From 0672c98e3254e46aa1be9f5acc25ec7ac3b29acb Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 8 Jun 2023 09:47:26 +0200
Subject: [PATCH] pve7to8: check for custom role ID clashes with "PVE" namespace

we'll enforce that in Proxmox VE 8 to avoid some headache on future ACL expansion.

Signed-off-by: Thomas Lamprecht
---
 PVE/CLI/pve7to8.pm | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 51114e7e..f8cdfa33 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI/pve7to8.pm
@@ -695,7 +695,7 @@ sub check_cifs_credential_location {
 }
 
 sub check_custom_pool_roles {
- log_info("Checking custom roles for pool permissions..");
+ log_info("Checking custom role IDs for clashes with new 'PVE' namespace..");
 
 if (! -f "/etc/pve/user.cfg") {
 log_skip("user.cfg does not exist");
@@ -734,10 +734,22 @@ sub check_custom_pool_roles {
 }
 }
 
- foreach my $role (sort keys %{$roles}) {
+ my ($custom_roles, $pve_namespace_clashes) = (0, 0);
+ for my $role (sort keys %{$roles}) {
 next if PVE::AccessControl::role_is_special($role);
+ $custom_roles++;
 
- # TODO: any role updates?
+ if ($role =~ /^PVE/i) {
+ log_warn("custom role '$role' clashes with 'PVE' namespace for built-in roles");
+ $pve_namespace_clashes++;
+ }
+ }
+ if ($pve_namespace_clashes > 0) {
+ log_fail("$pve_namespace_clashes custom role(s) will clash with 'PVE' namespace for built-in roles enforced in Proxmox VE 8");
+ } elsif ($custom_roles > 0) {
+ log_pass("none of the $custom_roles custom roles will clash with newly enforced 'PVE' namespace")
+ } else {
+ log_pass("no custom roles defined, so no clash with 'PVE' role ID namespace enforced in Proxmox VE 8")
 }
 }
 
-- 
2.39.2
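Review bot: The `log_warn` and `log_fail` lines added in the role loop of the second hunk name the clashing role but give the admin no next step. Since ACL entries reference a role by its ID, the fix is presumably to recreate the role under a non-reserved ID and move those entries over before upgrading, and the failure line could say so: `log_fail("$pve_namespace_clashes custom role(s) clash with the 'PVE' namespace reserved for built-in roles in Proxmox VE 8; recreate them under another ID and update the ACL entries that use them before upgrading");`. The match `/^PVE/i` is case-insensitive although every message spells the prefix 'PVE', and the check that Proxmox VE 8 enforces is not visible here; if lower-case prefixes are meant to fail, a comment such as `# matched case-insensitively, keep in sync with the role ID check enforced in PVE 8` would keep the two from drifting apart. The two `log_pass(...)` calls also end without the `;` that the `log_fail` call has. check_custom_pool_roles begins before this hunk, so the user.cfg parsing that fills `$roles` is outside what was reviewed.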