disk api: only ask for Datastore.Allocate if adding to storage config

The Proxmox VE storage systems doesn't cares at all if the
Datastore.Allocate privilege is present if no Proxmox VE storage will
be allocated.

Note, if we want to restrict this further as Sys.Modify on /, which
is already quite a powerful permission, we should probably add a new
one under the Sys. space, e.g., Sys.Disk.Use or the like.

This is a step in splitting the disk manage code out of the
pve-storage package, and maybe even repository

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/src/PVE/API2/Disks/Directory.pm b/src/PVE/API2/Disks/Directory.pm
index 5cddddb1e7a55acda29c575972875ace9ebc9957..099afae43092e95489006c4dc132580d8e31c95f 100644 (file)
--- a/src/PVE/API2/Disks/Directory.pm
+++ b/src/PVE/API2/Disks/Directory.pm
@@ -165,7 +165,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Create a Filesystem on an unused disk. Will be mounted under '/mnt/pve/NAME'.",
     parameters => {
@@ -221,6 +222,8 @@ __PACKAGE__->register_method ({
        my $verify_params = [qw(path)];
 
        if ($param->{add_storage}) {
+           $rpcenv->check($user, "/storage", ['Datastore.Allocate']);
+
            # reserve the name and add as disabled, will be enabled below if creation works out
            PVE::API2::Storage::Config->create_or_update(
                $name, $node, $storage_params, $verify_params, 1);
@@ -317,7 +320,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Unmounts the storage and removes the mount unit.",
     parameters => {
@@ -347,6 +351,8 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $user = $rpcenv->get_user();
 
+       $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'};
+
        my $name = $param->{name};
        my $node = $param->{node};
 

diff --git a/src/PVE/API2/Disks/LVM.pm b/src/PVE/API2/Disks/LVM.pm
index f0419f6c590d9aed518a03df4733005b9740b311..3c5bdfa11d032d7889594960ac1dd15d7a493d97 100644 (file)
--- a/src/PVE/API2/Disks/LVM.pm
+++ b/src/PVE/API2/Disks/LVM.pm
@@ -117,7 +117,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Create an LVM Volume Group",
     parameters => {
@@ -162,6 +163,8 @@ __PACKAGE__->register_method ({
        my $verify_params = [qw(vgname)];
 
        if ($param->{add_storage}) {
+           $rpcenv->check($user, "/storage", ['Datastore.Allocate']);
+
            # reserve the name and add as disabled, will be enabled below if creation works out
            PVE::API2::Storage::Config->create_or_update(
                $name, $node, $storage_params, $verify_params, 1);
@@ -199,7 +202,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Remove an LVM Volume Group.",
     parameters => {
@@ -229,6 +233,8 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $user = $rpcenv->get_user();
 
+       $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'};
+
        my $name = $param->{name};
        my $node = $param->{node};
 

diff --git a/src/PVE/API2/Disks/LVMThin.pm b/src/PVE/API2/Disks/LVMThin.pm
index bd6d47b0b6f9e37ee681a54c95d94038487c6434..f1c39577d3b4176879d57b459f54d7f7ed6ec94f 100644 (file)
--- a/src/PVE/API2/Disks/LVMThin.pm
+++ b/src/PVE/API2/Disks/LVMThin.pm
@@ -75,7 +75,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Create an LVM thinpool",
     parameters => {
@@ -120,6 +121,8 @@ __PACKAGE__->register_method ({
        my $verify_params = [qw(vgname thinpool)];
 
        if ($param->{add_storage}) {
+           $rpcenv->check($user, "/storage", ['Datastore.Allocate']);
+
            # reserve the name and add as disabled, will be enabled below if creation works out
            PVE::API2::Storage::Config->create_or_update(
                $name, $node, $storage_params, $verify_params, 1);
@@ -178,7 +181,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Remove an LVM thin pool.",
     parameters => {
@@ -209,6 +213,8 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $user = $rpcenv->get_user();
 
+       $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'};
+
        my $vg = $param->{'volume-group'};
        my $lv = $param->{name};
        my $node = $param->{node};

diff --git a/src/PVE/API2/Disks/ZFS.pm b/src/PVE/API2/Disks/ZFS.pm
index 6a4381c9f10094d5071ccc4dbac39fabfdc10f98..6fb6bd6bea0d179ade0a11fed76cb3e042e2b15a 100644 (file)
--- a/src/PVE/API2/Disks/ZFS.pm
+++ b/src/PVE/API2/Disks/ZFS.pm
@@ -300,7 +300,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Create a ZFS pool.",
     parameters => {
@@ -383,6 +384,8 @@ __PACKAGE__->register_method ({
        my $verify_params = [qw(pool)];
 
        if ($param->{add_storage}) {
+           $rpcenv->check($user, "/storage", ['Datastore.Allocate']);
+
            # reserve the name and add as disabled, will be enabled below if creation works out
            PVE::API2::Storage::Config->create_or_update(
                $name, $node, $storage_params, $verify_params, 1);
@@ -507,7 +510,8 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-       check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']],
+       description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'",
+       check => ['perm', '/', ['Sys.Modify']],
     },
     description => "Destroy a ZFS pool.",
     parameters => {
@@ -537,6 +541,8 @@ __PACKAGE__->register_method ({
        my $rpcenv = PVE::RPCEnvironment::get();
        my $user = $rpcenv->get_user();
 
+       $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'};
+
        my $name = $param->{name};
        my $node = $param->{node};