Date: Thu, 14 Nov 2024 17:19:38 +0100
From: Markus Frank
To: Christoph Heiss
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pve-common/proxmox-perl-rs/pmg-api/pmg-gui v3 0/8] fix #3892: OpenID
References: <20240624090850.4683-1-m.frank@proxmox.com>
List-Id: Proxmox Mail Gateway development discussion

Thanks for the review and sorry for the late reply. Comments inline:

On 2024-10-09 13:30, Christoph Heiss wrote:
> Just tested this series using Keycloak 26.0.0 as an OpenID provider.
>
> Everything worked fine once it was set up for the OpenID side! Login via
> OpenID worked, also tested the "Autocreate Users" feature (but see below
> on that). The GUI dialog panel is from proxmox-widget-toolkit, so
> nothing really new there.
>
> I noticed however that there seems to be no dedicated PAM realm in the
> login window, only PMG authentication server - but you can still login
> with PAM credentials. These two should be real separate realms, much
> like we have it for PVE/PBS.

But you can only login as root with PAM afaict. Should we separate it
just for the root user or are we planning to add PAM login for other
users?

>
> Also, when using the "Autocreate Users" feature - should the (PMG) role
> assigned to the user maybe be configurable? Since it currently just
> defaults to Auditor, as it seems. (or am I missing something?)

Okay, that sounds reasonable. I will add such an option.

>
> Lastly, patches #2 and #3 need to be rebased on the latest master
> of proxmox-perl-rs, they failed to apply (resolved that manually myself
> to test them out for now). All other patches in this series apply on
> their respective master cleanly.
>
> Didn't really have a look at the code yet, so might do some reviews on
> that too.
>
> On Mon, Jun 24, 2024 at 11:08:42AM GMT, Markus Frank wrote:
>> Patch-series to enable OpenID Login for PMG
>>
>> apply/compile order:
>>
>> 1. pve-common: add Schema package with auth module that contains realm sync options
>> 2. proxmox-perl-rs: move openid code from pve-rs to common
>> 3. proxmox-perl-rs: remove empty PMG::RS::OpenId package to avoid confusion
>> 4. pmg-api: config: add plugin system for realms & add openid type realms
>> 5. pmg-api: api: add/update/remove realms like in PVE
>> 6. pmg-api: api: openid login similar to PVE
>> 7. pmg-gui: login: add option to login with OpenID realm
>> 8. pmg-gui: add panel for realms to User Management
>>
>>
>> v3 changed only in proxmox-perl-rs and "pmg-api: api: openid login similar to PVE"
>>
>>
>> pve-common:
>>
>> Markus Frank (1):
>>   add Schema package with auth module that contains realm sync options
>>
>>  src/Makefile           |  2 ++
>>  src/PVE/Schema/Auth.pm | 82 ++++++++++++++++++++++++++++++++++++++++++
>>  2 files changed, 84 insertions(+)
>>  create mode 100644 src/PVE/Schema/Auth.pm
>>
>>
>> proxmox-perl-rs:
>>
>> v3: removed PMG wrapper as Proxmox::RS:OpenId can be used instead.
>>
>> Markus Frank (2):
>>   move openid code from pve-rs to common
>>   remove empty PMG::RS::OpenId package to avoid confusion
>>
>>  common/pkg/Makefile      |  1 +
>>  common/src/mod.rs        |  1 +
>>  common/src/openid/mod.rs | 63 ++++++++++++++++++++++++++++++++++++++++
>>  pmg-rs/Cargo.toml        |  1 +
>>  pmg-rs/Makefile          |  1 -
>>  pmg-rs/debian/control    |  1 +
>>  pve-rs/src/openid/mod.rs | 32 +++++---------------
>>  7 files changed, 75 insertions(+), 25 deletions(-)
>>  create mode 100644 common/src/openid/mod.rs
>>
>>
>> pmg-api:
>>
>> v3: use Proxmox::RS:OpenId instead of PMG::RS::OpenId
>>
>> Markus Frank (3):
>>   config: add plugin system for realms & add openid type realms
>>   api: add/update/remove realms like in PVE
>>   api: openid login similar to PVE
>>
>>  src/Makefile                  |   5 +
>>  src/PMG/API2/AccessControl.pm |  17 ++-
>>  src/PMG/API2/Authdomains.pm   | 274 ++++++++++++++++++++++++++++++++++
>>  src/PMG/API2/OIDC.pm          | 243 ++++++++++++++++++++++++++++++
>>  src/PMG/AccessControl.pm      |  31 ++++
>>  src/PMG/Auth/OIDC.pm          |  99 ++++++++++++
>>  src/PMG/Auth/PMG.pm           |  28 ++++
>>  src/PMG/Auth/Plugin.pm        | 193 ++++++++++++++++++++++++
>>  src/PMG/HTTPServer.pm         |   2 +
>>  src/PMG/RESTEnvironment.pm    |  14 ++
>>  src/PMG/UserConfig.pm         |  25 ++--
>>  src/PMG/Utils.pm              |  29 +++-
>>  12 files changed, 943 insertions(+), 17 deletions(-)
>>  create mode 100644 src/PMG/API2/Authdomains.pm
>>  create mode 100644 src/PMG/API2/OIDC.pm
>>  create mode 100755 src/PMG/Auth/OIDC.pm
>>  create mode 100755 src/PMG/Auth/PMG.pm
>>  create mode 100755 src/PMG/Auth/Plugin.pm
>>
>>
>> pmg-gui:
>>
>> Markus Frank (2):
>>   login: add OpenID realms
>>   add panel for realms to User Management
>>
>>  js/LoginView.js      | 200 +++++++++++++++++++++++++++++++++----------
>>  js/UserManagement.js |   6 ++
>>  js/Utils.js          |  15 ++++
>>  3 files changed, 174 insertions(+), 47 deletions(-)
>>
>> --
>> 2.39.2
>>
>>
>>
>> _______________________________________________
>> pmg-devel mailing list
>> pmg-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
>>