* [pve-devel] [PATCH access-control + manager] version check for tfa.cfg update
From: Wolfgang Bumiller @ 2021-11-10 14:11 UTC
To: pve-devel
Since we're updating the format of the tfa config, this implements the
check to make sure the cluster nodes are all new enough to understand
the new format.
* [pve-devel] [PATCH access-control 1/1] implement version checks for tfa
From: Wolfgang Bumiller @ 2021-11-10 14:11 UTC
To: pve-devel
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/PVE/AccessControl.pm | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index cbf643d..f39ac9c 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1581,8 +1581,8 @@ sub parse_priv_tfa_config {
sub write_priv_tfa_config {
my ($filename, $cfg) = @_;
- # FIXME: Only allow this if the complete cluster has been upgraded to understand the json
- # config format.
+ assert_new_tfa_config_available();
+
return $cfg->write();
}
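Review bot: the new call `assert_new_tfa_config_available();` in write_priv_tfa_config sits around line 1581, while the sub is only defined further down (second hunk, around line 1765) and carries an empty `()` prototype. Calling a prototyped sub with parentheses before the compiler has seen its declaration makes Perl emit "called too early to check prototype" when warnings are enabled, and the prototype is not applied to this call. A forward declaration near the top of the file, or moving the definition above write_priv_tfa_config, avoids that. A one-line comment in place of the removed FIXME, saying that the write is gated on cluster-wide support for the new format, would also help the next reader.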
@@ -1765,7 +1765,31 @@ my $USER_CONTROLLED_TFA_TYPES = {
};
sub assert_new_tfa_config_available() {
- # FIXME: Assert cluster-wide new-tfa-config support!
+ PVE::Cluster::cfs_update();
+ my $version_info = PVE::Cluster::get_node_kv('version-info');
+ die "cannot update tfa config, please make sure all cluster nodes are up to date\n"
+ if !$version_info;
+ my $members = PVE::Cluster::get_members();
+ my $old = '';
+ foreach my $node (keys $members->%*) {
+ my $info = $version_info->{$node};
+ if (!$info) {
+ $old .= "cluster node '$node' is too old, did not broadcast its version info\n";
+ next;
+ }
+ $info = from_json($info);
+ my $ver = $info->{version};
+ if ($ver !~ /^(\d+\.\d+)-(\d+)$/) {
+ $old .= "cluster node '$node' provided an invalid version string: '$ver'\n";
+ next;
+ }
+ my ($maj, $rel) = ($1, $2);
+ if (!($maj > 7.0 || ($maj == 7.0 && $rel >= 15))) {
+ $old .= "cluster node '$node' is too old\n";
+ next;
+ }
+ }
+ die $old if length($old);
}
sub user_remove_tfa : prototype($) {
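Review bot: `$info = from_json($info);` inside the loop is not wrapped in an eval, so a node that broadcast a malformed value aborts the whole check with a raw JSON parser error instead of being added to `$old` like the other failure cases; likewise, if the decoded data has no `version` key, `$ver !~ /.../` and the following error string operate on undef. Wrapping the decode in eval and treating a missing version the same as an invalid one keeps the per-node report complete. Two smaller points in the same loop: `$maj` is captured as a string such as "7.10" and then compared numerically, where it equals 7.1, which is harmless for the 7.0 threshold here but will misorder versions if the minimum is ever raised; comparing major and minor as separate integers is safer. The minimum of 7.0-15 also deserves a comment naming the package whose version this is, and a named constant, so it is clear what has to be bumped if the format changes again.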
--
2.30.2
* [pve-devel] [PATCH manager] pvestatd: broadcast version info
From: Wolfgang Bumiller @ 2021-11-10 14:11 UTC
To: pve-devel
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
PVE/Service/pvestatd.pm | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/PVE/Service/pvestatd.pm b/PVE/Service/pvestatd.pm
index 474b3ac0..b1e71ec8 100755
--- a/PVE/Service/pvestatd.pm
+++ b/PVE/Service/pvestatd.pm
@@ -28,6 +28,7 @@ use PVE::AutoBalloon;
use PVE::AccessControl;
use PVE::Ceph::Services;
use PVE::Ceph::Tools;
+use PVE::pvecfg;
use PVE::ExtMetric;
use PVE::Status::Plugin;
@@ -490,6 +491,17 @@ sub update_sdn_status {
}
}
+my $broadcast_version_info_done = 0;
+my sub broadcast_version_info : prototype() {
+ if (!$broadcast_version_info_done) {
+ PVE::Cluster::broadcast_node_kv(
+ 'version-info',
+ encode_json(PVE::pvecfg::version_info()),
+ );
+ $broadcast_version_info_done = 1;
+ }
+}
+
sub update_status {
# update worker list. This is not really required and
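Review bot: `$broadcast_version_info_done` in broadcast_version_info makes the broadcast one-shot for the lifetime of the pvestatd process, so the node's 'version-info' entry is never refreshed after the first success. If the broadcast key/value data does not survive something like a cluster filesystem restart or a rejoin, the node stays without an entry until pvestatd itself is restarted, and the access-control side of this series would then report it as too old. Either re-broadcast periodically (the payload is small) or add a comment stating why a single broadcast per process is sufficient. The patch also has no commit message body; one sentence naming the consumer of this key would make the dependency between the two patches explicit.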
@@ -560,6 +572,11 @@ sub update_status {
$err = $@;
syslog('err', "sdn status update error: $err") if $err;
+ eval {
+ broadcast_version_info();
+ };
+ $err = $@;
+ syslog('err', "version info update error: $err") if $err;
}
my $next_update = 0;
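Review bot: because broadcast_version_info() only sets its done flag on success, the eval added at the end of update_status retries on every status cycle while the broadcast keeps failing, and each retry writes the same "version info update error" line to syslog at 'err' level. Consider logging the failure once, or at a reduced rate, so that a persistent cluster problem does not fill the log with identical entries.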
--
2.30.2
* [pve-devel] applied: [PATCH manager] pvestatd: broadcast version info
From: Thomas Lamprecht @ 2021-11-10 20:46 UTC
To: Proxmox VE development discussion, Wolfgang Bumiller
On 10.11.21 15:11, Wolfgang Bumiller wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> PVE/Service/pvestatd.pm | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
>
applied, thanks!
* [pve-devel] applied: [PATCH access-control 1/1] implement version checks for tfa
From: Thomas Lamprecht @ 2021-11-11 16:00 UTC
To: Proxmox VE development discussion, Wolfgang Bumiller
On 10.11.21 15:11, Wolfgang Bumiller wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> src/PVE/AccessControl.pm | 30 +++++++++++++++++++++++++++---
> 1 file changed, 27 insertions(+), 3 deletions(-)
>
>
applied, with some followups as shown/discussed off-list, thanks!
Thread overview: 5+ messages
2021-11-10 14:11 [pve-devel] [PATCH access-control + manager] version check for tfa.cfg update Wolfgang Bumiller
2021-11-10 14:11 ` [pve-devel] [PATCH access-control 1/1] implement version checks for tfa Wolfgang Bumiller
2021-11-11 16:00 ` [pve-devel] applied: " Thomas Lamprecht
2021-11-10 14:11 ` [pve-devel] [PATCH manager] pvestatd: broadcast version info Wolfgang Bumiller
2021-11-10 20:46 ` [pve-devel] applied: " Thomas Lamprecht