2011-08-15 Proxmox Support Team * PVE/AccessControl.pm (parse_user_config): fix parser for files without newline at eof (parse_shadow_passwd): fix parser for files without newline at eof (parse_domains): fix parser for files without newline at eof 2011-08-01 Proxmox Support Team * PVE/AccessControl.pm (lock_*): remove $parent in calls to cfs_lock_file() 2011-07-22 Proxmox Support Team * PVE/API2/Domains.pm (create): use lower case: s/AD/ad/ and s/LDAP/ldap/ * PVE/AccessControl.pm (write_domains): use lc($type) 2011-07-14 Proxmox Support Team * control.in (Depends): remove depend on liburi-perl (code moved to pve-common) 2011-07-05 Proxmox Support Team * PVE/API2/User.pm (create_user): add -enable parameter * PVE/API2/User.pm (update_user): use -enable instead of -lock/-unlock 2011-06-27 Proxmox Support Team * PVE/AccessControl.pm (normalize_path): allow '-' in path 2011-05-30 Proxmox Support Team * PVE/AccessControl.pm (assemble_csrf_prevention_token): CSRF token may not depend on cookie, because cookie can be updated from other window. 2011-03-30 Proxmox Support Team * PVE/API2/AccessControl.pm (create_ticket): also return user name 2011-03-24 Proxmox Support Team * PVE/AccessControl.pm (verify_csrf_prevention_token): add CSRF prevention code 2011-03-23 Proxmox Support Team * PVE/RPCEnvironment.pm (active_workers): simple log rotation when file is bigger that 50KB 2011-03-22 Proxmox Support Team * PVE/RPCEnvironment.pm (set_result_count): a way to set the total number of results - we use that for the ExtJS paging grid. 2011-03-21 Proxmox Support Team * PVE/RPCEnvironment.pm (active_workers): immediately move finished task to the index file. 2011-03-17 Proxmox Support Team * PVE/RPCEnvironment.pm (active_workers): update/get worker list 2011-03-16 Proxmox Support Team * PVE/RPCEnvironment.pm (fork_worker): add code to simulate running in foreground (cli). 2011-02-24 Proxmox Support Team * PVE/AccessControl.pm (roles): fix group permission propagation * PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus' instead of '-uglist' 2011-02-23 Proxmox Support Team * PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm 2011-02-22 Proxmox Support Team * PVE/AccessControl.pm: make 'domains.cfg' readable by www-data, add 'default' attribute. * PVE/AccessControl.pm: realm is now part of the username. Example: 'userid@realm' (valid_attributes): add 'domain, port, secure' attributes for AD. (parse_domains): add attribute 'secure' (replace LDAPS type), * PVE/AccessControl.pm (parse_user_config): add firstname/lastname and email fields. 2011-02-21 Proxmox Support Team * PVE/API2/Group.pm (update_group): implement modgroup (set comment) 2011-02-18 Proxmox Support Team * PVE/AccessControl.pm (create_roles): try to create a predefined set of roles automatically. 2011-02-17 Proxmox Support Team * PVE/API2/Domains.pm: new API to for domains.cfg * PVE/AccessControl.pm (authenticate_user_domain): added a 'domid' attribute to users. This references an entry in the domain config. This is simpler than the previous domain search algorithm. * PVE/API2/User.pm: save domid, name, comment and expire time for user entries. * PVE/AccessControl.pm (authenticate_user): check for expired accounts * control.in (Depends): depend on liburi-perl (we use URI::Escape to encode text in our config files). * PVE/AccessControl.pm (enable_user, disable_user): removed clumsy methods, not needed. 2011-02-16 Proxmox Support Team * README (privileges): Changes set of privileges. We try to be as simple as possible. We can refinen them in future. * PVE/ACLCache.pm: deleted - moved code into RPCEnvironment. 2011-02-15 Proxmox Support Team * PVE/AccessControl.pm (verify_username): restrict user names to 64 charachters. Add new priviledges Sys.PowerOff, Sys.Console and Sys.Syslog * PVE/ACLCache.pm: move code into new file. * test/perm-test1.pl: modified to use new PVE::ACLCache class. * PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL checks) 2011-01-27 Proxmox Support Team * pveum (auth): remove auth method - we do not use it any longer, comment out ability to pass password via environment variable. * PVE/AccessControl.pm (check_permissions): new helper to check permissions. 2011-01-21 root * PVE/AccessControl.pm: register a JSONSchema standard option for 'userid'. * pveum: allow to pass passwords with environment variable PVE_PW_TICKET * pveum (auth): new method to verify credentials/privileges (used by our kvm patches and vncterm) 2011-01-12 root * PVE/AccessControl.pm: use new PVE::Cluster class and read data from cluster filesystem (instead of local filesystem). 2011-01-11 root * control.in (Depends): depend on new pve-cluster package * PVE/AccessControl.pm (read_pubkey, read_privkey): inotify does not work on the cluster filesystem, so I removed that code. Also moved lock files to /var/lock/pve-manager (cluster filesystem does not support locks - we need to do cluster wide locks later) 2010-09-14 Proxmox Support Team * PVE/API2/AccessControl.pm: moved from pve-manager * PVE/: create correct directory hierarchy * Makefile (install): use 'verifyapi' * pveum: add verifyapi 2010-08-25 Proxmox Support Team * pveum: use new PVE::CLIHandler 2010-08-24 Proxmox Support Team * pveum: use new PVE::RPCEnvironment * *.pm: remove $conn parameter everywhere 2010-08-16 Proxmox Support Team * AccessControl.pm (lock_user_config): add call to die, remove @param - we do not need that here (lock_shadow_config): add call to die, remove @param * *.pm: remove $resp parameter everywhere. * AccessControl.pm (verify_username): add test for username length (at least 3 characters) 2010-08-13 Proxmox Support Team * User.pm: use new 'format' property in schema * ACL.pm: use new 'format' property in schema, remove redundant calls to verify_XXX calls. * Role.pm: use new 'format' property in schema, remove redundant calls to verify_XXX calls. * Group.pm: use new 'format' property in schema, remove redundant calls to verify_XXX calls. * AccessControl.pm (modify_acl): strict error checking - use 'die' instead of 'warn', moved to ACL.pm (verify_username): fix serious bug 2010-08-12 Proxmox Support Team * Group.pm: use the new RESTHandler for API methods * Role.pm: use the new RESTHandler for API methods * AccessControl.pm (add_group): moved to Group.pm (delete_group): moved to Group.pm (delete_role): moved to Role.pm (modify_role): moved to Role.pm * User.pm: strict error checking - use 'die' instead of 'warn' * User.pm (delete_user): raise error when user does not exist. * Group.pm (delete_group): raise error when group does not exist. * pveum: use the new RESTHandler (PVE::API2::User->cli_handler()). That way we have automatic command line argument parsing. * User.pm: use the new RESTHandler for API methods. Those methods are automatically exposed with the API Server (pve-manager), and we can use them in the command line tools. * AccessControl.pm (modify_user, delete_user): moved to User.pm 2010-08-10 Proxmox Support Team * control.in (Depends): depend on libpve-common-perl * AccessControl.pm: initialize Crypt::OpenSSL::RSA with import_random_seed(), else I get a 'Segmentation fault' when creating tickets ("pveum ticket "). * AccessControl.pm: Moved utilities to new PVE::Tools module (pve-common), use new PVE::INotify to read/write config files. * AccessControl.pm (parse_domains): ignore case (always convert type to lower case), fix bug from Seth and test for 'ldaps'. (file_set_contents): use O_WRONLY|O_CREAT instead of 'w' - else perm gets ignored. 2010-08-09 Seth Lauzon * AccessControl.pm (authenticate_user_ldap): changed the bind function for LDAP to allow for secure connection 2010-07-21 Seth Lauzon * AccessControl.pm (parse_domains): require base_dn for LDAP domains (valid_attributes): renamed from valid_params to maintain conformity 2010-07-19 Proxmox Support Team * AccessControl.pm (authenticate_user_domain): always add timeout after failed auth (file_set_contents): correctly emit exception if print/close fails 2010-07-19 Seth Lauzon * AccessControl.pm: fixed timeout for ldap/AD errors and reduced to two seconds * AccessControl.pm: modified LDAP authentication to a two step bind method 2010-07-16 Proxmox Support Team * AccessControl.pm (authenticate_user_domain): catch special case ($domain eq '') (parse_domains): fix various bugs, allow spaces between domains, skip duplicate parameters 2010-07-16 Seth Lauzon * AccessControl.pm (parse_domains): borrowed code from Storage.pm to make it less fragile to syntax errors in the domains.cfg file * AccessControl.pm: implemented LDAP authentication * AccessControl.pm: added four second timeout on authentication failure for user_authentication_ldap and user_authentication_ad 2010-07-14 Proxmox Support Team * AccessControl.pm (ldap_bind): rename to authenticate_user_ad (AD only) (load_domains_config): return a reference to an array (not the array itself) (parse_config): return a reference to an array (not the array itself) (authenticate_user_domain): restructure code - this is no the centralized interface for authenticationn (authenticate_user_domain): add 'shadow' and 'PAM' default entries if there is no configuration for them in domain.cfg (authenticate_user_shadow): renamed from authenticate_user_pve * control.in (Depends): add libnet-ldap-perl 2010-07-14 Seth Lauzon A * AccessControl.pm: implemented Active Directory authentication 2010-07-09 Seth Lauzon * AccessControl.pm (modify_acl): check if role exists 2010-07-08 Proxmox Support Team * pveum (print_usage): improve usage text. 2010-07-08 Seth Lauzon * AccessControl.pm: modify/delete ACL functionality * pveum (aclmod): Add/Modify ACL (acldel): Delete ACL 2010-07-07 Proxmox Support Team * AccessControl.pm: implemented shadowauthentication (add/modify/delete/verify) with file locking (Seth) (encrypt_pw): use SHA256 to crypt passwords (save_shadow_config): change mode to 0600, store to /etc/pve/auth/shadow.cfg (parse_shadow): simplify code - there is no need to trim strings. Instead check for correct format. * test/auth-test.pl: program for testing authentication methods (Seth) * pveum (read_password): added confirm password 2010-07-05 Proxmox Support Team * AccessControl.pm (modify_user): remove call to change_password() - not neccessary at all (Seth) * AccessControl.pm: cleanup - remove space in function calls(Seth) 2010-07-02 Proxmox Support Team * AccessControl.pm (lock_user_config): renamed from lock_config, because we will have more then one config file (auth.conf, shadow password, ...) (modify_user): check for exceptions after lock_user_config() (delete_user): check for exceptions after lock_user_config(), raise invalid characters exception (delete_group): check for exceptions after lock_user_config(), raise invalid characters exception (modify_role): check for exceptions after lock_user_config() (delete_role): check for exceptions after lock_user_config(), raise invalid characters exception (verify_username): add $noerr parameter, raise exeption if user name contain invalid characters and $noerr is not set (verify_groupname): add $noerr parameter, raise exeption if group name contain invalid characters and $noerr is not set (verify_rolename): add $noerr parameter, raise exeption if role name contain invalid characters and $noerr is not set 2010-07-01 Proxmox Support Team * AccessControl.pm: implemented file locking functionality for all processes that make modifications to configuration file (Seth) - code for lock_file() was copied from QemuServer.pm. 2010-06-29 Proxmox Support Team * pveum: new roleadd/rolemod/roledel (Seth) * AccessControl.pm (modify_role): create role and modify privileges (Seth) * AccessControl.pm (delete_role): delete role functionality (Seth) 2010-06-28 Proxmox Support Team * pveum: new groupadd/groupdel (patch from Seth) * AccessControl.pm (add_user): moved functionality to modify_user and removed subroutine (Seth) * pveum: useradd command no longer requires a password and now uses modify_user (Seth) 2010-06-25 Proxmox Support Team * AccessControl.pm (modify_user): include patch from Seth 2010-06-24 Proxmox Support Team * test/perm-test1.pl (check_permission): a first regression test * test/user.cfg.ex1: add another example - for use by regression tests * test/dump-perm.pl: print permission as nice list, add ability to specify usr.cfg file 2010-06-23 Proxmox Support Team * pveum: implement some simple functions (add user, create ticket) * pveum-pl: rename to pveum * pveum.c: remove suexec code - we will use a daemon instead * pvesh: removed (dead code) * test/dump-perm.pl: simple script to dump permissions * test/: created new directory for test skripts * test/dump-users.pl: simple script to dump user table 2010-06-22 Proxmox Support Team * AccessControl.pm (add_user): Updated "valid_privs" with new permissions from readme (Seth) 2010-06-21 Proxmox Support Team * copyright: change license to AGPL 2010-03-17 Proxmox Support Team * pveum-pl: move all priviledged function to this file. 2009-07-09 Proxmox Support Team * pveum: added dummy binary