[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Apr 6 13:39:47 CEST 2020
On 4/6/20 1:31 PM, Dominik Csapak wrote:
> this can be used to test the resulting config before actually changing
> anything
I mean we print all actions out already, I explicitly changed the task log
to avoid printing "delete user" if it would be re-added again, so my idea
for the dry run was to just omit the cfs write and print a note about the
sync being a dry run at the end?
You do not get extra information when printing everything, do you?
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
> 1 file changed, 46 insertions(+), 4 deletions(-)
>
> diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
> index b42d4f6..1a5700e 100644
> --- a/PVE/API2/Domains.pm
> +++ b/PVE/API2/Domains.pm
> @@ -341,6 +341,33 @@ my $update_groups = sub {
> }
> };
>
> +my $print_users_and_groups = sub {
> + my ($config, $realm, $scope) = @_;
> +
> + my $tmp_config = {
> + users => {},
> + groups => {},
> + };
> +
> + if ($scope eq 'users' || $scope eq 'both') {
> + foreach my $userid (sort keys %{$config->{users}}) {
> + next if $userid !~ m/\@$realm$/;
> + $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
> + }
> + }
> + if ($scope eq 'groups' || $scope eq 'both') {
> + foreach my $groupid (sort keys %{$config->{groups}}) {
> + next if $groupid !~ m/-$realm$/;
> + $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
> + }
> + }
> +
> + my $res = PVE::AccessControl::write_user_config("", $tmp_config);
> + $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
> + $res =~ s/^\n+//m; # remove preceding empty lines
> + print $res;
> +};
> +
> my $parse_sync_opts = sub {
> my ($param, $realmconfig) = @_;
>
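Review bot: Both filters in `$print_users_and_groups` interpolate `$realm` into the pattern unescaped, so any regex metacharacter in a realm id (a `.`, if the realm format allows one) is treated as a pattern rather than a literal. The dry-run listing could then include users or groups from a different realm whose name happens to match. Quoting the value keeps the match literal: `next if $userid !~ m/\@\Q$realm\E$/;` and `next if $groupid !~ m/-\Q$realm\E$/;`. Separately, the `/m` on the two trimming substitutions lets `$` and `^` match at inner line boundaries; `\z` and `\A` without `/m` would state the "leading/trailing only" intent exactly. The helper is complete within the hunk, while `$parse_sync_opts` at the end continues outside it.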
> @@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
> additionalProperties => 0,
> properties => get_standard_option('realm-sync-options', {
> realm => get_standard_option('realm'),
> - })
> + 'no-write' => {
> + description => "If set, does not write anything.",
> + type => 'boolean',
> + optional => 1,
> + default => 0,
> + },
> + }),
> },
> returns => {
> description => 'Worker Task-UPID',
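Review bot: The `no-write` description says only what is skipped, while the later hunk shows that the call still runs the sync in a worker and prints the resulting entries to the task log. An API consumer reading the schema should be able to tell that this is a dry run that still produces output, for example `description => "If set, run the sync as a dry run: user.cfg is not written and the resulting user/group entries are printed to the task log.",`. The surrounding `register_method` call starts and ends outside this hunk.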
> @@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
> my $rpcenv = PVE::RPCEnvironment::get();
> my $authuser = $rpcenv->get_user();
>
> + my $write = !(extract_param($param, 'no-write'));
> +
> my $realm = $param->{realm};
> my $cfg = cfs_read_file($domainconfigfile);
> my $realmconfig = $cfg->{ids}->{$realm};
> @@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
> $update_groups->($usercfg, $realm, $synced_groups, $opts);
> }
>
> - cfs_write_file("user.cfg", $usercfg);
> - print "successfully updated $whatstring configuration\n";
> + cfs_write_file("user.cfg", $usercfg) if $write;
> + print "successfully updated $whatstring configuration\n" if $write;
> + if (!$write) {
> + print "\nresulting user/group config lines:\n";
> + print "-----------\n";
> + $print_users_and_groups->($usercfg, $realm, $scope);
> + print "-----------\n";
> + }
> }, "syncing $whatstring failed");
> };
>
> - return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
> + my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
> + return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
> }});
>
> 1;
>
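Review bot: In the `!$write` branch the complete serialised user and group entries for the realm are copied into the task log, which is stored and read separately from user.cfg. The hunk does not show which per-user fields `write_user_config` emits, so it is worth confirming that nothing ends up there that task-log readers should not see, or printing only the ids and changed attributes. The three separate tests of `$write` would also read more clearly as one `if ($write) { ... } else { ... }`, which keeps the write and its success message together. The worker sub and the enclosing API handler begin outside this hunk, so whether the dry run still holds the user-config lock while it runs cannot be seen here.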