Merge pull request #277 from fbergkemper/dev/fbergkemper/master/story…

…-3193-command-acl-plugin

fix controller plugin: CommandACLPlugin

docs/manuals/source/DeveloperGuide.rst

@@ -26,3 +26,4 @@ Developer Guide
    DeveloperGuide/directorConsole.rst
    DeveloperGuide/reservation.rst
    DeveloperGuide/jobexec.rst
+   DeveloperGuide/Webui.rst

docs/manuals/source/DeveloperGuide/Webui.rst

@@ -0,0 +1,24 @@
+
+.. _section-dev-webui:
+
+Webui
+=====
+
+.. _section-dev-webui-command-usage-in-modules:
+
+Command usage in modules and the according ACL requirements
+-----------------------------------------------------------
+
+
+Following is a table of bconsole commands and |webui| modules.
+Commands are either marked as required, optional or empty if not used by the module.
+
+Required commands are mandatory for proper module functionality and access to them should
+not be denied by :config:option:`dir/profile/CommandACL` settings.
+
+Access to commands marked as optional may be denied by :config:option:`dir/profile/CommandACL` settings.
+
+
+.. csv-filter::
+   :header-rows: 1
+   :file: ../../../../webui/module/Application/config/commands.csv

docs/manuals/source/IntroductionAndTutorial/BareosWebui.rst

@@ -4,7 +4,276 @@
 Bareos Webui
 ============
 
-This chapter addresses the usage of the |webui|.
+.. _section-webui-command-acl-requirements:
+
+Command ACL Requirements
+------------------------
+
+The following tables show which commands are required and optional for each
+module of the |webui|.
+
+Optional commands may be denied by :config:option:`dir/profile/CommandACL`
+settings to limit specific functionality. If you deny a required command,
+the module will not work.
+
+.. note::
+
+   The commands :bcommand:`.api`, :bcommand:`.help` and :bcommand:`use` are essential commands
+   and should never be denied by :config:option:`dir/profile/CommandACL` settings in your
+   :config:option:`dir/console` or :config:option:`dir/profile` resources.
+
+.. csv-filter:: Client Module
+   :header-rows: 1
+   :included_cols: 0,1
+   :exclude: {1: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Dashboard Module
+   :header-rows: 1
+   :included_cols: 0,3
+   :exclude: {3: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Director Module
+   :header-rows: 1
+   :included_cols: 0,4
+   :exclude: {4: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Fileset Module
+   :header-rows: 1
+   :included_cols: 0,5
+   :exclude: {5: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Job Module
+   :header-rows: 1
+   :included_cols: 0,6
+   :exclude: {6: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Volume/Media Module
+   :header-rows: 1
+   :included_cols: 0,7
+   :exclude: {7: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Pool Module
+   :header-rows: 1
+   :included_cols: 0,8
+   :exclude: {8: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Restore Module
+   :header-rows: 1
+   :included_cols: 0,9
+   :exclude: {9: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Schedule Module
+   :header-rows: 1
+   :included_cols: 0,10
+   :exclude: {10: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+.. csv-filter:: Storage Module
+   :header-rows: 1
+   :included_cols: 0,11
+   :exclude: {11: '-'}
+   :file: ../../../../webui/module/Application/config/commands.csv
+
+A complete overview of bconsole command usage in the |webui| can be found in
+the Developer Guide chapter ":ref:`section-dev-webui-command-usage-in-modules`".
+
+.. _section-webui-access-control-configuration:
+
+Access Control Configuration
+----------------------------
+
+Access Control is configured in :config:option:`dir/profile`,
+:config:option:`dir/console` or :config:option:`dir/user` resources.
+
+Below are some example profile resources that should serve you as guidance to
+configure access to certain elements of the |webui| to your needs and use cases.
+
+Full Access
+~~~~~~~~~~~
+
+No restrictions are given by :config:option:`dir/profile`,
+everything is allowed. This profile is included in the |webui| package.
+
+.. code-block:: cfg
+   :caption: Profile Resource - Administrator Access Example
+
+   Profile {
+      Name = "webui-admin"
+      CommandACL = *all*
+      JobACL = *all*
+      ScheduleACL = *all*
+      CatalogACL = *all*
+      PoolACL = *all*
+      StorageACL = *all*
+      ClientACL = *all*
+      FilesetACL = *all*
+      WhereACL = *all*
+   }
+
+Limited Access
+~~~~~~~~~~~~~~~
+
+Users with the following profile example have limited access to various resources
+but they are allowed to :bcommand:`run`, :bcommand:`rerun` and :bcommand:`cancel`
+the jobs :strong:`backup-bareos-fd` and :strong:`backup-example-fd`.
+
+.. note::
+
+   Access to depending resources for the jobs set in the
+   :config:option:`dir/profile/JobACL` needs also be given by
+   :config:option:`dir/profile/ClientACL`,
+   :config:option:`dir/profile/PoolACL`,
+   :config:option:`dir/profile/StorageACL` and
+   :config:option:`dir/profile/FilesetACL` settings.
+
+Users of this profile are also able to do a restore from within the |webui| by
+having access to the RestoreFiles job resource, the required Bvfs API commands
+and the :bcommand:`restore` command itself.
+
+.. code-block:: cfg
+   :caption: Profile Resource - Limited Access Example
+
+   Profile {
+      Name = "webui-user"
+      # Multiple CommandACL directives as given below are concatenated
+      CommandACL = .api, .help, use, version, status, show
+      CommandACL = list, llist
+      CommandACL = run, rerun, cancel, restore
+      CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
+      CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
+      CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
+      JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
+      ScheduleACL = WeeklyCycle
+      CatalogACL = MyCatalog
+      PoolACL = Full, Differential, Incremental
+      StorageACL = File
+      ClientACL = bareos-fd, example-fd
+      FilesetACL = SelfTest, example-fileset
+      WhereACL = *all*
+   }
+
+Read-Only Access
+~~~~~~~~~~~~~~~~
+
+This example profile resource denies access to most of the commands and
+additionally restricts access to certain other resources like
+:config:option:`dir/Job`, :config:option:`dir/Schedule`,
+:config:option:`dir/Pool`, :config:option:`dir/Storage`,
+:config:option:`dir/Client`, :config:option:`dir/Fileset`, etc.
+
+Users of this profile would not be able to run or restore jobs, execute volume
+and autochanger related operations, enable or disable resources besides other
+restrictions.
+
+.. code-block:: cfg
+   :caption: Profile Resource - Read-Only Access Example 1
+
+   Profile {
+     Name = "webui-user-readonly-example-1"
+
+     # Deny general command access
+     CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
+     CommandACL = !create, !update, !delete, !disable, !enable
+     CommandACL = !show, !status
+
+     # Deny job related command access
+     CommandACL = !run, !rerun, !restore, !cancel
+
+     # Deny autochanger related command access
+     CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount
+
+     # Deny media/volume related command access
+     CommandACL = !add, !label, !relabel, !truncate
+
+     # Deny SQL related command access
+     CommandACL = !sqlquery, !query, !.sql
+
+     # Deny debugging related command access
+     CommandACL = !setdebug, !trace
+
+     # Deny network related command access
+     CommandACL = !setbandwidth, !setip, !resolve
+
+     # Allow non-excluded command access
+     CommandACL = *all*
+
+     # Allow access to the following job resources
+     Job ACL = backup-bareos-fd, RestoreFiles
+
+     # Allow access to the following schedule resources
+     Schedule ACL = WeeklyCycle
+
+     # Allow access to the following catalog resources
+     Catalog ACL = MyCatalog
+
+     # Deny access to the following pool resources
+     Pool ACL = !Scratch
+
+     # Allow access to non-excluded pool resources
+     Pool ACL = *all*
+
+     # Allow access to the following storage resources
+     Storage ACL = File
+
+     # Allow access to the following client resources
+     Client ACL = bareos-fd
+
+     # Allow access to the following filset resources
+     FileSet ACL = SelfTest
+
+     # Allow access to restore to any filesystem location
+     Where ACL = *all*
+   }
+
+Alternatively the example above can be configured as following if you prefer a
+shorter version.
+
+.. code-block:: cfg
+   :caption: Profile Resource - Read-Only Access Example 2
+
+   Profile {
+     Name = "webui-user-readonly-example-2"
+
+     # Allow access to the following commands
+     CommandACL = .api, .help, use, version, status
+     CommandACL = list, llist
+     CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
+     CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore
+
+     # Allow access to the following job resources
+     Job ACL = backup-bareos-fd, RestoreFiles
+
+     # Allow access to the following schedule resources
+     Schedule ACL = WeeklyCycle
+
+     # Allow access to the following catalog resources
+     Catalog ACL = MyCatalog
+
+     # Allow access to the following  pool resources
+     Pool ACL = Full, Differential, Incremental
+
+     # Allow access to the following storage resources
+     Storage ACL = File
+
+     # Allow access to the following client resources
+     Client ACL = bareos-fd
+
+     # Allow access to the following filset resources
+     FileSet ACL = SelfTest
+
+     # Allow access to restore to any filesystem location
+     Where ACL = *all*
+   }
+
+For more details, please read :ref:`DirectorResourceProfile`.
 
 .. _section-webui-restore:
 

docs/manuals/source/IntroductionAndTutorial/InstallingBareosWebui.rst

@@ -15,9 +15,6 @@ Since :sinceVersion:`15.2.0: bareos-webui` |webui| is part of the Bareos project
 .. image:: /include/images/bareos-webui-jobs.*
    :width: 80.0%
 
-
-
-
 Features
 --------
 
@@ -227,7 +224,7 @@ This is the default profile, giving access to all Bareos resources and allowing
 
 The :config:option:`Dir/Profile`\  itself does not give any access to the |dir|, but can be used by :config:option:`Dir/Console`\ , which do give access to the |dir|, see :ref:`section-webui-console`.
 
-For details, please read :ref:`DirectorResourceProfile`.
+For details, please read :ref:`section-webui-access-control-configuration` and :ref:`DirectorResourceProfile`.
 
 .. _section-webui-selinux:
 

docs/manuals/source/conf.py

@@ -81,6 +81,7 @@
     'sphinxcontrib.nwdiag',
     'sphinxcontrib.plantuml',
     'sphinxcontrib.seqdiag',
+    'crate.sphinx.csv'
 ]
 
 #    'limitation',
@@ -214,7 +215,6 @@
     ]
 }
 
-
 # -- Options for HTMLHelp output ------------------------------------------
 
 # Output file base name for HTML help builder.

webui/CMakeLists.txt

@@ -111,6 +111,8 @@ IF(NOT client-only)
 
   INSTALL(FILES install/bareos/bareos-dir.d/console/admin.conf.example DESTINATION ${confdir}/bareos-dir.d/console/)
   INSTALL(FILES install/bareos/bareos-dir.d/profile/webui-admin.conf DESTINATION ${confdir}/bareos-dir.d/profile/)
+  INSTALL(FILES install/bareos/bareos-dir.d/profile/webui-limited.conf.example DESTINATION ${confdir}/bareos-dir.d/profile/)
+  INSTALL(FILES install/bareos/bareos-dir.d/profile/webui-readonly.conf DESTINATION ${confdir}/bareos-dir.d/profile/)
   INSTALL(FILES install/apache/bareos-webui.conf DESTINATION ${HTTPD_CONF}/)
 
   INSTALL(FILES install/directors.ini DESTINATION ${webuiconfdir})

webui/config/application.config.php

@@ -25,7 +25,6 @@
 
 $env = getenv('APPLICATION_ENV') ?: 'production';
 
-// Use the $env value to dtermine which module to load
 $modules = array(
    'Application',
    'Dashboard',
@@ -39,9 +38,10 @@
    'Job',
    'Restore',
    'Auth',
+   'Console',
 );
 
-
+// Use the $env value to determine which module to load
 if($env == 'development') {
    //$modules[] = 'ZendDeveloperTools';  // you may comment only this line out if ZendDeveloperTools are not installed e.g.
    ini_set('error_reporting', E_ALL);

webui/install/bareos/bareos-dir.d/profile/webui-limited.conf.example

@@ -0,0 +1,23 @@
+#
+# bareos-webui profile resource example: limited access
+#
+
+Profile {
+   Name = "webui-limited"
+   # Multiple CommandACL directives as given below are concatenated
+   CommandACL = .api, .help, use, version, status, show
+   CommandACL = list, llist
+   CommandACL = run, rerun, cancel, restore
+   CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
+   CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
+   CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
+
+   JobACL = backup-bareos-fd, RestoreFiles
+   ScheduleACL = WeeklyCycle
+   CatalogACL = MyCatalog
+   PoolACL = Full, Differential, Incremental
+   StorageACL = File
+   ClientACL = bareos-fd
+   FilesetACL = SelfTest
+   WhereACL = *all*
+}