[pve-devel] [PATCH manager 2/2] pve7to8: add check for dropped Permissions.Modify

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jun 13 13:50:24 CEST 2023


as a warning only - depending on desired privileges, no action might be
necessary.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/CLI/pve7to8.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 7dc66499a..82441b0f8 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI/pve7to8.pm
@@ -695,7 +695,7 @@ sub check_cifs_credential_location {
 }
 
 sub check_custom_pool_roles {
-    log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
+    log_info("Checking permission system changes..");
 
     if (! -f "/etc/pve/user.cfg") {
 	log_skip("user.cfg does not exist");
@@ -731,9 +731,17 @@ sub check_custom_pool_roles {
 	    foreach my $priv (split_list($privlist)) {
 		$roles->{$role}->{$priv} = 1;
 	    }
+	} elsif ($et eq 'acl') {
+	    my ($propagate, $pathtxt, $uglist, $rolelist) = @data;
+	    foreach my $role (split_list($rolelist)) {
+		if ($role eq 'PVESysAdmin' || $role eq 'PVEAdmin') {
+		    log_warn("found ACL entry on '$pathtxt' for '$uglist' with role '$role' - this role will no longer have 'Permissions.Modify' after the upgrade!");
+		}
+	    }
 	}
     }
 
+    log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
     my ($custom_roles, $pve_namespace_clashes) = (0, 0);
     for my $role (sort keys %{$roles}) {
 	next if PVE::AccessControl::role_is_special($role);
-- 
2.39.2






More information about the pve-devel mailing list