* [pbs-devel] [PATCH proxmox-backup] fix #3014: allow DataStoreAdmins to list DS config
@ 2020-09-18 9:45 Fabian Grünbichler
2020-09-18 10:08 ` [pbs-devel] applied: " Dietmar Maurer
From: Fabian Grünbichler @ 2020-09-18 9:45 UTC (permalink / raw)
To: pbs-devel
filtered by those they are privileged enough to read individually. this
allows such users to configure prune/GC schedules via the GUI (the API
already allowed it previously).

permission-wise, a user with this privilege can already:
- list all stores they have access to (returns just name/comment)
- read the config of each store they have access to individually
  (returns full config of that datastore + digest of whole config)

but combines them to
- read configs of all datastores they have access to (returns full
  config of those datastores + digest of whole config)

users that have AUDIT on just /datastore without propagate can now no
longer read all configurations (but this could be added back, it just
seems to make little sense to me).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/config/datastore.rs | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs
index 1ee303f8..0f4021d6 100644
--- a/src/api2/config/datastore.rs
+++ b/src/api2/config/datastore.rs
@@ -9,6 +9,7 @@ use proxmox::tools::fs::open_file_locked;
use crate::api2::types::*;
use crate::backup::*;
+use crate::config::cached_user_info::CachedUserInfo;
use crate::config::datastore::{self, DataStoreConfig, DIR_NAME_SCHEMA};
use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY};
@@ -22,7 +23,7 @@ use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY};
items: { type: datastore::DataStoreConfig },
},
access: {
- permission: &Permission::Privilege(&["datastore"], PRIV_DATASTORE_AUDIT, false),
+ permission: &Permission::Anybody,
},
)]
/// List all datastores
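Review bot: the doc comment `/// List all datastores` right after the changed `permission:` line no longer describes the endpoint, and `Permission::Anybody` on its own tells a reader of the schema nothing about the real check. Since the privilege test now lives in the function body, state it here, for example "List the datastores the caller has PRIV_DATASTORE_AUDIT on", so that nobody later treats this handler as unrestricted or removes the filter as redundant.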
@@ -33,11 +34,18 @@ pub fn list_datastores(
let (config, digest) = datastore::config()?;
- let list = config.convert_to_typed_array("datastore")?;
+ let userid: Userid = rpcenv.get_user().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
- Ok(list)
+ let list:Vec<DataStoreConfig> = config.convert_to_typed_array("datastore")?;
+ let filter_by_privs = |store: &DataStoreConfig| {
+ let user_privs = user_info.lookup_privs(&userid, &["datastore", &store.name]);
+ (user_privs & PRIV_DATASTORE_AUDIT) != 0
+ };
+
+ Ok(list.into_iter().filter(filter_by_privs).collect())
}
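Review bot: `rpcenv.get_user().unwrap()` on the first added line panics if no user is set on the environment; with the declarative check relaxed to `Permission::Anybody`, the `filter_by_privs` closure is the only access control on this endpoint, so the missing-user case should be turned into an error instead of unwrapped. Separately, `rpcenv["digest"]` is still the digest of the whole config, so it changes when datastores hidden from the caller are modified; the commit message accepts this, but a short comment next to that line would record that it is deliberate. Minor style point: `let list:Vec<DataStoreConfig>` is missing the space after the colon.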
--
2.20.1
* [pbs-devel] applied: [PATCH proxmox-backup] fix #3014: allow DataStoreAdmins to list DS config
2020-09-18 9:45 [pbs-devel] [PATCH proxmox-backup] fix #3014: allow DataStoreAdmins to list DS config Fabian Grünbichler
@ 2020-09-18 10:08 ` Dietmar Maurer
From: Dietmar Maurer @ 2020-09-18 10:08 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Fabian Grünbichler
applied