From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control v2 2/2] fix #3668: realm-sync: add mode 'sync'
Date: Fri, 4 Feb 2022 15:25:00 +0100
Message-ID: <20220204142501.1461441-3-d.csapak@proxmox.com>
In-Reply-To: <20220204142501.1461441-1-d.csapak@proxmox.com>

this mode behaves like the 'update' mode (so it updates users with
new data from the server, and adds new users), but also deletes
users and groups that do not exist anymore on the sync source.

this way, an admin can add custom data (e.g. keys) to the users in pve while
keeping only the users available at the source without having
to manage those attributes there

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PVE/API2/Domains.pm | 6 ++++--
src/PVE/Auth/Plugin.pm | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 2f351ad..e1280c0 100644
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -313,10 +313,12 @@ my $update_users = sub {
my $users = $usercfg->{users};
my $oldusers = {};
- if ($opts->{mode} eq 'full') {
+ if ($opts->{mode} eq 'full' || $opts->{mode} eq 'sync') {
print "deleting outdated existing users first\n";
foreach my $userid (sort keys %$users) {
next if $userid !~ m/\@$realm$/;
+ # keep users (and their fields) in 'sync' mode
+ next if $opts->{mode} eq 'sync' && defined($synced_users->{$userid});
$oldusers->{$userid} = delete $users->{$userid};
if ($opts->{'purge'} && !$synced_users->{$userid}) {
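Review bot: In the user loop, 'sync' mode deletes every user of the realm for which $synced_users->{$userid} is not defined, and nothing in this hunk checks that the source actually returned a usable result. If $synced_users comes back empty or partial, the locally added data this mode is meant to keep is lost for all affected users, so consider refusing to delete when $synced_users is empty, or note where that is already checked. Also, the new line tests defined($synced_users->{$userid}) while the purge condition right below it tests !$synced_users->{$userid}; using the same test in both places would make it obvious that they agree.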
@@ -367,7 +369,7 @@ my $update_groups = sub {
my $groups = $usercfg->{groups};
my $oldgroups = {};
- if ($opts->{mode} eq 'full') {
+ if ($opts->{mode} eq 'full' || $opts->{mode} eq 'sync') {
print "deleting outdated existing groups first\n";
foreach my $groupid (sort keys %$groups) {
next if $groupid !~ m/\-$realm$/;
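Review bot: The group loop gets the 'sync' mode condition but, unlike the user loop, no skip for groups that still exist at the source; there is no counterpart here to "next if $opts->{mode} eq 'sync' && defined($synced_users->{$userid});". If groups are meant to be removed and recreated in 'sync' mode, a short comment saying so would help; if locally set group data should survive the way user fields do, the same kind of skip is needed in this loop.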
diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 8a60062..24c1865 100755
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -58,11 +58,12 @@ my $realm_sync_options_desc = {
},
mode => {
description => "Update (Default): Only updates/adds fields/users returned by the server. "
+ ."Sync: Updates/adds fields/users from the server and deletes vanished users. "
."Full: Removes any field/user that was not returned and overwrites all "
."existing users with information from the server. "
."If set, this parameter supersedes the parameter 'full'.",
type => 'string',
- enum => [qw(update full)],
+ enum => [qw(update sync full)],
optional => '1',
},
# TODO check/rewrite in pve7to8, and remove with 8.0
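Review bot: The new 'Sync' description line only says "deletes vanished users", while the commit message and the Domains.pm change also cover groups, and it does not say that existing users keep their locally set fields, which is what separates it from 'Full'. Suggest wording along the lines of "Sync: Updates/adds fields/users from the server, keeps local fields of existing users and deletes vanished users and groups."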
--
2.30.2
Thread overview: 9+ messages
2022-02-04 14:24 [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync Dominik Csapak
2022-02-04 14:24 ` [pve-devel] [PATCH access-control v2 1/2] realm-sync: replace 'full' option with 'mode' Dominik Csapak
2022-02-04 14:25 ` Dominik Csapak [this message]
2022-02-04 14:25 ` [pve-devel] [PATCH manager v2 1/1] ui: realm sync: replace 'full' " Dominik Csapak
2022-03-22 6:11 ` [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync Thomas Lamprecht
2022-03-22 13:44 ` Thomas Lamprecht
2022-03-22 15:23 ` Dominik Csapak
2022-03-23 7:33 ` Thomas Lamprecht
2022-03-23 8:21 ` Thomas Lamprecht