Skip to content

P
pve-manager
Commit b52133c4 authored by Dietmar Maurer's avatar Dietmar Maurer
Browse files
Options

fix bug #379: allow to overwrite existing CTs if user has VM.Backup permissions 

The requirement to have VM.Allocate it non-obvious and confusing
if the VM already exists. If the user can backup, he should also be able
to restore that backup.
parent 1056f33a
Show whitespace changes
Inline Side-by-side
Showing with 17 additions and 7 deletions
PVE/API2/OpenVZ.pm
View file @ b52133c4
...@@ -232,11 +232,10 @@ __PACKAGE__->register_method({ ...@@ -232,11 +232,10 @@ __PACKAGE__->register_method({
method => 'POST', method => 'POST',
description => "Create or restore a container.", description => "Create or restore a container.",
permissions => { permissions => {
description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}, and 'Datastore.AllocateSpace' on the storage.", user => 'all', # check inside
check => [ 'or', description => "You need 'VM.Allocate' permissions on /vms/{vmid} or on the VM pool /pool/{pool}. " .
[ 'perm', '/vms/{vmid}', ['VM.Allocate']], "For restore, it is enough if the user has 'VM.Backup' permission and the VM already exists. " .
[ 'perm', '/pool/{pool}', ['VM.Allocate'], require_param => 'pool'], "You also need 'Datastore.AllocateSpace' permissions on the storage.",
],
}, },
protected => 1, protected => 1,
proxyto => 'node', proxyto => 'node',
...@@ -306,6 +305,8 @@ __PACKAGE__->register_method({ ...@@ -306,6 +305,8 @@ __PACKAGE__->register_method({
my $private = PVE::Storage::get_private_dir($storage_cfg, $storage, $vmid); my $private = PVE::Storage::get_private_dir($storage_cfg, $storage, $vmid);
my $basecfg_fn = PVE::OpenVZ::config_file($vmid);
if (defined($pool)) { if (defined($pool)) {
$rpcenv->check_pool_exist($pool); $rpcenv->check_pool_exist($pool);
$rpcenv->check_perm_modify($authuser, "/pool/$pool"); $rpcenv->check_perm_modify($authuser, "/pool/$pool");
...@@ -313,6 +314,17 @@ __PACKAGE__->register_method({ ...@@ -313,6 +314,17 @@ __PACKAGE__->register_method({
$rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']); $rpcenv->check($authuser, "/storage/$storage", ['Datastore.AllocateSpace']);
if ($rpcenv->check($authuser, "/vms/$vmid", ['VM.Allocate'], 1)) {
# OK
} elsif ($pool && $rpcenv->check($authuser, "/pool/$pool", ['VM.Allocate'], 1)) {
# OK
} elsif ($param->{restore} && $param->{force} && (-f $basecfg_fn) &&
$rpcenv->check($authuser, "/vms/$vmid", ['VM.Backup'], 1)) {
# OK: user has VM.Backup permissions, and want to restore an existing VM
} else {
raise_perm_exc();
}
&$check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]); &$check_ct_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
PVE::Storage::activate_storage($storage_cfg, $storage); PVE::Storage::activate_storage($storage_cfg, $storage);
...@@ -356,8 +368,6 @@ __PACKAGE__->register_method({ ...@@ -356,8 +368,6 @@ __PACKAGE__->register_method({
$param->{hostname} .= ".$param->{searchdomain}"; $param->{hostname} .= ".$param->{searchdomain}";
} }
my $basecfg_fn = PVE::OpenVZ::config_file($vmid);
my $check_vmid_usage = sub { my $check_vmid_usage = sub {
if ($param->{force}) { if ($param->{force}) {
die "cant overwrite mounted container\n" die "cant overwrite mounted container\n"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023