From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH v4 proxmox 17/31] api: config: extend modify access check by sync direction
Date: Thu, 17 Oct 2024 15:27:02 +0200 [thread overview]
Message-ID: <20241017132716.385234-18-c.ebner@proxmox.com> (raw)
In-Reply-To: <20241017132716.385234-1-c.ebner@proxmox.com>
Add the sync direction as additional parameter for the priv helper to
check for the required permissions in pull and push direction.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 3:
- not present in previous version
src/api2/admin/sync.rs | 4 +-
src/api2/config/sync.rs | 136 +++++++++++++++++++++++++++++-----------
2 files changed, 100 insertions(+), 40 deletions(-)
diff --git a/src/api2/admin/sync.rs b/src/api2/admin/sync.rs
index 7a4e38942..f2c0f0e85 100644
--- a/src/api2/admin/sync.rs
+++ b/src/api2/admin/sync.rs
@@ -122,8 +122,8 @@ pub fn run_sync_job(
let sync_direction = sync_direction.unwrap_or_default();
let sync_job: SyncJobConfig = config.lookup(sync_direction.as_config_type_str(), &id)?;
- if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) {
- bail!("permission check failed");
+ if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job, sync_direction) {
+ bail!("permission check failed, '{auth_id}' is missing access");
}
let job = Job::new("syncjob", &id)?;
diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index e0d96afe5..cffcf429f 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -9,8 +9,9 @@ use proxmox_schema::{api, param_bail};
use pbs_api_types::{
Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
- PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT,
- PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
+ PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_DATASTORE_READ,
+ PRIV_REMOTE_AUDIT, PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_MODIFY,
+ PRIV_REMOTE_DATASTORE_PRUNE, PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA,
};
use pbs_config::sync;
@@ -63,36 +64,77 @@ fn is_correct_owner(auth_id: &Authid, job: &SyncJobConfig) -> bool {
}
}
-/// checks whether user can run the corresponding pull job
+/// checks whether user can run the corresponding sync job, depending on sync direction
///
-/// namespace creation/deletion ACL and backup group ownership checks happen in the pull code directly.
+/// namespace creation/deletion ACL and backup group ownership checks happen in the pull/push code
+/// directly.
/// remote side checks/filters remote datastore/namespace/group access.
pub fn check_sync_job_modify_access(
user_info: &CachedUserInfo,
auth_id: &Authid,
job: &SyncJobConfig,
+ sync_direction: SyncDirection,
) -> bool {
- let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
- if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
- return false;
- }
+ match sync_direction {
+ SyncDirection::Pull => {
+ let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.acl_path());
+ if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0
+ || ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0
+ {
+ return false;
+ }
+
+ if let Some(true) = job.remove_vanished {
+ if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
+ return false;
+ }
+ }
+
+ // same permission as changing ownership after syncing
+ if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
+ return false;
+ }
- if let Some(true) = job.remove_vanished {
- if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
- return false;
+ if let Some(remote) = &job.remote {
+ let remote_privs =
+ user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
+ return remote_privs & PRIV_REMOTE_READ != 0;
+ }
+ true
}
- }
+ SyncDirection::Push => {
+ // Remote must always be present for sync in push direction, fail otherwise
+ let target_privs = if let Some(target_acl_path) = job.remote_acl_path() {
+ user_info.lookup_privs(auth_id, &target_acl_path)
+ } else {
+ return false;
+ };
- // same permission as changing ownership after syncing
- if !is_correct_owner(auth_id, job) && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
- return false;
- }
+ // check user is allowed to create backups on remote datastore
+ if target_privs & PRIV_REMOTE_DATASTORE_BACKUP == 0 {
+ return false;
+ }
- if let Some(remote) = &job.remote {
- let remote_privs = user_info.lookup_privs(auth_id, &["remote", remote, &job.remote_store]);
- return remote_privs & PRIV_REMOTE_READ != 0;
+ if let Some(true) = job.remove_vanished {
+ // check user is allowed to prune backup snapshots on remote datastore
+ if target_privs & PRIV_REMOTE_DATASTORE_PRUNE == 0 {
+ return false;
+ }
+ }
+
+ // check user is not the owner of the sync job, but has remote datastore modify permissions
+ if !is_correct_owner(auth_id, job) && target_privs & PRIV_REMOTE_DATASTORE_MODIFY == 0 {
+ return false;
+ }
+
+ // check user is allowed to read from (local) source datastore/namespace
+ let source_privs = user_info.lookup_privs(auth_id, &job.acl_path());
+ if source_privs & PRIV_DATASTORE_AUDIT == 0 {
+ return false;
+ }
+ source_privs & PRIV_DATASTORE_READ != 0
+ }
}
- true
}
#[api(
@@ -166,10 +208,11 @@ pub fn create_sync_job(
) -> Result<(), Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?;
+ let sync_direction = sync_direction.unwrap_or_default();
let _lock = sync::lock_config()?;
- if !check_sync_job_modify_access(&user_info, &auth_id, &config) {
+ if !check_sync_job_modify_access(&user_info, &auth_id, &config, sync_direction) {
bail!("permission check failed");
}
@@ -192,7 +235,6 @@ pub fn create_sync_job(
param_bail!("id", "job '{}' already exists.", config.id);
}
- let sync_direction = sync_direction.unwrap_or_default();
section_config.set_data(&config.id, sync_direction.as_config_type_str(), &config)?;
sync::save_config(§ion_config)?;
@@ -455,7 +497,7 @@ pub fn update_sync_job(
}
}
- if !check_sync_job_modify_access(&user_info, &auth_id, &data) {
+ if !check_sync_job_modify_access(&user_info, &auth_id, &data, sync_direction) {
bail!("permission check failed");
}
@@ -514,7 +556,7 @@ pub fn delete_sync_job(
let sync_direction = sync_direction.unwrap_or_default();
match config.lookup(sync_direction.as_config_type_str(), &id) {
Ok(job) => {
- if !check_sync_job_modify_access(&user_info, &auth_id, &job) {
+ if !check_sync_job_modify_access(&user_info, &auth_id, &job, sync_direction) {
bail!("permission check failed");
}
config.sections.remove(&id);
@@ -598,7 +640,12 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
&job,
SyncDirection::Pull,
));
- assert!(check_sync_job_modify_access(&user_info, root_auth_id, &job));
+ assert!(check_sync_job_modify_access(
+ &user_info,
+ root_auth_id,
+ &job,
+ SyncDirection::Pull,
+ ));
// user without permissions must fail
assert!(!check_sync_job_read_access(
@@ -610,7 +657,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&no_perm_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// reading without proper read permissions on either remote or local must fail
@@ -645,7 +693,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// writing without proper write permissions on local end must fail
@@ -657,7 +706,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// reset remote to one where users have access
@@ -674,19 +724,22 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&read_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
job.owner = None;
assert!(!check_sync_job_modify_access(
&user_info,
&read_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
job.owner = Some(write_auth_id.clone());
assert!(!check_sync_job_modify_access(
&user_info,
&read_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// user with simple write permission can modify/run
@@ -699,7 +752,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// but can't modify/run with deletion
@@ -707,7 +761,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// unless they have Datastore.Prune as well
@@ -715,7 +770,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// changing owner is not possible
@@ -723,7 +779,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// also not to the default 'root@pam'
@@ -731,7 +788,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(!check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
// unless they have Datastore.Modify as well
@@ -740,13 +798,15 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
assert!(check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
job.owner = None;
assert!(check_sync_job_modify_access(
&user_info,
&write_auth_id,
- &job
+ &job,
+ SyncDirection::Pull,
));
Ok(())
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2024-10-17 13:27 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-17 13:26 [pbs-devel] [PATCH v4 proxmox 00/31] fix #3044: push datastore to remote target Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 01/31] client: backup writer: refactor backup and upload stats counters Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 02/31] client: backup writer: factor out merged chunk stream upload Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 03/31] client: backup writer: allow push uploading index and chunks Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 04/31] config: acl: refactor acl path component check for datastore Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 05/31] config: acl: allow namespace components for remote datastores Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 06/31] api types: implement remote acl path method for sync job Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 07/31] api types: define remote permissions and roles for push sync Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 08/31] fix #3044: server: implement push support for sync operations Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 09/31] api types/config: add `sync-push` config type for push sync jobs Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 10/31] api: push: implement endpoint for sync in push direction Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 11/31] api: sync: move sync job invocation to server sync module Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 12/31] api: sync jobs: expose optional `sync-direction` parameter Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 13/31] api: admin: avoid duplicate name for list sync jobs api method Christian Ebner
2024-10-17 13:26 ` [pbs-devel] [PATCH v4 proxmox 14/31] api: config: Require PRIV_DATASTORE_AUDIT to modify sync job Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 15/31] api: config: factor out sync job owner check Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 16/31] api: config: extend read access check by sync direction Christian Ebner
2024-10-17 13:27 ` Christian Ebner [this message]
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 18/31] bin: manager: add datastore push cli command Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 19/31] ui: group filter: allow to set namespace for local datastore Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 20/31] ui: sync edit: source group filters based on sync direction Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 21/31] ui: add view with separate grids for pull and push sync jobs Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 22/31] ui: sync job: adapt edit window to be used for pull and push Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 23/31] ui: sync: pass sync-direction to allow removing push jobs Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 24/31] ui: sync view: do not use data model proxy for store Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 25/31] ui: sync view: set sync direction when invoking run task via api Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 26/31] datastore: move `BackupGroupDeleteStats` to api types Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 27/31] api types: implement api type for `BackupGroupDeleteStats` Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 28/31] api/api-types: refactor api endpoint version, add api types Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 29/31] datastore: increment deleted group counter when removing group Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 30/31] api: datastore/namespace: return backup groups delete stats on remove Christian Ebner
2024-10-17 13:27 ` [pbs-devel] [PATCH v4 proxmox 31/31] server: sync job: use delete stats provided by the api Christian Ebner
2024-10-18 6:55 ` [pbs-devel] [PATCH v4 proxmox 00/31] fix #3044: push datastore to remote target Christian Ebner
2024-10-18 8:44 ` Christian Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241017132716.385234-18-c.ebner@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox