Thomas Lamprecht [Mon, 27 Sep 2021 13:31:31 +0000 (15:31 +0200)]
fix #2302: allow deletion of users when realm enforces TFA
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 23 Sep 2021 12:16:50 +0000 (14:16 +0200)]
api: user: indentation & whitspace cleanups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Thu, 5 Aug 2021 15:00:44 +0000 (17:00 +0200)]
check_path: add /sdn/vnets/* path
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:45:51 +0000 (13:45 +0200)]
bump version to 7.0-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:42:16 +0000 (13:42 +0200)]
api: users: use public regex directly to parse out realm
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:41:29 +0000 (13:41 +0200)]
api: users: code-style cleanup and sort when iterating users
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:38:46 +0000 (13:38 +0200)]
api: users: s/realmtype/realm-type/ in response
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Thu, 1 Jul 2021 12:25:00 +0000 (14:25 +0200)]
api: user: add realmtype to user list
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:07 +0000 (08:10 +0200)]
implement OpenID autocreate user feature
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:06 +0000 (08:10 +0200)]
api: implement openid API
This moves compute_api_permission() into RPCEnvironment.pm.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:05 +0000 (08:10 +0200)]
depend on libpve-rs-perl
Dietmar Maurer [Wed, 30 Jun 2021 06:10:04 +0000 (08:10 +0200)]
add OpenId configuration
Dietmar Maurer [Wed, 30 Jun 2021 06:10:03 +0000 (08:10 +0200)]
check_user_enabled: also check if user is expired
Thomas Lamprecht [Mon, 21 Jun 2021 08:31:23 +0000 (10:31 +0200)]
bump version to 7.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 17 Jun 2021 12:43:44 +0000 (14:43 +0200)]
buildsys: clean more
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 17 Jun 2021 12:41:02 +0000 (14:41 +0200)]
access control: style: register configs in single line each
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 9 Jun 2021 04:37:30 +0000 (06:37 +0200)]
check_path : add sdn zone path
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Wed, 16 Jun 2021 13:55:34 +0000 (15:55 +0200)]
add missing paths in check_path
* /access/realm/<realm>
* /access/groups/<group>
were overlooked when fixing #1500
see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Tue, 15 Jun 2021 12:38:41 +0000 (14:38 +0200)]
rpc env: sort use statements
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 8 Jun 2021 07:47:21 +0000 (09:47 +0200)]
buildsys: change upload dist to bullseye
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 1 Jun 2021 09:29:49 +0000 (11:29 +0200)]
bump version to 7.0-2
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Lorenz Stechauner [Thu, 20 May 2021 10:03:39 +0000 (12:03 +0200)]
fix #3402: add Pool.Audit permission
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Fabian Grünbichler [Tue, 18 May 2021 11:17:16 +0000 (13:17 +0200)]
d/control: add missing libuuid-perl b-d
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:18:39 +0000 (18:18 +0200)]
bump version to 7.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:53 +0000 (19:46 +0200)]
pveum: work around unavailable API2:Pools module
commit
42ade84744ab60ff8e452d3e562a36dd3da2b810 added the pool
subcommands, reusing the PVE::API2::Pool module. But that module has
to live in pve-manager and is not available here, most of the time
not a real issue (but always ugly), on bootstrapping this becomes a
blocker though...
So, for now add a hack and do not hard depend on the modules
availability...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:31 +0000 (19:46 +0200)]
d/control: update standards version
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:17 +0000 (19:46 +0200)]
d/control: drop perl dependency, added by ${perl:Depends}
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:37:47 +0000 (19:37 +0200)]
buildsys: split packaging and source build-systems
Much nicer to handle and work with than entangling all together in a
single spaghetti pile.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:16:38 +0000 (18:16 +0200)]
d/control: bump debhelper compat to >= 12
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:16:03 +0000 (18:16 +0200)]
d/rules: fix dh_missing override
note, with compat level >= 13 we can drop that override finally
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 24 Apr 2021 17:48:25 +0000 (19:48 +0200)]
bump version to 6.4-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dylan Whyte [Fri, 29 Jan 2021 07:54:39 +0000 (08:54 +0100)]
resource pools: add resource pool cli commands
Add commands for creating, modifying, listing, and deleting resource
pools.
Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
Lorenz Stechauner [Tue, 20 Apr 2021 12:11:55 +0000 (14:11 +0200)]
fix typo in oathkeygen: randon -> random
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Thomas Lamprecht [Mon, 19 Apr 2021 09:50:16 +0000 (11:50 +0200)]
acl: check path: further resdtrict VMID values
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 19 Apr 2021 09:48:49 +0000 (11:48 +0200)]
acl: check path: spell param out
we normally use shift only in closures, to keep them short, as a
module method this should rather use our standard style.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Lorenz Stechauner [Mon, 19 Apr 2021 07:16:28 +0000 (09:16 +0200)]
fix #1500: permission path syntax check for access control
Syntax for permission paths is now checked on API calls for
creation or update on permissions.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Wolfgang Bumiller [Fri, 20 Nov 2020 10:05:34 +0000 (11:05 +0100)]
fix #1670: change PAM service name to project specific name
Instead of 'common-auth' use 'proxmox-ve-auth', this way
users can override PAM authentication settings via
`/etc/pam.d/proxmox-ve-auth`.
If the file does not exist, pam will use `/etc/pam.d/other`
which by default behaves like `common-auth`.
Note that this *can* be different from directly using
`common-auth` *if* a user has actually modified
`/etc/pam.d/other` for some reason.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 06:53:56 +0000 (08:53 +0200)]
bump version to 6.1-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 05:09:51 +0000 (07:09 +0200)]
api/users: catch existing user also on case insensitive realm
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 04:19:07 +0000 (06:19 +0200)]
api/users: indentation cleanup
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Link [Tue, 8 Sep 2020 12:09:45 +0000 (14:09 +0200)]
fix #2947 login name for the LDAP/AD realm can be case-insensitive
This is an optional for LDAP and AD realm.
The default behavior is case-sensitive.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
Thomas Lamprecht [Fri, 3 Jul 2020 09:06:55 +0000 (11:06 +0200)]
partially fix #2825: authkey: rotate if it was generated in the future
Can happen if the RTC is in the future during installation and first
boot, when during key generation the clock is in the future and then,
after the key was already generated, jumps back in time.
Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as
that fuzz allows some minor, not really problematic, time sync
disparity in clusters.
If an old authkey exists, meaning we rotated at least once, check it's
time too. Only rotate if it'd not be valid for any tickets in the
cluster anymore, i.e., if it difference between the current key is >
$ticket_lifetime (2 hours)..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 3 Jul 2020 13:18:11 +0000 (15:18 +0200)]
authkey: use variable instead of hard coded grace period value
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 30 Jun 2020 11:06:59 +0000 (13:06 +0200)]
bump version to 6.1-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Thu, 25 Jun 2020 14:48:46 +0000 (16:48 +0200)]
introduce VM.Config.Cloudinit permission
It is added to PVEVMUser by default.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Alexandre Derumier [Fri, 12 Jun 2020 09:53:22 +0000 (11:53 +0200)]
api2: AccessControl: add sdn permissions.modify
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Tue, 9 Jun 2020 09:43:51 +0000 (11:43 +0200)]
comput coarse UI permissions: also check SDN ones
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 8 May 2020 15:47:50 +0000 (17:47 +0200)]
bump version to 6.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 8 May 2020 11:16:58 +0000 (13:16 +0200)]
LDAP: skip anonymous bind when clientcert/key is given
It seems that servers associate the client-cert/key with an account, so
doing an explicit anonymous bind then 'logs out' the already verified
user, limiting the search results in some cases
before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
there was no bind_dn, but it is not really clear if Net::LDAP does this
automatically when searching (other libraries do this), so leave the
anonymous bind (for compatibility with PMG) but skip it when a client
certificate and key is given.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Fri, 8 May 2020 07:38:34 +0000 (09:38 +0200)]
ldap_delete_credentials: don't complain if already deleted
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tim Marx [Wed, 6 May 2020 12:00:53 +0000 (14:00 +0200)]
whitespace cleanup
Signed-off-by: Tim Marx <t.marx@proxmox.com>
Thomas Lamprecht [Sun, 3 May 2020 14:40:03 +0000 (16:40 +0200)]
pveum: add 'tfa delete' subcommand for deleting user-TFA
Allows a user to straight forward delete TFS over CLI, easier as
telling them to edit some config files, and the API is already there.
Short circuit most params of that API call to undef, as they do not
make sense to expose.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 25 Apr 2020 17:35:20 +0000 (19:35 +0200)]
bump version to 6.0-7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 25 Apr 2020 16:55:35 +0000 (18:55 +0200)]
domains: dry-run: adapt log messages and improve variable name
keep variable names aligned with the params the relate to, "write"
was quite ambiguous too (write what?)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 25 Apr 2020 16:54:45 +0000 (18:54 +0200)]
parse_sync_opts: code cleanup
avoid confusion between fmt default and cfg default
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Thu, 23 Apr 2020 06:47:19 +0000 (08:47 +0200)]
domain sync: add 'dry-run' parameter
this can be used to test the resulting config before actually changing
anything
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Thu, 23 Apr 2020 06:47:18 +0000 (08:47 +0200)]
auth ldap/ad: introduce connection 'mode'
instead of having only a 'secure' flag which switches between
ldap/ldaps we now have a mode which also contains 'ldap+starttls'
our connection code in PVE::LDAP can handle this already (used in pmg)
so that is no problem
if we want to really remove the 'secure' flag, e.g. in 7.0
we'd either have to rewrite the config or have it as an error
in a pve6to7 script
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Thu, 23 Apr 2020 06:47:17 +0000 (08:47 +0200)]
domain sync: make options actually required
we want the api options to be optional, but only as long as there are
default values set in the realm config
since they are all marked as optional (else they would be required in
the api) this check did not work as intended
instead, set the result to the value of:
* the parameter
* the set default in the config
* the api default
in this order
if it is undef after this, raise a parameter exception
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Wed, 8 Apr 2020 07:00:53 +0000 (09:00 +0200)]
auth ldap/ad: make password a parameter for the api
Allows us to add it in the gui, until now the admin needed to create
the file themself.
Mirrored after credential handling from CIFS and PBS in their
pve-storage plugins
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[Thomas: don't differ from storage one unnecessarily, keep comments
and behavior]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 18 Apr 2020 16:47:37 +0000 (18:47 +0200)]
api/domain: add on add/update/delete hooks
Almost 1:1 taken from pve-storage ones
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 15 Apr 2020 18:41:38 +0000 (20:41 +0200)]
token create: return also full token id for convenience
makes creating a client for this slightly nicer, as it doesn't needs
to be as state full.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 15 Apr 2020 18:04:54 +0000 (20:04 +0200)]
buildsys: fix getting the build commit
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 15 Apr 2020 15:13:59 +0000 (17:13 +0200)]
token: avoid undef warning if no tokens are configured
Initially the config may not even exist, and so the first token
create would give one then a ugly warning like:
> Use of uninitialized value $raw in split at ..
Handle that case, empty config (where we get '') was fine already, so
explicitly check for definedness, not truthiness.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Mon, 6 Apr 2020 11:31:52 +0000 (13:31 +0200)]
auth ad: add sync-defaults-options
this was missing for AD realms
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 15:51:06 +0000 (16:51 +0100)]
d/control: bump versioned to libpve-common-perl
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 15:04:44 +0000 (16:04 +0100)]
split and sort some module use
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 15:01:56 +0000 (16:01 +0100)]
realm: add default-sync-options to config
This allows us to have a convenient way to set the desired default
sync options, and thus not forcing users to pass always all options
when they want to trigger a sync.
We still die when an option is neither specified in the domains
(realm) config nor as API/CLI parameter.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 14:56:51 +0000 (15:56 +0100)]
api: realm sync: move out group and user update to separate methods
keep the api call way smaller and clearer
On moving out some minor adaptions where made, e.g., we do not print
"remove user X" if we know that we'd add it again, but just print a
single "update user X" for that. Same for groups.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 15:07:49 +0000 (16:07 +0100)]
api: realm sync: use auth-realm-sync as worker id
we may potentially also sync something else over this in the future,
for example PAM users from a specific group, so use a more general
name.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 14:55:30 +0000 (15:55 +0100)]
api: realm sync: cleanup code and refactor
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:48 +0000 (13:18 +0100)]
do not modify ACLs/Groups for missing users
instead of dropping ACLs and group membership for missing users,
simply warn and leave it in the config
for users that get removed via the api this happens explicitely
this is to prevent that a 'faulty' ldapsync removes users temporarily
and with it all acls that the admin created
we still have a 'purge' flag for the sync where ACLs get removed
explicitly for users removed from ldap
also adapt the tests
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:47 +0000 (13:18 +0100)]
api: domains: add user/group sync API enpoint
this api call syncs the users and groups from LDAP/AD to the
user.cfg
it also implements a 'full' mode where we first delete all
users/groups from the config and sync them again
the parameter 'enable' controls if newly synced users are 'enabled'
(if no sync parameter handles that)
the parameter 'purge' controls if ACLs get removed for users/groups
that do not exists anymore after
also add this command to pveum
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:46 +0000 (13:18 +0100)]
Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
this makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we now
can still use the get_users and get_groups functionality of LDAP
in the case of AD, the user_attr is optional in the config
(would have been a breaking change) but we set it
to default to 'sAMAccountName'
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:45 +0000 (13:18 +0100)]
Auth/LDAP: add get_{users, groups} subs for syncing
this adds the subs which actually query the LDAP for users/groups
and returns the value in format which makes it easy to insert
in our parsed user.cfg
when we find a user/groupname which cannot be in our config,
we warn the verification error
for groups, we append "-$realm" to the groupname, to lower the chance of
accidental overwriting of existing groups (this will be documented
in the api call since it technically does not prevent overwriting, just
makes it more unlikely)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:44 +0000 (13:18 +0100)]
Auth/LDAP: add necessary options for syncing
for syncing users/groups from ldap, we need some more options
so that the users can adapt it to their LDAP setup, which are very
different accross systems.
sensible defaults are documented
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 7 Mar 2020 18:53:05 +0000 (19:53 +0100)]
d/control: bump versioned dependency to pve-common
to ensure we've the new LDAP module available
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:41 +0000 (11:05 +0100)]
Auth/LDAP: refactor out 'connect_and_bind'
we will use this not only for authentication but also for
getting users/groups from LDAP
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:40 +0000 (11:05 +0100)]
API2/Domains.pm: document 'type' return value
this way it gets printed with 'pveum realm list'
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:39 +0000 (11:05 +0100)]
API2/Domains.pm: fix whitespace errors
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:38 +0000 (11:05 +0100)]
add realm commands to pveum
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:37 +0000 (11:05 +0100)]
use PVE::LDAP module instead of useing Net::LDAP directly
for things like connecting/binding/etc.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 31 Jan 2020 10:54:33 +0000 (11:54 +0100)]
fix #2575: die when trying to edit built-in roles
instead of silently ignoring the change
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:17:31 +0000 (10:17 +0100)]
bump version to 6.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:27 +0000 (10:14 +0100)]
d/control: bump versioned dependency on pve-common
for new allowtoken property in schema
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:15 +0000 (10:14 +0100)]
d/control: change homepage link to https
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:18 +0000 (13:54 +0100)]
user.cfg: skip inexisting roles when parsing ACLs
we do the same for missing users, groups and tokens, and just like
groups, roles with an empty privilege set are explicitly allowed so
pre-generating placeholders is possible.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:17 +0000 (13:54 +0100)]
pveum: add permissions sub-commands
for user and token commands, and some pretty-printing for regular text
output, since the returned nested hash/dict is not very readable.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 19:21:10 +0000 (20:21 +0100)]
pveum token: rename 'update' subcommand to 'modify' for consistency
While the 1:1 mapping from API call names is not bad it was now the
unique "PUT" (modify) command having a different name here. Avoid
that for consistency.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:16 +0000 (13:54 +0100)]
pveum: add 'pveum user token add/update/remove/list'
mapping 1-to-1 to the respective API paths
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:14 +0000 (13:54 +0100)]
tests: unify config file naming
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:13 +0000 (13:54 +0100)]
test: add token-related tests
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:12 +0000 (13:54 +0100)]
API: add 'permissions' API endpoint
and related helper, to dump permissions + propagate info for
- a specific, given path
- generic top-level + user.cfg-referenced paths, including pools
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:11 +0000 (13:54 +0100)]
roles()/permissions(): also return propagate flag
this information is already available, but not exposed. we need it for
dumping an effective permission tree of a given user/token.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:10 +0000 (13:54 +0100)]
api: disallow some paths for API tokens
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:09 +0000 (13:54 +0100)]
API token: implement permission checks
non-privsep tokens will always return the roles/permissions of their
associated users. privsep tokens will return unfiltered roles, but
filtered permissions.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:08 +0000 (13:54 +0100)]
API: include API tokens in ACL API endpoints
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 20:21:15 +0000 (21:21 +0100)]
api/users: mark tokens and groups as optional in return schema
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:07 +0000 (13:54 +0100)]
API: add group and token info to user index
otherwise we need 1+N API calls to retrieve the full user+token picture
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:02:52 +0000 (10:02 +0100)]
api: document default of token expiration date
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:06 +0000 (13:54 +0100)]
API: add API token API endpoints
and integration for user API endpoints.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>