From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 2/3] verify: allow unprivileged access to admin API
Date: Fri, 6 Nov 2020 11:23:08 +0100 [thread overview]
Message-ID: <20201106102309.1458959-3-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20201106102309.1458959-1-f.gruenbichler@proxmox.com>
which is the one used by the GUI.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/admin/verify.rs | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/api2/admin/verify.rs b/src/api2/admin/verify.rs
index 02c1eef4..6c345cd8 100644
--- a/src/api2/admin/verify.rs
+++ b/src/api2/admin/verify.rs
@@ -2,11 +2,16 @@ use anyhow::{format_err, Error};
use proxmox::api::router::SubdirMap;
use proxmox::{list_subdirs_api_method, sortable};
-use proxmox::api::{api, ApiMethod, Router, RpcEnvironment};
+use proxmox::api::{api, ApiMethod, Permission, Router, RpcEnvironment};
use crate::api2::types::*;
use crate::server::do_verification_job;
use crate::server::jobstate::{Job, JobState};
+use crate::config::acl::{
+ PRIV_DATASTORE_AUDIT,
+ PRIV_DATASTORE_VERIFY,
+};
+use crate::config::cached_user_info::CachedUserInfo;
use crate::config::verify;
use crate::config::verify::{VerificationJobConfig, VerificationJobStatus};
use serde_json::Value;
@@ -23,10 +28,14 @@ use crate::server::UPID;
},
},
returns: {
- description: "List configured jobs and their status.",
+ description: "List configured jobs and their status (filtered by access)",
type: Array,
items: { type: verify::VerificationJobStatus },
},
+ access: {
+ permission: &Permission::Anybody,
+ description: "Requires Datastore.Audit or Datastore.Verify on datastore.",
+ },
)]
/// List all verification jobs
pub fn list_verification_jobs(
@@ -34,6 +43,10 @@ pub fn list_verification_jobs(
_param: Value,
mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<VerificationJobStatus>, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
+ let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY;
let (config, digest) = verify::config()?;
@@ -41,6 +54,11 @@ pub fn list_verification_jobs(
.convert_to_typed_array("verification")?
.into_iter()
.filter(|job: &VerificationJobStatus| {
+ let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]);
+ if privs & required_privs == 0 {
+ return false;
+ }
+
if let Some(store) = &store {
&job.store == store
} else {
@@ -90,7 +108,11 @@ pub fn list_verification_jobs(
schema: JOB_ID_SCHEMA,
}
}
- }
+ },
+ access: {
+ permission: &Permission::Anybody,
+ description: "Requires Datastore.Verify on job's datastore.",
+ },
)]
/// Runs a verification job manually.
fn run_verification_job(
@@ -98,10 +120,13 @@ fn run_verification_job(
_info: &ApiMethod,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
let (config, _digest) = verify::config()?;
let verification_job: VerificationJobConfig = config.lookup("verification", &id)?;
- let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ user_info.check_privs(&auth_id, &["datastore", &verification_job.store], PRIV_DATASTORE_VERIFY, true)?;
let job = Job::new("verificationjob", &id)?;
--
2.20.1
next prev parent reply other threads:[~2020-11-06 10:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-06 10:23 [pbs-devel] [PATCH proxmox-backup 0/3] job privileges Fabian Grünbichler
2020-11-06 10:23 ` [pbs-devel] [PATCH proxmox-backup 1/3] verify: fix unprivileged verification jobs Fabian Grünbichler
2020-11-06 10:23 ` Fabian Grünbichler [this message]
2020-11-06 10:23 ` [pbs-devel] [PATCH proxmox-backup 3/3] tasks: allow access to job tasks Fabian Grünbichler
2020-11-06 11:56 ` [pbs-devel] applied: [PATCH proxmox-backup 0/3] job privileges Dietmar Maurer
2020-11-06 12:06 ` [pbs-devel] applied: " Dietmar Maurer
2020-11-06 12:11 ` Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201106102309.1458959-3-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.