From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id CAE221FF173 for ; Mon, 11 Nov 2024 16:44:17 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D9BC8FD6D; Mon, 11 Nov 2024 16:44:15 +0100 (CET) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Mon, 11 Nov 2024 16:43:39 +0100 Message-Id: <20241111154353.482734-18-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241111154353.482734-1-c.ebner@proxmox.com> References: <20241111154353.482734-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.032 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH v7 proxmox-backup 17/31] api: push: implement endpoint for sync in push direction X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Expose the sync job in push direction via a dedicated API endpoint, analogous to the pull direction. Signed-off-by: Christian Ebner --- changes since version 6: - Allow access on Datastore.Read or Datastore.Backup - take remote namespace uncoditionally - use acl_path helper src/api2/mod.rs | 2 + src/api2/push.rs | 175 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 src/api2/push.rs diff --git a/src/api2/mod.rs b/src/api2/mod.rs index a83e4c205..03596326b 100644 --- a/src/api2/mod.rs +++ b/src/api2/mod.rs @@ -12,6 +12,7 @@ pub mod helpers; pub mod node; pub mod ping; pub mod pull; +pub mod push; pub mod reader; pub mod status; pub mod tape; @@ -29,6 +30,7 @@ const SUBDIRS: SubdirMap = &sorted!([ ("nodes", &node::ROUTER), ("ping", &ping::ROUTER), ("pull", &pull::ROUTER), + ("push", &push::ROUTER), ("reader", &reader::ROUTER), ("status", &status::ROUTER), ("tape", &tape::ROUTER), diff --git a/src/api2/push.rs b/src/api2/push.rs new file mode 100644 index 000000000..bf846bb37 --- /dev/null +++ b/src/api2/push.rs @@ -0,0 +1,175 @@ +use anyhow::{format_err, Error}; +use futures::{future::FutureExt, select}; + +use pbs_api_types::{ + Authid, BackupNamespace, GroupFilter, RateLimitConfig, DATASTORE_SCHEMA, + GROUP_FILTER_LIST_SCHEMA, NS_MAX_DEPTH_REDUCED_SCHEMA, PRIV_DATASTORE_BACKUP, + PRIV_DATASTORE_READ, PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_PRUNE, + REMOTE_ID_SCHEMA, REMOVE_VANISHED_BACKUPS_SCHEMA, TRANSFER_LAST_SCHEMA, +}; +use proxmox_rest_server::WorkerTask; +use proxmox_router::{Permission, Router, RpcEnvironment}; +use proxmox_schema::api; + +use pbs_config::CachedUserInfo; + +use crate::server::push::{push_store, PushParameters}; + +/// Check if the provided user is allowed to read from the local source and act on the remote +/// target for pushing content +fn check_push_privs( + auth_id: &Authid, + store: &str, + namespace: &BackupNamespace, + remote: &str, + remote_store: &str, + remote_ns: &BackupNamespace, + delete: bool, +) -> Result<(), Error> { + let user_info = CachedUserInfo::new()?; + + let target_acl_path = remote_ns.remote_acl_path(remote, remote_store); + + // Check user is allowed to backup to remote/// + user_info.check_privs( + auth_id, + &target_acl_path, + PRIV_REMOTE_DATASTORE_BACKUP, + false, + )?; + + if delete { + // Check user is allowed to prune remote datastore + user_info.check_privs( + auth_id, + &target_acl_path, + PRIV_REMOTE_DATASTORE_PRUNE, + false, + )?; + } + + // Check user is allowed to read source datastore + user_info.check_privs( + auth_id, + &namespace.acl_path(store), + PRIV_DATASTORE_READ | PRIV_DATASTORE_BACKUP, + true, + )?; + + Ok(()) +} + +#[api( + input: { + properties: { + store: { + schema: DATASTORE_SCHEMA, + }, + ns: { + type: BackupNamespace, + optional: true, + }, + remote: { + schema: REMOTE_ID_SCHEMA, + }, + "remote-store": { + schema: DATASTORE_SCHEMA, + }, + "remote-ns": { + type: BackupNamespace, + optional: true, + }, + "remove-vanished": { + schema: REMOVE_VANISHED_BACKUPS_SCHEMA, + optional: true, + }, + "max-depth": { + schema: NS_MAX_DEPTH_REDUCED_SCHEMA, + optional: true, + }, + "group-filter": { + schema: GROUP_FILTER_LIST_SCHEMA, + optional: true, + }, + limit: { + type: RateLimitConfig, + flatten: true, + }, + "transfer-last": { + schema: TRANSFER_LAST_SCHEMA, + optional: true, + }, + }, + }, + access: { + description: r###"The user needs (at least) Remote.DatastoreBackup on ". + "'/remote/{remote}/{remote-store}[/{remote-ns}]', and either Datastore.Backup or ". + "Datastore.Read on '/datastore/{store}[/{ns}]'. The 'remove-vanished' parameter might ". + "require additional privileges."###, + permission: &Permission::Anybody, + }, +)] +/// Push store to other repository +#[allow(clippy::too_many_arguments)] +async fn push( + store: String, + ns: Option, + remote: String, + remote_store: String, + remote_ns: Option, + remove_vanished: Option, + max_depth: Option, + group_filter: Option>, + limit: RateLimitConfig, + transfer_last: Option, + rpcenv: &mut dyn RpcEnvironment, +) -> Result { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let delete = remove_vanished.unwrap_or(false); + let ns = ns.unwrap_or_default(); + let remote_ns = remote_ns.unwrap_or_default(); + + check_push_privs( + &auth_id, + &store, + &ns, + &remote, + &remote_store, + &remote_ns, + delete, + )?; + + let push_params = PushParameters::new( + &store, + ns, + &remote, + &remote_store, + remote_ns, + auth_id.clone(), + remove_vanished, + max_depth, + group_filter, + limit, + transfer_last, + ) + .await?; + + let upid_str = WorkerTask::spawn( + "sync", + Some(store.clone()), + auth_id.to_string(), + true, + move |worker| async move { + let push_future = push_store(push_params); + (select! { + success = push_future.fuse() => success, + abort = worker.abort_future().map(|_| Err(format_err!("push aborted"))) => abort, + })?; + Ok(()) + }, + )?; + + Ok(upid_str) +} + +pub const ROUTER: Router = Router::new().post(&API_METHOD_PUSH); -- 2.39.5 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel