Assert whether certain properties are allowed to be passed for the HA groups and HA services API endpoints depending on whether the use-location-rules feature flag is enabled or disabled.
Signed-off-by: Daniel Kral <d.k...@proxmox.com>
---
changes since v1: - NEW!
 src/PVE/API2/HA/Groups.pm | 20 ++++++++++++++++++++
 src/PVE/API2/HA/Resources.pm | 30 ++++++++++++++++++++++++++----
 src/PVE/API2/HA/Status.pm | 6 +++++-
 3 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/src/PVE/API2/HA/Groups.pm b/src/PVE/API2/HA/Groups.pm
index 32350df..4dcb458 100644
--- a/src/PVE/API2/HA/Groups.pm
+++ b/src/PVE/API2/HA/Groups.pm
@@ -32,6 +32,15 @@ my $api_copy_config = sub {
 return $group_cfg;
 };
+my $verify_group_api_call_is_allowed = sub {
+ my ($noerr) = @_;
+
+ return 1 if !PVE::HA::Config::is_ha_location_enabled();
+
+ die "ha groups are not allowed because location rules are enabled\n" if !$noerr;
+ return 0;
+};
+
 __PACKAGE__->register_method({
 name => 'index',
 path => '',
@@ -55,6 +64,9 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ # return empty list instead of errors
+ return [] if !$verify_group_api_call_is_allowed->(1);
+
 my $cfg = PVE::HA::Config::read_group_config();
 my $res = [];
@@ -89,6 +101,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ $verify_group_api_call_is_allowed->();
+
 my $cfg = PVE::HA::Config::read_group_config();
 return &$api_copy_config($cfg, $param->{group});
@@ -109,6 +123,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ $verify_group_api_call_is_allowed->();
+
 # create /etc/pve/ha directory
 PVE::Cluster::check_cfs_quorum();
 mkdir("/etc/pve/ha");
@@ -160,6 +176,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ $verify_group_api_call_is_allowed->();
+
 my $digest = extract_param($param, 'digest');
 my $delete = extract_param($param, 'delete');
@@ -233,6 +251,8 @@ __PACKAGE__->register_method({
 code => sub {
 my ($param) = @_;
+ $verify_group_api_call_is_allowed->();
+
 my $group = extract_param($param, 'group');
 PVE::HA::Config::lock_ha_domain(
diff --git a/src/PVE/API2/HA/Resources.pm b/src/PVE/API2/HA/Resources.pm
index 5916204..f41fa2f 100644
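Review bot: In src/PVE/API2/HA/Groups.pm (hunk `@@ -32,6 +32,15 @@`) the new `$verify_group_api_call_is_allowed` helper carries no comment, and its contract is easy to misread: it returns 1 while location rules are disabled, and otherwise dies unless `$noerr` is true, in which case it returns 0. A one-line comment above it would settle that, e.g. `# HA groups are usable only while location rules are disabled; dies otherwise, or returns 0 if $noerr is set.` The `die` passes a plain string, so the status code a client receives depends on how the REST handler maps such errors, which is not visible here; it is worth confirming that the rejection is reported as a client error rather than a server fault.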
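Review bot: In the Groups.pm `index` handler (hunk `@@ -55,6 +64,9 @@`) the early `return []` makes a cluster with location rules enabled indistinguishable, for an API client, from one that simply has no groups, while the handlers in the four later hunks of this file die with an explicit message. The comment `# return empty list instead of errors` says what happens but not why the listing is treated differently. If the intent is to keep list views working, record it, e.g. `# location rules enabled: groups are unused, so report none instead of failing the listing`. The handler body continues outside the hunk.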
--- a/src/PVE/API2/HA/Resources.pm
+++ b/src/PVE/API2/HA/Resources.pm
@@ -5,7 +5,7 @@ use warnings;
 use PVE::SafeSyslog;
 use PVE::Tools qw(extract_param);
-use PVE::Cluster;
+use PVE::Cluster qw(cfs_read_file);
 use PVE::HA::Config;
 use PVE::HA::Resources;
 use HTTP::Status qw(:constants);
@@ -22,7 +22,7 @@ use base qw(PVE::RESTHandler);
 my $resource_type_enum = PVE::HA::Resources->lookup_types();
 my $api_copy_config = sub {
- my ($cfg, $sid) = @_;
+ my ($cfg, $sid, $remove_group) = @_;
 die "no such resource '$sid'\n" if !$cfg->{ids}->{$sid};
@@ -30,9 +30,23 @@ my $api_copy_config = sub {
 $scfg->{sid} = $sid;
 $scfg->{digest} = $cfg->{digest};
+ delete $scfg->{group} if $remove_group;
+
 return $scfg;
 };
+my $assert_service_params_are_allowed = sub {
+ my ($param) = @_;
+
+ my $use_location_rules = PVE::HA::Config::is_ha_location_enabled();
+
+ die "'group' is not allowed because location rules are enabled in datacenter config\n"
+ if defined($param->{group}) && $use_location_rules;
+
+ die "'failback' is not allowed because location rules are disabled in datacenter config\n",
+ if defined($param->{failback}) && !$use_location_rules;
+};
+
 sub check_service_state {
 my ($sid, $req_state) = @_;
@@ -78,9 +92,11 @@ __PACKAGE__->register_method({
 my $cfg = PVE::HA::Config::read_resources_config();
 my $groups = PVE::HA::Config::read_group_config();
+ my $use_location_rules = PVE::HA::Config::is_ha_location_enabled();
+
 my $res = [];
 foreach my $sid (keys %{ $cfg->{ids} }) {
- my $scfg = &$api_copy_config($cfg, $sid);
+ my $scfg = &$api_copy_config($cfg, $sid, $use_location_rules);
 next if $param->{type} && $param->{type} ne $scfg->{type};
 if ($scfg->{group} && !$groups->{ids}->{ $scfg->{group} }) {
 $scfg->{errors}->{group} = "group '$scfg->{group}' does not exist";
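Review bot: In src/PVE/API2/HA/Resources.pm (hunk `@@ -5,7 +5,7 @@`) the import is widened to `use PVE::Cluster qw(cfs_read_file);`, yet no hunk in this patch calls `cfs_read_file`; the flag is always read through `PVE::HA::Config::is_ha_location_enabled()`. Unless code outside the shown hunks needs it, the line can stay `use PVE::Cluster;` so the module does not pull an unused symbol into its namespace.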
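Review bot: In hunk `@@ -30,9 +30,23 @@` the second `die` in `$assert_service_params_are_allowed` ends with a stray comma before its statement modifier: the message line closes with `config\n",` and is followed by `if defined($param->{failback}) && !$use_location_rules;`. It parses as a trailing comma in the argument list of `die`, so behaviour is unaffected, but the `group` check directly above has none and the two should match: `die "'failback' is not allowed because location rules are disabled in datacenter config\n"`. A short comment on the helper stating that `group` belongs to the disabled state and `failback` to the enabled state would also make the two opposite conditions easier to check at a glance.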
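Review bot: The read path in hunk `@@ -78,9 +92,11 @@` handles only one direction of the flag: `$api_copy_config` drops `group` when location rules are enabled, but nothing here or in the `@@ -154,7 +170,9 @@` hunk drops `failback` when they are disabled, although `$assert_service_params_are_allowed` rejects `failback` on write in that state. A resource that still carries `failback` from a period with the flag on would therefore keep returning it from the index and read endpoints. If that is intended, say so next to `delete $scfg->{group} if $remove_group;`; otherwise `$api_copy_config` could strip whichever property is inactive. With the flag on, the `if ($scfg->{group} && ...)` existence check that follows can also no longer fire, because `group` has already been deleted from the copy.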
@@ -154,7 +170,9 @@ __PACKAGE__->register_method({
 my $sid = PVE::HA::Config::parse_sid($param->{sid});
- return &$api_copy_config($cfg, $sid);
+ my $use_location_rules = PVE::HA::Config::is_ha_location_enabled();
+
+ return &$api_copy_config($cfg, $sid, $use_location_rules);
 },
 });
@@ -188,6 +206,8 @@ __PACKAGE__->register_method({
 $plugin->exists($name);
+ $assert_service_params_are_allowed->($param);
+
 my $opts = $plugin->check_config($sid, $param, 1, 1);
 PVE::HA::Config::lock_ha_domain(
@@ -235,6 +255,8 @@ __PACKAGE__->register_method({
 die "types does not match\n" if $param_type ne $type;
 }
+ $assert_service_params_are_allowed->($param);
+
 if (my $group = $param->{group}) {
 my $group_cfg = PVE::HA::Config::read_group_config();
diff --git a/src/PVE/API2/HA/Status.pm b/src/PVE/API2/HA/Status.pm
index 1547e0e..eba3876 100644
--- a/src/PVE/API2/HA/Status.pm
+++ b/src/PVE/API2/HA/Status.pm
@@ -241,6 +241,8 @@ __PACKAGE__->register_method({
 }
 }
+ my $use_location_rules = PVE::HA::Config::is_ha_location_enabled();
+
 my $add_service = sub {
 my ($sid, $sc, $ss) = @_;
@@ -260,7 +262,9 @@ __PACKAGE__->register_method({
 # also return common resource attributes
 if (defined($sc)) {
 $data->{request_state} = $sc->{state};
- foreach my $key (qw(group max_restart max_relocate comment)) {
+ my @attributes = qw(max_restart max_relocate comment);
+ push @attributes, 'group' if !$use_location_rules;
+ foreach my $key (@attributes) {
 $data->{$key} = $sc->{$key} if defined($sc->{$key});
 }
 }
--
2.39.5
_______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel