yesBad/pve-storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PVE::Storage: new helper check_volume_access()

Browse Source 
Copied from PVE::RPCEnvironment to avoid cyclic dependency
(pve-storgae => pve-access-control => pve-storage).
This commit is contained in:
Dietmar Maurer
2017-01-18 17:14:07 +01:00
parent ef881e10eb
commit 04a13668b9
3 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
PVE/API2/Storage/Content.pm
View File

@ -72,7 +72,7 @@ __PACKAGE__->register_method ({
my $res = []; my $res = [];
foreach my $item (@$vollist) { foreach my $item (@$vollist) {
eval { $rpcenv->check_volume_access($authuser, $cfg, undef, $item->{volid}); }; eval { PVE::Storage::check_volume_access($rpcenv, $authuser, $cfg, undef, $item->{volid}); };
next if $@; next if $@;
push @$res, $item; push @$res, $item;
} }
@ -219,7 +219,7 @@ __PACKAGE__->register_method ({
my $cfg = PVE::Storage::config(); my $cfg = PVE::Storage::config();
$rpcenv->check_volume_access($authuser, $cfg, undef, $volid); PVE::Storage::check_volume_access($rpcenv, $rpcenv->$authuser, $cfg, undef, $volid);
my $path = PVE::Storage::path($cfg, $volid); my $path = PVE::Storage::path($cfg, $volid);
my ($size, $format, $used, $parent) = PVE::Storage::file_size_info($path); my ($size, $format, $used, $parent) = PVE::Storage::file_size_info($path);

2
PVE/CLI/pvesm.pm
View File

@ -86,7 +86,7 @@ __PACKAGE__->register_method ({
my $authuser = $rpcenv->get_user(); my $authuser = $rpcenv->get_user();
my $storage_cfg = PVE::Storage::config(); my $storage_cfg = PVE::Storage::config();
$rpcenv->check_volume_access($authuser, $storage_cfg, undef, $volume); PVE::Storage::check_volume_access($rpcenv, $authuser, $storage_cfg, undef, $volume);
my $config_raw = PVE::Storage::extract_vzdump_config($storage_cfg, $volume); my $config_raw = PVE::Storage::extract_vzdump_config($storage_cfg, $volume);

26
PVE/Storage.pm
View File

@ -344,6 +344,32 @@ sub parse_volume_id {
return PVE::Storage::Plugin::parse_volume_id($volid, $noerr); return PVE::Storage::Plugin::parse_volume_id($volid, $noerr);
} }
# test if we have read access to volid
sub check_volume_access {
my ($rpcenv, $user, $cfg, $vmid, $volid) = @_;
my ($sid, $volname) = parse_volume_id($volid, 1);
if ($sid) {
my ($vtype, undef, $ownervm) = parse_volname($cfg, $volid);
if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
# we simply allow access
} elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
# we are owner - allow access
} elsif ($vtype eq 'backup' && $ownervm) {
$rpcenv->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
$rpcenv->check($user, "/vms/$ownervm", ['VM.Backup']);
} else {
# allow if we are Datastore administrator
$rpcenv->check($user, "/storage/$sid", ['Datastore.Allocate']);
}
} else {
die "Only root can pass arbitrary filesystem paths."
if $user ne 'root@pam';
}
return undef;
}
my $volume_is_base_and_used__no_lock = sub { my $volume_is_base_and_used__no_lock = sub {
my ($scfg, $storeid, $plugin, $volname) = @_; my ($scfg, $storeid, $plugin, $volname) = @_;