use crate::api2::types::*;
use crate::config::remote;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_REMOTE_AUDIT, PRIV_REMOTE_MODIFY};
#[api(
input: {
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, false),
},
)]
/// List all remotes
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_MODIFY, false),
},
)]
/// Create new remote.
type: remote::Remote,
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_AUDIT, false),
}
)]
/// Read remote configuration data.
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
},
)]
/// Update remote configuration.
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
},
)]
/// Remove a remote from the configuration file.
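Review bot: The list endpoint (L11) checks Remote.Audit on `/remote` with partial = `false`, while the read/update/delete endpoints are scoped to `/remote/{name}`; a user granted Remote.Audit only on a specific remote therefore cannot list remotes at all, even though they may read that remote's entry. If per-remote grants are meant to be usable from the list, the check would need the partial form, `permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, true),`, with the handler filtering the returned entries by the caller's per-remote privilege; otherwise a doc comment stating that listing requires the privilege on the root path would avoid surprise. The read endpoint returns `remote::Remote`; if that type carries the stored password, Audit-level privilege would expose it, so confirm the handler strips secrets before returning. The handler bodies are outside the hunk.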
use crate::client::*;
use crate::config::remote;
use crate::api2::types::*;
-use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ};
+use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_REMOTE_READ};
use crate::config::cached_user_info::CachedUserInfo;
// fixme: implement filters
access: {
// Note: used parameters are no uri parameters, so we need to test inside function body
description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}',
-and needs to own the backup group. Datastore.Read is required on '/remote/{remote}/{remote-store}'.
+and needs to own the backup group. Remote.Read is required on '/remote/{remote}/{remote-store}'.
"###,
permission: &Permission::Anybody,
},
let username = rpcenv.get_user().unwrap();
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?;
- user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
+ user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_REMOTE_READ, false)?;
let delete = delete.unwrap_or(true);
"Datastore.Audit",
"Datastore.Backup",
"Datastore.PowerUser",
+ "Remote.Admin",
+ "Remote.Audit",
+ "Remote.SyncOperator",
"NoAccess",
]))
.schema();
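Review bot: The three role-name literals added here duplicate the keys inserted into the role map in acl.rs (`"Remote.Audit"`, `"Remote.Admin"`, `"Remote.SyncOperator"`); the two lists must stay in lockstep, or the API schema would accept a role the ACL layer cannot resolve, or reject one it knows. A comment on the schema such as `// Keep in sync with the role map in config/acl.rs` would make the coupling visible, and deriving the enum from the map's keys would remove it. The enclosing schema definition starts outside the hunk.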
pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8;
+pub const PRIV_REMOTE_AUDIT: u64 = 1 << 9;
+pub const PRIV_REMOTE_MODIFY: u64 = 1 << 10;
+pub const PRIV_REMOTE_READ: u64 = 1 << 11;
+pub const PRIV_REMOTE_PRUNE: u64 = 1 << 12;
+
pub const ROLE_ADMIN: u64 = std::u64::MAX;
pub const ROLE_NO_ACCESS: u64 = 0;
pub const ROLE_DATASTORE_AUDIT: u64 =
PRIV_DATASTORE_AUDIT;
+/// Remote.Audit can audit the remote
+pub const ROLE_REMOTE_AUDIT: u64 =
+PRIV_REMOTE_AUDIT;
+
+/// Remote.Admin can do anything on the remote.
+pub const ROLE_REMOTE_ADMIN: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_MODIFY |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
+/// Remote.SyncOperator can do read and prune on the remote.
+pub const ROLE_REMOTE_SYNC_OPERATOR: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
lazy_static! {
"Datastore Auditor",
));
+ map.insert("Remote.Audit", (
+ ROLE_REMOTE_AUDIT,
+ "Remote Auditor",
+ ));
+ map.insert("Remote.Admin", (
+ ROLE_REMOTE_ADMIN,
+ "Remote Administrator",
+ ));
+ map.insert("Remote.SyncOperator", (
+ ROLE_REMOTE_SYNC_OPERATOR,
+ "Syncronisation Opertator",
+ ));
+
map
};
}
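Review bot: The user-facing description for the new SyncOperator role at L117 is misspelled, `"Syncronisation Opertator"`; it should read `"Synchronisation Operator"` to match the other role descriptions. The doc comment on `ROLE_REMOTE_SYNC_OPERATOR` (L97) says the role "can do read and prune", but the bit set also includes `PRIV_REMOTE_AUDIT`, so `/// Remote.SyncOperator can audit, read and prune on the remote.` would describe it accurately. `PRIV_REMOTE_PRUNE` is defined but no visible hunk checks it yet; presumably a later endpoint uses it, which is worth confirming so the bit does not stay unenforced.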