[pve-devel] [PATCH manager 5/6] api: backup: require Datastore.Allocate on storage

Wed Nov 16 15:04:34 CET 2022

In particular this ensures that the user is allowed to remove data on
the storage, because configuring low retention results in removed
older backups. Of course setting the storage itself also needs to
require the same privilege then.

This is a breaking API change, but it seems sensible to require
permissions on the affected storage too.

Jobs with a dumpdir setting can be configured by root only.

Suggested-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---

Not sure about the dumpdir jobs, should those rather require
Sys.Modify on /? The dumpdir setting itself is still root-only.

 PVE/API2/Backup.pm | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Backup.pm b/PVE/API2/Backup.pm
index 684a078e..74bf95ca 100644
--- a/PVE/API2/Backup.pm
+++ b/PVE/API2/Backup.pm
@@ -54,12 +54,39 @@ sub assert_param_permission_common {
     }
 }
 
+my sub assert_param_permission_create {
+    my ($rpcenv, $user, $param) = @_;
+    return if $user eq 'root at pam'; # always OK
+
+    assert_param_permission_common($rpcenv, $user, $param);
+
+    if (!$param->{dumpdir}) {
+	my $storeid = $param->{storage} || 'local';
+	$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+    } # no else branch, because dumpdir is root-only
+}
+
 my sub assert_param_permission_update {
-    my ($rpcenv, $user, $update, $delete) = @_;
+    my ($rpcenv, $user, $update, $delete, $current) = @_;
     return if $user eq 'root at pam'; # always OK
 
     assert_param_permission_common($rpcenv, $user, $update);
     assert_param_permission_common($rpcenv, $user, $delete);
+
+    if ($update->{storage}) {
+	$rpcenv->check($user, "/storage/$update->{storage}", [ 'Datastore.Allocate' ])
+    } elsif ($delete->{storage}) {
+	$rpcenv->check($user, "/storage/local", [ 'Datastore.Allocate' ]);
+    }
+
+    return if !$current; # early check done
+
+    if ($current->{dumpdir}) {
+	die "only root\@pam may edit jobs with a 'dumpdir' option.";
+    } else {
+	my $storeid = $current->{storage} || 'local';
+	$rpcenv->check($user, "/storage/$storeid", [ 'Datastore.Allocate' ]);
+    }
 }
 
 my $convert_to_schedule = sub {
@@ -220,7 +247,7 @@ __PACKAGE__->register_method({
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $user = $rpcenv->get_user();
 
-	assert_param_permission_common($rpcenv, $user, $param);
+	assert_param_permission_create($rpcenv, $user, $param);
 
 	if (my $pool = $param->{pool}) {
 	    $rpcenv->check_pool_exist($pool);
@@ -473,6 +500,8 @@ __PACKAGE__->register_method({
 		die "no such vzdump job\n" if !$job || $job->{type} ne 'vzdump';
 	    }
 
+	    assert_param_permission_update($rpcenv, $user, $param, $delete, $job);
+
 	    my $deletable = {
 		comment => 1,
 		'repeat-missed' => 1,
-- 
2.30.2




