Commit eaa70df1 authored by Dietmar Maurer's avatar Dietmar Maurer

set permissions for VZDump API

parent f4fd3ac4
...@@ -22,6 +22,10 @@ __PACKAGE__->register_method ({ ...@@ -22,6 +22,10 @@ __PACKAGE__->register_method ({
path => '', path => '',
method => 'POST', method => 'POST',
description => "Create backup.", description => "Create backup.",
permissions => {
description => "The user needs VM.Backup permissions on any VM.",
user => 'all',
},
protected => 1, protected => 1,
proxyto => 'node', proxyto => 'node',
parameters => { parameters => {
...@@ -99,6 +103,11 @@ __PACKAGE__->register_method ({ ...@@ -99,6 +103,11 @@ __PACKAGE__->register_method ({
die "you can only backup a single VM with option --stdout\n" die "you can only backup a single VM with option --stdout\n"
if $param->{stdout} && scalar(@vmids) != 1; if $param->{stdout} && scalar(@vmids) != 1;
foreach my $key (qw(maxfiles tmpdir dumpdir script size bwlimit ionice)) {
raise_param_exc({ $key => "Only root may set this option."})
if defined($param->{$key}) && ($user ne 'root@pam');
}
my $vzdump = PVE::VZDump->new($cmdline, $param, $skiplist); my $vzdump = PVE::VZDump->new($cmdline, $param, $skiplist);
my $worker = sub { my $worker = sub {
...@@ -115,7 +124,7 @@ __PACKAGE__->register_method ({ ...@@ -115,7 +124,7 @@ __PACKAGE__->register_method ({
PVE::VZDump::run_command(undef, "ionice -c2 -n$param->{ionice} -p $$"); PVE::VZDump::run_command(undef, "ionice -c2 -n$param->{ionice} -p $$");
} }
} }
$vzdump->exec_backup(); $vzdump->exec_backup($rpcenv, $user);
}; };
open STDOUT, '>/dev/null' if $param->{quiet} && !$param->{stdout}; open STDOUT, '>/dev/null' if $param->{quiet} && !$param->{stdout};
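Review bot: The root-only guard in the second hunk is a deny-list: only `maxfiles tmpdir dumpdir script size bwlimit ionice` are refused for non-root callers, and with `user => 'all'` every other parameter of this POST handler is open to any authenticated user. The parameter schema is outside the hunk, so whether any other path- or command-related option is left exposed cannot be confirmed from here. An allow-list of the options a non-root user may set would fail closed when a new option is added. At minimum I would add a comment above the loop such as `# Options not listed here can be set by any authenticated user; review this list whenever a parameter is added.` `$user` is assigned outside the hunk.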
......
...@@ -10,6 +10,7 @@ use IO::Select; ...@@ -10,6 +10,7 @@ use IO::Select;
use IPC::Open3; use IPC::Open3;
use POSIX qw(strftime); use POSIX qw(strftime);
use File::Path; use File::Path;
use PVE::RPCEnvironment;
use PVE::Storage; use PVE::Storage;
use PVE::Cluster qw(cfs_read_file); use PVE::Cluster qw(cfs_read_file);
use PVE::VZDump::OpenVZ; use PVE::VZDump::OpenVZ;
...@@ -953,7 +954,7 @@ sub exec_backup_task { ...@@ -953,7 +954,7 @@ sub exec_backup_task {
} }
sub exec_backup { sub exec_backup {
my ($self) = @_; my ($rpcenv, $authuser, $self) = @_;
my $opts = $self->{opts}; my $opts = $self->{opts};
...@@ -968,6 +969,7 @@ sub exec_backup { ...@@ -968,6 +969,7 @@ sub exec_backup {
my $vmlist = $plugin->vmlist(); my $vmlist = $plugin->vmlist();
foreach my $vmid (sort @$vmlist) { foreach my $vmid (sort @$vmlist) {
next if grep { $_ eq $vmid } @{$opts->{exclude}}; next if grep { $_ eq $vmid } @{$opts->{exclude}};
next if !$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ], 1);
push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin }; push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin };
} }
} }
...@@ -981,6 +983,7 @@ sub exec_backup { ...@@ -981,6 +983,7 @@ sub exec_backup {
last; last;
} }
} }
$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ]);
push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin }; push @$tasklist, { vmid => $vmid, state => 'todo', plugin => $plugin };
} }
} }
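Review bot: The new unpacking `my ($rpcenv, $authuser, $self) = @_;` in exec_backup does not match the call `$vzdump->exec_backup($rpcenv, $user)` shown in the API handler on this page. A method call passes the invocant first, so `$rpcenv` receives the VZDump object, `$authuser` the RPC environment and `$self` the user name, and `$self->{opts}` on the next line then dereferences a string. It should read `my ($self, $rpcenv, $authuser) = @_;`. As written, the two `$rpcenv->check($authuser, "/vms/$vmid", [ 'VM.Backup' ] ...)` calls added further down are never reached with the real RPC environment, and they are the only VM.Backup enforcement visible on this page. Any caller of exec_backup outside this page must also be updated to pass both arguments, and the body of exec_backup continues outside the hunks.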
......