proxmox-mirrors/qemu-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/qemu-server synced 2025-05-02 17:20:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

suspend to disk: check more permissions

Browse Source 
only VM.PowerMgmt is not enough, since we allocate space on a storage,
so we need VM.Config.Disk on the vm and Datastore.AllocateSpace on the storage

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2019-12-09 15:26:59 +01:00 committed by Thomas Lamprecht
parent 66cebc4671
commit 75c24bba0a
2 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
PVE/API2/Qemu.pm
View File

@ -2387,6 +2387,9 @@ __PACKAGE__->register_method({
proxyto => 'node', proxyto => 'node',
description => "Suspend virtual machine.", description => "Suspend virtual machine.",
permissions => { permissions => {
description => "You need 'VM.PowerMgmt' on /vms/{vmid}, and if you have set 'todisk',".
" you need also 'VM.Config.Disk' on /vms/{vmid} and 'Datastore.AllocateSpace'".
" on the storage for the vmstate.",
check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]], check => ['perm', '/vms/{vmid}', [ 'VM.PowerMgmt' ]],
}, },
parameters => { parameters => {
@ -2435,6 +2438,20 @@ __PACKAGE__->register_method({
die "Cannot suspend HA managed VM to disk\n" die "Cannot suspend HA managed VM to disk\n"
if $todisk && PVE::HA::Config::vm_is_ha_managed($vmid); if $todisk && PVE::HA::Config::vm_is_ha_managed($vmid);
# early check for storage permission, for better user feedback
if ($todisk) {
$rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Disk']);
if (!$statestorage) {
# get statestorage from config if none is given
my $conf = PVE::QemuConfig->load_config($vmid);
my $storecfg = PVE::Storage::config();
$statestorage = PVE::QemuServer::find_vmstate_storage($conf, $storecfg);
}
$rpcenv->check($authuser, "/storage/$statestorage", ['Datastore.AllocateSpace']);
}
my $realcmd = sub { my $realcmd = sub {
my $upid = shift; my $upid = shift;

12
PVE/QemuServer.pm
View File

@ -5742,6 +5742,7 @@ sub vm_reboot {
}); });
} }
# note: if using the statestorage parameter, the caller has to check privileges
sub vm_suspend { sub vm_suspend {
my ($vmid, $skiplock, $includestate, $statestorage) = @_; my ($vmid, $skiplock, $includestate, $statestorage) = @_;
@ -5765,6 +5766,17 @@ sub vm_suspend {
$conf->{lock} = 'suspending'; $conf->{lock} = 'suspending';
my $date = strftime("%Y-%m-%d", localtime(time())); my $date = strftime("%Y-%m-%d", localtime(time()));
$storecfg = PVE::Storage::config(); $storecfg = PVE::Storage::config();
if (!$statestorage) {
$statestorage = find_vmstate_storage($conf, $storecfg);
# check permissions for the storage
my $rpcenv = PVE::RPCEnvironment::get();
if ($rpcenv->{type} ne 'cli') {
my $authuser = $rpcenv->get_user();
$rpcenv->check($authuser, "/storage/$statestorage", ['Datastore.AllocateSpace']);
}
}
$vmstate = PVE::QemuConfig->__snapshot_save_vmstate($vmid, $conf, "suspend-$date", $storecfg, $statestorage, 1); $vmstate = PVE::QemuConfig->__snapshot_save_vmstate($vmid, $conf, "suspend-$date", $storecfg, $statestorage, 1);
$path = PVE::Storage::path($storecfg, $vmstate); $path = PVE::Storage::path($storecfg, $vmstate);
PVE::QemuConfig->write_config($vmid, $conf); PVE::QemuConfig->write_config($vmid, $conf);