From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 0E158646D3 for ; Fri, 30 Oct 2020 12:37:04 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0C0BF12FCD for ; Fri, 30 Oct 2020 12:37:04 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 83D5912FC2 for ; Fri, 30 Oct 2020 12:37:03 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5149645DEF for ; Fri, 30 Oct 2020 12:37:03 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Fri, 30 Oct 2020 12:36:40 +0100 Message-Id: <20201030113644.2044947-5-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201030113644.2044947-1-f.gruenbichler@proxmox.com> References: <20201030113644.2044947-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.027 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [verify.rs] Subject: [pbs-devel] [PATCH proxmox-backup 4/8] verify jobs: add permissions X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2020 11:37:04 -0000 equivalent to verifying a whole datastore, except for reading job (entries), which is accessible to regular Datastore.Audit/Backup users as well. Signed-off-by: Fabian Grünbichler --- Notes: modifying the config could also be guarded by Datastore.Modify, but I like the idea of scheduling an action and doing it now requiring the same permissions.. src/api2/config/verify.rs | 41 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/src/api2/config/verify.rs b/src/api2/config/verify.rs index 32d83d17..0c5a6460 100644 --- a/src/api2/config/verify.rs +++ b/src/api2/config/verify.rs @@ -2,10 +2,17 @@ use anyhow::{bail, Error}; use serde_json::Value; use ::serde::{Deserialize, Serialize}; -use proxmox::api::{api, Router, RpcEnvironment}; +use proxmox::api::{api, Permission, Router, RpcEnvironment}; use proxmox::tools::fs::open_file_locked; use crate::api2::types::*; + +use crate::config::acl::{ + PRIV_DATASTORE_AUDIT, + PRIV_DATASTORE_BACKUP, + PRIV_DATASTORE_VERIFY, +}; + use crate::config::verify::{self, VerificationJobConfig}; #[api( @@ -17,6 +24,12 @@ use crate::config::verify::{self, VerificationJobConfig}; type: Array, items: { type: verify::VerificationJobConfig }, }, + access: { + permission: &Permission::Privilege( + &["datastore", "{store}"], + PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY, + true), + }, )] /// List all verification jobs pub fn list_verification_jobs( @@ -61,7 +74,13 @@ pub fn list_verification_jobs( schema: VERIFICATION_SCHEDULE_SCHEMA, }, } - } + }, + access: { + permission: &Permission::Privilege( + &["datastore", "{store}"], + PRIV_DATASTORE_VERIFY, + true), + }, )] /// Create a new verification job. pub fn create_verification_job(param: Value) -> Result<(), Error> { @@ -97,6 +116,12 @@ pub fn create_verification_job(param: Value) -> Result<(), Error> { description: "The verification job configuration.", type: verify::VerificationJobConfig, }, + access: { + permission: &Permission::Privilege( + &["datastore", "{store}"], + PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY, + true), + }, )] /// Read a verification job configuration. pub fn read_verification_job( @@ -167,6 +192,12 @@ pub enum DeletableProperty { }, }, }, + access: { + permission: &Permission::Privilege( + &["datastore", "{store}"], + PRIV_DATASTORE_VERIFY, + true), + }, )] /// Update verification job config. pub fn update_verification_job( @@ -238,6 +269,12 @@ pub fn update_verification_job( }, }, }, + access: { + permission: &Permission::Privilege( + &["datastore", "{store}"], + PRIV_DATASTORE_VERIFY, + true), + }, )] /// Remove a verification job configuration pub fn delete_verification_job(id: String, digest: Option) -> Result<(), Error> { -- 2.20.1