delete ($usercfg->{acl}->{$acl}->{users}->{$username})
if $usercfg->{acl}->{$acl}->{users}->{$username};
}
-
}
+
sub delete_group_acl {
my ($group, $usercfg) = @_;
delete ($usercfg->{acl}->{$acl}->{groups}->{$group})
if $usercfg->{acl}->{$acl}->{groups}->{$group};
}
+}
+
+sub delete_pool_acl {
+
+ my ($pool, $usercfg) = @_;
+
+ my $path = "/pool/$pool";
+ foreach my $aclpath (keys %{$usercfg->{acl}}) {
+ delete ($usercfg->{acl}->{$aclpath})
+ if $usercfg->{acl}->{$aclpath} eq 'path';
+ }
}
# we automatically create some predefined roles by splitting privs
VM => {
root => [],
admin => [
- 'VM.Modify',
+ 'VM.Config.Disk',
+ 'VM.Config.CDROM', # change CDROM media
+ 'VM.Config.CPU',
+ 'VM.Config.Memory',
+ 'VM.Config.Network',
+ 'VM.Config.HWType',
+ 'VM.Config.Options', # covers all other things
'VM.Allocate',
'VM.Migrate',
+ 'VM.Monitor',
],
user => [
'VM.Console',
+ 'VM.Backup',
'VM.PowerMgmt',
],
audit => [
- 'VM.Audit'
+ 'VM.Audit',
],
},
Sys => {
root => [],
admin => [
'Datastore.Allocate',
+ 'Datastore.AllocateTemplate',
],
user => [
'Datastore.AllocateSpace',
],
},
User => {
- root => [],
+ root => [
+ 'Realm.Allocate',
+ ],
admin => [
'User.Modify',
- 'User.Allocate',
+ 'Group.Allocate', # edit/change group settings
+ 'Realm.AllocateUser',
+ ],
+ user => [],
+ audit => [],
+ },
+ Pool => {
+ root => [],
+ admin => [
+ 'Pool.Allocate', # create/delete pools
],
user => [],
audit => [],
ldap => {
server1 => '[\w\d]+(.[\w\d]+)*',
server2 => '[\w\d]+(.[\w\d]+)*',
- base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
+ base_dn => '\w+=[^,]+(,\s*\w+=[^,]+)*',
user_attr => '\S{2,}',
secure => '',
port => '\d+',
my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
PVE::JSONSchema::register_standard_option('realm', {
description => "Authentication domain ID",
- type => 'string', format => 'pve-configid',
+ type => 'string', format => 'pve-realm',
maxLength => 32,
});
return $rolename;
}
+PVE::JSONSchema::register_format('pve-poolid', \&verify_groupname);
+sub verify_poolname {
+ my ($poolname, $noerr) = @_;
+
+ if ($poolname !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+ die "pool name '$poolname' contains invalid characters\n" if !$noerr;
+
+ return undef;
+ }
+
+ return $poolname;
+}
+
PVE::JSONSchema::register_format('pve-priv', \&verify_privname);
sub verify_privname {
my ($priv, $noerr) = @_;
}
foreach my $ug (split_list($uglist)) {
- if ($ug =~ m/^@(\w+)$/) {
+ if ($ug =~ m/^@(\S+)$/) {
my $group = $1;
if ($cfg->{groups}->{$group}) { # group exists
$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
warn "user config - ignore invalid path in acl '$pathtxt'\n";
}
} elsif ($et eq 'pool') {
- my ($pathtxt, $comment, $vmlist, $storelist) = @data;
+ my ($pool, $comment, $vmlist, $storelist) = @data;
- if (my $path = normalize_path($pathtxt)) {
- # make sure to add the pool (even if there are no members)
- $cfg->{pools}->{$path} = { vms => {}, storage => {} } if !$cfg->{pools}->{$path};
+ if (!verify_poolname($pool, 1)) {
+ warn "user config - ignore pool '$pool' - invalid characters in pool name\n";
+ next;
+ }
- $cfg->{pools}->{$path}->{comment} = PVE::Tools::decode_text($comment) if $comment;
+ # make sure to add the pool (even if there are no members)
+ $cfg->{pools}->{$pool} = { vms => {}, storage => {} } if !$cfg->{pools}->{$pool};
- foreach my $vmid (split_list($vmlist)) {
- if ($vmid !~ m/^\d+$/) {
- warn "user config - ignore invalid vmid '$vmid' in pool '$path'\n";
- next;
- }
- $vmid = int($vmid);
+ $cfg->{pools}->{$pool}->{comment} = PVE::Tools::decode_text($comment) if $comment;
- if ($cfg->{vms}->{$vmid}) {
- warn "user config - ignore duplicate vmid '$vmid' in pool '$path'\n";
- next;
- }
-
- $cfg->{pools}->{$path}->{vms}->{$vmid} = 1;
-
- # record vmid ==> pool relation
- $cfg->{vms}->{$vmid} = $path;
+ foreach my $vmid (split_list($vmlist)) {
+ if ($vmid !~ m/^\d+$/) {
+ warn "user config - ignore invalid vmid '$vmid' in pool '$pool'\n";
+ next;
}
+ $vmid = int($vmid);
- foreach my $storeid (split_list($storelist)) {
- if ($storeid !~ m/^[a-z][a-z0-9\-\_\.]*[a-z0-9]$/i) {
- warn "user config - ignore invalid storage '$storeid' in pool '$path'\n";
- next;
- }
- $cfg->{pools}->{$path}->{storage}->{$storeid} = 1;
+ if ($cfg->{vms}->{$vmid}) {
+ warn "user config - ignore duplicate vmid '$vmid' in pool '$pool'\n";
+ next;
}
- } else {
- warn "user config - ignore invalid path in pool'$pathtxt'\n";
+ $cfg->{pools}->{$pool}->{vms}->{$vmid} = 1;
+
+ # record vmid ==> pool relation
+ $cfg->{vms}->{$vmid} = $pool;
+ }
+
+ foreach my $storeid (split_list($storelist)) {
+ if ($storeid !~ m/^[a-z][a-z0-9\-\_\.]*[a-z0-9]$/i) {
+ warn "user config - ignore invalid storage '$storeid' in pool '$pool'\n";
+ next;
+ }
+ $cfg->{pools}->{$pool}->{storage}->{$storeid} = 1;
}
} else {
warn "user config - ignore config line: $line\n";
$data .= "\n";
- foreach my $path (keys %{$cfg->{pools}}) {
- my $d = $cfg->{pools}->{$path};
+ foreach my $pool (keys %{$cfg->{pools}}) {
+ my $d = $cfg->{pools}->{$pool};
my $vmlist = join (',', keys %{$d->{vms}});
my $storelist = join (',', keys %{$d->{storage}});
my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
- $data .= "pool:$path:$comment:$vmlist:$storelist:\n";
+ $data .= "pool:$pool:$comment:$vmlist:$storelist:\n";
}
$data .= "\n";