From: Thomas Lamprecht
To: Proxmox VE development discussion, Dominik Csapak
Date: Tue, 22 Mar 2022 07:11:41 +0100
References: <20220204142501.1461441-1-d.csapak@proxmox.com>
In-Reply-To: <20220204142501.1461441-1-d.csapak@proxmox.com>
Subject: Re: [pve-devel] [PATCH access-control/manager v2] fix #3668: improving realm sync

On 04.02.22 15:24, Dominik Csapak wrote:
> this deprecates the 'full' sync option and replaces it with
> a 'mode' option, where we add a third one that updates
> the current users (while retaining their custom set attributes not
> existing in the source) and removing users that don't exist anymore
> in the source
>

I'm not yet 100% sure about the specific mode names, as sync normally means
100% sync, I'll see if I find some other tool (rsync?) with similar option
naming problems.

Independent from the specific names, this really needs a docs patch, ideally
with a table listing the modi as rows and having the various "user added",
"user removed", "properties added/updated", "properties removed" as columns,
for a better understanding of the effects.

> sorry for the long time between versions, i was distracted by
> various different things...
>
> one "weird" thing that happens is when having a cluster and not all
> nodes are on the newest version if someone adds this option to the realm
> config.
> then every time when the config is parsed on the older nodes,
> a warning is printed into the journal

you could work around this by getting the node versions from the pmxcfs node
kv store, currently only the manager version but we can do a bump with
versioned dependency there too, hopefully with a manager that has the ldap
sync job (ui) that I request since years shipped too ;-P

Not that we need to go that mechanism, we already tell everyone that a cluster
needs to be the same level of versions to work 100% correctly anyway.

> though this is the same for all new options in the domains.cfg, so i
> don't really see a way around this (besides allowing
> additionalProperties, but this would also first work on the next
> update)
>
> changes from v1:
> * replace the 'remove-vanished' by a new 'mode' selection and adding
>   an appropriate mode
>
> pve-access-control:
>
> Dominik Csapak (2):
>   realm-sync: replace 'full' option with 'mode'
>   fix #3668: realm-sync: add mode 'sync'
>
>  src/PVE/API2/Domains.pm | 59 ++++++++++++++++++++++++++++++++++-------
>  src/PVE/Auth/Plugin.pm  | 20 +++++++++++---
>  2 files changed, 66 insertions(+), 13 deletions(-)
>
> pve-manager:
>
> Dominik Csapak (1):
>   ui: realm sync: replace 'full' with 'mode'
>
>  www/manager6/dc/AuthEditLDAP.js | 11 ++++++-----
>  www/manager6/dc/SyncWindow.js   |  9 +++++----
>  2 files changed, 11 insertions(+), 9 deletions(-)
>