From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 19C611FF16F
	for <inbox@lore.proxmox.com>; Thu, 13 Feb 2025 18:21:41 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id B704FBC89;
	Thu, 13 Feb 2025 18:21:36 +0100 (CET)
Message-ID: <68d023cf-0e18-40ac-b7a2-8402f57d7ac4@proxmox.com>
Date: Thu, 13 Feb 2025 18:21:03 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Filip Schauer <f.schauer@proxmox.com>
References: <20250120112842.36450-1-f.schauer@proxmox.com>
 <20250120112842.36450-4-f.schauer@proxmox.com>
Content-Language: en-US
From: Fiona Ebner <f.ebner@proxmox.com>
In-Reply-To: <20250120112842.36450-4-f.schauer@proxmox.com>
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.046 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH storage v6 3/7] api: content: support moving
 backups between path based storages
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

Am 20.01.25 um 12:28 schrieb Filip Schauer:
> This commit adds the "backup+size" export format. When this format is
> used, the data stream starts with metadata of the backup (protected flag
> & notes) followed by the contents of the backup archive.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>  src/PVE/API2/Storage/Content.pm | 15 ++++++++++--
>  src/PVE/Storage.pm              | 10 +++++++-
>  src/PVE/Storage/Plugin.pm       | 42 +++++++++++++++++++++++++++++----
>  3 files changed, 60 insertions(+), 7 deletions(-)
> 
> diff --git a/src/PVE/API2/Storage/Content.pm b/src/PVE/API2/Storage/Content.pm
> index ac451dc..9ee3c51 100644
> --- a/src/PVE/API2/Storage/Content.pm
> +++ b/src/PVE/API2/Storage/Content.pm
> @@ -548,10 +548,10 @@ __PACKAGE__->register_method ({
>  
>  	my $cfg = PVE::Storage::config();
>  
> -	my ($vtype) = PVE::Storage::parse_volname($cfg, $src_volid);
> +	my ($vtype, undef, $ownervm) = PVE::Storage::parse_volname($cfg, $src_volid);
>  	die "use pct move-volume or qm disk move" if $vtype eq 'images' || $vtype eq 'rootdir';
>  	die "moving volume of type '$vtype' not implemented\n"
> -	    if (!grep { $vtype eq $_ } qw(import iso snippets vztmpl));
> +	    if (!grep { $vtype eq $_ } qw(backup import iso snippets vztmpl));
>  
>  	my $rpcenv = PVE::RPCEnvironment::get();
>  	my $user = $rpcenv->get_user();
> @@ -560,10 +560,21 @@ __PACKAGE__->register_method ({
>  
>  	if ($delete) {
>  	    $rpcenv->check($user, "/storage/$src_storeid", ["Datastore.Allocate"]);
> +
> +	    if ($vtype eq 'backup') {
> +		my $src_cfg = PVE::Storage::storage_config($cfg, $src_storeid);
> +		my $src_plugin = PVE::Storage::Plugin->lookup($src_cfg->{type});
> +		my $protected = $src_plugin->get_volume_attribute($src_cfg, $src_storeid, $volname, 'protected');

I'd prefer this to use the function from the storage module rather than
calling into the plugin itself.

> +		die "cannot delete protected backup\n" if $protected;
> +	    }
>  	} else {
>  	    $rpcenv->check($user, "/storage/$dst_storeid", ["Datastore.AllocateSpace"]);
>  	}
>  
> +	if ($vtype eq 'backup' && $ownervm) {
> +	    $rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
> +	}

Don't you just need to pass $ownervm to check_volume_access()? Because
having this check rules out a user with Datastore.Allocate to use the
API if they don't also have the backup permission.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel