[pve-devel] [PATCH access-control 07/13] ticket: use clinfo to get cluster name

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Nov 8 12:41:25 CET 2019


On 11/6/19 1:36 PM, Fabian Grünbichler wrote:
> instead of parsing corosync.conf, and avoid coupling the access-control
> API with PVE::Corosync. if corosync.conf and pmxcfs don't agree on how
> the cluster is called, there is a bigger issue anyway..

hmm, but that's really not an excuse? Exactly at the time when I have
issues in my physical datacenter I may want to be sure to operate on
a node of the correct cluster. Or find out what cluster has issues when
logging in.. IIRC, I explicitly used the corosync one as this was not
an issue with that.. I mean, that one may naturally be wrecked too,
but that needs manual intervention while a non-quorate situation is
more likely.. 

But I tested this to see what happens with your patch. So quorum losses
are not an issue in itself, the clinfo is still kept there, after a pmxcfs
restart with still staying unquorate the info will be lost though, but
that's an acceptable trade-off IMO, so applied!

> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  PVE/API2/AccessControl.pm | 15 +++------------
>  1 file changed, 3 insertions(+), 12 deletions(-)
> 
> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
> index 6d0ea82..c2324e8 100644
> --- a/PVE/API2/AccessControl.pm
> +++ b/PVE/API2/AccessControl.pm
> @@ -10,7 +10,6 @@ use PVE::Exception qw(raise raise_perm_exc);
>  use PVE::SafeSyslog;
>  use PVE::RPCEnvironment;
>  use PVE::Cluster qw(cfs_read_file);
> -use PVE::Corosync;
>  use PVE::RESTHandler;
>  use PVE::AccessControl;
>  use PVE::JSONSchema qw(get_standard_option);
> @@ -314,17 +313,9 @@ __PACKAGE__->register_method ({
>  	$res->{cap} = &$compute_api_permission($rpcenv, $username)
>  	    if !defined($res->{NeedTFA});
>  
> -	if (PVE::Corosync::check_conf_exists(1)) {
> -	    if ($rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
> -		eval {
> -		    my $conf = cfs_read_file('corosync.conf');
> -		    my $totem = PVE::Corosync::totem_config($conf);
> -		    if ($totem->{cluster_name}) {
> -			$res->{clustername} = $totem->{cluster_name};
> -		    }
> -		};
> -		warn "$@\n" if $@;
> -	    }
> +	my $clinfo = PVE::Cluster::get_clinfo();
> +	if ($clinfo->{cluster}->{name} && $rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
> +	    $res->{clustername} = $clinfo->{cluster}->{name};
>  	}
>  
>  	PVE::Cluster::log_msg('info', 'root at pam', "successful auth for user '$username'");
> 
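Review bot: the new block starting at `my $clinfo = PVE::Cluster::get_clinfo();` drops the eval/warn wrapper that guarded the removed corosync.conf lookup, so if get_clinfo() can die, the error would now propagate out of this handler instead of only leaving clustername unset. Either confirm that it cannot die or keep the call inside an eval. The condition also reads `$clinfo->{cluster}->{name}` before `$rpcenv->check($username, '/', ['Sys.Audit'], 1)` runs. Testing the permission first would skip the lookup for users who are not shown the name anyway. A short code comment that the name now comes from pmxcfs state rather than corosync.conf, and can therefore be absent after a pmxcfs restart without quorum (the case described in the reply above), would document the trade-off for later readers.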
