]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/Role.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bump version to 5.1-1
[pve-access-control.git] / PVE / API2 / Role.pm
1 package PVE::API2::Role;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7 use PVE::JSONSchema qw(get_standard_option register_standard_option);
8
9 use PVE::SafeSyslog;
10
11 use PVE::RESTHandler;
12
13 use base qw(PVE::RESTHandler);
14
15 register_standard_option('role-id', {
16 type => 'string',
17 format => 'pve-roleid',
18 });
19 register_standard_option('role-privs', {
20 type => 'string' ,
21 format => 'pve-priv-list',
22 optional => 1,
23 });
24
25 __PACKAGE__->register_method ({
26 name => 'index',
27 path => '',
28 method => 'GET',
29 description => "Role index.",
30 permissions => {
31 user => 'all',
32 },
33 parameters => {
34 additionalProperties => 0,
35 properties => {},
36 },
37 returns => {
38 type => 'array',
39 items => {
40 type => "object",
41 properties => {
42 roleid => get_standard_option('role-id'),
43 privs => get_standard_option('role-privs'),
44 special => { type => 'boolean', optional => 1, default => 0 },
45 },
46 },
47 links => [ { rel => 'child', href => "{roleid}" } ],
48 },
49 code => sub {
50 my ($param) = @_;
51
52 my $res = [];
53
54 my $usercfg = cfs_read_file("user.cfg");
55
56 foreach my $role (keys %{$usercfg->{roles}}) {
57 my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
58 push @$res, {
59 roleid => $role,
60 privs => $privs,
61 special => PVE::AccessControl::role_is_special($role),
62 };
63 }
64
65 return $res;
66 }});
67
68 __PACKAGE__->register_method ({
69 name => 'create_role',
70 protected => 1,
71 path => '',
72 method => 'POST',
73 permissions => {
74 check => ['perm', '/access', ['Sys.Modify']],
75 },
76 description => "Create new role.",
77 parameters => {
78 additionalProperties => 0,
79 properties => {
80 roleid => get_standard_option('role-id'),
81 privs => get_standard_option('role-privs'),
82 },
83 },
84 returns => { type => 'null' },
85 code => sub {
86 my ($param) = @_;
87
88 PVE::AccessControl::lock_user_config(
89 sub {
90
91 my $usercfg = cfs_read_file("user.cfg");
92
93 my $role = $param->{roleid};
94
95 die "role '$role' already exists\n"
96 if $usercfg->{roles}->{$role};
97
98 $usercfg->{roles}->{$role} = {};
99
100 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
101
102 cfs_write_file("user.cfg", $usercfg);
103 }, "create role failed");
104
105 return undef;
106 }});
107
108 __PACKAGE__->register_method ({
109 name => 'update_role',
110 protected => 1,
111 path => '{roleid}',
112 method => 'PUT',
113 permissions => {
114 check => ['perm', '/access', ['Sys.Modify']],
115 },
116 description => "Update an existing role.",
117 parameters => {
118 additionalProperties => 0,
119 properties => {
120 roleid => get_standard_option('role-id'),
121 privs => get_standard_option('role-privs'),
122 append => { type => 'boolean', optional => 1, requires => 'privs' },
123 },
124 },
125 returns => { type => 'null' },
126 code => sub {
127 my ($param) = @_;
128
129 PVE::AccessControl::lock_user_config(
130 sub {
131
132 my $role = $param->{roleid};
133
134 my $usercfg = cfs_read_file("user.cfg");
135
136 die "role '$role' does not exist\n"
137 if !$usercfg->{roles}->{$role};
138
139 $usercfg->{roles}->{$role} = {} if !$param->{append};
140
141 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
142
143 cfs_write_file("user.cfg", $usercfg);
144 }, "update role failed");
145
146 return undef;
147 }});
148
149 __PACKAGE__->register_method ({
150 name => 'read_role',
151 path => '{roleid}',
152 method => 'GET',
153 permissions => {
154 user => 'all',
155 },
156 description => "Get role configuration.",
157 parameters => {
158 additionalProperties => 0,
159 properties => {
160 roleid => get_standard_option('role-id'),
161 },
162 },
163 returns => {
164 type => "object",
165 additionalProperties => 0,
166 properties => {
167 privs => get_standard_option('role-privs'),
168 },
169 },
170 code => sub {
171 my ($param) = @_;
172
173 my $usercfg = cfs_read_file("user.cfg");
174
175 my $role = $param->{roleid};
176
177 my $data = $usercfg->{roles}->{$role};
178
179 die "role '$role' does not exist\n" if !$data;
180
181 return $data;
182 }
183 });
184
185 __PACKAGE__->register_method ({
186 name => 'delete_role',
187 protected => 1,
188 path => '{roleid}',
189 method => 'DELETE',
190 permissions => {
191 check => ['perm', '/access', ['Sys.Modify']],
192 },
193 description => "Delete role.",
194 parameters => {
195 additionalProperties => 0,
196 properties => {
197 roleid => get_standard_option('role-id'),
198 },
199 },
200 returns => { type => 'null' },
201 code => sub {
202 my ($param) = @_;
203
204 my $role = $param->{roleid};
205
206 die "auto-generated role '$role' cannot be deleted\n"
207 if PVE::AccessControl::role_is_special($role);
208
209 PVE::AccessControl::lock_user_config(
210 sub {
211 my $usercfg = cfs_read_file("user.cfg");
212
213 die "role '$role' does not exist\n"
214 if !$usercfg->{roles}->{$role};
215
216 delete ($usercfg->{roles}->{$role});
217
218 # fixme: delete role from acl?
219
220 cfs_write_file("user.cfg", $usercfg);
221 }, "delete role failed");
222
223 return undef;
224 }
225 });
226
227 1;
Access control framework