From: Daniel Kral <d.kral@proxmox.com>
To: Fiona Ebner <f.ebner@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH access-control] api: role: remove role references from acl rules on role deletion
Date: Wed, 5 Feb 2025 10:21:14 +0100
Message-ID: <5448e8a5-db8c-4745-aab8-3d613c5d95f7@proxmox.com>
In-Reply-To: <64c46c18-1e31-45d7-88ba-12010bea2539@proxmox.com>

On 2/3/25 12:49, Fiona Ebner wrote:
> On 04.12.24 at 16:11, Daniel Kral wrote:
>> Let the API endpoint `DELETE /access/roles/{roleid}` or command
>> `pveum role delete <roleid>` remove any ACL rules in the user
>> configuration, which reference the removed role.
>>
>> Before this change, the removal of a role has caused the role to remain
>> in existing ACL rules, which referenced the removed role. Therefore, on
>> each parse of the user configuration, a warning was displayed:
>>
>> user config - ignore invalid acl role '<role>'
>>
>
> Might be good to note that the next modification of the configuration
> would drop the unknown role (even if a role with the same name is
> re-added right away).

Thanks, will mention that in the v2!

Just for clarification, what could be an/the use case of deleting and
re-adding the role? It could certainly be beneficial to add a small
reminder in the WebUI, that removing a user/group/role will also delete
its dependents.

On 2/3/25 12:49, Fiona Ebner wrote:
> What would be really nice is to have some tests for various
> add/modify/delete sequences touching user.cfg :) I don't think current
> tests cover that yet.

I'll gladly provide these with a v2 to document the changes and also
just enforce this behavior in the future :).
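
A small model of the behavior discussed in this thread, as an added example that is not part of the original message and not Proxmox code: it deletes a role with and without pruning the ACL references, then lists the references left dangling (the condition behind the "ignore invalid acl role" warning). The `role:`/`acl:` line layout, the sample entries and the function names are assumptions, as is dropping an ACL line once no role remains on it.

```python
# Added example, not Proxmox code. Assumed user.cfg line layout:
#   role:<name>:<privileges>:
#   acl:<propagate>:<path>:<users/groups>:<roles>:
SAMPLE_CFG = """\
user:alice@pve:1:0::::::
role:Auditor:VM.Audit:
role:Operator:VM.Audit,VM.PowerMgmt:
acl:1:/vms/100:alice@pve:Auditor,Operator:
acl:1:/vms/101:alice@pve:Operator:
"""  # constructed sample, not taken from a real system


def dangling_acl_roles(cfg, builtin=()):
    """Return (line_no, path, role) for each ACL role with no definition.

    Roles that are not stored in the file must be passed in `builtin`.
    """
    rows = [line.split(":") for line in cfg.splitlines()]
    known = set(builtin) | {f[1] for f in rows if f[0] == "role" and len(f) > 1}
    found = []
    for no, f in enumerate(rows, 1):
        if f[0] == "acl" and len(f) >= 5:
            for role in filter(None, f[4].split(",")):
                if role not in known:
                    found.append((no, f[2], role))
    return found


def delete_role(cfg, roleid, prune_acl):
    """Drop the role definition; with prune_acl also drop its ACL references."""
    out = []
    for line in cfg.splitlines():
        f = line.split(":")
        if f[0] == "role" and len(f) > 1 and f[1] == roleid:
            continue
        if prune_acl and f[0] == "acl" and len(f) >= 5:
            kept = [r for r in f[4].split(",") if r and r != roleid]
            if not kept:
                continue  # the rule granted only the deleted role
            f[4] = ",".join(kept)
            line = ":".join(f)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for prune in (False, True):
        cfg = delete_role(SAMPLE_CFG, "Operator", prune_acl=prune)
        print(f"prune_acl={prune}: dangling={dangling_acl_roles(cfg)}")
```

The same two functions can drive add/modify/delete sequences of the kind asked for above, asserting after each step that no dangling reference remains.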