[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter

Dominik Csapak d.csapak at proxmox.com
Mon Apr 6 13:54:46 CEST 2020



On 4/6/20 1:39 PM, Thomas Lamprecht wrote:
> On 4/6/20 1:31 PM, Dominik Csapak wrote:
>> this can be used to test the resulting config before actually changing
>> anything
> 
> I mean we print all action out already, I explicitly changed the task log
> to avoid printing "delete user" if it would be re-added again, so my idea
> for the dry run was to just omit the cfs write and print a note about the
> sync being a dry run one at the end?
> 
> You do not get extra information when printing everything, or?

well yes actually, you can see the information about the properties
which you could not before (e.g. a user's email, etc.)
we could of course simply print all properties, but i found this
approach a little better, since an admin can now see what would really
get written out to the config

>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>>   PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
>>   1 file changed, 46 insertions(+), 4 deletions(-)
>>
>> diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
>> index b42d4f6..1a5700e 100644
>> --- a/PVE/API2/Domains.pm
>> +++ b/PVE/API2/Domains.pm
>> @@ -341,6 +341,33 @@ my $update_groups = sub {
>>       }
>>   };
>>   
>> +my $print_users_and_groups = sub {
>> +    my ($config, $realm, $scope) = @_;
>> +
>> +    my $tmp_config = {
>> +	users => {},
>> +	groups => {},
>> +    };
>> +
>> +    if ($scope eq 'users' || $scope eq 'both') {
>> +	foreach my $userid (sort keys %{$config->{users}}) {
>> +	    next if $userid !~ m/\@$realm$/;
>> +	    $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
>> +	}
>> +    }
>> +    if ($scope eq 'groups' || $scope eq 'both') {
>> +	foreach my $groupid (sort keys %{$config->{groups}}) {
>> +	    next if $groupid !~ m/-$realm$/;
>> +	    $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
>> +	}
>> +    }
>> +
>> +    my $res = PVE::AccessControl::write_user_config("", $tmp_config);
>> +    $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
>> +    $res =~ s/^\n+//m; # remove preceding empty lines
>> +    print $res;
>> +};
>> +
>>   my $parse_sync_opts = sub {
>>       my ($param, $realmconfig) = @_;
>>   
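Review bot: `$realm` is interpolated unquoted into both filter patterns, `m/\@$realm$/` and `m/-$realm$/`, so any regex metacharacter in a realm name (a `.`, if realm ids allow one) matches more than the literal realm, and entries from another realm can end up in the dry-run output. Quoting and anchoring keeps the filter literal: `next if $userid !~ m/\@\Q$realm\E\z/;` and `next if $groupid !~ m/-\Q$realm\E\z/;`. The two cleanup substitutions also carry `/m`, under which `^` and `$` match at every line boundary, so `s/^\n+//m` can remove the first blank line inside the output instead of only leading ones. `s/\A\n+//` and `s/\n{2,}\z/\n/` do what the comments describe.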
>> @@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
>>   	additionalProperties => 0,
>>   	properties => get_standard_option('realm-sync-options', {
>>   	    realm => get_standard_option('realm'),
>> -	})
>> +	    'no-write' => {
>> +		description => "If set, does not write anything.",
>> +		type => 'boolean',
>> +		optional => 1,
>> +		default => 0,
>> +	    },
>> +	}),
>>       },
>>       returns => {
>>   	description => 'Worker Task-UPID',
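Review bot: The description `"If set, does not write anything."` does not tell an API user what the call does instead. The worker later in this patch prints the resulting user/group lines when the flag is set, so something like `description => "If set, user.cfg is not written; the resulting user and group entries are only printed to the task log.",` would document the actual behaviour. The method definition starts and ends outside this hunk.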
>> @@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
>>   	my $rpcenv = PVE::RPCEnvironment::get();
>>   	my $authuser = $rpcenv->get_user();
>>   
>> +	my $write = !(extract_param($param, 'no-write'));
>> +
>>   	my $realm = $param->{realm};
>>   	my $cfg = cfs_read_file($domainconfigfile);
>>   	my $realmconfig = $cfg->{ids}->{$realm};
>> @@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
>>   		    $update_groups->($usercfg, $realm, $synced_groups, $opts);
>>   		}
>>   
>> -		cfs_write_file("user.cfg", $usercfg);
>> -		print "successfully updated $whatstring configuration\n";
>> +		cfs_write_file("user.cfg", $usercfg) if $write;
>> +		print "successfully updated $whatstring configuration\n" if $write;
>> +		if (!$write) {
>> +		    print "\nresulting user/group config lines:\n";
>> +		    print "-----------\n";
>> +		    $print_users_and_groups->($usercfg, $realm, $scope);
>> +		    print "-----------\n";
>> +		}
>>   	    }, "syncing $whatstring failed");
>>   	};
>>   
>> -	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
>> +	my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
>> +	return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
>>       }});
>>   
>>   1;
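Review bot: In the dry-run branch the complete serialized entries for the realm are printed into the task log, which according to the reply above includes properties such as e-mail addresses that the normal sync log does not show. Whoever can read this task's log may not be the same audience that can read user.cfg, so it is worth checking that the permissions on this call and on the task log line up, and recording it in a comment above the block, e.g. `# dry run: prints full user.cfg lines into the task log, readable by anyone who can view this task`. As a style point, the two postfix `if $write` statements followed by `if (!$write)` read more clearly as a single `if ($write) { ... } else { ... }`. The worker closure starts outside this hunk.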
>>
> 



