1 package PVE
::API2
::Role
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
12 use base
qw(PVE::RESTHandler);
# Role index: lists every role found in user.cfg together with its
# privilege string and a flag telling built-in ("special") roles apart
# from user-defined ones.
# NOTE(review): no `check`/permissions entry for this method is visible in
# this listing, unlike the mutating methods below — confirm in the full
# file what read permission is intended for the role list.
14 __PACKAGE__-
>register_method ({
18 description
=> "Role index.",
23 additionalProperties
=> 0,
31 roleid
=> { type
=> 'string' },
34 links
=> [ { rel
=> 'child', href
=> "{roleid}" } ],
# Read-only path: user.cfg is read without taking the user-config lock
# (compare the create/update/delete handlers, which wrap their work in
# lock_user_config).
41 my $usercfg = cfs_read_file
("user.cfg");
# One entry per role. The privilege set is stored as a hash keyed by
# privilege name, so the keys are sorted before joining to give a stable,
# comma-separated string regardless of hash ordering.
43 foreach my $role (keys %{$usercfg->{roles
}}) {
44 my $privs = join(',', sort keys %{$usercfg->{roles
}->{$role}});
# Built-in roles are flagged so API clients can tell them from
# user-defined ones (delete_role below refuses to remove such roles).
48 special
=> PVE
::AccessControl
::role_is_special
($role),
# create_role: adds a new, empty role to user.cfg and then assigns the
# requested privileges to it. Dies if a role of that name already exists.
55 __PACKAGE__-
>register_method ({
56 name
=> 'create_role',
# Only callers holding Sys.Modify on /access may create roles.
61 check
=> ['perm', '/access', ['Sys.Modify']],
63 description
=> "Create new role.",
65 additionalProperties
=> 0,
# roleid and privs carry registered formats (pve-roleid / pve-priv-list);
# presumably the REST layer validates them before the handler runs —
# confirm, since the handler itself does no further syntax checks.
67 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
# privs is optional here (unlike update_role, where it is required).
68 privs
=> { type
=> 'string' , format
=> 'pve-priv-list', optional
=> 1 },
71 returns
=> { type
=> 'null' },
# Read, existence check and write all happen under the user-config lock,
# so a concurrent request cannot create the same role between the check
# below and the write at the end.
75 PVE
::AccessControl
::lock_user_config
(
78 my $usercfg = cfs_read_file
("user.cfg");
80 my $role = $param->{roleid
};
# Never overwrite an existing role.
# NOTE(review): there is no role_is_special guard here (delete_role has
# one). Whether built-in role names are present in the roles hash at this
# point, and thus rejected by this check, is not visible in this listing —
# confirm, so a request cannot define a role under a built-in name.
82 die "role '$role' already exists\n"
83 if $usercfg->{roles
}->{$role};
# Start from an empty privilege set and let add_role_privs fill it in.
85 $usercfg->{roles
}->{$role} = {};
# privs may be undef (it is optional); add_role_privs is called anyway —
# presumably a no-op in that case, verify.
87 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
# Persist the updated config. The trailing string is handed to
# lock_user_config alongside the block — presumably the error context
# reported if anything inside dies; verify.
89 cfs_write_file
("user.cfg", $usercfg);
90 }, "create role failed");
# update_role: changes the privilege set of an existing role. Without the
# append flag the previous privileges are dropped and replaced by the
# request's privs; with it they are extended. Dies if the role is missing.
95 __PACKAGE__-
>register_method ({
96 name
=> 'update_role',
# Same authorisation as create_role: Sys.Modify on /access.
101 check
=> ['perm', '/access', ['Sys.Modify']],
# NOTE(review): this description is a copy of create_role's. The code
# below updates an existing role and dies if it does not exist, so
# "Update an existing role." would describe it.
103 description
=> "Create new role.",
105 additionalProperties
=> 0,
107 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
# privs is required here — no optional flag, unlike create_role.
108 privs
=> { type
=> 'string' , format
=> 'pve-priv-list' },
116 returns
=> { type
=> 'null' },
# Existence check, modification and write happen under the user-config
# lock so the role cannot be deleted or changed concurrently in between.
120 PVE
::AccessControl
::lock_user_config
(
123 my $role = $param->{roleid
};
125 my $usercfg = cfs_read_file
("user.cfg");
# Updating an unknown role is an error (use create_role for new roles).
127 die "role '$role' does not exist\n"
128 if !$usercfg->{roles
}->{$role};
# Replace semantics by default: the existing privilege set is discarded
# before add_role_privs runs, so only the request's privs remain.
# NOTE(review): `append` is not among the parameters visible in this
# listing — confirm it is declared in the schema, otherwise
# additionalProperties => 0 would reject it.
130 $usercfg->{roles
}->{$role} = {} if !$param->{append
};
132 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
# Persist the updated config.
134 cfs_write_file
("user.cfg", $usercfg);
135 }, "update role failed");
140 # fixme: return format!
# NOTE(review): the handler looks up the role's entry in user.cfg and
# presumably hands that hash back as-is; a declared returns schema would
# pin the wire format for clients — confirm what the full method returns.
# Read-only lookup of a single role's configuration.
# NOTE(review): no `check`/permissions entry for this method is visible in
# this listing, unlike the mutating methods — confirm the intended read
# permission in the full file.
141 __PACKAGE__-
>register_method ({
148 description
=> "Get role configuration.",
150 additionalProperties
=> 0,
152 roleid
=> { type
=> 'string' , format
=> 'pve-roleid' },
# Read-only: user.cfg is read without the user-config lock.
159 my $usercfg = cfs_read_file
("user.cfg");
161 my $role = $param->{roleid
};
163 my $data = $usercfg->{roles
}->{$role};
# Same error text as update_role for a missing role.
165 die "role '$role' does not exist\n" if !$data;
# delete_role: removes a user-defined role from user.cfg. Built-in
# ("special") roles are rejected up front; unknown roles are an error.
170 __PACKAGE__-
>register_method ({
171 name
=> 'delete_role',
# Same authorisation as create/update: Sys.Modify on /access.
176 check
=> ['perm', '/access', ['Sys.Modify']],
178 description
=> "Delete role.",
180 additionalProperties
=> 0,
182 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
185 returns
=> { type
=> 'null' },
189 my $role = $param->{roleid
};
# Built-in roles can never be deleted. This is checked before the lock is
# taken; it only depends on the role name, not on the config contents.
191 die "auto-generated role '$role' cannot be deleted\n"
192 if PVE
::AccessControl
::role_is_special
($role);
# Existence check, delete and write happen under the user-config lock.
194 PVE
::AccessControl
::lock_user_config
(
196 my $usercfg = cfs_read_file
("user.cfg");
198 die "role '$role' does not exist\n"
199 if !$usercfg->{roles
}->{$role};
# Only the roles hash is touched here.
201 delete ($usercfg->{roles
}->{$role});
203 # fixme: delete role from acl?
# NOTE(review): ACL entries in user.cfg that still name this role are not
# removed by this handler, so they remain as dangling references. That
# matters if a role of the same name is created again later: any retained
# entries would then apply the new definition to the old principals.
# Confirm how the user.cfg parser treats ACL entries for unknown roles and
# whether the ACL cleanup should be done here, inside the same lock.
205 cfs_write_file
("user.cfg", $usercfg);
206 }, "delete role failed");