Re: [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

On 04.02.22 15:24, Dominik Csapak wrote:
> this deprecates the 'full' sync option and replaces it with
> a 'mode' option, where we add a third one that updates
> the current users (while retaining their custom set attributes not
> exisiting in the source) and removing users that don't exist anymore
> in the source
> 

I'm not yet 100% sure about the specific mode names, as sync normally means
100% sync, I'll see if I find some other tool (rsync?) with similar option naming
problems. Independent from the specific names, this really needs a docs patch,
ideally with a table listing the modi as rows and having the various "user added",
"user removed", "properties added/updated", "properties removed" as columns, for a
better understanding of the effects..

> sorry for the long time between versions, i was distracted by
> various different things...
> 
> one "weird" thing that happens is when having a cluster and not all
> nodes are on the newest version if someone adds this option to the realm
> config. then everytime when the config is parsed on the older nodes,
> a warning is printed into the journal

you could work around this by getting the node versions from the pmxcfs node
kv store, currently only the manager version but we can do a bump with versioned
dependency there too, hopefully with a manager that has the ldap sync job (ui)
that I request since years shipped too ;-P

Not that we need to go that mechanism, we already tell everyone that a cluster
needs to be the same level of versions to work 100% correctly anyway.

> though this is the same for all new options in the domains.cfg, so i
> don't really see a way around this (besides allowing
> additionalProperties, but this would also first work on the next
> update)
> 
> changes from v1:
> * replace the 'remove-vanished' by a new 'mode' selection and adding
>   an appropriate mode
> 
> pve-access-control:
> 
> Dominik Csapak (2):
>   realm-sync: replace 'full' option with 'mode'
>   fix #3668: realm-sync: add mode 'sync'
> 
>  src/PVE/API2/Domains.pm | 59 ++++++++++++++++++++++++++++++++++-------
>  src/PVE/Auth/Plugin.pm  | 20 +++++++++++---
>  2 files changed, 66 insertions(+), 13 deletions(-)
> 
> pve-manager:
> 
> Dominik Csapak (1):
>   ui: realm sync: replace 'full' with 'mode'
> 
>  www/manager6/dc/AuthEditLDAP.js | 11 ++++++-----
>  www/manager6/dc/SyncWindow.js   |  9 +++++----
>  2 files changed, 11 insertions(+), 9 deletions(-)
>