Currently, guest replication is guarded with Datastore.Allocate on '/storage', which is rather surprising. One could require Datastore.AllocateSpace on all involved storages, but a dedicated privilege, as already exists for other VM operations such as migration and snapshot, seems more natural.
Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
---
PVE/API2/Replication.pm | 8 +++++++-
PVE/API2/ReplicationConfig.pm | 25 +++++++++++++++++++++----
2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index c8416239..c23649f3 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -402,7 +402,8 @@ __PACKAGE__->register_method({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/storage', ['Datastore.Allocate']], + description => "Requires the VM.Replicate permission on /vms/<vmid>.", + user => 'all', }, parameters => { additionalProperties => 0,
@@ -417,7 +418,12 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + my $jobid = $param->{id}; + my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($jobid); + $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']); my $cfg = PVE::ReplicationConfig->new(); my $jobcfg = $cfg->{ids}->{$jobid};
diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm
index 1c6ac765..307ebe69 100644
--- a/PVE/API2/ReplicationConfig.pm
+++ b/PVE/API2/ReplicationConfig.pm
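Review bot: With `user => 'all'` in the first hunk's permissions block nothing is enforced declaratively any more, so the only thing between an authenticated user and this handler is the `$rpcenv->check(...)` call added to the code body; a short comment next to it, such as `# privilege is checked in the handler, vmid is derived from the job ID`, would make that dependency visible to whoever edits the handler next. The description also names `/vms/<vmid>` although the endpoint's parameter is `id`; `"Requires the VM.Replicate permission on /vms/<vmid>, where <vmid> is the guest part of the job ID."` would be clearer. The same applies to the three permission blocks changed in PVE/API2/ReplicationConfig.pm (POST, PUT, DELETE). The register_method call starts and ends outside the hunk.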
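Review bot: In the second hunk the ACL path `"/vms/$vmid"` is built directly from the first value returned by `parse_replication_job_id`, with no check in the handler that `$vmid` is defined. That function is not shown in the diff; if it can return an empty list instead of dying on a malformed ID, the check would be made against `/vms/` rather than a guest path, so a guard such as `die "invalid replication job ID '$jobid'\n" if !defined($vmid);` before the check is cheap insurance. The same parse-then-check pair is repeated in the POST, PUT and DELETE handlers of ReplicationConfig.pm, which suggests one shared helper so the four copies cannot drift apart. The handler body continues past the end of the hunk.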
@@ -107,19 +107,24 @@ __PACKAGE__->register_method({ method => 'POST', description => "Create a new replication job", permissions => { - check => ['perm', '/storage', ['Datastore.Allocate']], + description => "Requires the VM.Replicate permission on /vms/<vmid>.", + user => 'all', }, parameters => PVE::ReplicationConfig->createSchema(), returns => { type => 'null' }, code => sub { my ($param) = @_; + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + my $type = extract_param($param, 'type'); my $plugin = PVE::ReplicationConfig->lookup($type); my $id = extract_param($param, 'id'); # extract guest ID from job ID my ($guest) = PVE::ReplicationConfig::parse_replication_job_id($id); + $rpcenv->check($authuser, "/vms/$guest", ['VM.Replicate']); my $nodelist = PVE::Cluster::get_members(); my $vmlist = PVE::Cluster::get_vmlist();
@@ -176,17 +181,24 @@ __PACKAGE__->register_method({ method => 'PUT', description => "Update replication job configuration.", permissions => { - check => ['perm', '/storage', ['Datastore.Allocate']], + description => "Requires the VM.Replicate permission on /vms/<vmid>.", + user => 'all', }, parameters => PVE::ReplicationConfig->updateSchema(), returns => { type => 'null' }, code => sub { my ($param) = @_; + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + my $id = extract_param($param, 'id'); my $digest = extract_param($param, 'digest'); my $delete = extract_param($param, 'delete'); + my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id); + $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']); + my $code = sub { my $cfg = PVE::ReplicationConfig->new();
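Review bot: In the POST hunk, job creation is now authorised only against the guest (`/vms/$guest`); no storage-side privilege is consulted on this path any more. Replication presumably allocates volumes on the target node's storages (the commit message speaks of "all involved storages"), so VM.Replicate implicitly carries that ability and the description should say so, e.g. `"Requires the VM.Replicate permission on /vms/<vmid>. This permits allocating space for replicas on the guest's storages on the target node."`. Separately, `PVE::ReplicationConfig->lookup($type)` still runs before the check; moving the `$id` extraction and the `$rpcenv->check` call above it would make authorisation the first thing the handler does. The handler body continues outside the hunk.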
@@ -231,7 +243,8 @@ __PACKAGE__->register_method({ method => 'DELETE', description => "Mark replication job for removal.", permissions => { - check => ['perm', '/storage', ['Datastore.Allocate']], + description => "Requires the VM.Replicate permission on /vms/<vmid>.", + user => 'all', }, parameters => { additionalProperties => 0,
@@ -256,11 +269,15 @@ __PACKAGE__->register_method({ my ($param) = @_; my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + + my $id = extract_param($param, 'id'); + my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id); + $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']); my $code = sub { my $cfg = PVE::ReplicationConfig->new(); - my $id = $param->{id}; if ($param->{force}) { raise_param_exc({ 'keep' => "conflicts with parameter 'force'" }) if $param->{keep};
-- 2.47.2
_______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
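Review bot: In the DELETE code hunk, replacing `my $id = $param->{id};` with `my $id = extract_param($param, 'id');` removes `id` from `$param` for the rest of the handler, unlike the Replication.pm hunk, which reads `$param->{id}` without extracting it. The handler continues beyond the hunk, so it is worth confirming that nothing further down still reads `$param->{id}`, which would now be undef. If that cannot be ruled out, `my $id = $param->{id};` placed before the check keeps the old behaviour while still allowing the early authorisation.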