Prevent unsafe uses of forget --keep-tag
#4764
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`--keep-tag invalid-tag` was previously able to wipe all snapshots in a repository. As a user specified a `--keep-*` option this is likely unintentional. This forbid deleting all snapshot if a `--keep-*` option was specified to prevent data loss. (Not specifying such an option currently also causes the command to abort)
To prevent accidentally wiping all snapshots from a repository, that option can only be used if either a snapshot filter or a keep policy is specified. Essentially, the option allows `forget --tag something --unsafe-allow-remove-all` calls to remove all snapshots with a specific tag.
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR change? What problem does it solve?
Currently it is possible to accidentally remove all snapshots using e.g.
forget --keep-tag invalidwhereinvalidis a not existing tag. This is particularly problematic when making typos in the tag name.This PR changes the behavior as follows:
--keep-tag xwere to cause all snapshots in a snapshot group to be removed, thenforgetwill fail with an errorforgetfails with an error if no keep policy was specified instead of just printing a warning--unsafe-allow-remove-alloption. To use the--unsafe-allow-remove-alloption a snapshot filter (host, path or tag) must be specified.forget --tag x --unsafe-allow-remove-allcan for example be used to remove all snapshots with a specific tag.This is slightly more restrictive than my suggestion in #4568 (review) . That also allowed
forget --keep-tag invalid --unsafe-allow-remove-all(deletes the whole repository as is currently the case) which won't be allowed in the current version of the PR. It also blocksforget --keep-tag some --unsafe-allow-remove-allwheresomeis a tag only used by some snapshot groups. The latter might be relevant for some use cases, although I'm not sure what those would look like.I'll likely also split this PR into two parts, one to fix the
--keep-tagbug and one to add the--unsafe-allow-remove-alloption.Was the change previously discussed in an issue or on the forum?
Replaces #4568
Fixes #4569
See also https://forum.restic.net/t/delete-all-snapshots-in-one-command-is-this-feature-intentional/6923/3
Checklist
changelog/unreleased/that describes the changes for our users (see template).gofmton the code in all commits.