Thomas Lamprecht
cd46b379b3
bump version to 7.0-6
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-21 12:28:58 +02:00
Dominik Csapak
4aa4f0b3d7
fix user deletion when realm does not enforce TFA
...
here the existance of the user is only interesting if we want to set
data, not if we delete it.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-10-21 12:27:42 +02:00
Thomas Lamprecht
52da88a86c
bump version to 7.0-5
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-04 12:47:15 +02:00
Thomas Lamprecht
e780b46aab
api: delete user: better communicate partial deletion
...
this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:48:21 +02:00
Thomas Lamprecht
ba6cc98fcb
api: delete user: disable first to avoid surprise on error
...
Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:47:22 +02:00
Thomas Lamprecht
8ecf1a490d
fix #2302 : allow deletion of users when realm enforces TFA
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:32:05 +02:00
Thomas Lamprecht
3e5b237feb
api: user: indentation & whitspace cleanups
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-23 14:16:50 +02:00
Alexandre Derumier
4100ba8d65
check_path: add /sdn/vnets/* path
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2021-08-23 18:19:15 +02:00
Thomas Lamprecht
543d646c44
bump version to 7.0-4
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:45:51 +02:00
Thomas Lamprecht
d658d04acb
api: users: use public regex directly to parse out realm
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:42:16 +02:00
Thomas Lamprecht
525a931b98
api: users: code-style cleanup and sort when iterating users
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:41:29 +02:00
Thomas Lamprecht
3f6023f55c
api: users: s/realmtype/realm-type/ in response
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:38:46 +02:00
Dominik Csapak
8bb59c2612
api: user: add realmtype to user list
...
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-07-02 13:14:51 +02:00
Dietmar Maurer
fbf4594aaf
implement OpenID autocreate user feature
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:35:58 +02:00
Dietmar Maurer
ac344d7df3
api: implement openid API
...
This moves compute_api_permission() into RPCEnvironment.pm.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:31:45 +02:00
Dietmar Maurer
f0c9ef167b
depend on libpve-rs-perl
2021-07-01 13:13:59 +02:00
Dietmar Maurer
52d1c1b966
add OpenId configuration
2021-07-01 13:13:59 +02:00
Dietmar Maurer
8a724f7b3a
check_user_enabled: also check if user is expired
2021-07-01 13:13:59 +02:00
Thomas Lamprecht
7a4c4fd870
bump version to 7.0-3
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-21 10:31:23 +02:00
Thomas Lamprecht
a981f7c1c6
buildsys: clean more
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:43:44 +02:00
Thomas Lamprecht
d7e8d24ef5
access control: style: register configs in single line each
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:41:02 +02:00
Alexandre Derumier
0a06acb128
check_path : add sdn zone path
...
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 13:15:36 +02:00
Dominik Csapak
8737ff3718
add missing paths in check_path
...
* /access/realm/<realm>
* /access/groups/<group>
were overlooked when fixing #1500
see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-06-16 16:19:33 +02:00
Thomas Lamprecht
5e868938f1
rpc env: sort use statements
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-15 14:38:41 +02:00
Thomas Lamprecht
f368e8c75c
buildsys: change upload dist to bullseye
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-08 09:47:21 +02:00
Fabian Grünbichler
0902a936f3
bump version to 7.0-2
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-06-01 11:29:49 +02:00
Lorenz Stechauner
6d048ad6fc
fix #3402 : add Pool.Audit permission
...
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-06-01 10:31:16 +02:00
Fabian Grünbichler
8ac53236df
d/control: add missing libuuid-perl b-d
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-05-19 11:54:26 +02:00
Thomas Lamprecht
67febb6933
bump version to 7.0-1
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
3470fad8c1
pveum: work around unavailable API2:Pools module
...
commit 42ade84744
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
d4c9a54e35
d/control: update standards version
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
ce4b5d6066
d/control: drop perl dependency, added by ${perl:Depends}
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
197d1016fd
buildsys: split packaging and source build-systems
...
Much nicer to handle and work with than entangling all together in a
single spaghetti pile.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
08eb54c9dc
d/control: bump debhelper compat to >= 12
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 18:16:38 +02:00
Thomas Lamprecht
ebcefa86d4
d/rules: fix dh_missing override
...
note, with compat level >= 13 we can drop that override finally
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 18:16:04 +02:00
Thomas Lamprecht
2942ba4139
bump version to 6.4-1
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-04-24 19:48:25 +02:00
Dylan Whyte
42ade84744
resource pools: add resource pool cli commands
...
Add commands for creating, modifying, listing, and deleting resource
pools.
Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
2021-04-22 21:53:09 +02:00
Lorenz Stechauner
b89cd20528
fix typo in oathkeygen: randon -> random
...
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-04-20 18:13:51 +02:00
Thomas Lamprecht
ad1ef9fc1c
acl: check path: further resdtrict VMID values
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-04-19 11:50:16 +02:00
Thomas Lamprecht
91c30089a7
acl: check path: spell param out
...
we normally use shift only in closures, to keep them short, as a
module method this should rather use our standard style.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-04-19 11:48:52 +02:00
Lorenz Stechauner
20c60513b2
fix #1500 : permission path syntax check for access control
...
Syntax for permission paths is now checked on API calls for
creation or update on permissions.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-04-19 10:13:45 +02:00
Wolfgang Bumiller
01f191c8c4
fix #1670 : change PAM service name to project specific name
...
Instead of 'common-auth' use 'proxmox-ve-auth', this way
users can override PAM authentication settings via
`/etc/pam.d/proxmox-ve-auth`.
If the file does not exist, pam will use `/etc/pam.d/other`
which by default behaves like `common-auth`.
Note that this *can* be different from directly using
`common-auth` *if* a user has actually modified
`/etc/pam.d/other` for some reason.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-11-20 14:51:29 +01:00
Thomas Lamprecht
54d312f350
bump version to 6.1-3
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-29 08:55:56 +02:00
Thomas Lamprecht
f335d265b8
api/users: catch existing user also on case insensitive realm
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-29 08:51:36 +02:00
Thomas Lamprecht
2dd1e1d41e
api/users: indentation cleanup
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-09-29 06:19:07 +02:00
Wolfgang Link
eb41d20051
fix #2947 login name for the LDAP/AD realm can be case-insensitive
...
This is an optional for LDAP and AD realm.
The default behavior is case-sensitive.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
2020-09-29 06:14:53 +02:00
Thomas Lamprecht
9de25de807
partially fix #2825 : authkey: rotate if it was generated in the future
...
Can happen if the RTC is in the future during installation and first
boot, when during key generation the clock is in the future and then,
after the key was already generated, jumps back in time.
Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as
that fuzz allows some minor, not really problematic, time sync
disparity in clusters.
If an old authkey exists, meaning we rotated at least once, check it's
time too. Only rotate if it'd not be valid for any tickets in the
cluster anymore, i.e., if it difference between the current key is >
$ticket_lifetime (2 hours)..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-07-04 18:22:51 +02:00
Thomas Lamprecht
8304b226d6
authkey: use variable instead of hard coded grace period value
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-07-03 15:18:45 +02:00
Thomas Lamprecht
6a9be12f55
bump version to 6.1-2
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-06-30 13:06:59 +02:00
Mira Limbeck
cb381abc6b
introduce VM.Config.Cloudinit permission
...
It is added to PVEVMUser by default.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
2020-06-26 09:39:54 +02:00
