Re: [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

On 22.03.22 07:11, Thomas Lamprecht wrote:
> On 04.02.22 15:24, Dominik Csapak wrote:
>> this deprecates the 'full' sync option and replaces it with
>> a 'mode' option, where we add a third one that updates
>> the current users (while retaining their custom set attributes not
>> exisiting in the source) and removing users that don't exist anymore
>> in the source
>>
> I'm not yet 100% sure about the specific mode names, as sync normally means
> 100% sync, I'll see if I find some other tool (rsync?) with similar option naming
> problems. Independent from the specific names, this really needs a docs patch,
> ideally with a table listing the modi as rows and having the various "user added",
> "user removed", "properties added/updated", "properties removed" as columns, for a
> better understanding of the effects..
> 
A thought (train): what we decide with this isn't what gets added/updated, that's
always the same, only what gets removed if vanished on the source, so maybe:

remove-vanished: < none | user | user-and-properties >

Or if we can actually also remove either user *or* group then: s/user/entity/ ?

ps. the web interface should probably do a s/Purge/Purge ACLs/ too; or with that
in mind we could actually drop that do and have:

remove-vanished: < none | user | user-and-properties | user-and-properties-and-acl >

And with that, we could go the separate semicolon-endcoded-flag-list like we do for
some CT features (or mount options) IIRC:

remove-vanished: [<user>];[<properties>];[acls]

I.e., those three flags would replace your new mode + purge like:

+--------+--------+---------------------+
|  Mode  | Purge  | -> removed-vanished |
+--------+--------+---------------------+
| update |      0 | "" (none)           |
| sync   |      0 | user                |
| full   |      0 | user;properties     |
| update |      1 | acl                 |
| sync   |      1 | acl;user            |
| full   |      1 | acl;user;properties |
+--------+--------+---------------------+

The selector for them could be either three check boxes on one line (similar to the
privilege level radio buttons from CT restore) or even a full blown combobox with all
the options spelled out.

It's only slightly weird for acl, as there the "remove-vanished" somewhat implies that
we import acl's in the first place, if we really don't want that we could keep
"Purge ACLs" as separate option that is only enabled if "remove-vanished" "user" flag
is set, put IMO not _that_ of a big problem to understand compared to the status quo.

Does (any of) this make sense to you?