[pve-devel] [PATCH storage] fix #5008: prevent adding pbs storage with invalid namespace
Philipp Hufnagl
p.hufnagl at proxmox.com
Wed Nov 15 10:37:54 CET 2023
On 11/15/23 09:31, Fiona Ebner wrote:
> Am 14.11.23 um 15:27 schrieb Philipp Hufnagl:
>> Currently, when adding a PBS storage with a namespace that does not
>> exist, the storage gets added normally, but browsing/using it only
>> returns a cryptic error message.
>>
>> This change checks if the namespace entered when adding is valid and
>> prompts an error if it is not. If no namespace is provided, the storage
>> will be added without error.
>
> Does not fully describe the change: It checks if the namespace is valid
> each time the storage is activated, not just when adding.
>
Sorry. Ill try to elaborate more.
>>
>> Signed-off-by: Philipp Hufnagl <p.hufnagl at proxmox.com>
>> ---
>> src/PVE/Storage/PBSPlugin.pm | 21 ++++++++++++++++++++-
>> 1 file changed, 20 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm
>> index 4320974..aceb2c4 100644
>> --- a/src/PVE/Storage/PBSPlugin.pm
>> +++ b/src/PVE/Storage/PBSPlugin.pm
>> @@ -817,6 +817,17 @@ sub scan_datastores {
>> return $response;
>> }
>>
>> +sub scan_namespaces {
>> + my ($scfg, $datastore, $password) = @_;
>> +
>> + my $conn = pbs_api_connect($scfg, $password);
>
> Not super important, but would be nice to have a way to re-use the same
> connection in scan_datastores() and here, since activate_storage() will
> call both of them.
scan_datastores() seem to be called somewhere else as well. I see if I
can find a way to reuse the connection but not break the code there.
>
>> +
>> + my $namespaces = eval { $conn->get("/api2/json/admin/datastore/$datastore/namespace", {}); };
>> + die "error fetching namespaces - $@" if $@;
>> +
>> + return $namespaces;
>> +}
>> +
>> sub activate_storage {
>> my ($class, $storeid, $scfg, $cache) = @_;
>>
>> @@ -826,10 +837,18 @@ sub activate_storage {
>> die "$storeid: $@" if $@;
>>
>> my $datastore = $scfg->{datastore};
>> + my $namespace = $scfg->{namespace};
>>
>> for my $ds (@$datastores) {
>> if ($ds->{store} eq $datastore) {
>> - return 1;
>> + return 1 if !defined($namespace);
>> + my $namespaces = eval { scan_namespaces($scfg, $datastore, $password) };
>
> Why use eval and ignore the error here? Like that users (and we) won't
> know if the api request or connection failed and just get the error
> message from below about permissions/existence then.
I tried to mimic the behavior from scan_datastores(). Did I make a
mistake there? Is the way of scan_datastores() deprecated or bad practice?
>
>> + for my $ns (@$namespaces) {
>> + if ($ns->{ns} eq $namespace) {
>> + return 1;
>> + }
>> + }
>> + die "$storeid: Cannot find namespace '$namespace', check permissions and existence!\n";
>> }
>> }
>>
More information about the pve-devel
mailing list