[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter
Dominik Csapak
d.csapak at proxmox.com
Mon Apr 6 13:54:46 CEST 2020
On 4/6/20 1:39 PM, Thomas Lamprecht wrote:
> On 4/6/20 1:31 PM, Dominik Csapak wrote:
>> this can be used to test the resulting config before actually changing
>> anything
>
> I mean we print all actions out already, I explicitly changed the task log
> to avoid printing "delete user" if it would be re-added again, so my idea
> for the dry run was to just omit the cfs write and print a note about the
> sync being a dry-run one at the end?
>
> You do not get extra information when printing everything, or?
well yes actually, you can see the information about the properties
which you could not before (e.g. a user's email, etc.)
we could of course simply print all properties, but i found this
approach a little better, since an admin can now see what would really
get written out to the config
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>> PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
>> 1 file changed, 46 insertions(+), 4 deletions(-)
>>
>> diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
>> index b42d4f6..1a5700e 100644
>> --- a/PVE/API2/Domains.pm
>> +++ b/PVE/API2/Domains.pm
>> @@ -341,6 +341,33 @@ my $update_groups = sub {
>> }
>> };
>>
>> +my $print_users_and_groups = sub {
>> + my ($config, $realm, $scope) = @_;
>> +
>> + my $tmp_config = {
>> + users => {},
>> + groups => {},
>> + };
>> +
>> + if ($scope eq 'users' || $scope eq 'both') {
>> + foreach my $userid (sort keys %{$config->{users}}) {
>> + next if $userid !~ m/\@$realm$/;
>> + $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
>> + }
>> + }
>> + if ($scope eq 'groups' || $scope eq 'both') {
>> + foreach my $groupid (sort keys %{$config->{groups}}) {
>> + next if $groupid !~ m/-$realm$/;
>> + $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
>> + }
>> + }
>> +
>> + my $res = PVE::AccessControl::write_user_config("", $tmp_config);
>> + $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
>> + $res =~ s/^\n+//m; # remove preceding empty lines
>> + print $res;
>> +};
>> +
>> my $parse_sync_opts = sub {
>> my ($param, $realmconfig) = @_;
>>
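Review bot: Both filters interpolate `$realm` into the pattern unescaped (`m/\@$realm$/`, `m/-$realm$/`), so a metacharacter in the realm name, a `.` for example, is matched as a wildcard and the dry-run dump can list users or groups that belong to another realm. Quote and anchor the name: `next if $userid !~ m/\@\Q$realm\E\z/;` and `next if $groupid !~ m/-\Q$realm\E\z/;`. The `/m` on `s/^\n+//m` also lets `^` match after any newline, so when `$res` has no leading blank line the first blank line in the middle is removed instead; `\A` without `/m` does what the comment says.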
>> @@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
>> additionalProperties => 0,
>> properties => get_standard_option('realm-sync-options', {
>> realm => get_standard_option('realm'),
>> - })
>> + 'no-write' => {
>> + description => "If set, does not write anything.",
>> + type => 'boolean',
>> + optional => 1,
>> + default => 0,
>> + },
>> + }),
>> },
>> returns => {
>> description => 'Worker Task-UPID',
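Review bot: The `no-write` description says only what is skipped, not what the call does instead; with the flag set the worker prints the resulting user and group entries, including their properties, to the task log. That belongs in the schema text so an administrator knows what ends up in the log, for example `description => "If set, does not write anything, but prints the resulting user/group config lines to the task log.",`.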
>> @@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
>> my $rpcenv = PVE::RPCEnvironment::get();
>> my $authuser = $rpcenv->get_user();
>>
>> + my $write = !(extract_param($param, 'no-write'));
>> +
>> my $realm = $param->{realm};
>> my $cfg = cfs_read_file($domainconfigfile);
>> my $realmconfig = $cfg->{ids}->{$realm};
>> @@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
>> $update_groups->($usercfg, $realm, $synced_groups, $opts);
>> }
>>
>> - cfs_write_file("user.cfg", $usercfg);
>> - print "successfully updated $whatstring configuration\n";
>> + cfs_write_file("user.cfg", $usercfg) if $write;
>> + print "successfully updated $whatstring configuration\n" if $write;
>> + if (!$write) {
>> + print "\nresulting user/group config lines:\n";
>> + print "-----------\n";
>> + $print_users_and_groups->($usercfg, $realm, $scope);
>> + print "-----------\n";
>> + }
>> }, "syncing $whatstring failed");
>> };
>>
>> - return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
>> + my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
>> + return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
>> }});
>>
>> 1;
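Review bot: In the `!$write` branch the full serialized user and group entries go to the worker's stdout, so properties such as e-mail addresses land in the task log rather than staying in user.cfg. Task logs may be readable by a different audience than the user config, so it is worth confirming who can read an `auth-realm-sync-test` task, or limiting the dump to the properties the sync touches. As a style point, the two postfix `if $write` statements and the following `if (!$write)` block read better as a single `if ($write) { ... } else { ... }`. The worker sub starts outside the hunk.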
>>
>