1 package PVE::API2::ACL;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::Tools qw(split_list);
7 use PVE::AccessControl;
8 use PVE::Exception qw(raise_param_exc);
12 use Data::Dumper; # fixme: remove
16 use base qw(PVE::RESTHandler);
18 __PACKAGE__->register_method ({
22 description => "Get Access Control List (ACLs).",
27 additionalProperties => 0,
34 additionalProperties => 0,
36 path => { type => 'string' },
37 type => { type => 'string', enum => ['user', 'group'] },
38 ugid => { type => 'string' },
39 roleid => { type => 'string' },
40 propagate => { type => 'boolean' },
47 my $rpcenv = PVE::RPCEnvironment::get();
48 my $authuser = $rpcenv->get_user();
51 my $usercfg = $rpcenv->{user_cfg};
52 if (!$usercfg || !$usercfg->{acl}) {
56 my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
58 my $acl = $usercfg->{acl};
59 foreach my $path (keys %$acl) {
60 foreach my $type (qw(users groups)) {
61 my $d = $acl->{$path}->{$type};
63 next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
64 foreach my $id (keys %$d) {
65 foreach my $role (keys %{$d->{$id}}) {
66 my $propagate = $d->{$id}->{$role};
69 type => $type eq 'groups' ? 'group' : 'user',
72 propagate => $propagate,
82 __PACKAGE__->register_method ({
88 check => ['perm-modify', '{path}'],
90 description => "Update Access Control List (add or remove permissions).",
92 additionalProperties => 0,
95 description => "Access control path",
99 description => "List of users.",
100 type => 'string', format => 'pve-userid-list',
104 description => "List of groups.",
105 type => 'string', format => 'pve-groupid-list',
109 description => "List of roles.",
110 type => 'string', format => 'pve-roleid-list',
113 description => "Allow to propagate (inherit) permissions.",
118 description => "Remove permissions (instead of adding it).",
124 returns => { type => 'null' },
128 if (!($param->{users} || $param->{groups})) {
130 users => "either 'users' or 'groups' is required.",
131 groups => "either 'users' or 'groups' is required." });
134 my $path = PVE::AccessControl::normalize_path($param->{path});
135 raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
137 PVE::AccessControl::lock_user_config(
140 my $cfg = cfs_read_file("user.cfg");
142 my $propagate = $param->{propagate} ? 1 : 0;
144 foreach my $role (split_list($param->{roles})) {
145 die "role '$role' does not exist\n"
146 if !$cfg->{roles}->{$role};
148 foreach my $group (split_list($param->{groups})) {
150 die "group '$group' does not exist\n"
151 if !$cfg->{groups}->{$group};
153 if ($param->{delete}) {
154 delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
156 $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
160 foreach my $userid (split_list($param->{users})) {
161 my $username = PVE::AccessControl::verify_username($userid);
163 die "user '$username' does not exist\n"
164 if !$cfg->{users}->{$username};
166 if ($param->{delete}) {
167 delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
169 $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
174 cfs_write_file("user.cfg", $cfg);
175 }, "ACL update failed");
projects / pve-access-control.git / blob