* [pve-devel] [PATCH manager 1/2] pve7to8: refactor user.cfg loop
@ 2023-06-13 11:50 Fabian Grünbichler
  2023-06-13 11:50 ` [pve-devel] [PATCH manager 2/2] pve7to8: add check for dropped Permissions.Modify Fabian Grünbichler
  2023-06-16 12:39 ` [pve-devel] applied-series: [PATCH manager 1/2] pve7to8: refactor user.cfg loop Thomas Lamprecht
  0 siblings, 2 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2023-06-13 11:50 UTC (permalink / raw)
  To: pve-devel

next patch adds acl-related checks

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 PVE/CLI/pve7to8.pm | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 6b51e98eb..7dc66499a 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI/pve7to8.pm
@@ -720,17 +720,17 @@ sub check_custom_pool_roles {
 	}
 
 	my $et = shift @data;
-	next if $et ne 'role';
-
-	my ($role, $privlist) = @data;
-	if (!PVE::AccessControl::verify_rolename($role, 1)) {
-	    warn "user config - ignore role '$role' - invalid characters in role name\n";
-	    next;
-	}
+	if ($et eq 'role') {
+	    my ($role, $privlist) = @data;
+	    if (!PVE::AccessControl::verify_rolename($role, 1)) {
+		warn "user config - ignore role '$role' - invalid characters in role name\n";
+		next;
+	    }
 
-	$roles->{$role} = {} if !$roles->{$role};
-	foreach my $priv (split_list($privlist)) {
-	    $roles->{$role}->{$priv} = 1;
+	    $roles->{$role} = {} if !$roles->{$role};
+	    foreach my $priv (split_list($privlist)) {
+		$roles->{$role}->{$priv} = 1;
+	    }
 	}
     }
 
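Review bot: The invalid-role-name path, now nested inside `if ($et eq 'role')`, still reports through a bare `warn` before its `next`. Patch 2/2 of this series reports its finding with `log_warn`, so a malformed role line in user.cfg is reported through a different channel than the other results of this check; consider switching this line to `log_warn` while the block is being touched. The commit message only points at the follow-up patch; a short statement that this restructuring is not intended to change behaviour would make the series easier to review.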
-- 
2.39.2






* [pve-devel] [PATCH manager 2/2] pve7to8: add check for dropped Permissions.Modify
  2023-06-13 11:50 [pve-devel] [PATCH manager 1/2] pve7to8: refactor user.cfg loop Fabian Grünbichler
@ 2023-06-13 11:50 ` Fabian Grünbichler
  2023-06-16 12:39 ` [pve-devel] applied-series: [PATCH manager 1/2] pve7to8: refactor user.cfg loop Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Fabian Grünbichler @ 2023-06-13 11:50 UTC (permalink / raw)
  To: pve-devel

as a warning only - depending on desired privileges, no action might be
necessary.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 PVE/CLI/pve7to8.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 7dc66499a..82441b0f8 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI/pve7to8.pm
@@ -695,7 +695,7 @@ sub check_cifs_credential_location {
 }
 
 sub check_custom_pool_roles {
-    log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
+    log_info("Checking permission system changes..");
 
     if (! -f "/etc/pve/user.cfg") {
 	log_skip("user.cfg does not exist");
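Review bot: The sub name `check_custom_pool_roles` in the context line of this hunk no longer matches what the function reports once its first log line reads "Checking permission system changes..". Renaming the sub, wherever it is called, in the same patch would keep the name in step with the broader scope that the ACL check introduces.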
@@ -731,9 +731,17 @@ sub check_custom_pool_roles {
 	    foreach my $priv (split_list($privlist)) {
 		$roles->{$role}->{$priv} = 1;
 	    }
+	} elsif ($et eq 'acl') {
+	    my ($propagate, $pathtxt, $uglist, $rolelist) = @data;
+	    foreach my $role (split_list($rolelist)) {
+		if ($role eq 'PVESysAdmin' || $role eq 'PVEAdmin') {
+		    log_warn("found ACL entry on '$pathtxt' for '$uglist' with role '$role' - this role will no longer have 'Permissions.Modify' after the upgrade!");
+		}
+	    }
 	}
     }
 
+    log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
     my ($custom_roles, $pve_namespace_clashes) = (0, 0);
     for my $role (sort keys %{$roles}) {
 	next if PVE::AccessControl::role_is_special($role);
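Review bot: In the new `elsif ($et eq 'acl')` branch, `$propagate` is unpacked from `@data` but never used. Whether the entry propagates decides how much of the tree below '$pathtxt' loses 'Permissions.Modify', so it would be useful to include it in the `log_warn` text; otherwise drop the variable. The message also prints `$uglist` unsplit while `$rolelist` is split, so one ACL line with several users or groups yields one warning naming all of them, which is worth a comment if intended. Since the commit message says no action might be necessary, the warning could say what an admin should check to decide.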
-- 
2.39.2






* [pve-devel] applied-series: [PATCH manager 1/2] pve7to8: refactor user.cfg loop
  2023-06-13 11:50 [pve-devel] [PATCH manager 1/2] pve7to8: refactor user.cfg loop Fabian Grünbichler
  2023-06-13 11:50 ` [pve-devel] [PATCH manager 2/2] pve7to8: add check for dropped Permissions.Modify Fabian Grünbichler
@ 2023-06-16 12:39 ` Thomas Lamprecht
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2023-06-16 12:39 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 13/06/2023 at 13:50, Fabian Grünbichler wrote:
> next patch adds acl-related checks
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  PVE/CLI/pve7to8.pm | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
>

seems I forgot to reply on those two, so:

applied both patches, thanks!




