[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Apr 6 13:39:47 CEST 2020


On 4/6/20 1:31 PM, Dominik Csapak wrote:
> this can be used to test the resulting config before actually changing
> anything

I mean we print all actions out already, I explicitly changed the task log
to avoid printing "delete user" if it would be re-added again, so my idea
for the dry run was to just omit the cfs write and print a note about the
sync being a dry run one at the end?

You do not get extra information when printing everything, or?
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
>  1 file changed, 46 insertions(+), 4 deletions(-)
> 
> diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
> index b42d4f6..1a5700e 100644
> --- a/PVE/API2/Domains.pm
> +++ b/PVE/API2/Domains.pm
> @@ -341,6 +341,33 @@ my $update_groups = sub {
>      }
>  };
>  
> +my $print_users_and_groups = sub {
> +    my ($config, $realm, $scope) = @_;
> +
> +    my $tmp_config = {
> +	users => {},
> +	groups => {},
> +    };
> +
> +    if ($scope eq 'users' || $scope eq 'both') {
> +	foreach my $userid (sort keys %{$config->{users}}) {
> +	    next if $userid !~ m/\@$realm$/;
> +	    $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
> +	}
> +    }
> +    if ($scope eq 'groups' || $scope eq 'both') {
> +	foreach my $groupid (sort keys %{$config->{groups}}) {
> +	    next if $groupid !~ m/-$realm$/;
> +	    $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
> +	}
> +    }
> +
> +    my $res = PVE::AccessControl::write_user_config("", $tmp_config);
> +    $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
> +    $res =~ s/^\n+//m; # remove preceding empty lines
> +    print $res;
> +};
> +
>  my $parse_sync_opts = sub {
>      my ($param, $realmconfig) = @_;
>  
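Review bot: `$realm` is interpolated unquoted into the two filter patterns (`m/\@$realm$/` and `m/-$realm$/`), so any regex metacharacter a realm name may contain, a `.` for instance, acts as a pattern and entries of a similarly named realm can slip into the dry-run output. Quoting keeps the match literal: `next if $userid !~ m/\@\Q$realm\E$/;` and `next if $groupid !~ m/-\Q$realm\E$/;`. The two clean-up substitutions also carry `/m`, under which `^` and `$` match at every line boundary, so they can remove an interior blank line instead of only leading or trailing ones; dropping `/m` and anchoring with `\A` and `\z` would match what the comments say. Which characters a realm name allows is not visible in this hunk, so the first point should be checked against the realm format.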
> @@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
>  	additionalProperties => 0,
>  	properties => get_standard_option('realm-sync-options', {
>  	    realm => get_standard_option('realm'),
> -	})
> +	    'no-write' => {
> +		description => "If set, does not write anything.",
> +		type => 'boolean',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	}),
>      },
>      returns => {
>  	description => 'Worker Task-UPID',
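Review bot: The `no-write` description, "If set, does not write anything.", does not tell an API user what the call does instead. Going by the later hunk of this patch, the sync still runs and the resulting user/group lines are printed to the task log, so something like `description => "Dry run: perform the sync but only print the resulting user/group config to the task log instead of writing user.cfg.",` would document that. The enclosing register_method call starts and ends outside this hunk.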
> @@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
>  	my $rpcenv = PVE::RPCEnvironment::get();
>  	my $authuser = $rpcenv->get_user();
>  
> +	my $write = !(extract_param($param, 'no-write'));
> +
>  	my $realm = $param->{realm};
>  	my $cfg = cfs_read_file($domainconfigfile);
>  	my $realmconfig = $cfg->{ids}->{$realm};
> @@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
>  		    $update_groups->($usercfg, $realm, $synced_groups, $opts);
>  		}
>  
> -		cfs_write_file("user.cfg", $usercfg);
> -		print "successfully updated $whatstring configuration\n";
> +		cfs_write_file("user.cfg", $usercfg) if $write;
> +		print "successfully updated $whatstring configuration\n" if $write;
> +		if (!$write) {
> +		    print "\nresulting user/group config lines:\n";
> +		    print "-----------\n";
> +		    $print_users_and_groups->($usercfg, $realm, $scope);
> +		    print "-----------\n";
> +		}
>  	    }, "syncing $whatstring failed");
>  	};
>  
> -	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
> +	my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
> +	return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
>      }});
>  
>  1;
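Review bot: In the `!$write` branch the complete serialised user and group entries of the realm are printed into the task log, so whatever `write_user_config` emits per user becomes readable by anyone allowed to view that task. It is worth confirming that none of those fields is more sensitive than what the existing per-action log output already shows, and that the task-log audience is one that may also read user.cfg; neither is visible from this hunk. Separately, the two postfix `if $write` statements followed by `if (!$write)` would read more clearly as a single `if ($write) { ... } else { ... }`. The handler body starts outside this hunk.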
> 




