depend on libauthen-pam-perl
[pve-access-control.git] / ChangeLog
1 2011-08-15 Proxmox Support Team <support@proxmox.com>
2
3 * PVE/AccessControl.pm (parse_user_config): fix parser for files
4 without newline at eof
5 (parse_shadow_passwd): fix parser for files without newline at eof
6 (parse_domains): fix parser for files without newline at eof
7
8 2011-08-01 Proxmox Support Team <support@proxmox.com>
9
10 * PVE/AccessControl.pm (lock_*): remove $parent in calls to
11 cfs_lock_file()
12
13 2011-07-22 Proxmox Support Team <support@proxmox.com>
14
15 * PVE/API2/Domains.pm (create): use lower case: s/AD/ad/ and
16 s/LDAP/ldap/
17
18 * PVE/AccessControl.pm (write_domains): use lc($type)
19
20 2011-07-14 Proxmox Support Team <support@proxmox.com>
21
22 * control.in (Depends): remove depend on liburi-perl (code moved
23 to pve-common)
24
25 2011-07-05 Proxmox Support Team <support@proxmox.com>
26
27 * PVE/API2/User.pm (create_user): add -enable parameter
28
29 * PVE/API2/User.pm (update_user): use -enable instead of
30 -lock/-unlock
31
32 2011-06-27 Proxmox Support Team <support@proxmox.com>
33
34 * PVE/AccessControl.pm (normalize_path): allow '-' in path
35
36 2011-05-30 Proxmox Support Team <support@proxmox.com>
37
38 * PVE/AccessControl.pm (assemble_csrf_prevention_token): CSRF
39 token may not depend on cookie, because cookie can be updated from
40 other window.
41
42 2011-03-30 Proxmox Support Team <support@proxmox.com>
43
44 * PVE/API2/AccessControl.pm (create_ticket): also return user name
45
46 2011-03-24 Proxmox Support Team <support@proxmox.com>
47
48 * PVE/AccessControl.pm (verify_csrf_prevention_token): add CSRF
49 prevention code
50
51 2011-03-23 Proxmox Support Team <support@proxmox.com>
52
53 * PVE/RPCEnvironment.pm (active_workers): simple log rotation when
54 file is bigger that 50KB
55
56 2011-03-22 Proxmox Support Team <support@proxmox.com>
57
58 * PVE/RPCEnvironment.pm (set_result_count): a way to set the total
59 number of results - we use that for the ExtJS paging grid.
60
61 2011-03-21 Proxmox Support Team <support@proxmox.com>
62
63 * PVE/RPCEnvironment.pm (active_workers): immediately move finished
64 task to the index file.
65
66 2011-03-17 Proxmox Support Team <support@proxmox.com>
67
68 * PVE/RPCEnvironment.pm (active_workers): update/get worker list
69
70 2011-03-16 Proxmox Support Team <support@proxmox.com>
71
72 * PVE/RPCEnvironment.pm (fork_worker): add code to simulate running
73 in foreground (cli).
74
75 2011-02-24 Proxmox Support Team <support@proxmox.com>
76
77 * PVE/AccessControl.pm (roles): fix group permission propagation
78
79 * PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus'
80 instead of '-uglist'
81
82 2011-02-23 Proxmox Support Team <support@proxmox.com>
83
84 * PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm
85
86 2011-02-22 Proxmox Support Team <support@proxmox.com>
87
88 * PVE/AccessControl.pm: make 'domains.cfg' readable by www-data,
89 add 'default' attribute.
90
91 * PVE/AccessControl.pm: realm is now part of the username.
92 Example: 'userid@realm'
93 (valid_attributes): add 'domain, port, secure' attributes for AD.
94 (parse_domains): add attribute 'secure' (replace LDAPS type),
95
96 * PVE/AccessControl.pm (parse_user_config): add firstname/lastname
97 and email fields.
98
99 2011-02-21 Proxmox Support Team <support@proxmox.com>
100
101 * PVE/API2/Group.pm (update_group): implement modgroup (set
102 comment)
103
104 2011-02-18 Proxmox Support Team <support@proxmox.com>
105
106 * PVE/AccessControl.pm (create_roles): try to create a predefined
107 set of roles automatically.
108
109 2011-02-17 Proxmox Support Team <support@proxmox.com>
110
111 * PVE/API2/Domains.pm: new API to for domains.cfg
112
113 * PVE/AccessControl.pm (authenticate_user_domain): added a 'domid'
114 attribute to users. This references an entry in the domain
115 config. This is simpler than the previous domain search
116 algorithm.
117
118 * PVE/API2/User.pm: save domid, name, comment and expire time for
119 user entries.
120
121 * PVE/AccessControl.pm (authenticate_user): check for expired
122 accounts
123
124 * control.in (Depends): depend on liburi-perl (we use URI::Escape
125 to encode text in our config files).
126
127 * PVE/AccessControl.pm (enable_user, disable_user): removed
128 clumsy methods, not needed.
129
130 2011-02-16 Proxmox Support Team <support@proxmox.com>
131
132 * README (privileges): Changes set of privileges. We try to be as
133 simple as possible. We can refinen them in future.
134
135 * PVE/ACLCache.pm: deleted - moved code into RPCEnvironment.
136
137 2011-02-15 Proxmox Support Team <support@proxmox.com>
138
139 * PVE/AccessControl.pm (verify_username): restrict user names to
140 64 charachters. Add new priviledges Sys.PowerOff, Sys.Console and
141 Sys.Syslog
142
143 * PVE/ACLCache.pm: move code into new file.
144
145 * test/perm-test1.pl: modified to use new PVE::ACLCache class.
146
147 * PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
148 checks)
149
150 2011-01-27 Proxmox Support Team <support@proxmox.com>
151
152 * pveum (auth): remove auth method - we do not use it any
153 longer, comment out ability to pass password via environment
154 variable.
155
156 * PVE/AccessControl.pm (check_permissions): new helper to check
157 permissions.
158
159 2011-01-21 root <root@maui.maurer-it.com>
160
161 * PVE/AccessControl.pm: register a JSONSchema standard option for
162 'userid'.
163
164 * pveum: allow to pass passwords with environment variable
165 PVE_PW_TICKET
166 * pveum (auth): new method to verify credentials/privileges (used
167 by our kvm patches and vncterm)
168
169 2011-01-12 root <root@maui.maurer-it.com>
170
171 * PVE/AccessControl.pm: use new PVE::Cluster class and read data
172 from cluster filesystem (instead of local filesystem).
173
174 2011-01-11 root <root@maui.maurer-it.com>
175
176 * control.in (Depends): depend on new pve-cluster package
177
178 * PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does
179 not work on the cluster filesystem, so I removed that code. Also
180 moved lock files to /var/lock/pve-manager (cluster filesystem does
181 not support locks - we need to do cluster wide locks later)
182
183 2010-09-14 Proxmox Support Team <support@proxmox.com>
184
185 * PVE/API2/AccessControl.pm: moved from pve-manager
186
187 * PVE/: create correct directory hierarchy
188
189 * Makefile (install): use 'verifyapi'
190
191 * pveum: add verifyapi
192
193 2010-08-25 Proxmox Support Team <support@proxmox.com>
194
195 * pveum: use new PVE::CLIHandler
196
197 2010-08-24 Proxmox Support Team <support@proxmox.com>
198
199 * pveum: use new PVE::RPCEnvironment
200
201 * *.pm: remove $conn parameter everywhere
202
203 2010-08-16 Proxmox Support Team <support@proxmox.com>
204
205 * AccessControl.pm (lock_user_config): add call to die, remove
206 @param - we do not need that here
207 (lock_shadow_config): add call to die, remove @param
208
209 * *.pm: remove $resp parameter everywhere.
210
211 * AccessControl.pm (verify_username): add test for username
212 length (at least 3 characters)
213
214 2010-08-13 Proxmox Support Team <support@proxmox.com>
215
216 * User.pm: use new 'format' property in schema
217
218 * ACL.pm: use new 'format' property in schema, remove redundant
219 calls to verify_XXX calls.
220
221 * Role.pm: use new 'format' property in schema, remove redundant
222 calls to verify_XXX calls.
223
224 * Group.pm: use new 'format' property in schema, remove redundant
225 calls to verify_XXX calls.
226
227 * AccessControl.pm (modify_acl): strict error checking - use 'die'
228 instead of 'warn', moved to ACL.pm
229 (verify_username): fix serious bug
230
231 2010-08-12 Proxmox Support Team <support@proxmox.com>
232
233 * Group.pm: use the new RESTHandler for API methods
234
235 * Role.pm: use the new RESTHandler for API methods
236
237 * AccessControl.pm (add_group): moved to Group.pm
238 (delete_group): moved to Group.pm
239 (delete_role): moved to Role.pm
240 (modify_role): moved to Role.pm
241
242 * User.pm: strict error checking - use 'die' instead of 'warn'
243
244 * User.pm (delete_user): raise error when user does not exist.
245
246 * Group.pm (delete_group): raise error when group does not exist.
247
248 * pveum: use the new
249 RESTHandler (PVE::API2::User->cli_handler()). That way we have
250 automatic command line argument parsing.
251
252 * User.pm: use the new RESTHandler for API methods. Those methods
253 are automatically exposed with the API Server (pve-manager), and
254 we can use them in the command line tools.
255
256 * AccessControl.pm (modify_user, delete_user): moved to User.pm
257
258 2010-08-10 Proxmox Support Team <support@proxmox.com>
259
260 * control.in (Depends): depend on libpve-common-perl
261
262 * AccessControl.pm: initialize Crypt::OpenSSL::RSA with
263 import_random_seed(), else I get a 'Segmentation fault' when
264 creating tickets ("pveum ticket <testuser>").
265
266 * AccessControl.pm: Moved utilities to new PVE::Tools
267 module (pve-common), use new PVE::INotify to read/write config files.
268
269 * AccessControl.pm (parse_domains): ignore case (always convert
270 type to lower case), fix bug from Seth and test for 'ldaps'.
271 (file_set_contents): use O_WRONLY|O_CREAT instead of 'w' - else
272 perm gets ignored.
273
274 2010-08-09 Seth Lauzon <seth.lauzon@gmail.com>
275
276 * AccessControl.pm (authenticate_user_ldap): changed the bind function
277 for LDAP to allow for secure connection
278
279 2010-07-21 Seth Lauzon <seth.lauzon@gmail.com>
280
281 * AccessControl.pm (parse_domains): require base_dn for LDAP domains
282 (valid_attributes): renamed from valid_params to maintain conformity
283
284 2010-07-19 Proxmox Support Team <support@proxmox.com>
285
286 * AccessControl.pm (authenticate_user_domain): always add timeout
287 after failed auth
288 (file_set_contents): correctly emit exception if print/close fails
289
290 2010-07-19 Seth Lauzon <seth.lauzon@gmail.com>
291
292 * AccessControl.pm: fixed timeout for ldap/AD errors and reduced to two seconds
293
294 * AccessControl.pm: modified LDAP authentication to a two step bind method
295
296 2010-07-16 Proxmox Support Team <support@proxmox.com>
297
298 * AccessControl.pm (authenticate_user_domain): catch special
299 case ($domain eq '')
300 (parse_domains): fix various bugs, allow spaces between domains,
301 skip duplicate parameters
302
303 2010-07-16 Seth Lauzon <seth.lauzon@gmail.com>
304
305 * AccessControl.pm (parse_domains): borrowed code from Storage.pm to make it
306 less fragile to syntax errors in the domains.cfg file
307
308 * AccessControl.pm: implemented LDAP authentication
309
310 * AccessControl.pm: added four second timeout on authentication failure for
311 user_authentication_ldap and user_authentication_ad
312
313 2010-07-14 Proxmox Support Team <support@proxmox.com>
314
315 * AccessControl.pm (ldap_bind): rename to authenticate_user_ad (AD
316 only)
317 (load_domains_config): return a reference to an array (not the
318 array itself)
319 (parse_config): return a reference to an array (not the array
320 itself)
321 (authenticate_user_domain): restructure code - this is no the
322 centralized interface for authenticationn
323 (authenticate_user_domain): add 'shadow' and 'PAM' default entries
324 if there is no configuration for them in domain.cfg
325 (authenticate_user_shadow): renamed from authenticate_user_pve
326
327 * control.in (Depends): add libnet-ldap-perl
328
329 2010-07-14 Seth Lauzon <seth.lauzon@gmail.com>A
330
331 * AccessControl.pm: implemented Active Directory authentication
332
333 2010-07-09 Seth Lauzon <seth.lauzon@gmail.com>
334
335 * AccessControl.pm (modify_acl): check if role exists
336
337 2010-07-08 Proxmox Support Team <support@proxmox.com>
338
339 * pveum (print_usage): improve usage text.
340
341 2010-07-08 Seth Lauzon <seth.lauzon@gmail.com>
342
343 * AccessControl.pm: modify/delete ACL functionality
344
345 * pveum (aclmod): Add/Modify ACL
346 (acldel): Delete ACL
347
348 2010-07-07 Proxmox Support Team <support@proxmox.com>
349
350 * AccessControl.pm: implemented shadowauthentication (add/modify/delete/verify)
351 with file locking (Seth)
352 (encrypt_pw): use SHA256 to crypt passwords
353 (save_shadow_config): change mode to 0600, store to /etc/pve/auth/shadow.cfg
354 (parse_shadow): simplify code - there is no need to trim strings. Instead check for
355 correct format.
356
357 * test/auth-test.pl: program for testing authentication methods (Seth)
358
359 * pveum (read_password): added confirm password
360
361 2010-07-05 Proxmox Support Team <support@proxmox.com>
362
363 * AccessControl.pm (modify_user): remove call to change_password()
364 - not neccessary at all (Seth)
365 * AccessControl.pm: cleanup - remove space in function calls(Seth)
366
367 2010-07-02 Proxmox Support Team <support@proxmox.com>
368
369 * AccessControl.pm (lock_user_config): renamed from lock_config,
370 because we will have more then one config file (auth.conf, shadow
371 password, ...)
372 (modify_user): check for exceptions after lock_user_config()
373 (delete_user): check for exceptions after lock_user_config(),
374 raise invalid characters exception
375 (delete_group): check for exceptions after lock_user_config(),
376 raise invalid characters exception
377 (modify_role): check for exceptions after lock_user_config()
378 (delete_role): check for exceptions after lock_user_config(),
379 raise invalid characters exception
380 (verify_username): add $noerr parameter, raise exeption if
381 user name contain invalid characters and $noerr is not set
382 (verify_groupname): add $noerr parameter, raise exeption if
383 group name contain invalid characters and $noerr is not set
384 (verify_rolename): add $noerr parameter, raise exeption if
385 role name contain invalid characters and $noerr is not set
386
387 2010-07-01 Proxmox Support Team <support@proxmox.com>
388
389 * AccessControl.pm: implemented file locking functionality for all
390 processes that make modifications to configuration file (Seth) -
391 code for lock_file() was copied from QemuServer.pm.
392
393 2010-06-29 Proxmox Support Team <support@proxmox.com>
394
395 * pveum: new roleadd/rolemod/roledel (Seth)
396
397 * AccessControl.pm (modify_role): create role and modify privileges (Seth)
398
399 * AccessControl.pm (delete_role): delete role functionality (Seth)
400
401 2010-06-28 Proxmox Support Team <support@proxmox.com>
402
403 * pveum: new groupadd/groupdel (patch from Seth)
404
405 * AccessControl.pm (add_user): moved functionality to modify_user and
406 removed subroutine (Seth)
407
408 * pveum: useradd command no longer requires a password and now uses
409 modify_user (Seth)
410
411 2010-06-25 Proxmox Support Team <support@proxmox.com>
412
413 * AccessControl.pm (modify_user): include patch from Seth
414
415 2010-06-24 Proxmox Support Team <support@proxmox.com>
416
417 * test/perm-test1.pl (check_permission): a first regression test
418
419 * test/user.cfg.ex1: add another example - for use by regression
420 tests
421
422 * test/dump-perm.pl: print permission as nice list, add ability to
423 specify usr.cfg file
424
425 2010-06-23 Proxmox Support Team <support@proxmox.com>
426
427 * pveum: implement some simple functions (add user, create ticket)
428
429 * pveum-pl: rename to pveum
430
431 * pveum.c: remove suexec code - we will use a daemon instead
432
433 * pvesh: removed (dead code)
434
435 * test/dump-perm.pl: simple script to dump permissions
436
437 * test/: created new directory for test skripts
438
439 * test/dump-users.pl: simple script to dump user table
440
441 2010-06-22 Proxmox Support Team <support@proxmox.com>
442
443 * AccessControl.pm (add_user): Updated "valid_privs" with new
444 permissions from readme (Seth)
445
446 2010-06-21 Proxmox Support Team <support@proxmox.com>
447
448 * copyright: change license to AGPL
449
450 2010-03-17 Proxmox Support Team <support@proxmox.com>
451
452 * pveum-pl: move all priviledged function to this file.
453
454 2009-07-09 Proxmox Support Team <support@proxmox.com>
455
456 * pveum: added dummy binary
457