1 package PVE
::API2
::Role
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
12 use base
qw(PVE::RESTHandler);
14 __PACKAGE__-
>register_method ({
18 description
=> "Role index.",
23 additionalProperties
=> 0,
31 roleid
=> { type
=> 'string' },
34 links
=> [ { rel
=> 'child', href
=> "{roleid}" } ],
41 my $usercfg = cfs_read_file
("user.cfg");
43 foreach my $role (keys %{$usercfg->{roles
}}) {
44 my $privs = join(',', sort keys %{$usercfg->{roles
}->{$role}});
45 push @$res, { roleid
=> $role, privs
=> $privs,
46 special
=> PVE
::AccessControl
::role_is_special
($role) };
52 __PACKAGE__-
>register_method ({
53 name
=> 'create_role',
58 check
=> ['perm', '/access', ['Sys.Modify']],
60 description
=> "Create new role.",
62 additionalProperties
=> 0,
64 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
65 privs
=> { type
=> 'string' , format
=> 'pve-priv-list', optional
=> 1 },
68 returns
=> { type
=> 'null' },
72 PVE
::AccessControl
::lock_user_config
(
75 my $usercfg = cfs_read_file
("user.cfg");
77 my $role = $param->{roleid
};
79 die "role '$role' already exists\n"
80 if $usercfg->{roles
}->{$role};
82 $usercfg->{roles
}->{$role} = {};
84 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
86 cfs_write_file
("user.cfg", $usercfg);
87 }, "create role failed");
92 __PACKAGE__-
>register_method ({
93 name
=> 'update_role',
98 check
=> ['perm', '/access', ['Sys.Modify']],
100 description
=> "Create new role.",
102 additionalProperties
=> 0,
104 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
105 privs
=> { type
=> 'string' , format
=> 'pve-priv-list' },
113 returns
=> { type
=> 'null' },
117 PVE
::AccessControl
::lock_user_config
(
120 my $role = $param->{roleid
};
122 my $usercfg = cfs_read_file
("user.cfg");
124 die "role '$role' does not exist\n"
125 if !$usercfg->{roles
}->{$role};
127 $usercfg->{roles
}->{$role} = {} if !$param->{append
};
129 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
131 cfs_write_file
("user.cfg", $usercfg);
132 }, "update role failed");
137 # FIXME: the return format of this method is not yet specified.
138 __PACKAGE__-
>register_method ({
145 description
=> "Get role configuration.",
147 additionalProperties
=> 0,
149 roleid
=> { type
=> 'string' , format
=> 'pve-roleid' },
156 my $usercfg = cfs_read_file
("user.cfg");
158 my $role = $param->{roleid
};
160 my $data = $usercfg->{roles
}->{$role};
162 die "role '$role' does not exist\n" if !$data;
168 __PACKAGE__-
>register_method ({
169 name
=> 'delete_role',
174 check
=> ['perm', '/access', ['Sys.Modify']],
176 description
=> "Delete role.",
178 additionalProperties
=> 0,
180 roleid
=> { type
=> 'string', format
=> 'pve-roleid' },
183 returns
=> { type
=> 'null' },
187 PVE
::AccessControl
::lock_user_config
(
190 my $role = $param->{roleid
};
192 my $usercfg = cfs_read_file
("user.cfg");
194 die "role '$role' does not exist\n"
195 if !$usercfg->{roles
}->{$role};
197 die "auto-generated role '$role' can not be deleted\n"
198 if PVE
::AccessControl
::role_is_special
($role);
200 delete ($usercfg->{roles
}->{$role});
202 # FIXME: ACL entries that still reference this role are not removed here; decide whether deleting a role should also drop it from the ACL.
204 cfs_write_file
("user.cfg", $usercfg);
205 }, "delete role failed");