From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 4/8] verify jobs: add permissions
Date: Fri, 30 Oct 2020 12:36:40 +0100 [thread overview]
Message-ID: <20201030113644.2044947-5-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20201030113644.2044947-1-f.gruenbichler@proxmox.com>
equivalent to verifying a whole datastore, except for reading job
(entries), which is accessible to regular Datastore.Audit/Backup users
as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
modifying the config could also be guarded by Datastore.Modify, but I like the
idea of scheduling an action and doing it now requiring the same permissions..
src/api2/config/verify.rs | 41 +++++++++++++++++++++++++++++++++++++--
1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/api2/config/verify.rs b/src/api2/config/verify.rs
index 32d83d17..0c5a6460 100644
--- a/src/api2/config/verify.rs
+++ b/src/api2/config/verify.rs
@@ -2,10 +2,17 @@ use anyhow::{bail, Error};
use serde_json::Value;
use ::serde::{Deserialize, Serialize};
-use proxmox::api::{api, Router, RpcEnvironment};
+use proxmox::api::{api, Permission, Router, RpcEnvironment};
use proxmox::tools::fs::open_file_locked;
use crate::api2::types::*;
+
+use crate::config::acl::{
+ PRIV_DATASTORE_AUDIT,
+ PRIV_DATASTORE_BACKUP,
+ PRIV_DATASTORE_VERIFY,
+};
+
use crate::config::verify::{self, VerificationJobConfig};
#[api(
@@ -17,6 +24,12 @@ use crate::config::verify::{self, VerificationJobConfig};
type: Array,
items: { type: verify::VerificationJobConfig },
},
+ access: {
+ permission: &Permission::Privilege(
+ &["datastore", "{store}"],
+ PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY,
+ true),
+ },
)]
/// List all verification jobs
pub fn list_verification_jobs(
@@ -61,7 +74,13 @@ pub fn list_verification_jobs(
schema: VERIFICATION_SCHEDULE_SCHEMA,
},
}
- }
+ },
+ access: {
+ permission: &Permission::Privilege(
+ &["datastore", "{store}"],
+ PRIV_DATASTORE_VERIFY,
+ true),
+ },
)]
/// Create a new verification job.
pub fn create_verification_job(param: Value) -> Result<(), Error> {
@@ -97,6 +116,12 @@ pub fn create_verification_job(param: Value) -> Result<(), Error> {
description: "The verification job configuration.",
type: verify::VerificationJobConfig,
},
+ access: {
+ permission: &Permission::Privilege(
+ &["datastore", "{store}"],
+ PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY,
+ true),
+ },
)]
/// Read a verification job configuration.
pub fn read_verification_job(
@@ -167,6 +192,12 @@ pub enum DeletableProperty {
},
},
},
+ access: {
+ permission: &Permission::Privilege(
+ &["datastore", "{store}"],
+ PRIV_DATASTORE_VERIFY,
+ true),
+ },
)]
/// Update verification job config.
pub fn update_verification_job(
@@ -238,6 +269,12 @@ pub fn update_verification_job(
},
},
},
+ access: {
+ permission: &Permission::Privilege(
+ &["datastore", "{store}"],
+ PRIV_DATASTORE_VERIFY,
+ true),
+ },
)]
/// Remove a verification job configuration
pub fn delete_verification_job(id: String, digest: Option<String>) -> Result<(), Error> {
--
2.20.1
next prev parent reply other threads:[~2020-10-30 11:37 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-30 11:36 [pbs-devel] [PATCH proxmox-backup 0/8] permission improvements Fabian Grünbichler
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 1/8] privs: allow reading notes with Datastore.Audit Fabian Grünbichler
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 2/8] privs: use Datastore.Modify|Backup to set backup notes Fabian Grünbichler
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 3/8] verify: introduce & use new Datastore.Verify privilege Fabian Grünbichler
2020-10-30 11:36 ` Fabian Grünbichler [this message]
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 5/8] fix #2864: add owner option to sync Fabian Grünbichler
2020-11-02 6:37 ` [pbs-devel] applied: " Dietmar Maurer
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 6/8] sync: allow sync for non-superusers Fabian Grünbichler
2020-11-02 6:39 ` [pbs-devel] applied: " Dietmar Maurer
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 7/8] privs: remove PRIV_REMOVE_PRUNE Fabian Grünbichler
2020-10-30 11:36 ` [pbs-devel] [PATCH proxmox-backup 8/8] privs: add some more comments explaining privileges Fabian Grünbichler
2020-10-30 15:44 ` [pbs-devel] partially-applied: [PATCH proxmox-backup 0/8] permission improvements Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201030113644.2044947-5-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.