From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id A770F70525 for ; Fri, 2 Apr 2021 14:28:22 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 92D86EAEA for ; Fri, 2 Apr 2021 14:27:52 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 82A32EADD for ; Fri, 2 Apr 2021 14:27:51 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 4E207435DE for ; Fri, 2 Apr 2021 14:27:51 +0200 (CEST) To: Thomas Lamprecht , Proxmox VE development discussion References: <20210311092208.27221-1-f.ebner@proxmox.com> <20210311092208.27221-2-f.ebner@proxmox.com> From: Fabian Ebner Message-ID: Date: Fri, 2 Apr 2021 14:27:45 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.007 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, vzdump.pm] Subject: Re: [pve-devel] [PATCH v3 manager 2/4] api: vzdump: add call to get currently configured vzdump defaults X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Apr 2021 12:28:22 -0000 Am 01.04.21 um 15:40 schrieb Thomas Lamprecht: > On 11.03.21 10:22, Fabian Ebner wrote: >> on a given node (and storage). >> >> Signed-off-by: Fabian Ebner >> --- >> >> New in v3 >> >> PVE/API2/VZDump.pm | 89 ++++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 89 insertions(+) >> >> diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm >> index 44376106..109e178b 100644 >> --- a/PVE/API2/VZDump.pm >> +++ b/PVE/API2/VZDump.pm >> @@ -146,6 +146,95 @@ __PACKAGE__->register_method ({ >> return $rpcenv->fork_worker('vzdump', $taskid, $user, $worker); >> }}); >> >> +__PACKAGE__->register_method ({ >> + name => 'defaults', >> + path => 'defaults', >> + method => 'GET', >> + description => "Get the currently configured vzdump defaults.", >> + permissions => { >> + description => "The user needs 'Datastore.Audit' or " . >> + "'Datastore.AllocateSpace' permissions for the specified storage " . >> + "(or default storage if none specified). Some properties are only " . >> + "returned when the user has 'Sys.Audit' permissions for the node.", > > style nit: you can go up to 100 character columns here, also we > Ok >> + user => 'all', >> + }, >> + proxyto => 'node', >> + parameters => { >> + additionalProperties => 0, >> + properties => { >> + node => get_standard_option('pve-node'), >> + storage => get_standard_option('pve-storage-id', { optional => 1 }), >> + }, >> + }, >> + returns => { >> + type => 'object', >> + additionalProperties => 0, >> + properties => PVE::VZDump::Common::json_config_properties(), > > above may suggest that all those properties are returned, but we delete some > out flat, so even if one would access this as root@pam they won't get all of > those and may get confused due to API schema/return value mismatch. > > Maybe we could derive a hash from above list at module scope, and delete those > keys that never will be returned. That list could also be reused below for > filtering out those unwanted keys too then. > The only key that is always dropped is the deprecated 'size' key. For privileged users, all others are returned. And the schema says that all properties are optional. We could create a new hash and drop the 'optional' for those with a default value that are never dropped, but not sure if that's worth it... >> + }, >> + code => sub { >> + my ($param) = @_; >> + >> + my $node = extract_param($param, 'node'); >> + my $storage = extract_param($param, 'storage'); >> + >> + my $rpcenv = PVE::RPCEnvironment::get(); >> + my $authuser = $rpcenv->get_user(); >> + >> + my $res = PVE::VZDump::read_vzdump_defaults(); >> + >> + $res->{storage} = $storage if defined($storage); >> + >> + if (!defined($res->{dumpdir}) && !defined($res->{storage})) { >> + $res->{storage} = 'local'; >> + } >> + >> + if (defined($res->{storage})) { >> + $rpcenv->check_any( >> + $authuser, >> + "/storage/$res->{storage}", >> + ['Datastore.Audit', 'Datastore.AllocateSpace'], >> + ); >> + >> + my $info = PVE::VZDump::storage_info($res->{storage}); >> + foreach my $key (qw(dumpdir prune-backups)) { > > style nit, for new code use `for`, `foreach` has no additional value/functionality > over `for` since a long time (if ever, actually not too sure from top of my head). > Will do, but might be worth updating the style guide: "use either of foreach or for when looping over a list of elements." https://pve.proxmox.com/wiki/Perl_Style_Guide#Perl_syntax_choices >> + $res->{$key} = $info->{$key} if defined($info->{$key}); >> + } >> + } >> + >> + if (defined($res->{'prune-backups'})) { >> + $res->{'prune-backups'} = PVE::JSONSchema::print_property_string( >> + $res->{'prune-backups'}, >> + 'prune-backups', >> + ); >> + } >> + >> + $res->{mailto} = join(",", @{$res->{mailto}}) >> + if defined($res->{mailto}); >> + >> + $res->{'exclude-path'} = join(",", @{$res->{'exclude-path'}}) >> + if defined($res->{'exclude-path'}); >> + >> + # normal backup users don't need to know these >> + if (!$rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1)) { >> + delete $res->{mailto}; >> + delete $res->{tmpdir}; >> + delete $res->{dumpdir}; >> + delete $res->{script}; >> + delete $res->{bwlimit}; > > The bwlimit could be exposed though, similarly to how we do already on backup restore. > For not so privileged user we may want to do something like getting the > min($api_bwlimit, $storage_or_dc_options_bwlimit) to ensure an user cannot weasel > themself out of admin imposed restrictions... Also, this does not needs to be in > that series, just a general idea... > Ok. From the top of my head, it should be enough to do a get_bandwith_limit call for the storage together with the potential override, i.e. res->{bwlimit}. I mean the admin imposed restriction would still take place on the vzdump call afterwards, but of course better if the value returned here is actually what's to be expected afterwards. >> + delete $res->{ionice}; >> + } >> + >> + my $pool = $res->{pool}; >> + if (defined($pool) && >> + !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) { >> + delete $res->{pool}; >> + } >> + >> + delete $res->{size}; # deprecated, to be dropped with PVE 7.0 >> + >> + return $res; >> + }}); >> + >> __PACKAGE__->register_method ({ >> name => 'extractconfig', >> path => 'extractconfig', >> >