public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH manager 6/9] pve8to9: remove outdated checks for user roles
Date: Thu, 17 Jul 2025 15:36:54 +0200	[thread overview]
Message-ID: <20250717133711.84715-7-f.ebner@proxmox.com> (raw)
In-Reply-To: <20250717133711.84715-1-f.ebner@proxmox.com>

These checks were only relevant for the upgrade to PVE 8 and the
messages talking about a new PVE namespace or dropped
Permission.Modify privilege do not apply anymore.

Keep the infrastructure for checking custom roles intact for future
checks.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/CLI/pve8to9.pm | 32 ++++++--------------------------
 1 file changed, 6 insertions(+), 26 deletions(-)

diff --git a/PVE/CLI/pve8to9.pm b/PVE/CLI/pve8to9.pm
index eb6d67e5..0c7cb97f 100644
--- a/PVE/CLI/pve8to9.pm
+++ b/PVE/CLI/pve8to9.pm
@@ -760,41 +760,21 @@ sub check_custom_pool_roles {
             for my $priv (split_list($privlist)) {
                 $roles->{$role}->{$priv} = 1;
             }
-        } elsif ($et eq 'acl') {
-            my ($propagate, $pathtxt, $uglist, $rolelist) = @data;
-            for my $role (split_list($rolelist)) {
-                if ($role eq 'PVESysAdmin' || $role eq 'PVEAdmin') {
-                    log_warn(
-                        "found ACL entry on '$pathtxt' for '$uglist' with role '$role' - this role"
-                            . " will no longer have 'Permissions.Modify' after the upgrade!");
-                }
-            }
         }
     }
 
-    log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
-    my ($custom_roles, $pve_namespace_clashes) = (0, 0);
+    log_info("Checking custom role IDs");
+    my ($custom_roles, $need_handling) = (0, 0);
     for my $role (sort keys %{$roles}) {
         next if PVE::AccessControl::role_is_special($role);
         $custom_roles++;
-
-        if ($role =~ /^PVE/i) {
-            log_warn("custom role '$role' clashes with 'PVE' namespace for built-in roles");
-            $pve_namespace_clashes++;
-        }
     }
-    if ($pve_namespace_clashes > 0) {
-        log_fail(
-            "$pve_namespace_clashes custom role(s) will clash with 'PVE' namespace for built-in roles enforced in Proxmox VE 8"
-        );
+    if ($need_handling > 0) {
+        log_fail("$need_handling custom role(s) need handling");
     } elsif ($custom_roles > 0) {
-        log_pass(
-            "none of the $custom_roles custom roles will clash with newly enforced 'PVE' namespace"
-        );
+        log_pass("none of the $custom_roles custom roles need handling");
     } else {
-        log_pass(
-            "no custom roles defined, so no clash with 'PVE' role ID namespace enforced in Proxmox VE 8"
-        );
+        log_pass("no custom roles defined");
     }
 }
 
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2025-07-17 13:37 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-17 13:36 [pve-devel] [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named VM.Monitor privilege Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 1/9] add VM.GuestAgent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH access-control 2/9] privileges: drop VM.Monitor Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 3/9] api: agent: use more specific guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 4/9] api: monitor: improve permission handling Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH qemu-server 5/9] api: monitor: require Sys.Audit or Sys.Modify privilege Fiona Ebner
2025-07-17 13:36 ` Fiona Ebner [this message]
2025-07-17 13:36 ` [pve-devel] [PATCH manager 7/9] pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 8/9] user management: privileges: document new VM guest agent privileges Fiona Ebner
2025-07-17 13:36 ` [pve-devel] [PATCH docs 9/9] user management: privileges: remove reference to dropped VM.Monitor privilege Fiona Ebner
2025-07-17 21:26 ` [pve-devel] applied-series: [PATCH-SERIES access-control/qemu-server/manager/docs] replace ambiguously named " Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250717133711.84715-7-f.ebner@proxmox.com \
    --to=f.ebner@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal