Fabian Grünbichler
2fc45a97a9
privs: remove PRIV_REMOVE_PRUNE
...
it's not used anywhere, and not needed either until the day we might
implement push syncs.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 16:42:26 +01:00
Fabian Grünbichler
b7ce2e575f
verify jobs: add permissions
...
equivalent to verifying a whole datastore, except for reading job
(entries), which is accessible to regular Datastore.Audit/Backup users
as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 16:36:52 +01:00
Fabian Grünbichler
09f6a24078
verify: introduce & use new Datastore.Verify privilege
...
for verifying a whole datastore. Datastore.Backup now allows verifying
only backups owned by the triggering user.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 16:36:52 +01:00
Fabian Grünbichler
b728a69e7d
privs: use Datastore.Modify|Backup to set backup notes
...
Datastore.Backup is limited to owned groups, as usual.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 16:36:52 +01:00
Fabian Grünbichler
1401f4be5f
privs: allow reading notes with Datastore.Audit
...
they are returned when reading the manifest, which just requires
Datastore.Audit as well. Datastore.Read is for reading backup contents,
not metadata.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 16:36:52 +01:00
Thomas Lamprecht
fdb4416bae
ui: permission path selector: cbind typeAhead to editable
...
ExtJS throws an exception if 'typeAhead' is true but 'editable' is
false.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 16:31:53 +01:00
Wolfgang Bumiller
abe1edfc95
update d/control
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-30 16:11:50 +01:00
Wolfgang Bumiller
e4a864bd21
impl From<Authid> for Userid
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-30 15:19:07 +01:00
Wolfgang Bumiller
7a7368ee08
bump proxmox dependency to 0.7.0 for totp updates
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-30 15:19:07 +01:00
Dominik Csapak
e707fd2b3b
ui: Utils: add product specific task descriptions
...
and sort them alphabetically
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2020-10-30 14:05:17 +01:00
Thomas Lamprecht
625a56b75e
server/rest: accept also = as token separator
...
Like we do in Proxmox VE
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 13:34:26 +01:00
Thomas Lamprecht
6d8a1ac9e4
server/rest: use constants for HTTP headers
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 13:33:36 +01:00
Fabian Grünbichler
362739054e
api tokens: add authorization method
...
and properly decode secret (which is a no-op with the current scheme).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 13:15:14 +01:00
Thomas Lamprecht
2762481cc8
proxmox-backup-manager: add subscription commands
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 13:03:58 +01:00
Thomas Lamprecht
652506e6b8
api: define subscription module and methods as public
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 13:03:58 +01:00
Thomas Lamprecht
926d253126
api: define subscription key schema and use it
...
nicer to have the correct regex checked in parameter verification
already
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 12:57:14 +01:00
Fabian Grünbichler
1cd951c93e
proxy: fix warnings
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-30 12:49:43 +01:00
Dietmar Maurer
3b707fbb8f
proxy: split out code to run garbage collection job
2020-10-30 11:01:45 +01:00
Dietmar Maurer
b15751bf55
check_schedule cleanup: use &str instead of String
...
This way we can avoid many clone() calls.
2020-10-30 09:49:50 +01:00
Hannes Laimer
82c05b41fa
proxy: extract commonly used logic for scheduling into new function
...
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
2020-10-30 09:49:50 +01:00
Hannes Laimer
b8d9079835
proxy: move prune logic into new file
...
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
2020-10-30 09:49:50 +01:00
Thomas Lamprecht
f8a682a873
ui: user menu: allow changing language while logged in
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-30 09:46:04 +01:00
Thomas Lamprecht
b03a19b6e8
bump version to 0.9.4-2
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 20:25:37 +01:00
Thomas Lamprecht
603a6bd183
d/postinst: followup: grep and sed use different regex escaping ..
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 20:25:37 +01:00
Thomas Lamprecht
83b039af35
d/postinst: make more resilient
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 19:58:41 +01:00
Thomas Lamprecht
c9299e76fc
bump version to 0.9.3-2
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 17:20:04 +01:00
Thomas Lamprecht
2f1a46f748
ui: move user, token and permissions into an access control tab panel
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 16:47:18 +01:00
Thomas Lamprecht
2b38dfb456
d/control: update
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 16:18:40 +01:00
Thomas Lamprecht
f487a622ce
ui: datastore summary: handle missing snapshot of a types
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 15:52:53 +01:00
Wolfgang Bumiller
906ef6c5bd
api2/access/user: fix return type schema
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-29 15:20:10 +01:00
Wolfgang Bumiller
ea1853a17b
api2/access/user: drop Option, treat empty Vec as None
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-29 15:17:54 +01:00
Wolfgang Bumiller
221177ba41
fixup hardcoded paths
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-29 15:15:17 +01:00
Fabian Grünbichler
184a37635b
gui: add API token ACLs
...
and the needed API token selector.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
b2da7fbd1c
acls: allow viewing/editing user's token ACLs
...
even for otherwise unprivileged users.
since effective privileges of an API token are always intersected with
those of their owning user, this does not allow an unprivileged user to
elevate their privileges in practice, but avoids the need to involve a
privileged user to deploy API tokens.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
7fe76d3491
gui: add API token UI
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
e6b5bf69a3
gui: add permissions button to user view
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
4615325f9e
manager: add user permissions command
...
useful for debugging complex ACL setups.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
2156dec5a9
manager: add token commands
...
to generate, list and delete tokens. adding them to ACLs already works
out of the box.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
16245d540c
tasks: allow unpriv users to read their tokens' tasks
...
and tighten down the return schema while we're at it.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
bff8557298
owner checks: handle backups owned by API tokens
...
a user should be allowed to read/list/overwrite backups owned by their
own tokens, but a token should not be able to read/list/overwrite
backups owned by their owning user.
when changing ownership of a backup group, a user should be able to
transfer ownership to/from their own tokens if the backup is owned by
them (or one of their tokens).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
34aa8e13b6
client/remote: allow using ApiToken + secret
...
in place of user + password.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
babab85b56
api: add permissions endpoint
...
and adapt privilege calculation to return propagate flag
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
6746bbb1a2
api: allow listing users + tokens
...
since it's not possible to extend existing structs, UserWithTokens
duplicates most of user::User.. to avoid duplicating user::ApiToken as
well, this returns full API token IDs, not just the token name part.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
942078c40b
api: add API token endpoints
...
beneath the user endpoint.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
c30816c1f8
REST: extract and handle API tokens
...
and refactor handling of headers in the REST server while we're at it.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:14:27 +01:00
Fabian Grünbichler
e6dc35acb8
replace Userid with Authid
...
in most generic places. this is accompanied by a change in
RpcEnvironment to purposefully break existing call sites.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:11:39 +01:00
Wolfgang Bumiller
e10c5c74f6
bump proxmox dependency to 0.6.0 for api tokens and tfa
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-10-29 15:11:39 +01:00
Fabian Grünbichler
f8adf8f83f
config: add token.shadow file
...
containing pairs of token ids and hashed secret values.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:11:39 +01:00
Fabian Grünbichler
e0538349e2
api: add Authid as wrapper around Userid
...
with an optional Tokenname, appended with '!' as delimiter in the string
representation like for PVE.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2020-10-29 15:11:39 +01:00
Thomas Lamprecht
0903403ce7
bump version to 0.9.3-1
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-29 14:58:21 +01:00