[pve-devel] [PATCH-SERIES manager] backup permission improvements

[Fiona Ebner]

Am 05.04.23 um 09:43 schrieb Fiona Ebner:
> Am 16.11.22 um 15:04 schrieb Fiona Ebner:
>> Currently, suffenciently privileged users may edit a backup job, but
>> cannot run the very same job manually (via the vzdump API call). The
>> first patch addresses this by removing the root-only restriction from
>> retention and performance settings. Retention will require
>> Datastore.Allocate on the target storage, because it's essentially
>> removal of certain backups, while performance settings will require
>> Sys.Modify on / which is the permission required to edit backup jobs.
>>
>> The next three patches are for deletion of parameters when updating a
>> backup job. Allowing to only delete a setting (previously, update
>> would fail if no parameter was set) and adding a check for the delete
>> options.
>>
>> Patch 5/6 restricts backup editing by requiring that the user has
>> appropriate permissions on the job's storage (and eventual newly set
>> storage) as well as on the default 'local' storage when removing the
>> storage. Jobs with a dumpdir can only be edited by root. This is a
>> breaking API change, but requiring permission on the storage should
>> be sensible and allows for more flexible permission configurations.
>>
>> The last patch introduces a helper to have the "what's the storage"
>> logic in one place.
>>
> 
> Ping for the rest of the series, should still apply.
> 
> Just ran into the issue that 3/6 fixes with:
> pvesh set /cluster/backup/backup-4f2f3b87-0165 --delete script
> 
> Maybe we want to wait with 5/6 until to the next major release though.

Ping again, now that we're working towards the next major release :)