public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Christian Ebner <c.ebner@proxmox.com>, pbs-devel@lists.proxmox.com
Subject: Re: [pbs-devel] [PATCH v6 proxmox-backup 19/29] api: sync jobs: expose optional `sync-direction` parameter
Date: Wed, 06 Nov 2024 16:20:35 +0100	[thread overview]
Message-ID: <173090643519.79072.2923413753129715762@yuna.proxmox.com> (raw)
In-Reply-To: <20241031121519.434337-20-c.ebner@proxmox.com>

Quoting Christian Ebner (2024-10-31 13:15:09)
> Exposes and switch the config type for sync job operations based
> on the `sync-direction` parameter, exposed on required api endpoints.
> 
> If not set, the default config type is `sync` and the default sync
> direction is `pull` for full backwards compatibility. Whenever
> possible, deterimne the sync direction and config type from the sync

typo "determine"

> job config directly rather than requiring it as optional api
> parameter.
> 
> Further, extend read and modify access checks by sync direction to
> conditionally check for the required permissions in pull and push
> direction.
> 
> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
> ---
> changes since version 5:
> - Squashed permission check patches into this one, as they make not much
>   sense without this
> - Only expose optional sync-direction parameter for api endpoints which
>   require them, use the job config to determine sync-direction and/or
>   config-type otherwise.
> 
>  src/api2/admin/sync.rs               |  34 ++--
>  src/api2/config/datastore.rs         |  11 +-
>  src/api2/config/notifications/mod.rs |  19 +-
>  src/api2/config/sync.rs              | 280 ++++++++++++++++++++-------
>  src/bin/proxmox-backup-proxy.rs      |  11 +-
>  5 files changed, 261 insertions(+), 94 deletions(-)
> 
> diff --git a/src/api2/admin/sync.rs b/src/api2/admin/sync.rs
> index be324564c..8a242b1c3 100644
> --- a/src/api2/admin/sync.rs
> +++ b/src/api2/admin/sync.rs
> @@ -1,6 +1,7 @@
>  //! Datastore Synchronization Job Management
>  
>  use anyhow::{bail, format_err, Error};
> +use serde::Deserialize;
>  use serde_json::Value;
>  
>  use proxmox_router::{
> @@ -29,6 +30,10 @@ use crate::{
>                  schema: DATASTORE_SCHEMA,
>                  optional: true,
>              },
> +            "sync-direction": {
> +                type: SyncDirection,
> +                optional: true,
> +            },
>          },
>      },
>      returns: {
> @@ -44,6 +49,7 @@ use crate::{
>  /// List all sync jobs
>  pub fn list_sync_jobs(
>      store: Option<String>,
> +    sync_direction: Option<SyncDirection>,
>      _param: Value,
>      rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<Vec<SyncJobStatus>, Error> {
> @@ -52,8 +58,9 @@ pub fn list_sync_jobs(
>  
>      let (config, digest) = sync::config()?;
>  
> +    let sync_direction = sync_direction.unwrap_or_default();
>      let job_config_iter = config
> -        .convert_to_typed_array("sync")?
> +        .convert_to_typed_array(sync_direction.as_config_type_str())?
>          .into_iter()
>          .filter(|job: &SyncJobConfig| {
>              if let Some(store) = &store {
> @@ -62,7 +69,9 @@ pub fn list_sync_jobs(
>                  true
>              }
>          })
> -        .filter(|job: &SyncJobConfig| check_sync_job_read_access(&user_info, &auth_id, job));
> +        .filter(|job: &SyncJobConfig| {
> +            check_sync_job_read_access(&user_info, &auth_id, job, sync_direction)
> +        });
>  
>      let mut list = Vec::new();
>  
> @@ -106,24 +115,23 @@ pub fn run_sync_job(
>      let user_info = CachedUserInfo::new()?;
>  
>      let (config, _digest) = sync::config()?;
> -    let sync_job: SyncJobConfig = config.lookup("sync", &id)?;
> +    let (config_type, config_section) = config
> +        .sections
> +        .get(&id)
> +        .ok_or_else(|| format_err!("No sync job with id '{id}' found in config"))?;
> +
> +    let sync_direction = SyncDirection::from_config_type_str(config_type)?;
> +    let sync_job = SyncJobConfig::deserialize(config_section)?;
>  
> -    if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) {
> -        bail!("permission check failed");
> +    if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job, sync_direction) {
> +        bail!("permission check failed, '{auth_id}' is missing access");
>      }
>  
>      let job = Job::new("syncjob", &id)?;
>  
>      let to_stdout = rpcenv.env_type() == RpcEnvironmentType::CLI;
>  
> -    let upid_str = do_sync_job(
> -        job,
> -        sync_job,
> -        &auth_id,
> -        None,
> -        SyncDirection::Pull,
> -        to_stdout,
> -    )?;
> +    let upid_str = do_sync_job(job, sync_job, &auth_id, None, sync_direction, to_stdout)?;
>  
>      Ok(upid_str)
>  }
> diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs
> index ca6edf05a..c151eda10 100644
> --- a/src/api2/config/datastore.rs
> +++ b/src/api2/config/datastore.rs
> @@ -13,8 +13,9 @@ use proxmox_uuid::Uuid;
>  
>  use pbs_api_types::{
>      Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreNotify, DatastoreTuning, KeepOptions,
> -    MaintenanceMode, PruneJobConfig, PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE,
> -    PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA, UPID_SCHEMA,
> +    MaintenanceMode, PruneJobConfig, PruneJobOptions, SyncDirection, DATASTORE_SCHEMA,
> +    PRIV_DATASTORE_ALLOCATE, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY,
> +    PROXMOX_CONFIG_DIGEST_SCHEMA, UPID_SCHEMA,
>  };
>  use pbs_config::BackupLockGuard;
>  use pbs_datastore::chunk_store::ChunkStore;
> @@ -498,8 +499,10 @@ pub async fn delete_datastore(
>          for job in list_verification_jobs(Some(name.clone()), Value::Null, rpcenv)? {
>              delete_verification_job(job.config.id, None, rpcenv)?
>          }
> -        for job in list_sync_jobs(Some(name.clone()), Value::Null, rpcenv)? {
> -            delete_sync_job(job.config.id, None, rpcenv)?
> +        for direction in [SyncDirection::Pull, SyncDirection::Push] {
> +            for job in list_sync_jobs(Some(name.clone()), Some(direction), Value::Null, rpcenv)? {
> +                delete_sync_job(job.config.id, None, rpcenv)?
> +            }
>          }
>          for job in list_prune_jobs(Some(name.clone()), Value::Null, rpcenv)? {
>              delete_prune_job(job.config.id, None, rpcenv)?
> diff --git a/src/api2/config/notifications/mod.rs b/src/api2/config/notifications/mod.rs
> index dfe82ed03..31c4851c1 100644
> --- a/src/api2/config/notifications/mod.rs
> +++ b/src/api2/config/notifications/mod.rs
> @@ -9,7 +9,7 @@ use proxmox_schema::api;
>  use proxmox_sortable_macro::sortable;
>  
>  use crate::api2::admin::datastore::get_datastore_list;
> -use pbs_api_types::PRIV_SYS_AUDIT;
> +use pbs_api_types::{SyncDirection, PRIV_SYS_AUDIT};
>  
>  use crate::api2::admin::prune::list_prune_jobs;
>  use crate::api2::admin::sync::list_sync_jobs;
> @@ -154,13 +154,15 @@ pub fn get_values(
>          });
>      }
>  
> -    let sync_jobs = list_sync_jobs(None, param.clone(), rpcenv)?;
> -    for job in sync_jobs {
> -        values.push(MatchableValue {
> -            field: "job-id".into(),
> -            value: job.config.id,
> -            comment: job.config.comment,
> -        });
> +    for direction in [SyncDirection::Pull, SyncDirection::Push] {
> +        let sync_jobs = list_sync_jobs(None, Some(direction), param.clone(), rpcenv)?;
> +        for job in sync_jobs {
> +            values.push(MatchableValue {
> +                field: "job-id".into(),
> +                value: job.config.id,
> +                comment: job.config.comment,
> +            });
> +        }
>      }
>  
>      let verify_jobs = list_verification_jobs(None, param.clone(), rpcenv)?;
> @@ -184,6 +186,7 @@ pub fn get_values(
>          "package-updates",
>          "prune",
>          "sync",
> +        "sync-push",
>          "system-mail",
>          "tape-backup",
>          "tape-load",
> diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
> index 3963049e9..2f32aaccb 100644
> --- a/src/api2/config/sync.rs
> +++ b/src/api2/config/sync.rs
> @@ -1,6 +1,7 @@
>  use ::serde::{Deserialize, Serialize};
>  use anyhow::{bail, Error};
>  use hex::FromHex;
> +use pbs_api_types::SyncDirection;
>  use serde_json::Value;
>  
>  use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
> @@ -8,8 +9,9 @@ use proxmox_schema::{api, param_bail};
>  
>  use pbs_api_types::{
>      Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
> -    PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT,
> -    PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
> +    PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ,
> +    PRIV_REMOTE_AUDIT, PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_MODIFY,
> +    PRIV_REMOTE_DATASTORE_PRUNE, PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
>  };
>  use pbs_config::sync;
>  
> @@ -20,18 +22,35 @@ pub fn check_sync_job_read_access(
>      user_info: &CachedUserInfo,
>      auth_id: &Authid,
>      job: &SyncJobConfig,
> +    sync_direction: SyncDirection,
>  ) -> bool {
> +    // check for audit access on datastore/namespace, applies for pull and push direction
>      let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
>      if ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
>          return false;
>      }
>  
> -    if let Some(remote) = &job.remote {
> -        let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote]);
> -        remote_privs & PRIV_REMOTE_AUDIT != 0
> -    } else {
> -        let source_ds_privs = user_info.lookup_privs(auth_id, &["datastore", &job.remote_store]);
> -        source_ds_privs & PRIV_DATASTORE_AUDIT != 0
> +    match sync_direction {
> +        SyncDirection::Pull => {
> +            if let Some(remote) = &job.remote {
> +                let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote]);
> +                remote_privs & PRIV_REMOTE_AUDIT != 0
> +            } else {
> +                let source_ds_privs =
> +                    user_info.lookup_privs(auth_id, &["datastore", &job.remote_store]);
> +                source_ds_privs & PRIV_DATASTORE_AUDIT != 0
> +            }
> +        }
> +        SyncDirection::Push => {
> +            // check for audit access on remote/datastore/namespace
> +            if let Some(target_acl_path) = job.remote_acl_path() {
> +                let remote_privs = user_info.lookup_privs(auth_id, &target_acl_path);
> +                remote_privs & PRIV_REMOTE_AUDIT != 0

the other two checks above check the source side, this checks the the target
side.. should we check both here?

> +            } else {
> +                // Remote must always be present for sync in push direction, fail otherwise
> +                false
> +            }
> +        }
>      }
>  }
>  
> @@ -43,41 +62,93 @@ fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool {
>      }
>  }
>  
> -/// checks whether user can run the corresponding pull job
> +/// checks whether user can run the corresponding sync job, depending on sync direction
>  ///
> -/// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly.
> +/// namespace creation/deletion ACL and backup group ownership checks happen in the pull/push code
> +/// directly.
>  /// remote side checks/filters remote datastore/namespace/group access.
>  pub fn check_sync_job_modify_access(
>      user_info: &CachedUserInfo,
>      auth_id: &Authid,
>      job: &SyncJobConfig,
> +    sync_direction: SyncDirection,
>  ) -> bool {
> -    let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> -    if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
> -        return false;
> -    }
> +    match sync_direction {
> +        SyncDirection::Pull => {
> +            let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> +            if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0
> +                || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0
> +            {
> +                return false;
> +            }
> +
> +            if let Some(true) = job.remove_vanished {
> +                if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
> +                    return false;
> +                }
> +            }
>  
> -    if let Some(true) = job.remove_vanished {
> -        if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
> -            return false;
> +            // same permission as changing ownership after syncing
> +            if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
> +                return false;
> +            }
> +
> +            if let Some(remote) = &job.remote {
> +                let remote_privs =
> +                    user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
> +                return remote_privs & PRIV_REMOTE_READ != 0;
> +            }
> +            true
>          }
> -    }
> +        SyncDirection::Push => {
> +            // Remote must always be present for sync in push direction, fail otherwise
> +            let target_privs = if let Some(target_acl_path) = job.remote_acl_path() {
> +                user_info.lookup_privs(auth_id, &target_acl_path)
> +            } else {
> +                return false;
> +            };
> +
> +            // check user is allowed to create backups on remote datastore
> +            if target_privs & PRIV_REMOTE_DATASTORE_BACKUP == 0 {
> +                return false;
> +            }
>  
> -    // same permission as changing ownership after syncing
> -    if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
> -        return false;
> -    }
> +            if let Some(true) = job.remove_vanished {
> +                // check user is allowed to prune backup snapshots on remote datastore
> +                if target_privs & PRIV_REMOTE_DATASTORE_PRUNE == 0 {
> +                    return false;
> +                }
> +            }
> +
> +            // check user is not the owner of the sync job, but has remote datastore modify permissions
> +            if !is_correct_owner(auth_id, job) && target_privs & PRIV_REMOTE_DATASTORE_MODIFY == 0 {
> +                return false;
> +            }

isn't this wrong? if I am modifying/running a sync job "owned" by somebody
else, then I need to have Datastore.Read or Datastore.Modify on the *local*
source datastore+namespace.. else I could use such a sync job to exfiltrate
backups I wouldn't otherwise have access to..

> +
> +            // check user is allowed to read from (local) source datastore/namespace
> +            let source_privs = user_info.lookup_privs(auth_id, &job.acl_path());
> +            if source_privs & PRIV_DATASTORE_AUDIT == 0 {
> +                return false;
> +            }
>  
> -    if let Some(remote) = &job.remote {
> -        let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
> -        return remote_privs & PRIV_REMOTE_READ != 0;
> +            // check for either datastore read or datastore backup access
> +            // (the later implying read access for owned snapshot groups)
> +            if source_privs & PRIV_DATASTORE_READ != 0 {
> +                return true;
> +            }
> +            source_privs & PRIV_DATASTORE_BACKUP != 0
> +        }
>      }
> -    true
>  }
>  
>  #[api(
>      input: {
> -        properties: {},
> +        properties: {
> +            "sync-direction": {
> +                type: SyncDirection,
> +                optional: true,
> +            },
> +        },
>      },
>      returns: {
>          description: "List configured jobs.",
> @@ -92,6 +163,7 @@ pub fn check_sync_job_modify_access(
>  /// List all sync jobs
>  pub fn list_sync_jobs(
>      _param: Value,
> +    sync_direction: Option<SyncDirection>,
>      rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<Vec<SyncJobConfig>, Error> {
>      let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
> @@ -99,13 +171,16 @@ pub fn list_sync_jobs(
>  
>      let (config, digest) = sync::config()?;
>  
> -    let list = config.convert_to_typed_array("sync")?;
> +    let sync_direction = sync_direction.unwrap_or_default();
> +    let list = config.convert_to_typed_array(sync_direction.as_config_type_str())?;
>  
>      rpcenv["digest"] = hex::encode(digest).into();
>  
>      let list = list
>          .into_iter()
> -        .filter(|sync_job| check_sync_job_read_access(&user_info, &auth_id, sync_job))
> +        .filter(|sync_job| {
> +            check_sync_job_read_access(&user_info, &auth_id, sync_job, sync_direction)
> +        })
>          .collect();
>      Ok(list)
>  }
> @@ -118,6 +193,10 @@ pub fn list_sync_jobs(
>                  type: SyncJobConfig,
>                  flatten: true,
>              },
> +            "sync-direction": {
> +                type: SyncDirection,
> +                optional: true,
> +            },
>          },
>      },
>      access: {
> @@ -128,14 +207,16 @@ pub fn list_sync_jobs(
>  /// Create a new sync job.
>  pub fn create_sync_job(
>      config: SyncJobConfig,
> +    sync_direction: Option<SyncDirection>,
>      rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<(), Error> {
>      let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
>      let user_info = CachedUserInfo::new()?;
> +    let sync_direction = sync_direction.unwrap_or_default();
>  
>      let _lock = sync::lock_config()?;
>  
> -    if !check_sync_job_modify_access(&user_info, &auth_id, &config) {
> +    if !check_sync_job_modify_access(&user_info, &auth_id, &config, sync_direction) {
>          bail!("permission check failed");
>      }
>  
> @@ -158,7 +239,7 @@ pub fn create_sync_job(
>          param_bail!("id", "job '{}' already exists.", config.id);
>      }
>  
> -    section_config.set_data(&config.id, "sync", &config)?;
> +    section_config.set_data(&config.id, sync_direction.as_config_type_str(), &config)?;
>  
>      sync::save_config(&section_config)?;
>  
> @@ -188,8 +269,17 @@ pub fn read_sync_job(id: String, rpcenv: &mut dyn RpcEnvironment) -> Result<Sync
>  
>      let (config, digest) = sync::config()?;
>  
> -    let sync_job = config.lookup("sync", &id)?;
> -    if !check_sync_job_read_access(&user_info, &auth_id, &sync_job) {
> +    let (sync_job, sync_direction) =
> +        if let Some((config_type, config_section)) = config.sections.get(&id) {
> +            (
> +                SyncJobConfig::deserialize(config_section)?,
> +                SyncDirection::from_config_type_str(config_type)?,
> +            )
> +        } else {
> +            http_bail!(NOT_FOUND, "job '{id}' does not exist.")
> +        };
> +
> +    if !check_sync_job_read_access(&user_info, &auth_id, &sync_job, sync_direction) {
>          bail!("permission check failed");
>      }
>  
> @@ -284,7 +374,15 @@ pub fn update_sync_job(
>          crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
>      }
>  
> -    let mut data: SyncJobConfig = config.lookup("sync", &id)?;
> +    let (mut data, sync_direction) =
> +        if let Some((config_type, config_section)) = config.sections.get(&id) {
> +            (
> +                SyncJobConfig::deserialize(config_section)?,
> +                SyncDirection::from_config_type_str(config_type)?,
> +            )
> +        } else {
> +            http_bail!(NOT_FOUND, "job '{id}' does not exist.")
> +        };
>  
>      if let Some(delete) = delete {
>          for delete_prop in delete {
> @@ -405,11 +503,11 @@ pub fn update_sync_job(
>          }
>      }
>  
> -    if !check_sync_job_modify_access(&user_info, &auth_id, &data) {
> +    if !check_sync_job_modify_access(&user_info, &auth_id, &data, sync_direction) {
>          bail!("permission check failed");
>      }
>  
> -    config.set_data(&id, "sync", &data)?;
> +    config.set_data(&id, sync_direction.as_config_type_str(), &data)?;
>  
>      sync::save_config(&config)?;
>  
> @@ -456,17 +554,16 @@ pub fn delete_sync_job(
>          crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
>      }
>  
> -    match config.lookup("sync", &id) {
> -        Ok(job) => {
> -            if !check_sync_job_modify_access(&user_info, &auth_id, &job) {
> -                bail!("permission check failed");
> -            }
> -            config.sections.remove(&id);
> -        }
> -        Err(_) => {
> -            http_bail!(NOT_FOUND, "job '{}' does not exist.", id)
> +    if let Some((config_type, config_section)) = config.sections.get(&id) {
> +        let sync_direction = SyncDirection::from_config_type_str(config_type)?;
> +        let job = SyncJobConfig::deserialize(config_section)?;
> +        if !check_sync_job_modify_access(&user_info, &auth_id, &job, sync_direction) {
> +            bail!("permission check failed");
>          }
> -    };
> +        config.sections.remove(&id);
> +    } else {
> +        http_bail!(NOT_FOUND, "job '{}' does not exist.", id)
> +    }
>  
>      sync::save_config(&config)?;
>  
> @@ -536,39 +633,67 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      };
>  
>      // should work without ACLs
> -    assert!(check_sync_job_read_access(&user_info, root_auth_id, &job));
> -    assert!(check_sync_job_modify_access(&user_info, root_auth_id, &job));
> +    assert!(check_sync_job_read_access(
> +        &user_info,
> +        root_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
> +    assert!(check_sync_job_modify_access(
> +        &user_info,
> +        root_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>  
>      // user without permissions must fail
>      assert!(!check_sync_job_read_access(
>          &user_info,
>          &no_perm_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &no_perm_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // reading without proper read permissions on either remote or local must fail
> -    assert!(!check_sync_job_read_access(&user_info, &read_auth_id, &job));
> +    assert!(!check_sync_job_read_access(
> +        &user_info,
> +        &read_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>  
>      // reading without proper read permissions on local end must fail
>      job.remote = Some("remote1".to_string());
> -    assert!(!check_sync_job_read_access(&user_info, &read_auth_id, &job));
> +    assert!(!check_sync_job_read_access(
> +        &user_info,
> +        &read_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>  
>      // reading without proper read permissions on remote end must fail
>      job.remote = Some("remote0".to_string());
>      job.store = "localstore1".to_string();
> -    assert!(!check_sync_job_read_access(&user_info, &read_auth_id, &job));
> +    assert!(!check_sync_job_read_access(
> +        &user_info,
> +        &read_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>  
>      // writing without proper write permissions on either end must fail
>      job.store = "localstore0".to_string();
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // writing without proper write permissions on local end must fail
> @@ -580,39 +705,54 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // reset remote to one where users have access
>      job.remote = Some("remote1".to_string());
>  
>      // user with read permission can only read, but not modify/run
> -    assert!(check_sync_job_read_access(&user_info, &read_auth_id, &job));
> +    assert!(check_sync_job_read_access(
> +        &user_info,
> +        &read_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>      job.owner = Some(read_auth_id.clone());
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &read_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>      job.owner = None;
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &read_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>      job.owner = Some(write_auth_id.clone());
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &read_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // user with simple write permission can modify/run
> -    assert!(check_sync_job_read_access(&user_info, &write_auth_id, &job));
> +    assert!(check_sync_job_read_access(
> +        &user_info,
> +        &write_auth_id,
> +        &job,
> +        SyncDirection::Pull,
> +    ));
>      assert!(check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // but can't modify/run with deletion
> @@ -620,7 +760,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // unless they have Datastore.Prune as well
> @@ -628,7 +769,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // changing owner is not possible
> @@ -636,7 +778,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // also not to the default 'root@pam'
> @@ -644,7 +787,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(!check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      // unless they have Datastore.Modify as well
> @@ -653,13 +797,15 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
>      assert!(check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>      job.owner = None;
>      assert!(check_sync_job_modify_access(
>          &user_info,
>          &write_auth_id,
> -        &job
> +        &job,
> +        SyncDirection::Pull,
>      ));
>  
>      Ok(())
> diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
> index 6f19a3fbd..70283510d 100644
> --- a/src/bin/proxmox-backup-proxy.rs
> +++ b/src/bin/proxmox-backup-proxy.rs
> @@ -589,7 +589,14 @@ async fn schedule_datastore_sync_jobs() {
>          Ok((config, _digest)) => config,
>      };
>  
> -    for (job_id, (_, job_config)) in config.sections {
> +    for (job_id, (job_type, job_config)) in config.sections {
> +        let sync_direction = match SyncDirection::from_config_type_str(&job_type) {
> +            Ok(direction) => direction,
> +            Err(err) => {
> +                eprintln!("unexpected config type in sync job config - {err}");
> +                continue;
> +            }
> +        };
>          let job_config: SyncJobConfig = match serde_json::from_value(job_config) {
>              Ok(c) => c,
>              Err(err) => {
> @@ -616,7 +623,7 @@ async fn schedule_datastore_sync_jobs() {
>                  job_config,
>                  &auth_id,
>                  Some(event_str),
> -                SyncDirection::Pull,
> +                sync_direction,
>                  false,
>              ) {
>                  eprintln!("unable to start datastore sync job {job_id} - {err}");
> -- 
> 2.39.5
> 
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
> 
>


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


  reply	other threads:[~2024-11-06 15:20 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-31 12:14 [pbs-devel] [PATCH v6 proxmox-backup 00/29] fix #3044: push datastore to remote target Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 01/29] client: backup writer: refactor backup and upload stats counters Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 02/29] client: backup writer: factor out merged chunk stream upload Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 03/29] client: backup writer: allow push uploading index and chunks Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 04/29] config: acl: refactor acl path component check for datastore Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 05/29] config: acl: allow namespace components for remote datastores Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 06/29] api types: add remote acl path method for `BackupNamespace` Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 07/29] api types: implement remote acl path method for sync job Christian Ebner
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 08/29] api types: define remote permissions and roles for push sync Christian Ebner
2024-11-06 11:58   ` Fabian Grünbichler
2024-10-31 12:14 ` [pbs-devel] [PATCH v6 proxmox-backup 09/29] datastore: move `BackupGroupDeleteStats` to api types Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 10/29] api types: implement api type for `BackupGroupDeleteStats` Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 11/29] datastore: increment deleted group counter when removing group Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 12/29] api/api-types: refactor api endpoint version, add api types Christian Ebner
2024-11-06 11:57   ` Fabian Grünbichler
2024-11-20 16:27     ` Thomas Lamprecht
2024-11-20 17:34       ` Christian Ebner
2024-11-21  9:23         ` Thomas Lamprecht
2024-11-21  9:38           ` Fabian Grünbichler
2024-11-21  9:58           ` Christian Ebner
2024-11-21 16:01             ` Thomas Lamprecht
2024-11-21 16:15               ` Christian Ebner
2024-11-22 12:42                 ` Thomas Lamprecht
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 13/29] fix #3044: server: implement push support for sync operations Christian Ebner
2024-11-06 11:57   ` Fabian Grünbichler
2024-11-07  9:27     ` Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 14/29] api types/config: add `sync-push` config type for push sync jobs Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 15/29] api: push: implement endpoint for sync in push direction Christian Ebner
2024-11-06 15:10   ` Fabian Grünbichler
2024-11-07  9:18     ` Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 16/29] api: sync: move sync job invocation to server sync module Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 17/29] api: config: Require PRIV_DATASTORE_AUDIT to modify sync job Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 18/29] api: config: factor out sync job owner check Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 19/29] api: sync jobs: expose optional `sync-direction` parameter Christian Ebner
2024-11-06 15:20   ` Fabian Grünbichler [this message]
2024-11-07  9:10     ` Christian Ebner
2024-11-07  9:40       ` Fabian Grünbichler
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 20/29] api: admin: avoid duplicate name for list sync jobs api method Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 21/29] bin: manager: add datastore push cli command Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 22/29] ui: group filter: allow to set namespace for local datastore Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 23/29] ui: sync edit: source group filters based on sync direction Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 24/29] ui: add view with separate grids for pull and push sync jobs Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 25/29] ui: sync job: adapt edit window to be used for pull and push Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 26/29] ui: sync view: set proxy on view instead of model Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 27/29] api: datastore/namespace: return backup groups delete stats on remove Christian Ebner
2024-11-21  9:27   ` Thomas Lamprecht
2024-11-21 10:00     ` Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 28/29] api: version: add 'prune-delete-stats' as supported feature Christian Ebner
2024-10-31 12:15 ` [pbs-devel] [PATCH v6 proxmox-backup 29/29] docs: add section for sync jobs in push direction Christian Ebner
2024-11-21 16:05   ` Maximiliano Sandoval
2024-11-11 15:46 ` [pbs-devel] [PATCH v6 proxmox-backup 00/29] fix #3044: push datastore to remote target Christian Ebner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=173090643519.79072.2923413753129715762@yuna.proxmox.com \
    --to=f.gruenbichler@proxmox.com \
    --cc=c.ebner@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal