]>
git.proxmox.com Git - ceph.git/blob - ceph/src/pybind/mgr/dashboard/controllers/role.py
1 # -*- coding: utf-8 -*-
2 from __future__
import absolute_import
6 from . import ApiController
, RESTController
, UiApiController
,\
9 from ..exceptions
import RoleDoesNotExist
, DashboardException
,\
10 RoleIsAssociatedWithUser
, RoleAlreadyExists
11 from ..security
import Scope
as SecurityScope
, Permission
12 from ..services
.access_control
import SYSTEM_ROLES
15 @ApiController('/role', SecurityScope
.USER
)
16 class Role(RESTController
):
18 def _role_to_dict(role
):
19 role_dict
= role
.to_dict()
20 role_dict
['system'] = role_dict
['name'] in SYSTEM_ROLES
24 def _validate_permissions(scopes_permissions
):
25 if scopes_permissions
:
26 for scope
, permissions
in scopes_permissions
.items():
27 if scope
not in SecurityScope
.all_scopes():
28 raise DashboardException(msg
='Invalid scope',
31 if any(permission
not in Permission
.all_permissions()
32 for permission
in permissions
):
33 raise DashboardException(msg
='Invalid permission',
34 code
='invalid_permission',
38 def _set_permissions(role
, scopes_permissions
):
39 role
.reset_scope_permissions()
40 if scopes_permissions
:
41 for scope
, permissions
in scopes_permissions
.items():
43 role
.set_scope_permissions(scope
, permissions
)
47 roles
= dict(mgr
.ACCESS_CTRL_DB
.roles
)
48 roles
.update(SYSTEM_ROLES
)
49 roles
= sorted(roles
.values(), key
=lambda role
: role
.name
)
50 return [Role
._role
_to
_dict
(r
) for r
in roles
]
54 role
= SYSTEM_ROLES
.get(name
)
57 role
= mgr
.ACCESS_CTRL_DB
.get_role(name
)
58 except RoleDoesNotExist
:
59 raise cherrypy
.HTTPError(404)
60 return Role
._role
_to
_dict
(role
)
64 return Role
._get
(name
)
67 def _create(name
=None, description
=None, scopes_permissions
=None):
69 raise DashboardException(msg
='Name is required',
72 Role
._validate
_permissions
(scopes_permissions
)
74 role
= mgr
.ACCESS_CTRL_DB
.create_role(name
, description
)
75 except RoleAlreadyExists
:
76 raise DashboardException(msg
='Role already exists',
77 code
='role_already_exists',
79 Role
._set
_permissions
(role
, scopes_permissions
)
80 mgr
.ACCESS_CTRL_DB
.save()
81 return Role
._role
_to
_dict
(role
)
83 def create(self
, name
=None, description
=None, scopes_permissions
=None):
84 # type: (str, str, dict) -> dict
85 return Role
._create
(name
, description
, scopes_permissions
)
87 def set(self
, name
, description
=None, scopes_permissions
=None):
88 # type: (str, str, dict) -> dict
90 role
= mgr
.ACCESS_CTRL_DB
.get_role(name
)
91 except RoleDoesNotExist
:
92 if name
in SYSTEM_ROLES
:
93 raise DashboardException(msg
='Cannot update system role',
94 code
='cannot_update_system_role',
96 raise cherrypy
.HTTPError(404)
97 Role
._validate
_permissions
(scopes_permissions
)
98 Role
._set
_permissions
(role
, scopes_permissions
)
99 role
.description
= description
100 mgr
.ACCESS_CTRL_DB
.update_users_with_roles(role
)
101 mgr
.ACCESS_CTRL_DB
.save()
102 return Role
._role
_to
_dict
(role
)
104 def delete(self
, name
):
105 # type: (str) -> None
107 mgr
.ACCESS_CTRL_DB
.delete_role(name
)
108 except RoleDoesNotExist
:
109 if name
in SYSTEM_ROLES
:
110 raise DashboardException(msg
='Cannot delete system role',
111 code
='cannot_delete_system_role',
113 raise cherrypy
.HTTPError(404)
114 except RoleIsAssociatedWithUser
:
115 raise DashboardException(msg
='Role is associated with user',
116 code
='role_is_associated_with_user',
118 mgr
.ACCESS_CTRL_DB
.save()
120 @RESTController.Resource('POST', status
=201)
122 def clone(self
, name
, new_name
):
123 # type: (str, str) -> dict
124 role
= Role
._get
(name
)
125 return Role
._create
(new_name
, role
.get('description'),
126 role
.get('scopes_permissions'))
129 @UiApiController('/scope', SecurityScope
.USER
)
130 class Scope(RESTController
):
132 return SecurityScope
.all_scopes()