public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: wb <webmaster@jbsky.fr>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel]  RE :  RE : pve-devel Digest, Vol 132, Issue 53
Date: Wed, 26 May 2021 08:22:06 +0200	[thread overview]
Message-ID: <cfde1759-7f32-fe99-0c2e-c1824e627847@proxmox.com> (raw)
In-Reply-To: <e86b4b273756ab5b78d9948086eb04cb@mwinf5d07.me-wanadoo.net>

Hi,

On 25.05.21 22:50, wb wrote:
> Sorry, the first mail went a little too fast
> 
>> running does not mean working...
> Ok, but starting from an installation, I doubt :).
> 

But you already started to patch around, so we just cannot know for sure - was just
mentioning that to cover more possibilities :-)


> systemctl status pve-cluster 
> 
> 
> 
> touch /etc/pve/foo
> findmnt /etc/pve
> 

Look OK, but please paste such things inline the next time, I and most others here
on this list find pictures of plain text rather needlessly hard to deal with.

> 
> I finally found the problem that comes from the read permission on the /etc/pve/priv/authkey.key file, probably because www-data is reading instead of root.
> 

I mean yes, it still is a filesystem so read/write need to adhere to the standard
POSIX file permissions.

Quoting from our documentation:

> All files and directories are owned by user root and have group www-data.
> Only root has write permissions, but group www-data can read most files.
> Files below the following paths:> 
> /etc/pve/priv/
> /etc/pve/nodes/${NAME}/priv/
> 
> are only accessible by root.

-- https://pve.proxmox.com/pve-docs/chapter-pmxcfs.html#_file_access_rights

If a API method needs to access the `priv` path it needs to set the
`protected => 1` "flag" in the API-method schema definition, that way it will proxied
to the local-only API daemon running as root.


> By moving it to /etc/pve/authkey.key, I finally manage to create the ticket and thus, to do SSO.
> An analysis of the problem in my code would be welcome.
> 
> There will still be 2 points to be clean (not counting the anomaly due to the right in reading) :
> ➢ First point, create links in the login page instead of putting saml authentication realm in the list.
> ➢ Check the saml request id properly in the authentication part of the SAML class, (this is really not the case)
> 
> Thank you in advance,
> 
> Attached is the patch.

This is a combined patch over multiple repositories, further having it as attachment
makes replying (reviewing) hard to do on the list.

Please check out the following resources:
* Developer docs, especially the CLA, and preparing/sending patches section:
  https://pve.proxmox.com/wiki/Developer_Documentation

* Our coding style guides, didn't looked to close to actually see violations so rather
  mentioning it for completeness sake:
  - https://pve.proxmox.com/wiki/Perl_Style_Guide
  - https://pve.proxmox.com/wiki/Javascript_Style_Guide

  Note, we're well aware that not all of the existing code holds up to those standards
  (yet), that's still no real excuse for new code to adapt to it, as much as the surrounding
  code style allows.

Just two short comments regarding the patch, as I did not checked that out in full:

1. I'm not sure why you need to duplicate API calls, especially the `post_saml` one.
2. It also seems you missed including the diff for the new `PVE::Auth::SAML` module.

If you want a real review I'd suggest to send out what you have now as real patche
series via `git send-email`, ideally adding some reasoning for why things are done
that way - making review much easier - thanks!

cheers,
Thomas





  parent reply	other threads:[~2021-05-26  6:22 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <mailman.1.1621850401.15220.pve-devel@lists.proxmox.com>
2021-05-24 21:45 ` [pve-devel] " wb
2021-05-25  6:11   ` Thomas Lamprecht
2021-05-25 20:20     ` [pve-devel] RE : " wb
     [not found]     ` <e86b4b273756ab5b78d9948086eb04cb@mwinf5d07.me-wanadoo.net>
2021-05-26  6:22       ` Thomas Lamprecht [this message]
2021-05-26 22:28         ` [pve-devel] RE : " wb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cfde1759-7f32-fe99-0c2e-c1824e627847@proxmox.com \
    --to=t.lamprecht@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    --cc=webmaster@jbsky.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal