Commit Graph

6528 Commits

Author SHA1 Message Date
Fabian Grünbichler
ea2e91e52f move and unify namespace priv helpers
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
77bd14f68a sync/pull: cleanup priv checks and logging
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
d1fba4de1d include privilege names in check_privs error
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
3e4994a54f api: tape: use check_privs instead of manual lookup
these all contain the path in the error message already, so no (new)
potential for leakage..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
75b377219d api: backup env: use check_privs
it includes the path, which might be helpful when users are switching to
using namespaces. datastore and namespace lookup happens after, so this
doesn't leak anything.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
c8dc51e41f api: namespace: check privs directly
instead of doing a manual lookup and check - this changes the returned
error slightly since check_privs will include the checked ACL path, but
that is okay here, checks are before we even lookup the namespace/store,
so no chance to leak anything.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
7d0dbaa013 priv checks: use priv_to_priv_names and include path
where appropriate. these should never leak anything sensitive, as we
check privs before checking existence or existence is already known at
that point via other privileges.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
efa62d44d4 api: add new priv to priv name helper
for usage in permission check error messages, to allow easily indicating
which privs are missing.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
210ded9803 priv handling: use DatastoreWithNamespace
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
99e1399729 api: tape: restore: improve permission checks
no redundant store+namespace mapping, and synchronize namespace creation
check with that of manual creation and creation as part of sync.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
0aa5815fb6 verify_job: fix priv check
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
bb5c77fffa api2: reader env: fix priv checks
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
ebfcf75e14 acl: fix handling of sub-components containing '/'
previously with an ACL for the path "/foo/bar" without propagation and a
check for `&["foo", "bar/baz"] this code would return the ACL (roles)
for "/foo/bar" for the path "/foo/bar/baz".

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
83e3000349 sync job: don't require privs on datastore
syncing to a namespace only requires privileges on the namespace (and
potentially its children during execution).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
4a4dd66c26 api: list snapshots: fix log param order
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
b9b2d635fe sync job: fix worker ID parsing
the namespace is optional, but should be captured to allow ACL checks
for unprivileged non-job-owners.

also add FIXME for other job types and workers that (might) need
updating.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-25 17:18:56 +02:00
Fabian Grünbichler
9f8aa8c5e2 debug: recover: allow overriding output-path
including to STDOUT.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:46:04 +02:00
Fabian Grünbichler
b11693b2f7 debug: move outfile_or_stdout to module for reuse
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:45:59 +02:00
Fabian Grünbichler
53435bc4d5 debug: recover: allow ignoring missing/corrupt chunks
replacing them with chunks of zero bytes.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
2022-05-24 11:45:54 +02:00
Dominik Csapak
8bec3ff691 tape/pool_writer: give proper types to 'contains_snapshot'
instead of a string. The underlying catalog implementation has to
care about how this is formatted, not the external caller

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2022-05-23 16:20:13 +02:00
Dominik Csapak
789e22d905 proxmox-tape: use correct api call for 'load-media-from-slot'
it's a 'post' api call, not 'put'

reported here:
https://forum.proxmox.com/threads/lto8.109946/
and here:
https://forum.proxmox.com/threads/cant-clear-tape.86454/

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2022-05-23 16:14:41 +02:00
Fabian Grünbichler
a1c30e0194 cargo fmt
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-23 16:12:22 +02:00
Fabian Grünbichler
d4c6e68bf0 fix typo
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-23 15:05:38 +02:00
Thomas Lamprecht
e642344f98 ui: datastore content: enable recursive/depth selector for prune all
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:35:01 +02:00
Thomas Lamprecht
d4574bb138 ui: prune input: support opt-in recursive/max-depth field
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:34:17 +02:00
Thomas Lamprecht
26b40687b3 prune datastore: add depth info to tak log
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:32:45 +02:00
Thomas Lamprecht
e3c26aea31 prune datastore: support max-depth and improve priv checks
use the relatively new variant of ListAccessibleBackupGroups to also
allow pruning the groups that one doesn't own but has the respective
privileges on their namespace level.

This was previously handled by the API endpoint itself, which was ok
as long as only one level was looked at.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:31:09 +02:00
Thomas Lamprecht
65aba79a9b prune datastore: rework tak log
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 13:23:24 +02:00
Thomas Lamprecht
4b6a653a0f verify filter: improve comment
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:36:51 +02:00
Thomas Lamprecht
3c41d86010 verify all: adhere to NS privs for non-owned groups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:36:06 +02:00
Thomas Lamprecht
93821e87e6 accessible group iter: rename "new" to "new_owned"
to clarify that it's only returning owned backups that way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:34:06 +02:00
Thomas Lamprecht
f12f408e91 api: datastore status: adhere to NS privs for non-owner
Not only check all owned backup groups, but also all that an auth_id
has DATASTORE_AUDIT or DATASTORE_READ on the whole namespace.

best viewed with whitespace change ignore (-w)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:32:35 +02:00
Thomas Lamprecht
71cad8cac0 accessible group iter: add owner override and owner + extra priv handling
The "owner override" privs will skip the owner check completely if
the authid has a permission for any of the bitwise OR'd privs
requested on the namespace level.

The "owner and privs" are for the case where being the owner is not
enough, e.g., pruning, if set they need to match all, not just any,
on the namespace, otherwise we don't even look at the groups from the
current NS level.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:27:58 +02:00
Thomas Lamprecht
49bea6b5d9 accessible group iter: allow NS descending with DATASTORE_READ
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-19 12:26:48 +02:00
Thomas Lamprecht
f7247e2b84 ui: datastore content: add icons to top bar prune/verify buttons
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 18:37:20 +02:00
Thomas Lamprecht
5664b41c30 ui: acl view: make path column flex, but enforce minWidth
with namespaces the paths can get pretty complex, so make the path
column take some flex space too, but not too much to avoid making it
look odd for the short paths we have otherwise

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 18:22:17 +02:00
Thomas Lamprecht
33612525e1 ui: datastore permissions: allow ACL path edit & query namespaces
Without namespaces this had not much use, but now that we can have
permissions below we should allow so.

For convenience also query the namsepaces here and add them to the
list of available ACL paths, the read-dir shouldn't be that expensive
(albeit, we could cache them in the frontend)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 18:14:37 +02:00
Thomas Lamprecht
a502bc5617 ui: small style cleanups/refactoring
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 18:04:16 +02:00
Thomas Lamprecht
8772ca727c api types: verify job: fix doc comment typo
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 15:45:55 +02:00
Thomas Lamprecht
7f3b4a94e6 api types: verify job: allow outdated-afer == 0 for backward compat
We can have those in existing verify jobs configs, and that'd break
stuff. So, even while the "bad" commit got released only recently
with `2.1.6-1` (14 April 2022), we still need to cope with those that
used it, and using some serde parser magic to transform on read only
is hard here due to section config (json-value and verify currently
happen before we can do anything about it)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 15:39:59 +02:00
Thomas Lamprecht
327d14b3d1 Revert "verify: allow '0' days for reverification"
This reverts commit 7a1a5d206d.

We could already cause the behavior by simply setting ignore-verified
to false, aas that flag is basically an on/off switch for even
considering outdated-after or not.

So avoid the extra logic and just make the gui use the previously
existing way.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 12:53:08 +02:00
Thomas Lamprecht
0f8fd71093 cargo: update commented-out path patched dependencies
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 09:00:41 +02:00
Thomas Lamprecht
8d3b84e719 d/changelog: fixup last entry
as this obviously is released...

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-18 08:45:53 +02:00
Thomas Lamprecht
d1d328d582 bump version to 2.2.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 14:03:30 +02:00
Thomas Lamprecht
72e344a1b4 ui: namespace & maintenance mode: refer to onlineHelp
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 14:03:00 +02:00
Thomas Lamprecht
f71a4ce6d6 docs: client usage: add some hints for namespace
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 13:55:21 +02:00
Thomas Lamprecht
a3b1026753 docs: some textwidth cleanups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 13:55:04 +02:00
Dominik Csapak
5e1b17018b ui: namespace selector: show picker empty text if no namespace
by filtering out the empty namespace from the api, and putting
manually a div with the grid-empty xclass around the gettext

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
 [ T: reword commit message ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 13:40:27 +02:00
Thomas Lamprecht
9615d9a6b6 ui: tape restore: reword comment w.r.t. mapping value
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 13:35:55 +02:00
Dominik Csapak
3ae4dab4b9 ui: tape restore: fix form validation for datastore mapping
'defaultStore' can be '' or null, so check for truthyness also, we
want the mapping to be a formField so that the validation triggers
and the restore button gets en/disabled accordingly. We still have to
call 'getValue' manually, because the onGetValues will get it as
string instead of an array

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-05-17 13:35:21 +02:00