kresctl: commands: changed validation strictness default to false
authorAleš Mrázek <ales.mrazek@nic.cz>
Mon, 7 Jul 2025 13:47:39 +0000 (15:47 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 16 Jul 2025 15:58:40 +0000 (17:58 +0200)
NEWS
doc/user/manager-client.rst
python/knot_resolver/client/commands/convert.py
python/knot_resolver/client/commands/validate.py
scripts/poe-tasks/examples

diff --git a/NEWS b/NEWS
index c53b27c5f52f5ca319938157ce0864795f5f8450..d4d87dcff3a857adbba331947fe326d57905fe52 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ Improvements
 - update/more precise default answers for special names (!1709)
   https://www.iana.org/assignments/special-use-domain-names
   https://www.iana.org/assignments/locally-served-dns-zones
+- kresctl: strict validation is now disabled by default (!1714)
 
 
 Knot Resolver 6.0.14 (2025-06-03)
index abeab2c93c1cc01e0e4d03a705d50a22176ff1ea..c0c757c01c01083e0849e6263e5cac763de8049c 100644 (file)
@@ -241,9 +241,15 @@ single ``kresctl`` command.
 
     Validate declarative configuration.
 
-    .. option:: --no-strict
+    .. option:: --strict
 
-        Ignore strict rules during validation, e.g. path/file existence.
+        Enable strict rules during validation.
+
+        During strict validation, the existence and access rights of paths are also checked.
+        However, if you are using an additional file system permission control mechanism,
+        such as access control lists (ACLs), this validation will likely fail.
+        This is because the validation runs under a different user/group than the resolver
+        itself and attempts to access the configured paths directly.
 
     .. option:: <input_file>
 
@@ -258,9 +264,15 @@ single ``kresctl`` command.
 
     Convert declarative configuration to a Lua script.
 
-    .. option:: --no-strict
+    .. option:: --strict
+
+        Enable strict rules during validation.
 
-        Ignore strict rules during validation, e.g. path/file existence.
+        During strict validation, the existence and access rights of paths are also checked.
+        However, if you are using an additional file system permission control mechanism,
+        such as access control lists (ACLs), this validation will likely fail.
+        This is because the validation runs under a different user/group than the resolver
+        itself and attempts to access the configured paths directly.
 
     .. option:: --type=<worker|policy-loader>
 
index aab07519cb5a5203cf80c37350c2b6c1d202b9c0..eea383e1f684677513ec78527927253337e57efe 100644 (file)
@@ -24,11 +24,11 @@ class ConvertCommand(Command):
         subparser: "argparse._SubParsersAction[argparse.ArgumentParser]",
     ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]:
         convert = subparser.add_parser("convert", help="Converts JSON or YAML configuration to Lua script.")
-        convert.set_defaults(strict=True)
+        convert.set_defaults(strict=False)
         convert.add_argument(
-            "--no-strict",
-            help="Ignore strict rules during validation, e.g. path/file existence.",
-            action="store_false",
+            "--strict",
+            help="Enable strict rules during validation, e.g. path/file existence and permissions.",
+            action="store_true",
             dest="strict",
         )
         convert.add_argument(
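Review bot: Removing `--no-strict` outright means any existing script or unit file that runs `kresctl convert --no-strict …` now fails with an argparse usage error, and the matching hunk in validate.py has the same effect for `kresctl validate`. Because the new default already gives the non-strict behaviour, the old spelling could be kept for a release as a hidden no-op: `convert.add_argument("--no-strict", action="store_false", dest="strict", help=argparse.SUPPRESS)`. The two help strings also differ slightly ("path/file existence" here, "paths/files existence" in validate.py) and could share one wording. The method starts before this hunk and continues past it.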
index 92848b5848e738bf380c0ecd10109c9e9f784280..2a336db3eb370a4fcb4df6bc788d226e57cfc6e6 100644 (file)
@@ -22,11 +22,11 @@ class ValidateCommand(Command):
         subparser: "argparse._SubParsersAction[argparse.ArgumentParser]",
     ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]:
         validate = subparser.add_parser("validate", help="Validates configuration in JSON or YAML format.")
-        validate.set_defaults(strict=True)
+        validate.set_defaults(strict=False)
         validate.add_argument(
-            "--no-strict",
-            help="Ignore strict rules during validation, e.g. path/file existence.",
-            action="store_false",
+            "--strict",
+            help="Enable strict rules during validation, e.g. paths/files existence and permissions.",
+            action="store_true",
             dest="strict",
         )
         validate.add_argument(
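Review bot: With `validate.set_defaults(strict=False)`, exit status 0 from a plain `kresctl validate` no longer implies that the paths named in the configuration exist and are accessible. Any deployment or CI gate that called it without flags silently loses that check. A short comment above the default would record why the weaker mode was chosen, for example `# strict is opt-in: path checks run as the invoking user, not the resolver's user, and can misreport (e.g. with ACLs)`. The NEWS entry could also tell operators who rely on the old behaviour to add `--strict` explicitly. The method body continues outside this hunk.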
@@ -57,3 +57,13 @@ class ValidateCommand(Command):
         except (DataParsingError, DataValidationError) as e:
             print(e, file=sys.stderr)
             sys.exit(1)
+        if not self.strict:
+            print(
+                "Basic validation was successful."
+                "\nIf you want more strict validation, you can use the '--strict' switch."
+                "\nDuring strict validation, the existence and access rights of paths are also checked."
+                "\n\nHowever, if you are using an additional file system permission control mechanism,"
+                "\nsuch as access control lists (ACLs), this validation will likely fail."
+                "\nThis is because the validation runs under a different user/group than the resolver itself"
+                "\nand attempts to access the configured paths directly."
+            )
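Review bot: The non-strict notice goes to stdout on every successful run, so callers that capture or pipe the output of `kresctl validate` get a multi-line advisory mixed in, while a successful `--strict` run prints nothing. Writing it to stderr, as the error path directly above already does, keeps stdout stable for scripts: add `file=sys.stderr,` as the final argument of the `print(` call. The notice is also the only place that tells the user the path and permission checks were skipped, so it may be worth leading with that fact rather than "Basic validation was successful." The enclosing method starts outside this hunk.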
index d4437203d1fabb9876a6b739e4c09edd43e56f1f..78117e2d11020aad33f364c6dc5114761f7ca346 100755 (executable)
@@ -7,5 +7,5 @@ source $src_dir/utils/_env.sh
 # validate all configuration examples
 for example in $PWD/etc/config/config.example.*.yaml;
 do
-    python3 -m knot_resolver.client validate --no-strict $example;
+    python3 -m knot_resolver.client validate $example;
 done
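Review bot: `$example` is expanded unquoted on the changed line, so a checkout path containing whitespace would split into several arguments; `python3 -m knot_resolver.client validate "$example";` avoids that. Whether a failing validation aborts the loop depends on shell options set outside this hunk (possibly in the sourced `_env.sh`). If `set -e` is not active, appending `|| exit 1` keeps an early failure from being masked by later successful iterations. Since the examples are now checked in basic mode only, the path and permission checks are no longer exercised by this task.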