From 5d9d7ab536130473cc962d076f25d0d6b6d620f2 Mon Sep 17 00:00:00 2001
From: Philipp Storz
Date: Thu, 11 Mar 2021 15:25:04 +0100
Subject: [PATCH 1/5] systemtest bareos-acl: split up console config
---
.../console/bareos-acl-none.conf.in | 7 ++++++
.../console/bareos-acl-restricted.conf.in | 14 +++++++++++
.../console/bareos-acl-status-conf.conf.in | 7 ++++++
.../console/bareos-acl-status.conf.in | 8 +++++++
.../bareos-dir.d/console/bareos-acl.conf.in | 23 -------------------
5 files changed, 36 insertions(+), 23 deletions(-)
create mode 100644 systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in
create mode 100644 systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-restricted.conf.in
create mode 100644 systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in
create mode 100644 systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in
delete mode 100644 systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl.conf.in
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in
new file mode 100644
index 00000000000..f4011df5845
--- /dev/null
+++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in
@@ -0,0 +1,7 @@
+Console {
+ Name = bareos-acl-none
+ Description = "Restricted console used by tray-monitor to get the status of the director."
+ Password = "@dir_password@"
+ #CommandACL = status, .status
+ #JobACL = *all*
+}
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-restricted.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-restricted.conf.in
new file mode 100644
index 00000000000..9492f0a5530
--- /dev/null
+++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-restricted.conf.in
@@ -0,0 +1,14 @@
+Console {
+ Name = bareos-acl-restricted
+ Description = "Restricted console."
+ Password = "@dir_password@"
+ CommandACL = restore, cancel, enable, disable, estimate, exit, gui, help, list, llist, messages, memory, quit, release, reload, rerun, restore, run, show, status, time, version, wait, whoami
+ Job ACL = *all*
+ Schedule ACL = all
+ Catalog ACL = all
+ Pool ACL = all
+ Storage ACL = all
+ Client ACL = all
+ FileSet ACL = all
+ Where ACL = all
+}
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in
new file mode 100644
index 00000000000..8b0e8c1e4a8
--- /dev/null
+++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in
@@ -0,0 +1,7 @@
+Console {
+ Name = bareos-acl-status-conf
+ Description = "Restricted console used by tray-monitor to get the status of the director."
+ Password = "@dir_password@"
+ CommandACL = status, .status, configure
+ #JobACL = *all*
+}
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in
new file mode 100644
index 00000000000..bf513eda2e6
--- /dev/null
+++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in
@@ -0,0 +1,8 @@
+Console {
+ Name = bareos-acl-status
+ Description = "Restricted console used by tray-monitor to get the status of the director."
+ Password = "@dir_password@"
+ CommandACL = status, .status
+ #JobACL = *all*
+}
+
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl.conf.in
deleted file mode 100644
index f337b50dcb5..00000000000
--- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl.conf.in
+++ /dev/null
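Review bot: In bareos-acl-restricted.conf.in only `Job ACL` uses the `*all*` keyword, while `Schedule ACL`, `Catalog ACL`, `Pool ACL`, `Storage ACL`, `Client ACL`, `FileSet ACL` and `Where ACL` are set to plain `all`. As far as I know Bareos treats only `*all*` as the wildcard, so `all` would match just a resource literally named "all" and this console would be much narrower than the `Job ACL` line suggests. If that is what the test wants, a comment such as `# "all" is deliberately not the *all* wildcard` would make it clear; otherwise write e.g. `Client ACL = *all*`. `CommandACL` also lists `restore` twice, and the resource mixes the spellings `CommandACL` and `Job ACL`, which is worth making uniform.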
@@ -1,23 +0,0 @@
-Console {
- Name = bareos-acl-none
- Description = "Restricted console used by tray-monitor to get the status of the director."
- Password = "@dir_password@"
- #CommandACL = status, .status
- #JobACL = *all*
-}
-
-Console {
- Name = bareos-acl-status
- Description = "Restricted console used by tray-monitor to get the status of the director."
- Password = "@dir_password@"
- CommandACL = status, .status
- #JobACL = *all*
-}
-
-Console {
- Name = bareos-acl-status-conf
- Description = "Restricted console used by tray-monitor to get the status of the director."
- Password = "@dir_password@"
- CommandACL = status, .status, configure
- #JobACL = *all*
-}
From 24869da27899a51de301338e692e63347a01e3f2 Mon Sep 17 00:00:00 2001
From: Philipp Storz
Date: Thu, 11 Mar 2021 15:50:32 +0100
Subject: [PATCH 2/5] systemtest bareos-acl: added bconsole-acl-restricted.conf.in
---
.../etc/bareos/bconsole-acl-restricted.conf.in | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 systemtests/tests/bareos-acl/etc/bareos/bconsole-acl-restricted.conf.in
diff --git a/systemtests/tests/bareos-acl/etc/bareos/bconsole-acl-restricted.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bconsole-acl-restricted.conf.in
new file mode 100644
index 00000000000..5a3eb737d49
--- /dev/null
+++ b/systemtests/tests/bareos-acl/etc/bareos/bconsole-acl-restricted.conf.in
@@ -0,0 +1,16 @@
+#
+# Bareos User Agent (or Console) Configuration File
+#
+
+Director {
+ Name = @basename@-dir
+ DIRport = @dir_port@
+ Password = "@dir_password@"
+ Address = @hostname@
+}
+
+Console {
+ Name = bareos-acl-restricted
+ Password = "@dir_password@"
+ Director = @basename@-dir
+}
From 5f22dcee6e587b952f6c5905f599fd84207caa87 Mon Sep 17 00:00:00 2001
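Review bot: The named console `bareos-acl-restricted` in bconsole-acl-restricted.conf.in is given the same `Password = "@dir_password@"` as the `Director` block above it, so in this fixture the restricted credential and the director credential are one secret. An ACL test run with this file would then not easily notice if the session were authenticated under a different identity than the restricted console. A distinct value for the console, the way bareos-mon.conf.in uses `@mon_dir_password@`, would make a wrong identity fail at login instead. If sharing the password is deliberate for the test harness, a one-line comment above the `Console` block saying so would be enough.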
From: Alaa Eddine Elamri Date: Tue, 30 Mar 2021 09:48:31 +0100 Subject: [PATCH 3/5] systemtest bareos-acl: cleanup deleted descriptions and commented out directives --- .../etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in | 3 --- .../bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in | 2 -- .../etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in | 2 -- .../etc/bareos/bareos-dir.d/console/bareos-mon.conf.in | 1 - 4 files changed, 8 deletions(-) diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in index f4011df5845..aa69fd8e82a 100644 --- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in +++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-none.conf.in @@ -1,7 +1,4 @@ Console { Name = bareos-acl-none - Description = "Restricted console used by tray-monitor to get the status of the director." Password = "@dir_password@" - #CommandACL = status, .status - #JobACL = *all* } diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in index 8b0e8c1e4a8..67201ec12a2 100644 --- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in +++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status-conf.conf.in @@ -1,7 +1,5 @@ Console { Name = bareos-acl-status-conf - Description = "Restricted console used by tray-monitor to get the status of the director." Password = "@dir_password@" CommandACL = status, .status, configure - #JobACL = *all* } diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in index bf513eda2e6..6e8f4403895 100644 
--- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in +++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in @@ -1,8 +1,6 @@ Console { Name = bareos-acl-status - Description = "Restricted console used by tray-monitor to get the status of the director." Password = "@dir_password@" CommandACL = status, .status - #JobACL = *all* } diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in index d276adcb87d..a0a4679f5ac 100644 --- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in +++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in @@ -1,6 +1,5 @@ Console { Name = bareos-mon - Description = "Restricted console used by tray-monitor to get the status of the director." Password = "@mon_dir_password@" CommandACL = status, .status JobACL = *all* From d80bd67e063ece034d11f4e0c216c4f647e65dd3 Mon Sep 17 00:00:00 2001 From: Alaa Eddine Elamri Date: Fri, 12 Mar 2021 12:27:09 +0100 Subject: [PATCH 4/5] director: Fix messages bug in restricted mode Fixes #1329: If CommandACL limits any command, no messages can be read but "you have messages" is displayed. --- core/src/dird/ua_output.cc | 6 +++--- .../bareos/bareos-dir.d/console/bareos-acl-status.conf.in | 1 - 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/core/src/dird/ua_output.cc b/core/src/dird/ua_output.cc index 94c0263357c..c5b5693948c 100644 --- a/core/src/dird/ua_output.cc +++ b/core/src/dird/ua_output.cc 
@@ -3,7 +3,7 @@ Copyright (C) 2000-2012 Free Software Foundation Europe e.V. Copyright (C) 2011-2016 Planets Communications B.V. - Copyright (C) 2013-2020 Bareos GmbH & Co. KG + Copyright (C) 2013-2021 Bareos GmbH & Co. KG This program is Free Software; you can redistribute it and/or modify it under the terms of version three of the GNU Affero General Public @@ -1498,7 +1498,7 @@ void DoMessages(UaContext* ua, const char* cmd) bool DotMessagesCmd(UaContext* ua, const char* cmd) { - if (console_msg_pending && ua->AclNoRestrictions(Command_ACL) + if (console_msg_pending && ua->AclAccessOk(Command_ACL, cmd) && ua->auto_display_messages) { DoMessages(ua, cmd); } @@ -1507,7 +1507,7 @@ bool DotMessagesCmd(UaContext* ua, const char* cmd) bool MessagesCmd(UaContext* ua, const char* cmd) { - if (console_msg_pending && ua->AclNoRestrictions(Command_ACL)) { + if (console_msg_pending && ua->AclAccessOk(Command_ACL, cmd)) { DoMessages(ua, cmd); } else { ua->send->Decoration(_("You have no messages.\n")); diff --git a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in index 6e8f4403895..0d7a57d2458 100644 --- a/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in +++ b/systemtests/tests/bareos-acl/etc/bareos/bareos-dir.d/console/bareos-acl-status.conf.in @@ -3,4 +3,3 @@ Console { Password = "@dir_password@" CommandACL = status, .status } - From 0d0180b10fcf170a28ce592fd3f3f18897a64d19 Mon Sep 17 00:00:00 2001 From: Philipp Storz Date: Mon, 15 Mar 2021 13:08:52 +0100 Subject: [PATCH 5/5] update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eab2438cdb2..9ff86da6ef6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
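Review bot: In `MessagesCmd` the `else` branch still answers "You have no messages." when `AclAccessOk(Command_ACL, cmd)` fails, so a denied console gets the same reply as one with an empty queue, and `DotMessagesCmd` skips silently in the same case. Consider testing the ACL on its own before `console_msg_pending` so that a denial can be reported or logged separately, or add a comment such as `// denied consoles intentionally get the same reply as an empty queue`. Both checks also pass `cmd` through unchanged; the hunks do not show whether it holds the bare command name or the whole input line, and in the latter case `messages` followed by arguments might not match a `CommandACL` entry, which is worth confirming and stating in a comment. The series adds restricted console configs, but no test script that runs `messages` against them is visible on this page. Both function bodies continue outside the hunks.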
@@ -21,6 +21,7 @@ and since Bareos version 20 this project adheres to [Semantic Versioning](https: - fix volume-pruning to be reliable on all test platforms [PR #761] - fix memory leak in python module constants [PR #778] - fix systemtests: reduce the number of broken tests to two [PR #771] +- [Issue #1329]: If CommandACL limits any command, no messages can be read but "you have messages" is displayed. [PR #763] ### Added - systemtests for S3 functionalities (droplet, libcloud) now use https [PR #765]