* [pve-devel] [PATCH access-control/manager] improve realm sync
@ 2021-10-27 12:57 Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users Dominik Csapak
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dominik Csapak @ 2021-10-27 12:57 UTC (permalink / raw)
To: pve-devel
by improving wording in the api description and adding a
'remove-vanished' option
pve-access-control:
Dominik Csapak (2):
fix #3668: realm sync: add 'remove-vanished' parameter to delete
non-existing users
realm sync: improve wording in log and description
src/PVE/API2/Domains.pm | 14 ++++++++++----
src/PVE/Auth/Plugin.pm | 14 +++++++++++---
2 files changed, 21 insertions(+), 7 deletions(-)
pve-manager:
Dominik Csapak (1):
ui: realm sync: add 'remove-vanished' option
www/manager6/dc/AuthEditLDAP.js | 14 +++++++++++++-
www/manager6/dc/SyncWindow.js | 19 +++++++++++++++++++
2 files changed, 32 insertions(+), 1 deletion(-)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users
2021-10-27 12:57 [pve-devel] [PATCH access-control/manager] improve realm sync Dominik Csapak
@ 2021-10-27 12:57 ` Dominik Csapak
2021-11-09 17:58 ` Thomas Lamprecht
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 2/2] realm sync: improve wording in log and description Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH manager 1/1] ui: realm sync: add 'remove-vanished' option Dominik Csapak
2 siblings, 1 reply; 5+ messages in thread
From: Dominik Csapak @ 2021-10-27 12:57 UTC (permalink / raw)
To: pve-devel
this way, users can use the 'non-full' mode to provide local
information (like tfa keys), but still remove the users not present in
the ldap anymore.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PVE/API2/Domains.pm | 5 +++--
src/PVE/Auth/Plugin.pm | 7 +++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 9c2b254..55bb7ae 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -279,10 +279,11 @@ my $update_users = sub {
my $users = $usercfg->{users};
my $oldusers = {};
- if ($opts->{'full'}) {
- print "full sync, deleting outdated existing users first\n";
+ if ($opts->{'full'} || $opts->{'remove-vanished'}) {
+ print "deleting outdated existing users first\n";
foreach my $userid (sort keys %$users) {
next if $userid !~ m/\@$realm$/;
+ next if !$opts->{full} && defined($synced_users->{$userid});
$oldusers->{$userid} = delete $users->{$userid};
if ($opts->{'purge'} && !$synced_users->{$userid}) {
diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 1413053..27d6294 100755
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -64,6 +64,13 @@ my $realm_sync_options_desc = {
type => 'boolean',
optional => '1',
},
+ 'remove-vanished' => {
+ description => "Only for non-full mode. If set, removes users that are not"
+ ." present in the current synced data.",
+ type => 'boolean',
+ optional => '1',
+ default => '0',
+ },
'enable-new' => {
description => "Enable newly synced users immediately.",
type => 'boolean',
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 2/2] realm sync: improve wording in log and description
2021-10-27 12:57 [pve-devel] [PATCH access-control/manager] improve realm sync Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users Dominik Csapak
@ 2021-10-27 12:57 ` Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH manager 1/1] ui: realm sync: add 'remove-vanished' option Dominik Csapak
2 siblings, 0 replies; 5+ messages in thread
From: Dominik Csapak @ 2021-10-27 12:57 UTC (permalink / raw)
To: pve-devel
by
* differentiating 'updated' users in full sync ('overwrote')
* adding '(full)' in the log for full syncs
* making it more clear what full sync does and what happens otherwise
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PVE/API2/Domains.pm | 9 +++++++--
src/PVE/Auth/Plugin.pm | 7 ++++---
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 55bb7ae..7aff9cb 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -274,7 +274,12 @@ __PACKAGE__->register_method ({
my $update_users = sub {
my ($usercfg, $realm, $synced_users, $opts) = @_;
- print "syncing users\n";
+ if ($opts->{'full'}) {
+ print "syncing users (full)\n";
+ } else {
+ print "syncing users\n";
+ }
+
$usercfg->{users} = {} if !defined($usercfg->{users});
my $users = $usercfg->{users};
@@ -311,7 +316,7 @@ my $update_users = sub {
$user->{tokens} = $olduser->{tokens};
}
if (defined($oldusers->{$userid})) {
- print "updated user '$userid'\n";
+ print "overwrote user '$userid'\n";
} else {
print "added user '$userid'\n";
}
diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 27d6294..bf763ae 100755
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -58,9 +58,10 @@ my $realm_sync_options_desc = {
},
full => {
description => "If set, uses the LDAP Directory as source of truth,"
- ." deleting users or groups not returned from the sync. Otherwise"
- ." only syncs information which is not already present, and does not"
- ." deletes or modifies anything else.",
+ ." deleting users or groups not returned from the sync and removing"
+ ." all locally modified properties of synced users. If not set,"
+ ." only syncs information which is present in the synced data, and does not"
+ ." delete or modify anything else.",
type => 'boolean',
optional => '1',
},
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH manager 1/1] ui: realm sync: add 'remove-vanished' option
2021-10-27 12:57 [pve-devel] [PATCH access-control/manager] improve realm sync Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 2/2] realm sync: improve wording in log and description Dominik Csapak
@ 2021-10-27 12:57 ` Dominik Csapak
2 siblings, 0 replies; 5+ messages in thread
From: Dominik Csapak @ 2021-10-27 12:57 UTC (permalink / raw)
To: pve-devel
in default sync options and the sync window. There we disable it if
'full' sync is enabled to make it clear the combination does not make
sense.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
www/manager6/dc/AuthEditLDAP.js | 14 +++++++++++++-
www/manager6/dc/SyncWindow.js | 19 +++++++++++++++++++
2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/www/manager6/dc/AuthEditLDAP.js b/www/manager6/dc/AuthEditLDAP.js
index 015a5a6e..2942ae64 100644
--- a/www/manager6/dc/AuthEditLDAP.js
+++ b/www/manager6/dc/AuthEditLDAP.js
@@ -100,7 +100,7 @@ Ext.define('PVE.panel.LDAPSyncInputPanel', {
xtype: 'pveAuthLDAPSyncPanel',
editableAttributes: ['email'],
- editableDefaults: ['scope', 'full', 'enable-new', 'purge'],
+ editableDefaults: ['scope', 'full', 'enable-new', 'purge', 'remove-vanished'],
default_opts: {},
sync_attributes: {},
@@ -216,6 +216,18 @@ Ext.define('PVE.panel.LDAPSyncInputPanel', {
name: 'full',
fieldLabel: gettext('Full'),
},
+ {
+ xtype: 'proxmoxKVComboBox',
+ value: '__default__',
+ deleteEmpty: false,
+ comboItems: [
+ ['__default__', Proxmox.Utils.NoneText],
+ ['1', Proxmox.Utils.yesText],
+ ['0', Proxmox.Utils.noText],
+ ],
+ name: 'remove-vanished',
+ fieldLabel: gettext('Remove vanished'),
+ },
],
column2: [
diff --git a/www/manager6/dc/SyncWindow.js b/www/manager6/dc/SyncWindow.js
index 25a42182..c988a4bf 100644
--- a/www/manager6/dc/SyncWindow.js
+++ b/www/manager6/dc/SyncWindow.js
@@ -12,6 +12,11 @@ Ext.define('PVE.dc.SyncWindow', {
xclass: 'Ext.app.ViewController',
control: {
+ 'field[name=full]': {
+ change: function(field, value) {
+ this.lookup('remove-vanished').setDisabled(value === '1');
+ },
+ },
'form': {
validitychange: function(field, valid) {
let me = this;
@@ -101,6 +106,20 @@ Ext.define('PVE.dc.SyncWindow', {
name: 'full',
fieldLabel: gettext('Full'),
},
+ {
+ xtype: 'proxmoxKVComboBox',
+ value: '',
+ emptyText: gettext('No default available'),
+ deleteEmpty: false,
+ allowBlank: false,
+ comboItems: [
+ ['1', Proxmox.Utils.yesText],
+ ['0', Proxmox.Utils.noText],
+ ],
+ name: 'remove-vanished',
+ reference: 'remove-vanished',
+ fieldLabel: gettext('Remove vanished'),
+ },
],
column2: [
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users Dominik Csapak
@ 2021-11-09 17:58 ` Thomas Lamprecht
0 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2021-11-09 17:58 UTC (permalink / raw)
To: Proxmox VE development discussion, Dominik Csapak
On 27.10.21 14:57, Dominik Csapak wrote:
> this way, users can use the 'non-full' mode to provide local
> information (like tfa keys), but still remove the users not present in
> the ldap anymore.
ps. missing an patch for pve-docs, in any case...
https://d7.work.tlmp.it:8006/pve-docs/chapter-pveum.html#pveum_ldap_sync
The amount of sync related options is a bit confusing/crowded already now,
so did you thought about just expanding the value set of the `full` property
for that (possibly renaming it to "sync mode" or the like)?
Albeit purge and this new one could be chosen independently, that wouldn't make
the list of choises easier..
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> src/PVE/API2/Domains.pm | 5 +++--
> src/PVE/Auth/Plugin.pm | 7 +++++++
> 2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
> index 9c2b254..55bb7ae 100644
> --- a/src/PVE/API2/Domains.pm
> +++ b/src/PVE/API2/Domains.pm
> @@ -279,10 +279,11 @@ my $update_users = sub {
> my $users = $usercfg->{users};
>
> my $oldusers = {};
> - if ($opts->{'full'}) {
> - print "full sync, deleting outdated existing users first\n";
> + if ($opts->{'full'} || $opts->{'remove-vanished'}) {
> + print "deleting outdated existing users first\n";
> foreach my $userid (sort keys %$users) {
> next if $userid !~ m/\@$realm$/;
> + next if !$opts->{full} && defined($synced_users->{$userid});
>
> $oldusers->{$userid} = delete $users->{$userid};
> if ($opts->{'purge'} && !$synced_users->{$userid}) {
> diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
> index 1413053..27d6294 100755
> --- a/src/PVE/Auth/Plugin.pm
> +++ b/src/PVE/Auth/Plugin.pm
> @@ -64,6 +64,13 @@ my $realm_sync_options_desc = {
> type => 'boolean',
> optional => '1',
> },
> + 'remove-vanished' => {
> + description => "Only for non-full mode. If set, removes users that are not"
> + ." present in the current synced data.",
> + type => 'boolean',
> + optional => '1',
> + default => '0',
> + },
> 'enable-new' => {
> description => "Enable newly synced users immediately.",
> type => 'boolean',
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-11-09 17:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-27 12:57 [pve-devel] [PATCH access-control/manager] improve realm sync Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 1/2] fix #3668: realm sync: add 'remove-vanished' parameter to delete non-existing users Dominik Csapak
2021-11-09 17:58 ` Thomas Lamprecht
2021-10-27 12:57 ` [pve-devel] [PATCH access-control 2/2] realm sync: improve wording in log and description Dominik Csapak
2021-10-27 12:57 ` [pve-devel] [PATCH manager 1/1] ui: realm sync: add 'remove-vanished' option Dominik Csapak
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal