From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH v5 proxmox-backup 17/31] api: config: extend modify access check by sync direction
Date: Fri, 25 Oct 2024 12:17:20 +0200
Message-ID: <1729851395.wkxyk3ock5.astroid@yuna.none>
In-Reply-To: <20241018084242.144010-18-c.ebner@proxmox.com>
On October 18, 2024 10:42 am, Christian Ebner wrote:
> Add the sync direction as additional parameter for the priv helper to
> check for the required permissions in pull and push direction.
>
> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
> ---
> changes since version 4:
> - no changes
>
> changes since version 3:
> - not present in previous version
>
> src/api2/admin/sync.rs | 4 +-
> src/api2/config/sync.rs | 136 +++++++++++++++++++++++++++++-----------
> 2 files changed, 100 insertions(+), 40 deletions(-)
>
> diff --git a/src/api2/admin/sync.rs b/src/api2/admin/sync.rs
> index 7a4e38942..f2c0f0e85 100644
> --- a/src/api2/admin/sync.rs
> +++ b/src/api2/admin/sync.rs
> @@ -122,8 +122,8 @@ pub fn run_sync_job(
> let sync_direction = sync_direction.unwrap_or_default();
> let sync_job: SyncJobConfig = config.lookup(sync_direction.as_config_type_str(), &id)?;
>
> - if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) {
> - bail!("permission check failed");
> + if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job, sync_direction) {
> + bail!("permission check failed, '{auth_id}' is missing access");
> }
>
> let job = Job::new("syncjob", &id)?;
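Review bot: the new bail! message in run_sync_job says "'{auth_id}' is missing access" without saying access to what. check_sync_job_modify_access returns only a bool, so the caller cannot tell which privilege or ACL path failed. Consider adding the job id and the sync direction to the message, or having the helper return a Result that names the failed check, so an operator can tell a missing local datastore privilege from a missing remote one.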
> diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
> index e0d96afe5..cffcf429f 100644
> --- a/src/api2/config/sync.rs
> +++ b/src/api2/config/sync.rs
> @@ -9,8 +9,9 @@ use proxmox_schema::{api, param_bail};
>
> use pbs_api_types::{
> Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
> - PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT,
> - PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
> + PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ,
> + PRIV_REMOTE_AUDIT, PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_MODIFY,
> + PRIV_REMOTE_DATASTORE_PRUNE, PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
> };
> use pbs_config::sync;
>
> @@ -63,36 +64,77 @@ fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool {
> }
> }
>
> -/// checks whether user can run the corresponding pull job
> +/// checks whether user can run the corresponding sync job, depending on sync direction
> ///
> -/// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly.
> +/// namespace creation/deletion ACL and backup group ownership checks happen in the pull/push code
> +/// directly.
> /// remote side checks/filters remote datastore/namespace/group access.
> pub fn check_sync_job_modify_access(
> user_info: &CachedUserInfo,
> auth_id: &Authid,
> job: &SyncJobConfig,
> + sync_direction: SyncDirection,
> ) -> bool {
> - let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> - if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
> - return false;
> - }
> + match sync_direction {
> + SyncDirection::Pull => {
> + let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> + if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0
> + || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0
> + {
> + return false;
> + }
> +
> + if let Some(true) = job.remove_vanished {
> + if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
> + return false;
> + }
> + }
> +
> + // same permission as changing ownership after syncing
> + if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
> + return false;
> + }
>
> - if let Some(true) = job.remove_vanished {
> - if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
> - return false;
> + if let Some(remote) = &job.remote {
> + let remote_privs =
> + user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
> + return remote_privs & PRIV_REMOTE_READ != 0;
> + }
> + true
> }
> - }
> + SyncDirection::Push => {
> + // Remote must always be present for sync in push direction, fail otherwise
> + let target_privs = if let Some(target_acl_path) = job.remote_acl_path() {
> + user_info.lookup_privs(auth_id, &target_acl_path)
> + } else {
> + return false;
> + };
>
> - // same permission as changing ownership after syncing
> - if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
> - return false;
> - }
> + // check user is allowed to create backups on remote datastore
> + if target_privs & PRIV_REMOTE_DATASTORE_BACKUP == 0 {
> + return false;
> + }
>
> - if let Some(remote) = &job.remote {
> - let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
> - return remote_privs & PRIV_REMOTE_READ != 0;
> + if let Some(true) = job.remove_vanished {
> + // check user is allowed to prune backup snapshots on remote datastore
> + if target_privs & PRIV_REMOTE_DATASTORE_PRUNE == 0 {
> + return false;
> + }
> + }
> +
> + // check user is not the owner of the sync job, but has remote datastore modify permissions
> + if !is_correct_owner(auth_id, job) && target_privs & PRIV_REMOTE_DATASTORE_MODIFY == 0 {
> + return false;
> + }
> +
> + // check user is allowed to read from (local) source datastore/namespace
> + let source_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> + if source_privs & PRIV_DATASTORE_AUDIT == 0 {
> + return false;
> + }
> + source_privs & PRIV_DATASTORE_READ != 0
wouldn't PRIV_DATASTORE_BACKUP be enough here? the user doesn't need to
be able to read the whole datastore, just their own backups? of course,
READ implies BACKUP, so you could check for either here..
> + }
> }
> - true
> }
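Review bot: in the SyncDirection::Push arm, the comment "check user is not the owner of the sync job, but has remote datastore modify permissions" reads as the opposite of what the condition enforces. The check rejects a caller who is not the owner and lacks PRIV_REMOTE_DATASTORE_MODIFY. Reword it to say that the user must either be the job owner or hold modify permission on the remote datastore, in line with the comment on the equivalent check in the Pull arm. Separately, the early "return false" when job.remote_acl_path() yields None looks the same to the caller as a missing privilege, so a push job without a remote is reported as "permission check failed"; a distinct error for that case would make misconfigured jobs easier to diagnose.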