Are group acls broken in v6.4?

[grin]

I was fighting to create an already tested state of: "a group [member] who can only manage users within the group foo" and kept failing, and I was thinking it's me:

# pveum acl modify /access/realm/pve -groups vmadmin -roles PVEUserAdmin
400 Parameter verification failed.
path: invalid ACL path '/access/realm/pve'
pveum acl modify <path> --roles <string> [OPTIONS]

And same for /access/groups/foo and similar.

Then I got angry and went to see the code.

• First, the problem seems to be API2::AccessControl::check_path() which seems to be convinced that there must be nothing after /access/groups or /access/realm.
• Second, this invalidates all the documentation related to that. (Sidenote: the documentation oscillates between "group" and "groups", "realm" and "realms".)
• Third, the repo has been slaughtered to pieces and it's impossible to see why and when this code was inserted. (no backwards pointers, or naming the original repo)
• Fourth, I see there are tests, except there seem to be no test for group or realm, which is not surprising since they'd fail immediately.

So I am really puzzled how shall I create a user with the specific rights under v6.4.

 

[dcsapak]

First, the problem seems to be API2::AccessControl::check_path() which seems to be convinced that there must be nothing after /access/groups or /access/realm.

yes this is a bug and i'll send a patch for that shortly, looking at the commit message it was a fix for https://bugzilla.proxmox.com/show_bug.cgi?id=1500

Second, this invalidates all the documentation related to that. (Sidenote: the documentation oscillates between "group" and "groups", "realm" and "realms".)

yeah, i'll see to it that we update the docs. it is definitely '/access/realm', groups i'll have to check
(if you want you can open a bug so that we can easier keep track of it)

Third, the repo has been slaughtered to pieces and it's impossible to see why and when this code was inserted. (no backwards pointers, or naming the original repo)

what do you mean by that exactly? the only major thing i am aware of is the move into a 'src' folder
though if you inspect the repo with 'git log --follow' it knows that the files only moved

Fourth, I see there are tests, except there seem to be no test for group or realm, which is not surprising since they'd fail immediately.

yes, i'd make sense to add some (idk if i have time for that, otherwise i'll open a bug for it)

 

[grin]

yes this is a bug and i'll send a patch for that shortly, looking at the commit message it was a fix for https://bugzilla.proxmox.com/show_bug.cgi?id=1500

Ok, that was what I was wondering. Tomas vs. regex 0:1

yeah, i'll see to it that we update the docs. it is definitely '/access/realm', groups i'll have to check
(if you want you can open a bug so that we can easier keep track of it)

I have patched mine so I'm okay, thank you.

what do you mean by that exactly? the only major thing i am aware of is the move into a 'src' folder
though if you inspect the repo with 'git log --follow' it knows that the files only moved

Well I see only the web interface and it gave no hint nor history; I try not to touch git if possible since I dislike it pretty much, but no offense, just mentioning that it seems the code were moved between repos(?) or else and the web history doesn't show it.

yes, i'd make sense to add some (idk if i have time for that, otherwise i'll open a bug for it)

I suggest to open a bug for that. Testing is nice.

g