# PVE::API2::ACL: REST API handlers (registered through register_method) that
# list and update the access-control list stored in "user.cfg".
# NOTE(review): this listing is an excerpt. The number that starts a statement
# is the line number in the original file, and the numbering skips, so some
# source lines are not shown here.
1 package PVE
::API2
::ACL
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::Tools
qw(split_list);
7 use PVE
::AccessControl
;
8 use PVE
::Exception
qw(raise_param_exc);
12 use Data
::Dumper
; # fixme: remove
16 use base
qw(PVE::RESTHandler);
# Registers the read handler ("Get Access Control List (ACLs).").
# Only part of the registration is visible; the comments below describe the
# visible lines and hedge anything that depends on lines not shown.
18 __PACKAGE__-
>register_method ({
22 description
=> "Get Access Control List (ACLs).",
# Permission check on the fixed path '/access'. Two privileges are listed with
# any => 1, so holding either Sys.Audit or Permissions.Modify should be enough
# -- TODO confirm against the 'perm' check implementation.
24 check
=> ['perm', '/access', ['Sys.Audit', 'Permissions.Modify'], any
=> 1],
# additionalProperties => 0 appears twice; which schema objects they close
# (presumably the parameter schema and the returned item schema) is not
# visible in this excerpt.
27 additionalProperties
=> 0,
34 additionalProperties
=> 0,
# Schema fields of one ACL entry: path, type (user|group), ugid, roleid and
# the boolean propagate flag.
36 path
=> { type
=> 'string' },
37 type
=> { type
=> 'string', enum
=> ['user', 'group'] },
38 ugid
=> { type
=> 'string' },
39 roleid
=> { type
=> 'string' },
40 propagate
=> { type
=> 'boolean' },
# Load the parsed user configuration through the cluster file helper.
49 my $usercfg = cfs_read_file
("user.cfg");
# Guard for a missing config or a config without an 'acl' section; the body of
# this branch is not shown here.
51 if (!$usercfg || !$usercfg->{acl
}) {
55 my $acl = $usercfg->{acl
};
# Walk acl -> path -> (users|groups) -> id -> role; the value stored under each
# role is that entry's propagate flag.
# NOTE(review): no per-path or per-principal filtering is visible among the
# shown lines, so the result appears to enumerate every ACL entry to any caller
# that passes the check above -- confirm that Sys.Audit on /access is meant to
# expose the complete permission map.
56 foreach my $path (keys %$acl) {
57 foreach my $type (qw(users groups)) {
58 my $d = $acl->{$path}->{$type};
60 foreach my $id (keys %$d) {
61 foreach my $role (keys %{$d->{$id}}) {
62 my $propagate = $d->{$id}->{$role};
# The plural config key ('users'/'groups') is mapped to the singular value
# allowed by the schema enum ('user'/'group').
65 type
=> $type eq 'groups' ?
'group' : 'user',
68 propagate
=> $propagate,
# Registers the update handler ("Update Access Control List (add or remove
# permissions)."). Only part of the registration is visible; the comments
# below describe the visible lines and hedge anything that depends on lines
# not shown.
78 __PACKAGE__-
>register_method ({
# Permission check: Permissions.Modify on the fixed path '/access', not on the
# ACL path named in the request.
# NOTE(review): with only this check, a caller holding Permissions.Modify on
# /access can add or remove any existing role on any path for any user or
# group, their own account included. Treat that privilege as equivalent to full
# administrative control when assigning and auditing it, unless lines not shown
# here apply a further restriction -- TODO confirm.
84 check
=> ['perm', '/access', ['Permissions.Modify']],
86 description
=> "Update Access Control List (add or remove permissions).",
88 additionalProperties
=> 0,
# Parameter schema. Only the description of the path parameter is visible;
# its type/format line is not shown.
91 description
=> "Access control path",
# users, groups and roles are strings constrained by the list formats
# 'pve-userid-list', 'pve-groupid-list' and 'pve-roleid-list'.
95 description
=> "List of users.",
96 type
=> 'string', format
=> 'pve-userid-list',
100 description
=> "List of groups.",
101 type
=> 'string', format
=> 'pve-groupid-list',
105 description
=> "List of roles.",
106 type
=> 'string', format
=> 'pve-roleid-list',
109 description
=> "Allow to propagate (inherit) permissions.",
114 description
=> "Remove permissions (instead of adding it).",
120 returns
=> { type
=> 'null' },
# At least one of 'users' or 'groups' must be supplied. The same message is
# attached to both parameter names, presumably as the argument of a
# raise_param_exc call whose opening line is not shown.
124 if (!($param->{users
} || $param->{groups
})) {
126 users
=> "either 'users' or 'groups' is required.",
127 groups
=> "either 'users' or 'groups' is required." });
# Normalise the requested ACL path; a false result is rejected as a parameter
# error. The message echoes the caller-supplied path unchanged, so whatever
# renders or logs this error should treat it as untrusted text.
130 my $path = PVE
::AccessControl
::normalize_path
($param->{path
});
131 raise_param_exc
({ path
=> "invalid ACL path '$param->{path}'" }) if !$path;
# The read, modify and write of user.cfg are passed to lock_user_config, and
# the existence checks below use the config read inside that call, i.e. the
# same copy that is written back. "ACL update failed" is the final argument,
# presumably the error prefix.
# NOTE(review): no syslog or audit call is visible among the shown lines.
# Confirm that ACL changes are recorded together with the acting user.
133 PVE
::AccessControl
::lock_user_config
(
136 my $cfg = cfs_read_file
("user.cfg");
# Collapse the flag to 1/0. An absent or false parameter becomes 0 here; any
# schema default for 'propagate' is not visible in this excerpt.
138 my $propagate = $param->{propagate
} ?
1 : 0;
# Every requested role must exist in the config. As ordered here the check
# runs before the delete branch, so removing an entry for a role that no longer
# exists dies as well.
140 foreach my $role (split_list
($param->{roles
})) {
141 die "role '$role' does not exist\n"
142 if !$cfg->{roles
}->{$role};
# For each group (still inside the role loop, since $role is used): the group
# must exist; then the path/group/role entry is deleted or set to the propagate
# flag. The line between the two statements is not shown, presumably '} else {'.
# NOTE(review): delete() on the nested path autovivifies the intermediate
# hashes when they are missing; whether the config writer drops empty entries
# is not visible here.
144 foreach my $group (split_list
($param->{groups
})) {
146 die "group '$group' does not exist\n"
147 if !$cfg->{groups
}->{$group};
149 if ($param->{delete}) {
150 delete($cfg->{acl
}->{$path}->{groups
}->{$group}->{$role});
152 $cfg->{acl
}->{$path}->{groups
}->{$group}->{$role} = $propagate;
# For each user id: verify_username supplies the name used as the config key
# (its behaviour on invalid input is not visible here); the user must exist;
# then the same delete-or-set logic as for groups is applied.
156 foreach my $userid (split_list
($param->{users
})) {
157 my $username = PVE
::AccessControl
::verify_username
($userid);
159 die "user '$username' does not exist\n"
160 if !$cfg->{users
}->{$username};
162 if ($param->{delete}) {
163 delete($cfg->{acl
}->{$path}->{users
}->{$username}->{$role});
165 $cfg->{acl
}->{$path}->{users
}->{$username}->{$role} = $propagate;
# Write the modified configuration back to user.cfg.
170 cfs_write_file
("user.cfg", $cfg);
171 }, "ACL update failed");