[pve-devel] [PATCH v3 access-control 20/20] user.cfg: skip inexisting roles when parsing ACLs
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jan 21 13:54:18 CET 2020
We do the same for missing users, groups and tokens. Just like groups, roles with an empty privilege set are explicitly allowed, so pre-generating placeholders is possible.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
new in v3
optional, could be considered a breaking change
PVE/AccessControl.pm | 5 +++++
test/parser_writer.pl | 6 +++++-
test/perm-test6.pl | 4 ++--
test/test6.cfg | 2 +-
4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index a3990de..5e1185f 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1079,6 +1079,11 @@ sub parse_user_config {
next;
}
+ if (!$cfg->{roles}->{$role}) {
+ warn "user config - ignore invalid acl role '$role'\n";
+ next;
+ }
+
foreach my $ug (split_list($uglist)) {
my ($group) = $ug =~ m/^@(\S+)$/;
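Review bot: The added `if (!$cfg->{roles}->{$role})` check makes ACL parsing depend on the role definitions having been parsed first: a `role:` line that appears after an `acl:` line referencing it is not yet in `$cfg->{roles}`, so the entry is skipped and, since the writer only emits what was parsed (see the parser_writer.pl expectation in this series), silently removed from user.cfg on the next save. Assuming the writer always emits `role:` lines before `acl:` lines this only bites hand-edited files, but that is precisely the "breaking change" the notes mention and it deserves a why-comment on the new check, e.g. `# roles must already be parsed: an ACL referencing an undefined role is dropped and lost on re-write`. The truthiness test also relies on a role with an empty privilege set parsing to a true value (presumably an empty hashref); if that is not guaranteed by the role parser, `if (!exists $cfg->{roles}->{$role})` states the intent without depending on the representation. parse_user_config starts and ends outside this hunk.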
diff --git a/test/parser_writer.pl b/test/parser_writer.pl
index 6bf6d72..0aa01b7 100755
--- a/test/parser_writer.pl
+++ b/test/parser_writer.pl
@@ -821,13 +821,17 @@ my $tests = [
config => {
users => default_users_with([$default_cfg->{test_pam}]),
roles => default_roles(),
- acl => default_acls_with([$default_cfg->{acl_missing_role}, $default_cfg->{acl_simple_user}]),
+ acl => default_acls_with([$default_cfg->{acl_simple_user}]),
},
raw => "".
$default_raw->{users}->{'root at pam'}."\n".
$default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
$default_raw->{acl}->{'acl_simple_user'}."\n".
$default_raw->{acl}->{'acl_missing_role'}."\n",
+ expected_raw => "".
+ $default_raw->{users}->{'root at pam'}."\n".
+ $default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
+ $default_raw->{acl}->{'acl_simple_user'}."\n",
},
{
name => "acl_complex_mixed",
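Review bot: The new `expected_raw` only pins one half of the commit message — that an ACL naming a missing role is dropped on round-trip; nothing visible here checks the other half, that a `role:` line with an empty privilege set is kept and an ACL granting it survives the rewrite. If no such case exists elsewhere in this file, add one whose `raw` holds an empty role plus an ACL granting it and whose `expected_raw` equals `raw`, otherwise a regression in the "placeholder role" behaviour would go unnoticed. The `$tests` list and this test entry begin before the hunk, so the entry's `name` is not visible here.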
diff --git a/test/perm-test6.pl b/test/perm-test6.pl
index 87d9bf7..dd433dd 100755
--- a/test/perm-test6.pl
+++ b/test/perm-test6.pl
@@ -55,10 +55,10 @@ check_roles('User2 at pve', '/vms/100', 'RoleTEST1');
check_roles('User3 at pve', '/vms/100', 'NoAccess');
check_roles('User4 at pve', '/vms/100', '');
-check_roles('User1 at pve', '/vms/300', 'Role1');
+check_roles('User1 at pve', '/vms/300', 'RoleTEST1');
check_roles('User2 at pve', '/vms/300', 'RoleTEST1');
check_roles('User3 at pve', '/vms/300', 'NoAccess');
-check_roles('User4 at pve', '/vms/300', 'Role1');
+check_roles('User4 at pve', '/vms/300', 'RoleTEST1');
check_permissions('User1 at pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
check_permissions('User2 at pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
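Review bot: Swapping `Role1` for `RoleTEST1` both here and in test6.cfg removes the one fixture that would have exercised the new skip path instead of testing it; `Role1` appears not to be defined in test6.cfg (otherwise the fixture change would be unnecessary), so before this patch `check_roles('User1 at pve', '/vms/300', 'Role1')` documented that an ACL with an undefined role still surfaced that role name. A stronger regression test would keep the `@MARKETING:Role1` ACL in the cfg and assert what User1 and User4 get at `/vms/300` once it is skipped — `RoleTEST1` if they also inherit from `/vms:@DEVEL`, `''` otherwise — though the exact value depends on group memberships that are not visible in this hunk. These are top-level check_roles/check_permissions calls; the script continues outside the hunk.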
diff --git a/test/test6.cfg b/test/test6.cfg
index 7af1895..4986910 100644
--- a/test/test6.cfg
+++ b/test/test6.cfg
@@ -15,7 +15,7 @@ acl:1:/pool/marketing:@MARKETING:RoleMARKETING:
acl:1:/vms:@DEVEL:RoleTEST1:
acl:1:/vms:User3 at pve:NoAccess:
-acl:1:/vms/300:@MARKETING:Role1:
+acl:1:/vms/300:@MARKETING:RoleTEST1:
pool:devel:MITS development:500,501,502:store1 store2:
pool:marketing:MITS marketing:600:store1:
--
2.20.1