pve7to8: check for custom role ID clashes with "PVE" namespace

we'll enforce that in Proxmox VE 8 to avoid some headache on future
ACL expansion.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2023-06-08 09:47:26 +02:00
parent af8e8c8822
commit 0672c98e32


@ -695,7 +695,7 @@ sub check_cifs_credential_location {
} }
sub check_custom_pool_roles { sub check_custom_pool_roles {
log_info("Checking custom roles for pool permissions.."); log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
if (! -f "/etc/pve/user.cfg") { if (! -f "/etc/pve/user.cfg") {
log_skip("user.cfg does not exist"); log_skip("user.cfg does not exist");
@ -734,10 +734,22 @@ sub check_custom_pool_roles {
} }
} }
foreach my $role (sort keys %{$roles}) { my ($custom_roles, $pve_namespace_clashes) = (0, 0);
for my $role (sort keys %{$roles}) {
next if PVE::AccessControl::role_is_special($role); next if PVE::AccessControl::role_is_special($role);
$custom_roles++;
# TODO: any role updates? if ($role =~ /^PVE/i) {
log_warn("custom role '$role' clashes with 'PVE' namespace for built-in roles");
$pve_namespace_clashes++;
}
}
if ($pve_namespace_clashes > 0) {
log_fail("$pve_namespace_clashes custom role(s) will clash with 'PVE' namespace for built-in roles enforced in Proxmox VE 8");
} elsif ($custom_roles > 0) {
log_pass("none of the $custom_roles custom roles will clash with newly enforced 'PVE' namespace")
} else {
log_pass("no custom roles defined, so no clash with 'PVE' role ID namespace enforced in Proxmox VE 8")
} }
} }
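Review bot: The `log_fail` at the end of the second hunk reports only a count and never tells the admin what to do before upgrading; because this blocks an upgrade and touches access control, the message should carry the remediation, for example by ending with `- rename these roles and update the ACL entries referencing them before upgrading` (wording to be confirmed against what Proxmox VE 8 actually enforces). The match is `/^PVE/i`, so lowercase IDs such as a constructed `pveFoo` are flagged as well, and it is worth confirming that the Proxmox VE 8 enforcement is equally case-insensitive so that checker and enforcement agree. The sub is still named `check_custom_pool_roles` although its log line no longer mentions pool permissions, so a one-line comment above it such as `# checks custom role IDs for clashes with the reserved 'PVE' prefix` would keep the name from misleading. The two `log_pass(...)` calls also lack the trailing `;` that the `log_fail` line has. The part of the sub between the two hunks is not visible here.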