ChangeLog

   1 2011-08-15  Proxmox Support Team  <support@proxmox.com>
   2
   3         * PVE/AccessControl.pm (parse_user_config): fix parser for files
   4         without newline at eof
   5         (parse_shadow_passwd): fix parser for files without newline at eof
   6         (parse_domains): fix parser for files without newline at eof
   7
   8 2011-08-01  Proxmox Support Team  <support@proxmox.com>
   9
  10         * PVE/AccessControl.pm (lock_*): remove $parent in calls to
  11         cfs_lock_file()
  12
  13 2011-07-22  Proxmox Support Team  <support@proxmox.com>
  14
  15         * PVE/API2/Domains.pm (create): use lower case: s/AD/ad/ and
  16         s/LDAP/ldap/
  17
  18         * PVE/AccessControl.pm (write_domains): use lc($type)
  19
  20 2011-07-14  Proxmox Support Team  <support@proxmox.com>
  21
  22         * control.in (Depends): remove depend on liburi-perl (code moved
  23         to pve-common)
  24
  25 2011-07-05  Proxmox Support Team  <support@proxmox.com>
  26
  27         * PVE/API2/User.pm (create_user): add -enable parameter
  28
  29         * PVE/API2/User.pm (update_user): use -enable instead of
  30         -lock/-unlock
  31
  32 2011-06-27  Proxmox Support Team  <support@proxmox.com>
  33
  34         * PVE/AccessControl.pm (normalize_path): allow '-' in path
  35
  36 2011-05-30  Proxmox Support Team  <support@proxmox.com>
  37
  38         * PVE/AccessControl.pm (assemble_csrf_prevention_token): CSRF
  39         token may not depend on cookie, because cookie can be updated from
  40         other window.
  41
  42 2011-03-30  Proxmox Support Team  <support@proxmox.com>
  43
  44         * PVE/API2/AccessControl.pm (create_ticket): also return user name
  45
  46 2011-03-24  Proxmox Support Team  <support@proxmox.com>
  47
  48         * PVE/AccessControl.pm (verify_csrf_prevention_token): add CSRF
  49         prevention code
  50
  51 2011-03-23  Proxmox Support Team  <support@proxmox.com>
  52
  53         * PVE/RPCEnvironment.pm (active_workers): simple log rotation when
  54         file is bigger that 50KB
  55
  56 2011-03-22  Proxmox Support Team  <support@proxmox.com>
  57
  58         * PVE/RPCEnvironment.pm (set_result_count): a way to set the total
  59         number of results - we use that for the ExtJS paging grid.
  60
  61 2011-03-21  Proxmox Support Team  <support@proxmox.com>
  62
  63         * PVE/RPCEnvironment.pm (active_workers): immediately move finished
  64         task to the index file.
  65
  66 2011-03-17  Proxmox Support Team  <support@proxmox.com>
  67
  68         * PVE/RPCEnvironment.pm (active_workers): update/get worker list
  69
  70 2011-03-16  Proxmox Support Team  <support@proxmox.com>
  71
  72         * PVE/RPCEnvironment.pm (fork_worker): add code to simulate running
  73         in foreground (cli).
  74
  75 2011-02-24  Proxmox Support Team  <support@proxmox.com>
  76
  77         * PVE/AccessControl.pm (roles): fix group permission propagation
  78
  79         * PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus'
  80         instead of '-uglist'
  81
  82 2011-02-23  Proxmox Support Team  <support@proxmox.com>
  83
  84         * PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm
  85
  86 2011-02-22  Proxmox Support Team  <support@proxmox.com>
  87
  88         * PVE/AccessControl.pm: make 'domains.cfg' readable by www-data,
  89         add 'default' attribute.
  90
  91         * PVE/AccessControl.pm: realm is now part of the username.
  92         Example: 'userid@realm'
  93         (valid_attributes): add 'domain, port, secure' attributes for AD.
  94         (parse_domains): add attribute 'secure' (replace LDAPS type),
  95
  96         * PVE/AccessControl.pm (parse_user_config): add firstname/lastname
  97         and email fields.
  98
  99 2011-02-21  Proxmox Support Team  <support@proxmox.com>
 100
 101         * PVE/API2/Group.pm (update_group): implement modgroup (set
 102         comment)
 103
 104 2011-02-18  Proxmox Support Team  <support@proxmox.com>
 105
 106         * PVE/AccessControl.pm (create_roles): try to create a predefined
 107         set of roles automatically.
 108
 109 2011-02-17  Proxmox Support Team  <support@proxmox.com>
 110
 111         * PVE/API2/Domains.pm: new API to for domains.cfg
 112
 113         * PVE/AccessControl.pm (authenticate_user_domain): added a 'domid'
 114         attribute to users. This references an entry in the domain
 115         config. This is simpler than the previous domain search
 116         algorithm.
 117
 118         * PVE/API2/User.pm: save domid, name, comment and expire time for
 119         user entries.
 120
 121         * PVE/AccessControl.pm (authenticate_user): check for expired
 122         accounts
 123
 124         * control.in (Depends): depend on liburi-perl (we use URI::Escape
 125         to encode text in our config files).
 126
 127         * PVE/AccessControl.pm (enable_user, disable_user): removed
 128         clumsy methods, not needed.
 129
 130 2011-02-16  Proxmox Support Team  <support@proxmox.com>
 131
 132         * README (privileges): Changes set of privileges. We try to be as
 133         simple as possible. We can refinen them in future.
 134
 135         * PVE/ACLCache.pm: deleted - moved code into RPCEnvironment.
 136
 137 2011-02-15  Proxmox Support Team  <support@proxmox.com>
 138
 139         * PVE/AccessControl.pm (verify_username): restrict user names to
 140         64 charachters. Add new priviledges Sys.PowerOff, Sys.Console and
 141         Sys.Syslog
 142
 143         * PVE/ACLCache.pm: move code into new file.
 144
 145         * test/perm-test1.pl: modified to use new PVE::ACLCache class.
 146
 147         * PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
 148         checks)
 149
 150 2011-01-27  Proxmox Support Team  <support@proxmox.com>
 151
 152         * pveum (auth): remove auth method - we do not use it any
 153         longer,  comment out ability to pass password via environment
 154         variable.
 155
 156         * PVE/AccessControl.pm (check_permissions): new helper to check
 157         permissions.
 158
 159 2011-01-21  root  <root@maui.maurer-it.com>
 160
 161         * PVE/AccessControl.pm: register a JSONSchema standard option for
 162         'userid'.
 163
 164         * pveum: allow to pass passwords with environment variable
 165         PVE_PW_TICKET
 166         * pveum (auth): new method to verify credentials/privileges (used
 167         by our kvm patches and vncterm)
 168
 169 2011-01-12  root  <root@maui.maurer-it.com>
 170
 171         * PVE/AccessControl.pm: use new PVE::Cluster class and read data
 172         from cluster filesystem (instead of local filesystem).
 173
 174 2011-01-11  root  <root@maui.maurer-it.com>
 175
 176         * control.in (Depends): depend on new pve-cluster package
 177
 178         * PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
 179         not work on the cluster filesystem, so I removed that code. Also
 180         moved lock files to /var/lock/pve-manager (cluster filesystem does
 181         not support locks - we need to do cluster wide locks later)
 182
 183 2010-09-14  Proxmox Support Team  <support@proxmox.com>
 184
 185         * PVE/API2/AccessControl.pm: moved from pve-manager
 186
 187         * PVE/: create correct directory hierarchy
 188
 189         * Makefile (install): use 'verifyapi'
 190
 191         * pveum: add verifyapi
 192
 193 2010-08-25  Proxmox Support Team  <support@proxmox.com>
 194
 195         * pveum: use new PVE::CLIHandler
 196
 197 2010-08-24  Proxmox Support Team  <support@proxmox.com>
 198
 199         * pveum: use new PVE::RPCEnvironment
 200
 201         * *.pm: remove $conn parameter everywhere
 202
 203 2010-08-16  Proxmox Support Team  <support@proxmox.com>
 204
 205         * AccessControl.pm (lock_user_config): add call to die, remove
 206         @param - we do not need that here
 207         (lock_shadow_config): add call to die, remove @param
 208
 209         * *.pm: remove $resp parameter everywhere.
 210
 211         * AccessControl.pm (verify_username): add test for username
 212         length (at least 3 characters)
 213
 214 2010-08-13  Proxmox Support Team  <support@proxmox.com>
 215
 216         * User.pm: use new 'format' property in schema
 217
 218         * ACL.pm: use new 'format' property in schema, remove redundant
 219         calls to verify_XXX calls.
 220
 221         * Role.pm: use new 'format' property in schema, remove redundant
 222         calls to verify_XXX calls.
 223
 224         * Group.pm: use new 'format' property in schema, remove redundant
 225         calls to verify_XXX calls.
 226
 227         * AccessControl.pm (modify_acl): strict error checking - use 'die'
 228         instead of 'warn', moved to ACL.pm
 229         (verify_username): fix serious bug
 230
 231 2010-08-12  Proxmox Support Team  <support@proxmox.com>
 232
 233         * Group.pm: use the new RESTHandler for API methods
 234
 235         * Role.pm: use the new RESTHandler for API methods
 236
 237         * AccessControl.pm (add_group): moved to Group.pm
 238         (delete_group): moved to Group.pm
 239         (delete_role): moved to Role.pm
 240         (modify_role): moved to Role.pm
 241
 242         * User.pm: strict error checking - use 'die' instead of 'warn'
 243
 244         * User.pm (delete_user): raise error when user does not exist.
 245
 246         * Group.pm (delete_group):  raise error when group does not exist.
 247
 248         * pveum: use the new
 249         RESTHandler (PVE::API2::User->cli_handler()). That way we have
 250         automatic command line argument parsing.
 251
 252         * User.pm: use the new RESTHandler for API methods. Those methods
 253         are automatically exposed with the API Server (pve-manager), and
 254         we can use them in the command line tools.
 255
 256         * AccessControl.pm (modify_user, delete_user): moved to User.pm
 257
 258 2010-08-10  Proxmox Support Team  <support@proxmox.com>
 259
 260         * control.in (Depends): depend on libpve-common-perl
 261
 262         * AccessControl.pm: initialize Crypt::OpenSSL::RSA with
 263         import_random_seed(), else I get a 'Segmentation fault' when
 264         creating tickets ("pveum ticket <testuser>").
 265
 266         * AccessControl.pm:  Moved utilities to new PVE::Tools
 267         module (pve-common), use new PVE::INotify to read/write config files.
 268
 269         * AccessControl.pm (parse_domains): ignore case (always convert
 270         type to lower case), fix bug from Seth and test for 'ldaps'.
 271         (file_set_contents): use O_WRONLY|O_CREAT instead of 'w' - else
 272         perm gets ignored.
 273
 274 2010-08-09  Seth Lauzon <seth.lauzon@gmail.com>
 275
 276         * AccessControl.pm (authenticate_user_ldap): changed the bind function
 277         for LDAP to allow for secure connection
 278
 279 2010-07-21  Seth Lauzon <seth.lauzon@gmail.com>
 280
 281         * AccessControl.pm (parse_domains): require base_dn for LDAP domains
 282         (valid_attributes): renamed from valid_params to maintain conformity
 283
 284 2010-07-19  Proxmox Support Team  <support@proxmox.com>
 285
 286         * AccessControl.pm (authenticate_user_domain): always add timeout
 287         after failed auth
 288         (file_set_contents): correctly emit exception if print/close fails
 289
 290 2010-07-19  Seth Lauzon <seth.lauzon@gmail.com>
 291
 292         * AccessControl.pm: fixed timeout for ldap/AD errors and reduced to two seconds
 293
 294         * AccessControl.pm: modified LDAP authentication to a two step bind method
 295
 296 2010-07-16  Proxmox Support Team  <support@proxmox.com>
 297
 298         * AccessControl.pm (authenticate_user_domain): catch special
 299         case ($domain eq '')
 300         (parse_domains): fix various bugs, allow spaces between domains,
 301         skip duplicate parameters
 302
 303 2010-07-16  Seth Lauzon <seth.lauzon@gmail.com>
 304
 305         * AccessControl.pm (parse_domains): borrowed code from Storage.pm to make it
 306         less fragile to syntax errors in the domains.cfg file
 307
 308         * AccessControl.pm: implemented LDAP authentication
 309
 310         * AccessControl.pm: added four second timeout on authentication failure for
 311         user_authentication_ldap and user_authentication_ad
 312
 313 2010-07-14  Proxmox Support Team  <support@proxmox.com>
 314
 315         * AccessControl.pm (ldap_bind): rename to authenticate_user_ad (AD
 316         only)
 317         (load_domains_config): return a reference to an array (not the
 318         array itself)
 319         (parse_config): return a reference to an array (not the array
 320         itself)
 321         (authenticate_user_domain): restructure code - this is no the
 322         centralized interface for authenticationn
 323         (authenticate_user_domain): add 'shadow' and 'PAM' default entries
 324         if there is no configuration for them in domain.cfg
 325         (authenticate_user_shadow): renamed from authenticate_user_pve
 326
 327         * control.in (Depends): add libnet-ldap-perl
 328
 329 2010-07-14  Seth Lauzon <seth.lauzon@gmail.com>A
 330
 331         * AccessControl.pm: implemented Active Directory authentication
 332
 333 2010-07-09  Seth Lauzon <seth.lauzon@gmail.com>
 334
 335         * AccessControl.pm (modify_acl): check if role exists
 336
 337 2010-07-08  Proxmox Support Team  <support@proxmox.com>
 338
 339         * pveum (print_usage): improve usage text.
 340
 341 2010-07-08  Seth Lauzon <seth.lauzon@gmail.com>
 342
 343         * AccessControl.pm: modify/delete ACL functionality
 344
 345         * pveum (aclmod): Add/Modify ACL
 346         (acldel): Delete ACL
 347
 348 2010-07-07  Proxmox Support Team  <support@proxmox.com>
 349
 350         * AccessControl.pm: implemented shadowauthentication (add/modify/delete/verify)
 351         with file locking (Seth)
 352         (encrypt_pw): use SHA256 to crypt passwords
 353         (save_shadow_config): change mode to 0600, store to /etc/pve/auth/shadow.cfg
 354         (parse_shadow): simplify code - there is no need to trim strings. Instead check for
 355         correct format.
 356
 357         * test/auth-test.pl: program for testing authentication methods (Seth)
 358
 359         * pveum (read_password): added confirm password
 360
 361 2010-07-05  Proxmox Support Team  <support@proxmox.com>
 362
 363         * AccessControl.pm (modify_user): remove call to change_password()
 364         - not neccessary at all (Seth)
 365         * AccessControl.pm: cleanup - remove space in function calls(Seth)
 366
 367 2010-07-02  Proxmox Support Team  <support@proxmox.com>
 368
 369         * AccessControl.pm (lock_user_config): renamed from lock_config,
 370         because we will have more then one config file (auth.conf, shadow
 371         password, ...)
 372         (modify_user): check for exceptions after lock_user_config()
 373         (delete_user): check for exceptions after lock_user_config(),
 374         raise invalid characters exception
 375         (delete_group): check for exceptions after lock_user_config(),
 376         raise invalid characters exception
 377         (modify_role): check for exceptions after lock_user_config()
 378         (delete_role): check for exceptions after lock_user_config(),
 379         raise invalid characters exception
 380         (verify_username): add $noerr parameter, raise exeption if
 381         user name contain invalid characters and $noerr is not set
 382         (verify_groupname): add $noerr parameter, raise exeption if
 383         group name contain invalid characters and $noerr is not set
 384         (verify_rolename): add $noerr parameter, raise exeption if
 385         role name contain invalid characters and $noerr is not set
 386
 387 2010-07-01  Proxmox Support Team  <support@proxmox.com>
 388
 389         * AccessControl.pm: implemented file locking functionality for all
 390         processes that make modifications to configuration file (Seth) -
 391         code for lock_file() was copied from QemuServer.pm.
 392
 393 2010-06-29  Proxmox Support Team  <support@proxmox.com>
 394
 395         * pveum: new roleadd/rolemod/roledel (Seth)
 396
 397         * AccessControl.pm (modify_role): create role and modify privileges (Seth)
 398
 399         * AccessControl.pm (delete_role): delete role functionality (Seth)
 400
 401 2010-06-28  Proxmox Support Team  <support@proxmox.com>
 402
 403         * pveum: new groupadd/groupdel (patch from Seth)
 404
 405         * AccessControl.pm (add_user): moved functionality to modify_user and
 406         removed subroutine (Seth)
 407
 408         * pveum: useradd command no longer requires a password and now uses
 409         modify_user (Seth)
 410
 411 2010-06-25  Proxmox Support Team  <support@proxmox.com>
 412
 413         * AccessControl.pm (modify_user): include patch from Seth
 414
 415 2010-06-24  Proxmox Support Team  <support@proxmox.com>
 416
 417         * test/perm-test1.pl (check_permission): a first regression test
 418
 419         * test/user.cfg.ex1: add another example - for use by regression
 420         tests
 421
 422         * test/dump-perm.pl: print permission as nice list, add ability to
 423         specify usr.cfg file
 424
 425 2010-06-23  Proxmox Support Team  <support@proxmox.com>
 426
 427         * pveum: implement some simple functions (add user, create ticket)
 428
 429         * pveum-pl: rename to pveum
 430
 431         * pveum.c: remove suexec code - we will use a daemon instead
 432
 433         * pvesh: removed (dead code)
 434
 435         * test/dump-perm.pl: simple script to dump permissions
 436
 437         * test/: created new directory for test skripts
 438
 439         * test/dump-users.pl: simple script to dump user table
 440
 441 2010-06-22  Proxmox Support Team  <support@proxmox.com>
 442
 443         * AccessControl.pm (add_user): Updated "valid_privs" with new
 444         permissions from readme (Seth)
 445
 446 2010-06-21  Proxmox Support Team  <support@proxmox.com>
 447
 448         * copyright: change license to AGPL
 449
 450 2010-03-17  Proxmox Support Team  <support@proxmox.com>
 451
 452         * pveum-pl: move all priviledged function to this file.
 453
 454 2009-07-09  Proxmox Support Team  <support@proxmox.com>
 455
 456         * pveum: added dummy binary
 457