Commit Graph

6412 Commits

Author SHA1 Message Date
Dominik Csapak d0a0bad9d6 ui: tape/Drive{Config, Status} move actions to status panel
so that the 'DriveConfig' panel is purely for configuration

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-08 11:18:25 +01:00
Dominik Csapak a4003d9078 ui: tape/DriveStatus: add cartridge memory grid
that the user can load when a tape is inserted

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-08 11:18:01 +01:00
Dietmar Maurer 3f4a62de2f docs: fix note about global media pool namespace 2021-03-08 10:56:28 +01:00
Thomas Lamprecht bf23f63aa5 docs: alabaster theme: better contrast for background color of topics
The old value just was way to heavy, and notes/warnings/...
admonitions did not stick out anymore.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-08 10:19:22 +01:00
Dietmar Maurer fd641b99c3 ui: add online help to drive/changer status 2021-03-08 09:47:44 +01:00
Dietmar Maurer 225affc9ca tape: add docu link targets for online help 2021-03-08 09:37:40 +01:00
Dietmar Maurer 9ce2481a69 tape: clean - fix if cleaning tape is already loaded 2021-03-08 09:08:55 +01:00
Dietmar Maurer d95c74c6e7 tape: test tape alert flags after drive clean 2021-03-08 09:08:55 +01:00
Thomas Lamprecht 218ee3269f ui: images: simplify tape icon
1. Use same height as width
2. drop the top/bottom "frame" lines
3. instead of two "bearings" side by side, like VHS or music-compact
   tapes have, use a single bearing and an outer circle to denote the
   magnetic tape edge

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-08 09:02:32 +01:00
Dietmar Maurer 5ca5f8daf3 pmt: add tape-alert-flags command 2021-03-08 07:37:05 +01:00
Dietmar Maurer 98cdee781a docs: use code-block inside tape-backup.rst 2021-03-06 12:20:26 +01:00
Dietmar Maurer 9cf4504909 docs: document tape backup jobs 2021-03-06 12:10:39 +01:00
Dietmar Maurer 5f846a3fc1 add proxmox-tape bash-completion 2021-03-06 10:22:08 +01:00
Dominik Csapak c9793d47f9 api2/tape: add notify_user to backup(-jobs) and restore api calls
so that a user can be given that will be notified for
manual intervention (e.g. inserting a tape)

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-05 17:20:37 +01:00
Dominik Csapak be8adca115 ui: tape: add notify-user fields
to backup jobs, backups and restores

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-05 12:53:41 +01:00
Dominik Csapak 9152a0077f config/tape_job: add notify-user config to tape jobs
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2021-03-05 12:51:25 +01:00
Dietmar Maurer 0b90c67fb4 tape: avoid Updatable for now 2021-03-05 12:51:25 +01:00
Dietmar Maurer b4975d3102 tape: finish api permission checks 2021-03-05 11:49:07 +01:00
Dietmar Maurer ee33795b72 acl: use /tape/device instead of /tape/drive and /tape/changer 2021-03-05 10:06:19 +01:00
Dietmar Maurer 90e16be3ae tape: improve PoolWriter logging
Log reason why we allocate a new media set.
2021-03-05 09:59:38 +01:00
Dietmar Maurer cf90a369e2 cleanup: rename token_user into auth_id_filter 2021-03-05 08:36:18 +01:00
Dietmar Maurer 6b303323be ui: use shorter datetime format for encryption key creation time 2021-03-04 17:57:40 +01:00
Dietmar Maurer 1576c7a0d9 ui: do not show MediaSet Uuid in backup content grid 2021-03-04 17:09:57 +01:00
Dietmar Maurer cd5d6103ea tape: fix media_expire_time 2021-03-04 16:58:24 +01:00
Dylan Whyte 207f763d1a tfa docs: language fixup
Simplifies the introduction a bit and makes it more readable.
Also some other minor language fixes throughout the section.

Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
2021-03-04 15:22:09 +01:00
Dietmar Maurer 1bed3aedc8 tape: fix wrong media set expire time 2021-03-04 12:38:28 +01:00
Dietmar Maurer ab77d660cc tape: improve media status in list_media 2021-03-04 10:17:10 +01:00
Dietmar Maurer b74a1daae9 ui: add acl paths for tape permission 2021-03-04 08:33:26 +01:00
Dominik Csapak bec357e2cb ui: tape: add missing monStoreErrors calls for the grids
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 16:09:39 +01:00
Dominik Csapak 78593b5b5c tape/drive: improve error and email handling for requesting a tape load
Try once first to load the correct tape before sending an email to
insert the correct one. This way, the admin does not get a mail
if the correct tape is already inserted.

Also include the error we got that prompted the email to insert the
tape. This means that if the admin gets prompted to insert e.g.
"FOO" but inserts "BAR", he'll get an email that the wrong
tape is inserted.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 16:09:39 +01:00
Dominik Csapak 7d6f03a7fe ui: tape: only add tapestore and nav element once
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 16:09:39 +01:00
Dominik Csapak f46573f8c3 add proxmox-tape zsh-completions
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 16:09:39 +01:00
Dominik Csapak b83e136fb6 ui: tape/DriveStatus: fix handler name for eject
We call 'ejectMedia' not 'eject', so rename the function.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 16:09:39 +01:00
Thomas Lamprecht 5c4203b20c ui: webauthn registration: code cleanup long variable name
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-03 14:05:05 +01:00
Thomas Lamprecht 7f9eef1d47 ui: webauthn registration: adapt error messages
There are variuos hints that 'InvalidStateError' can be assumed to
come from an already registered token[0][1].

So indicate that more strongly, also omit the extra line and warning
triangle, there's already an error icon present.

[0]: step 2: https://w3c.github.io/webauthn/#sctn-registering-a-new-credential
[1]: step 3: https://w3c.github.io/webauthn/#sctn-op-make-cred

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-03 14:05:05 +01:00
Dominik Csapak a8a0132766 ui: LoginView: show webauthn errors in window
instead of silently discarding the error, else the user might be
confused because nothing happened

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 14:05:05 +01:00
Dominik Csapak 831c43c91b config/tfa: webauthn: disallow registering a token twice
by adding the existing credential id to the 'excludeCredentials' list

this prevents the browser from registering a token twice, which
lets authentication fail on some browser/token combinations
(e.g. onlykey/solokey+chromium)
while is seems this is currently a bug in chromium, in a future spec
update the underlying behaviour should be better defined, making this
an authenticator bug

also explicitly catch registering errors and show appropriate error messages

0: https://bugs.chromium.org/p/chromium/issues/detail?id=1087642

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 14:05:05 +01:00
Dominik Csapak b452e2df74 Revert "ui: window/Settings / WebAuthn: add browser setting for userVerificationo"
even if the options *could* be set in the frontend, the backend
actually has to do validation of those settings, thus we should not
make that a browser setting

additionally, having the value 'preferred' does not actually make sense,
since it does not add any security (the backend skips the
userverification check then)

This reverts commit aca4c2b5a9.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 14:05:05 +01:00
Dominik Csapak 7f37cacfac config/tfa: set UserVerificationPolicy to Discouraged
the current default is 'Preferred', which is not really useful, as the
(web) client can simply change this to discouraged, since the
webauthn_rs crate does not verify the 'user_verified' bit of the
response in that case

setting this to 'Required' is not really useful either at the moment,
since a user can have a mix of different authenticators that may or
may not support user verification

there is ongoing discussion in the crate how to handle that[0]

we could probably expose this setting(discouraged/required) to the user/admin
and save it to the credential and allow only registering credentials
of the same type or filter them out on login (i.e. if there is an
authenticator that can handle userVerification, require it)

in any case, the current default is not helpful for security, but
makes loggin in harder, since the key will by default want to verify
the user

0: https://github.com/kanidm/webauthn-rs/pull/49

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-03-03 14:05:05 +01:00
Thomas Lamprecht 3bb7e62e88 zpool parsers: small code cleanup
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-03 14:05:05 +01:00
Thomas Lamprecht 3b060167f6 zpool parsers: fixup test value
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-03 14:05:05 +01:00
Dietmar Maurer 8a76e71129 tape: impl access permission for media content list 2021-03-03 13:16:15 +01:00
Dietmar Maurer 396fd747a6 tape: impl access permissions for tape jobs 2021-03-03 12:48:06 +01:00
Dietmar Maurer 16bd08b297 tape: add acl path /tape/job/{id} 2021-03-03 12:48:06 +01:00
Dietmar Maurer ccdf327ac8 tape: impl access permissions for encryption key config 2021-03-03 12:21:55 +01:00
Dietmar Maurer 8cd63df0dc tape: impl api permissions for drive/changer/pool configuration 2021-03-03 12:10:00 +01:00
Dietmar Maurer b90cb34fd6 complete_acl_path: add more paths 2021-03-03 11:09:54 +01:00
Dietmar Maurer d6c1e12c06 add roles to implement tape backup permissions 2021-03-03 11:09:02 +01:00
Dietmar Maurer d33d1c880b docs: mark tape backup as technology preview 2021-03-03 10:04:11 +01:00
Dylan Whyte 985e84e369 Fix 3321: fix interactive restore command explanation
The previous description in the docs was false. The restore command
with the pattern parameter will search the entire backup archive,
regardless of pwd.

Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
2021-03-03 09:34:19 +01:00