer: give proper types to 'contains_snapshot'
instead of a string. The underlying catalog implementation has to
care about how this is formatted, not the external caller

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2022-05-23 16:20:13 +02:00
Dominik Csapak 789e22d905 proxmox-tape: use correct api call for 'load-media-from-slot'
it's a 'post' api call, not 'put'

reported here:
https://forum.proxmox.com/threads/lto8.109946/
and here:
https://forum.proxmox.com/threads/cant-clear-tape.86454/

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2022-05-23 16:14:41 +02:00
Fabian Grünbichler a1c30e0194 cargo fmt
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-23 16:12:22 +02:00
Fabian Grünbichler d4c6e68bf0 fix typo
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-23 15:05:38 +02:00
Thomas Lamprecht 26b40687b3 prune datastore: add depth info to tak log
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:32:45 +02:00
Thomas Lamprecht e3c26aea31 prune datastore: support max-depth and improve priv checks
use the relatively new variant of ListAccessibleBackupGroups to also
allow pruning the groups that one doesn't own but has the respective
privileges on their namespace level.

This was previously handled by the API endpoint itself, which was ok
as long as only one level was looked at.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:31:09 +02:00
Thomas Lamprecht 65aba79a9b prune datastore: rework tak log
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:23:24 +02:00
Thomas Lamprecht 4b6a653a0f verify filter: improve comment
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:36:51 +02:00
Thomas Lamprecht 3c41d86010 verify all: adhere to NS privs for non-owned groups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:36:06 +02:00
Thomas Lamprecht 93821e87e6 accessible group iter: rename "new" to "new_owned"
to clarify that it's only returning owned backups that way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:34:06 +02:00
Thomas Lamprecht f12f408e91 api: datastore status: adhere to NS privs for non-owner
Not only check all owned backup groups, but also all that an auth_id
has DATASTORE_AUDIT or DATASTORE_READ on the whole namespace.

best viewed with whitespace change ignore (-w)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:32:35 +02:00
Thomas Lamprecht 71cad8cac0 accessible group iter: add owner override and owner + extra priv handling
The "owner override" privs will skip the owner check completely if
the authid has a permission for any of the bitwise OR'd privs
requested on the namespace level.

The "owner and privs" are for the case where being the owner is not
enough, e.g., pruning, if set they need to match all, not just any,
on the namespace, otherwise we don't even look at the groups from the
current NS level.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:27:58 +02:00
Thomas Lamprecht 49bea6b5d9 accessible group iter: allow NS descending with DATASTORE_READ
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:26:48 +02:00
Thomas Lamprecht 327d14b3d1 Revert "verify: allow '0' days for reverification"
This reverts commit 7a1a5d206d.

We could already cause the behavior by simply setting ignore-verified
to false, aas that flag is basically an on/off switch for even
considering outdated-after or not.

So avoid the extra logic and just make the gui use the previously
existing way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 12:53:08 +02:00
Fabian Grünbichler 3697161800 prune: fix workerid issues
properly encode the namespace as separate field both for manual prunes
and the job. fix the access checks as well now that the job doesn't use
the jobid as workerid anymore.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 18:49:19 +02:00
Fabian Grünbichler e13303fca6 tree-wide: prefer api-type BackupGroup for logging
together with DatastoreWithNamespace where needed, to not forget
namespace information.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 18:49:19 +02:00
Fabian Grünbichler 5ae393af15 tape/verify: use print_ns_and_snapshot
in those few places where we actually want to use/print the full,
NS-included path.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 18:49:19 +02:00
Fabian Grünbichler 1afce610c7 tree-wide: prefer api-type BackupDir for logging
in combination with DatastoreWithNamespace to not lose the namespace
information.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 18:49:19 +02:00
Thomas Lamprecht ebab1e5ed9 api: namespace create: lookup datastore with corret operation
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-16 18:26:55 +02:00
Fabian Grünbichler e3ea577011 pull: use API BackupDir for log messages
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 09:43:28 +02:00
Thomas Lamprecht 3aafa61362 namespace deletion: propagate delete-groups=false but ENOTEMPTY as error
after all we couldn't delete all that got requested, ideally this
should become a task where we can log what got deleted and what
not...

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-15 16:32:49 +02:00
Thomas Lamprecht b0166d4e8d api: cargo fmt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-15 16:01:57 +02:00