* [pve-devel] [PATCH manager 1/6] api: vzdump: soften parameter permission checks
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2022-11-21 14:58 ` [pve-devel] applied: " Thomas Lamprecht
2022-11-16 14:04 ` [pve-devel] [PATCH manager 2/6] api: backup: update: turn delete into a hash Fiona Ebner
` (6 subsequent siblings)
7 siblings, 1 reply; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
Allows sufficiently privileged users to pass-in retention and
performance parameters for manual backup, but keeps tmpdir, dumpdir
and script root-only. Such users could already edit the job
accordingly, so essentially not granting anything new.
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 15 ++++++++++-----
PVE/API2/VZDump.pm | 25 ++++++++++++++++++-------
2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 3a079874..6aef5bb7 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -40,14 +40,19 @@ my $vzdump_job_id_prop = {
maxLength => 50
};
-my $assert_param_permission = sub {
- my ($param, $user) = @_;
+# NOTE: also used by the vzdump API call.
+sub assert_param_permission_common {
+ my ($rpcenv, $user, $param) = @_;
return if $user eq 'root@pam'; # always OK
for my $key (qw(tmpdir dumpdir script)) {
raise_param_exc({ $key => "Only root may set this option."}) if exists $param->{$key};
}
-};
+
+ if (defined($param->{bwlimit}) || defined($param->{ionice}) || defined($param->{performance})) {
+ $rpcenv->check($user, "/", [ 'Sys.Modify' ]);
+ }
+}
my $convert_to_schedule = sub {
my ($job) = @_;
@@ -207,7 +212,7 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- $assert_param_permission->($param, $user);
+ assert_param_permission_common($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
@@ -419,7 +424,7 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- $assert_param_permission->($param, $user);
+ assert_param_permission_common($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 30d47825..8e873c05 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -14,12 +14,25 @@ use PVE::Tools qw(extract_param);
use PVE::VZDump::Common;
use PVE::VZDump;
+use PVE::API2::Backup;
use PVE::API2Tools;
use Data::Dumper; # fixme: remove
use base qw(PVE::RESTHandler);
+my sub assert_param_permission_vzdump {
+ my ($rpcenv, $user, $param) = @_;
+ return if $user eq 'root@pam'; # always OK
+
+ PVE::API2::Backup::assert_param_permission_common($rpcenv, $user, $param);
+
+ if (!$param->{dumpdir} && (defined($param->{maxfiles}) || defined($param->{'prune-backups'}))) {
+ my $storeid = $param->{storage} || 'local';
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ } # no else branch, because dumpdir is root-only
+}
+
__PACKAGE__->register_method ({
name => 'vzdump',
path => '',
@@ -27,9 +40,10 @@ __PACKAGE__->register_method ({
description => "Create backup.",
permissions => {
description => "The user needs 'VM.Backup' permissions on any VM, and "
- ."'Datastore.AllocateSpace' on the backup storage. The 'maxfiles', 'prune-backups', "
- ."'tmpdir', 'dumpdir', 'script', 'bwlimit', 'performance' and 'ionice' parameters are "
- ."restricted to the 'root\@pam' user.",
+ ."'Datastore.AllocateSpace' on the backup storage. The 'tmpdir', 'dumpdir' and "
+ ."'script' parameters are restricted to the 'root\@pam' user. The 'maxfiles' and "
+ ."'prune-backups' settings require 'Datastore.Allocate' on the backup storage. The "
+ ."'bwlimit', 'performance' and 'ionice' parameters require 'Sys.Modify' on '/'.",
user => 'all',
},
protected => 1,
@@ -62,10 +76,7 @@ __PACKAGE__->register_method ({
if $param->{stdout};
}
- for my $key (qw(maxfiles prune-backups tmpdir dumpdir script bwlimit performance ionice)) {
- raise_param_exc({ $key => "Only root may set this option."})
- if defined($param->{$key}) && ($user ne 'root@pam');
- }
+ assert_param_permission_vzdump($rpcenv, $user, $param);
PVE::VZDump::verify_vzdump_parameters($param, 1);
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] applied: [PATCH manager 1/6] api: vzdump: soften parameter permission checks
2022-11-16 14:04 ` [pve-devel] [PATCH manager 1/6] api: vzdump: soften parameter permission checks Fiona Ebner
@ 2022-11-21 14:58 ` Thomas Lamprecht
0 siblings, 0 replies; 11+ messages in thread
From: Thomas Lamprecht @ 2022-11-21 14:58 UTC (permalink / raw)
To: Proxmox VE development discussion, Fiona Ebner
Am 16/11/2022 um 15:04 schrieb Fiona Ebner:
> Allows sufficiently privileged users to pass-in retention and
> performance parameters for manual backup, but keeps tmpdir, dumpdir
> and script root-only. Such users could already edit the job
> accordingly, so essentially not granting anything new.
>
> Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
> PVE/API2/Backup.pm | 15 ++++++++++-----
> PVE/API2/VZDump.pm | 25 ++++++++++++++++++-------
> 2 files changed, 28 insertions(+), 12 deletions(-)
>
>
almost forgot: as talked off-list: applied this one for now as its relatively
nonintrusive and fixes the annoying "can edit job but cannot press run-no" issue,
thanks!
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] [PATCH manager 2/6] api: backup: update: turn delete into a hash
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 1/6] api: vzdump: soften parameter permission checks Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 3/6] api: backup: update: allow only deleting Fiona Ebner
` (5 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
makes it easier to check for keys in the following patches.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 6aef5bb7..1d3d6896 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -435,9 +435,7 @@ __PACKAGE__->register_method({
my $id = extract_param($param, 'id');
my $delete = extract_param($param, 'delete');
- if ($delete) {
- $delete = [PVE::Tools::split_list($delete)];
- }
+ $delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
my $update_job = sub {
my $data = cfs_read_file('vzdump.cron');
@@ -472,7 +470,7 @@ __PACKAGE__->register_method({
'repeat-missed' => 1,
};
- foreach my $k (@$delete) {
+ for my $k (keys $delete->%*) {
if (!PVE::VZDump::option_exists($k) && !$deletable->{$k}) {
raise_param_exc({ delete => "unknown option '$k'" });
}
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] [PATCH manager 3/6] api: backup: update: allow only deleting
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 1/6] api: vzdump: soften parameter permission checks Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 2/6] api: backup: update: turn delete into a hash Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 4/6] api: backup: update: check permissions of delete params too Fiona Ebner
` (4 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
Previously, it was required to set something at the same time.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 1d3d6896..c0800bac 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -443,7 +443,7 @@ __PACKAGE__->register_method({
my $jobs = $data->{jobs} || [];
- die "no options specified\n" if !scalar(keys %$param);
+ die "no options specified\n" if !scalar(keys $param->%*) && !scalar(keys $delete->%*);
PVE::VZDump::verify_vzdump_parameters($param);
my $opts = PVE::VZDump::JobBase->check_config($id, $param, 0, 1);
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] [PATCH manager 4/6] api: backup: update: check permissions of delete params too
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
` (2 preceding siblings ...)
2022-11-16 14:04 ` [pve-devel] [PATCH manager 3/6] api: backup: update: allow only deleting Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 5/6] api: backup: require Datastore.Allocate on storage Fiona Ebner
` (3 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index c0800bac..684a078e 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -54,6 +54,14 @@ sub assert_param_permission_common {
}
}
+my sub assert_param_permission_update {
+ my ($rpcenv, $user, $update, $delete) = @_;
+ return if $user eq 'root@pam'; # always OK
+
+ assert_param_permission_common($rpcenv, $user, $update);
+ assert_param_permission_common($rpcenv, $user, $delete);
+}
+
my $convert_to_schedule = sub {
my ($job) = @_;
@@ -424,8 +432,6 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- assert_param_permission_common($rpcenv, $user, $param);
-
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
$rpcenv->check($user, "/pool/$pool", ['VM.Backup']);
@@ -437,6 +443,8 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
+ assert_param_permission_update($rpcenv, $user, $param, $delete);
+
my $update_job = sub {
my $data = cfs_read_file('vzdump.cron');
my $jobs_data = cfs_read_file('jobs.cfg');
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] [PATCH manager 5/6] api: backup: require Datastore.Allocate on storage
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
` (3 preceding siblings ...)
2022-11-16 14:04 ` [pve-devel] [PATCH manager 4/6] api: backup: update: check permissions of delete params too Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2022-11-16 14:04 ` [pve-devel] [PATCH manager 6/6] api: backup/vzdump: add get_storage_param helper Fiona Ebner
` (2 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
In particular this ensures that the user is allowed to remove data on
the storage, because configuring low retention results in removed
older backups. Of course setting the storage itself also needs to
require the same privilege then.
This is a breaking API change, but it seems sensible to require
permissions on the affected storage too.
Jobs with a dumpdir setting can be configured by root only.
Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
Not sure about the dumpdir jobs, should those rather require
Sys.Modify on /? The dumpdir setting itself is still root-only.
PVE/API2/Backup.pm | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 684a078e..74bf95ca 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -54,12 +54,39 @@ sub assert_param_permission_common {
}
}
+my sub assert_param_permission_create {
+ my ($rpcenv, $user, $param) = @_;
+ return if $user eq 'root@pam'; # always OK
+
+ assert_param_permission_common($rpcenv, $user, $param);
+
+ if (!$param->{dumpdir}) {
+ my $storeid = $param->{storage} || 'local';
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ } # no else branch, because dumpdir is root-only
+}
+
my sub assert_param_permission_update {
- my ($rpcenv, $user, $update, $delete) = @_;
+ my ($rpcenv, $user, $update, $delete, $current) = @_;
return if $user eq 'root@pam'; # always OK
assert_param_permission_common($rpcenv, $user, $update);
assert_param_permission_common($rpcenv, $user, $delete);
+
+ if ($update->{storage}) {
+ $rpcenv->check($user, "/storage/$update->{storage}", [ 'Datastore.Allocate' ])
+ } elsif ($delete->{storage}) {
+ $rpcenv->check($user, "/storage/local", [ 'Datastore.Allocate' ]);
+ }
+
+ return if !$current; # early check done
+
+ if ($current->{dumpdir}) {
+ die "only root\@pam may edit jobs with a 'dumpdir' option.";
+ } else {
+ my $storeid = $current->{storage} || 'local';
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ }
}
my $convert_to_schedule = sub {
@@ -220,7 +247,7 @@ __PACKAGE__->register_method({
my $rpcenv = PVE::RPCEnvironment::get();
my $user = $rpcenv->get_user();
- assert_param_permission_common($rpcenv, $user, $param);
+ assert_param_permission_create($rpcenv, $user, $param);
if (my $pool = $param->{pool}) {
$rpcenv->check_pool_exist($pool);
@@ -473,6 +500,8 @@ __PACKAGE__->register_method({
die "no such vzdump job\n" if !$job || $job->{type} ne 'vzdump';
}
+ assert_param_permission_update($rpcenv, $user, $param, $delete, $job);
+
my $deletable = {
comment => 1,
'repeat-missed' => 1,
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] [PATCH manager 6/6] api: backup/vzdump: add get_storage_param helper
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
` (4 preceding siblings ...)
2022-11-16 14:04 ` [pve-devel] [PATCH manager 5/6] api: backup: require Datastore.Allocate on storage Fiona Ebner
@ 2022-11-16 14:04 ` Fiona Ebner
2023-04-05 7:43 ` [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
2023-06-07 14:58 ` [pve-devel] applied: " Thomas Lamprecht
7 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2022-11-16 14:04 UTC (permalink / raw)
To: pve-devel
to capture the logic in a single place.
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
PVE/API2/Backup.pm | 10 +++++-----
PVE/API2/VZDump.pm | 15 ++++++++-------
PVE/VZDump.pm | 11 +++++++++--
3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 74bf95ca..25e615d1 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -60,10 +60,9 @@ my sub assert_param_permission_create {
assert_param_permission_common($rpcenv, $user, $param);
- if (!$param->{dumpdir}) {
- my $storeid = $param->{storage} || 'local';
+ if (my $storeid = PVE::VZDump::get_storage_param($param)) {
$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
- } # no else branch, because dumpdir is root-only
+ }
}
my sub assert_param_permission_update {
@@ -84,8 +83,9 @@ my sub assert_param_permission_update {
if ($current->{dumpdir}) {
die "only root\@pam may edit jobs with a 'dumpdir' option.";
} else {
- my $storeid = $current->{storage} || 'local';
- $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ if (my $storeid = PVE::VZDump::get_storage_param($current)) {
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ }
}
}
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 8e873c05..e3dcd0bd 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -27,10 +27,11 @@ my sub assert_param_permission_vzdump {
PVE::API2::Backup::assert_param_permission_common($rpcenv, $user, $param);
- if (!$param->{dumpdir} && (defined($param->{maxfiles}) || defined($param->{'prune-backups'}))) {
- my $storeid = $param->{storage} || 'local';
- $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
- } # no else branch, because dumpdir is root-only
+ if (defined($param->{maxfiles}) || defined($param->{'prune-backups'})) {
+ if (my $storeid = PVE::VZDump::get_storage_param($param)) {
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+ }
+ }
}
__PACKAGE__->register_method ({
@@ -108,9 +109,9 @@ __PACKAGE__->register_method ({
die "you can only backup a single VM with option --stdout\n"
if $param->{stdout} && scalar(@{$local_vmids}) != 1;
- # If the root-only dumpdir is used rather than a storage, the check will succeed anyways.
- my $storeid = $param->{storage} || 'local';
- $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.AllocateSpace' ]);
+ if (my $storeid = PVE::VZDump::get_storage_param($param)) {
+ $rpcenv->check($user, "/storage/$storeid", [ 'Datastore.AllocateSpace' ]);
+ }
my $worker = sub {
my $upid = shift;
diff --git a/PVE/VZDump.pm b/PVE/VZDump.pm
index a04837e7..bd17c986 100644
--- a/PVE/VZDump.pm
+++ b/PVE/VZDump.pm
@@ -55,6 +55,13 @@ foreach my $plug (@pve_vzdump_classes) {
}
}
+sub get_storage_param {
+ my ($param) = @_;
+
+ return if $param->{dumpdir};
+ return $param->{storage} || 'local';
+}
+
# helper functions
sub debugmsg {
@@ -557,8 +564,8 @@ sub new {
die "cannot use options 'storage' and 'dumpdir' at the same time\n";
}
- if (!$opts->{dumpdir} && !$opts->{storage}) {
- $opts->{storage} = 'local';
+ if (my $storage = get_storage_param($opts)) {
+ $opts->{storage} = $storage;
}
# Enforced by the API too, but these options might come in via defaults. Drop them if necessary.
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [pve-devel] [PATCH-SERIES manager] backup permission improvements
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
` (5 preceding siblings ...)
2022-11-16 14:04 ` [pve-devel] [PATCH manager 6/6] api: backup/vzdump: add get_storage_param helper Fiona Ebner
@ 2023-04-05 7:43 ` Fiona Ebner
2023-06-06 6:33 ` Fiona Ebner
2023-06-07 14:58 ` [pve-devel] applied: " Thomas Lamprecht
7 siblings, 1 reply; 11+ messages in thread
From: Fiona Ebner @ 2023-04-05 7:43 UTC (permalink / raw)
To: pve-devel
Am 16.11.22 um 15:04 schrieb Fiona Ebner:
> Currently, suffenciently privileged users may edit a backup job, but
> cannot run the very same job manually (via the vzdump API call). The
> first patch addresses this by removing the root-only restriction from
> retention and performance settings. Retention will require
> Datastore.Allocate on the target storage, because it's essentially
> removal of certain backups, while performance settings will require
> Sys.Modify on / which is the permission required to edit backup jobs.
>
> The next three patches are for deletion of parameters when updating a
> backup job. Allowing to only delete a setting (previously, update
> would fail if no parameter was set) and adding a check for the delete
> options.
>
> Patch 5/6 restricts backup editing by requiring that the user has
> appropriate permissions on the job's storage (and eventual newly set
> storage) as well as on the default 'local' storage when removing the
> storage. Jobs with a dumpdir can only be edited by root. This is a
> breaking API change, but requiring permission on the storage should
> be sensible and allows for more flexible permission configurations.
>
> The last patch introduces a helper to have the "what's the storage"
> logic in one place.
>
Ping for the rest of the series, should still apply.
Just ran into the issue that 3/6 fixes with:
pvesh set /cluster/backup/backup-4f2f3b87-0165 --delete script
Maybe we want to wait with 5/6 until to the next major release though.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [pve-devel] [PATCH-SERIES manager] backup permission improvements
2023-04-05 7:43 ` [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
@ 2023-06-06 6:33 ` Fiona Ebner
0 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2023-06-06 6:33 UTC (permalink / raw)
To: pve-devel
Am 05.04.23 um 09:43 schrieb Fiona Ebner:
> Am 16.11.22 um 15:04 schrieb Fiona Ebner:
>> Currently, suffenciently privileged users may edit a backup job, but
>> cannot run the very same job manually (via the vzdump API call). The
>> first patch addresses this by removing the root-only restriction from
>> retention and performance settings. Retention will require
>> Datastore.Allocate on the target storage, because it's essentially
>> removal of certain backups, while performance settings will require
>> Sys.Modify on / which is the permission required to edit backup jobs.
>>
>> The next three patches are for deletion of parameters when updating a
>> backup job. Allowing to only delete a setting (previously, update
>> would fail if no parameter was set) and adding a check for the delete
>> options.
>>
>> Patch 5/6 restricts backup editing by requiring that the user has
>> appropriate permissions on the job's storage (and eventual newly set
>> storage) as well as on the default 'local' storage when removing the
>> storage. Jobs with a dumpdir can only be edited by root. This is a
>> breaking API change, but requiring permission on the storage should
>> be sensible and allows for more flexible permission configurations.
>>
>> The last patch introduces a helper to have the "what's the storage"
>> logic in one place.
>>
>
> Ping for the rest of the series, should still apply.
>
> Just ran into the issue that 3/6 fixes with:
> pvesh set /cluster/backup/backup-4f2f3b87-0165 --delete script
>
> Maybe we want to wait with 5/6 until to the next major release though.
Ping again, now that we're working towards the next major release :)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [pve-devel] applied: [PATCH-SERIES manager] backup permission improvements
2022-11-16 14:04 [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
` (6 preceding siblings ...)
2023-04-05 7:43 ` [pve-devel] [PATCH-SERIES manager] backup permission improvements Fiona Ebner
@ 2023-06-07 14:58 ` Thomas Lamprecht
7 siblings, 0 replies; 11+ messages in thread
From: Thomas Lamprecht @ 2023-06-07 14:58 UTC (permalink / raw)
To: Proxmox VE development discussion, Fiona Ebner
Am 16/11/2022 um 15:04 schrieb Fiona Ebner:
> Currently, suffenciently privileged users may edit a backup job, but
> cannot run the very same job manually (via the vzdump API call). The
> first patch addresses this by removing the root-only restriction from
> retention and performance settings. Retention will require
> Datastore.Allocate on the target storage, because it's essentially
> removal of certain backups, while performance settings will require
> Sys.Modify on / which is the permission required to edit backup jobs.
>
> The next three patches are for deletion of parameters when updating a
> backup job. Allowing to only delete a setting (previously, update
> would fail if no parameter was set) and adding a check for the delete
> options.
>
> Patch 5/6 restricts backup editing by requiring that the user has
> appropriate permissions on the job's storage (and eventual newly set
> storage) as well as on the default 'local' storage when removing the
> storage. Jobs with a dumpdir can only be edited by root. This is a
> breaking API change, but requiring permission on the storage should
> be sensible and allows for more flexible permission configurations.
>
> The last patch introduces a helper to have the "what's the storage"
> logic in one place.
>
>
> Fiona Ebner (6):
> api: vzdump: soften parameter permission checks
> api: backup: update: turn delete into a hash
> api: backup: update: allow only deleting
> api: backup: update: check permissions of delete params too
> api: backup: require Datastore.Allocate on storage
> api: backup/vzdump: add get_storage_param helper
>
> PVE/API2/Backup.pm | 62 ++++++++++++++++++++++++++++++++++++++--------
> PVE/API2/VZDump.pm | 32 ++++++++++++++++--------
> PVE/VZDump.pm | 11 ++++++--
> 3 files changed, 82 insertions(+), 23 deletions(-)
>
applied remaining series, thanks!
fwiw, I did some small follow-up for "api: backup: update: check permissions
of delete params too", just to get the order of checking those params
before the pool as before and as the create endpoint has, I don't think
it has a practical effect, but it just felt slightly odd..
^ permalink raw reply [flat|nested] 11+ messages in thread