[pve-devel] [PATCH access-control v2 2/2] fix #3668: realm-sync: add mode 'sync'
Dominik Csapak
d.csapak at proxmox.com
Fri Feb 4 15:25:00 CET 2022
This mode behaves like the 'update' mode (it updates existing users with
new data from the server and adds new users), but additionally deletes
users and groups that no longer exist on the sync source.
This way, an admin can add custom data (e.g. keys) to users in PVE and
still keep only the users that exist at the sync source, without having
to manage those attributes there.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
src/PVE/API2/Domains.pm | 6 ++++--
src/PVE/Auth/Plugin.pm | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 2f351ad..e1280c0 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -313,10 +313,12 @@ my $update_users = sub {
my $users = $usercfg->{users};
my $oldusers = {};
- if ($opts->{mode} eq 'full') {
+ if ($opts->{mode} eq 'full' || $opts->{mode} eq 'sync') {
print "deleting outdated existing users first\n";
foreach my $userid (sort keys %$users) {
next if $userid !~ m/\@$realm$/;
+ # keep users (and their fields) in 'sync' mode
+ next if $opts->{mode} eq 'sync' && defined($synced_users->{$userid});
$oldusers->{$userid} = delete $users->{$userid};
if ($opts->{'purge'} && !$synced_users->{$userid}) {
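Review bot: In 'sync' mode the new skip on line 29 keeps only users the source returned, so every other realm user is dropped from `$users` (and, per the `purge` check on line 31, apparently with its ACLs when purge is set), yet nothing in the hunk verifies that `$synced_users` is non-empty — an empty result from the directory (misconfigured filter, transient outage) would remove all realm users in a single run. The same exposure already exists for 'full', but 'sync' is the mode this commit advertises for routine use, so unless the caller already rejects empty results (it is outside the hunk), a guard before the loop is worth adding: `die "sync source returned no users, refusing to remove realm users\n" if !%$synced_users;`. Minor: line 29 tests `defined(...)` while line 31 tests the truthiness of the same lookup; using `defined` in both keeps the two conditions in step. The rest of `$update_users`, including the add/update loop that follows, is outside the hunk.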
@@ -367,7 +369,7 @@ my $update_groups = sub {
my $groups = $usercfg->{groups};
my $oldgroups = {};
- if ($opts->{mode} eq 'full') {
+ if ($opts->{mode} eq 'full' || $opts->{mode} eq 'sync') {
print "deleting outdated existing groups first\n";
foreach my $groupid (sort keys %$groups) {
next if $groupid !~ m/\-$realm$/;
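Review bot: Unlike the users hunk, the 'sync' branch added on line 36 has no keep-step for groups that the source still returns, so in sync mode every realm group is taken out of `$groups` exactly as in 'full' mode and any locally edited group fields are lost, whereas the commit message only promises to delete groups that vanished. If group entries carry nothing worth preserving that is acceptable, but the asymmetry with line 29 of the users hunk deserves a comment such as `# no keep-step here: unlike users, realm groups carry no local-only fields, so 'sync' recreates them like 'full'`; otherwise mirror the users logic with `next if $opts->{mode} eq 'sync' && defined($synced_groups->{$groupid});` and let the later merge path update attributes. The remainder of `$update_groups`, including the re-add loop, is outside the hunk.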
diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 8a60062..24c1865 100755
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -58,11 +58,12 @@ my $realm_sync_options_desc = {
},
mode => {
description => "Update (Default): Only updates/adds fields/users returned by the server. "
+ ."Sync: Updates/adds fields/users from the server and deletes vanished users. "
."Full: Removes any field/user that was not returned and overwrites all "
."existing users with information from the server. "
."If set, this parameter supersedes the parameter 'full'.",
type => 'string',
- enum => [qw(update full)],
+ enum => [qw(update sync full)],
optional => '1',
},
# TODO check/rewrite in pve7to8, and remove with 8.0
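Review bot: The new 'Sync:' description on line 48 says only that vanished users are deleted, but the matching Domains.pm change also removes realm groups that are absent from the source, and the `purge` check in the users hunk suggests ACL entries of removed users are only dropped when 'purge' is set — an admin reading this enum description learns neither. Suggest `."Sync: Updates/adds fields/users/groups from the server and removes users and groups that vanished from the source (their ACLs only with 'purge'). "`, keeping the sentence in the same style as the 'Update' and 'Full' entries. The enclosing `$realm_sync_options_desc` hash continues outside the hunk.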
--
2.30.2