1 package PVE
::API2
::Role
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
7 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
13 use base
qw(PVE::RESTHandler);
15 register_standard_option
('role-id', {
17 format
=> 'pve-roleid',
21 register_standard_option
('role-privs', {
23 format
=> 'pve-priv-list',
24 optional
=> 1, title
=> 'Privileges',
27 __PACKAGE__-
>register_method ({
31 description
=> "Role index.",
36 additionalProperties
=> 0,
44 roleid
=> get_standard_option
('role-id'),
45 privs
=> get_standard_option
('role-privs'),
46 special
=> { type
=> 'boolean', optional
=> 1, default => 0, title
=> 'Built-In' },
49 links
=> [ { rel
=> 'child', href
=> "{roleid}" } ],
56 my $usercfg = cfs_read_file
("user.cfg");
58 foreach my $role (keys %{$usercfg->{roles
}}) {
59 my $privs = join(',', sort keys %{$usercfg->{roles
}->{$role}});
63 special
=> PVE
::AccessControl
::role_is_special
($role),
70 __PACKAGE__-
>register_method ({
71 name
=> 'create_role',
76 check
=> ['perm', '/access', ['Sys.Modify']],
78 description
=> "Create new role.",
80 additionalProperties
=> 0,
82 roleid
=> get_standard_option
('role-id'),
83 privs
=> get_standard_option
('role-privs'),
86 returns
=> { type
=> 'null' },
90 PVE
::AccessControl
::lock_user_config
(
93 my $usercfg = cfs_read_file
("user.cfg");
95 my $role = $param->{roleid
};
97 die "role '$role' already exists\n"
98 if $usercfg->{roles
}->{$role};
100 $usercfg->{roles
}->{$role} = {};
102 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
104 cfs_write_file
("user.cfg", $usercfg);
105 }, "create role failed");
110 __PACKAGE__-
>register_method ({
111 name
=> 'update_role',
116 check
=> ['perm', '/access', ['Sys.Modify']],
118 description
=> "Update an existing role.",
120 additionalProperties
=> 0,
122 roleid
=> get_standard_option
('role-id'),
123 privs
=> get_standard_option
('role-privs'),
124 append
=> { type
=> 'boolean', optional
=> 1, requires
=> 'privs' },
127 returns
=> { type
=> 'null' },
131 PVE
::AccessControl
::lock_user_config
(
134 my $role = $param->{roleid
};
136 my $usercfg = cfs_read_file
("user.cfg");
138 die "role '$role' does not exist\n"
139 if !$usercfg->{roles
}->{$role};
141 $usercfg->{roles
}->{$role} = {} if !$param->{append
};
143 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
145 cfs_write_file
("user.cfg", $usercfg);
146 }, "update role failed");
151 __PACKAGE__-
>register_method ({
158 description
=> "Get role configuration.",
160 additionalProperties
=> 0,
162 roleid
=> get_standard_option
('role-id'),
167 additionalProperties
=> 0,
169 privs
=> get_standard_option
('role-privs'),
175 my $usercfg = cfs_read_file
("user.cfg");
177 my $role = $param->{roleid
};
179 my $data = $usercfg->{roles
}->{$role};
181 die "role '$role' does not exist\n" if !$data;
187 __PACKAGE__-
>register_method ({
188 name
=> 'delete_role',
193 check
=> ['perm', '/access', ['Sys.Modify']],
195 description
=> "Delete role.",
197 additionalProperties
=> 0,
199 roleid
=> get_standard_option
('role-id'),
202 returns
=> { type
=> 'null' },
206 my $role = $param->{roleid
};
208 die "auto-generated role '$role' cannot be deleted\n"
209 if PVE
::AccessControl
::role_is_special
($role);
211 PVE
::AccessControl
::lock_user_config
(
213 my $usercfg = cfs_read_file
("user.cfg");
215 die "role '$role' does not exist\n"
216 if !$usercfg->{roles
}->{$role};
218 delete ($usercfg->{roles
}->{$role});
220 # fixme: delete role from acl?
222 cfs_write_file
("user.cfg", $usercfg);
223 }, "delete role failed");