From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 70F8E69313 for ; Wed, 23 Mar 2022 08:33:52 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 657C724306 for ; Wed, 23 Mar 2022 08:33:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 9D536242FB for ; Wed, 23 Mar 2022 08:33:51 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 4B76946F67 for ; Wed, 23 Mar 2022 08:33:51 +0100 (CET) Message-ID: <850588f1-aea9-d5fe-6419-c74ec655512d@proxmox.com> Date: Wed, 23 Mar 2022 08:33:48 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Thunderbird/99.0 Content-Language: en-US To: Proxmox VE development discussion , Dominik Csapak References: <20220204142501.1461441-1-d.csapak@proxmox.com> <50f39747-1685-92d4-ae3e-5cfe5c288776@proxmox.com> From: Thomas Lamprecht In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.056 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Mar 2022 07:33:52 -0000 On 22.03.22 16:23, Dominik Csapak wrote: > On 3/22/22 14:44, Thomas Lamprecht wrote: >> On 22.03.22 07:11, Thomas Lamprecht wrote: >>> On 04.02.22 15:24, Dominik Csapak wrote: >>>> this deprecates the 'full' sync option and replaces it with >>>> a 'mode' option, where we add a third one that updates >>>> the current users (while retaining their custom set attributes not >>>> exisiting in the source) and removing users that don't exist anymore= >>>> in the source >>>> >>> I'm not yet 100% sure about the specific mode names, as sync normally= means >>> 100% sync, I'll see if I find some other tool (rsync?) with similar o= ption naming >>> problems. Independent from the specific names, this really needs a do= cs patch, >>> ideally with a table listing the modi as rows and having the various = "user added", >>> "user removed", "properties added/updated", "properties removed" as c= olumns, for a >>> better understanding of the effects.. >>> >> A thought (train): what we decide with this isn't what gets added/upda= ted, that's >> always the same, only what gets removed if vanished on the source, so = maybe: >> >> remove-vanished: < none | user | user-and-properties > >> >> Or if we can actually also remove either user *or* group then: s/user/= entity/ ? >> >> ps. the web interface should probably do a s/Purge/Purge ACLs/ too; or= with that >> in mind we could actually drop that do and have: >> >> remove-vanished: < none | user | user-and-properties | user-and-proper= ties-and-acl > >> >> And with that, we could go the separate semicolon-endcoded-flag-list l= ike we do for >> some CT features (or mount options) IIRC: >> >> remove-vanished: [];[];[acls] >> >> I.e., those three flags would replace your new mode + purge like: >> >> +--------+--------+---------------------+ >> |=C2=A0 Mode=C2=A0 | Purge=C2=A0 | -> removed-vanished | >> +--------+--------+---------------------+ >> | update |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 0 | "" (none)=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | >> | sync=C2=A0=C2=A0 |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 0 | user=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 | >> | full=C2=A0=C2=A0 |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 0 | user;properties= =C2=A0=C2=A0=C2=A0=C2=A0 | >> | update |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1 | acl=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 = | >> | sync=C2=A0=C2=A0 |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1 | acl;user=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | >> | full=C2=A0=C2=A0 |=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1 | acl;user;proper= ties | >> +--------+--------+---------------------+ >> >> The selector for them could be either three check boxes on one line (s= imilar to the >> privilege level radio buttons from CT restore) or even a full blown co= mbobox with all >> the options spelled out. >> >> It's only slightly weird for acl, as there the "remove-vanished" somew= hat implies that >> we import acl's in the first place, if we really don't want that we co= uld keep >> "Purge ACLs" as separate option that is only enabled if "remove-vanish= ed" "user" flag >> is set, put IMO not _that_ of a big problem to understand compared to = the status quo. >> >> Does (any of) this make sense to you? >=20 > yes this sounds sensible, but i agree about the possibly confusing 'rem= ove-vanished' > implication for acls. Maybe 'remove-on-vanish' ? sounds the same to me semantically, so see no improvement there. > this would (semantically) decouple the 'vanished' thing from the 'remov= ed' thing, > at least a little bit. IMO purely subjective and if a real grammar/semantic connection would be = there that I just miss (always a possibility) it'd be to subtle. I think that the confusion potential overall would get quite a bit reduce= d that getting this slightly confusing one newly is still a net benefit and can be easil= y defused with a short docs note. > in either case the docs would have to be updated anyway (as you already= said) >=20 > aside from that, i think line 4 in your table is not really practical, > since it would remove the acls but leave the users ? The user cannot do anything anymore (like auto-disable) but you still hav= e a reference to it and all its configured fields + TFA, either to re-enable it later = or to check contact info if one would investigate a specific task, so IMO its still p= ractical for setups that want to auto-disable but not auto-remove.