1 package PVE::API2::User;
5 use PVE::Exception qw(raise raise_perm_exc);
6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
7 use PVE::Tools qw(split_list);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
15 use base qw(PVE::RESTHandler);
17 register_standard_option('user-enable', {
19 description => "Enable the account (default). You can set this to '0' to disable the account",
24 register_standard_option('user-expire', {
25 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
30 register_standard_option('user-firstname', { type => 'string', optional => 1 });
31 register_standard_option('user-lastname', { type => 'string', optional => 1 });
32 register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
33 register_standard_option('user-comment', { type => 'string', optional => 1 });
34 register_standard_option('user-keys', {
35 description => "Keys for two factor auth (yubico).",
39 register_standard_option('group-list', {
40 type => 'string', format => 'pve-groupid-list',
42 completion => \&PVE::AccessControl::complete_group,
45 my $extract_user_data = sub {
46 my ($data, $full) = @_;
50 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
51 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
54 return $res if !$full;
56 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
61 __PACKAGE__->register_method ({
65 description => "User index.",
67 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
71 additionalProperties => 0,
75 description => "Optional filter for enable property.",
85 userid => get_standard_option('userid-completed'),
86 enable => get_standard_option('user-enable'),
87 expire => get_standard_option('user-expire'),
88 firstname => get_standard_option('user-firstname'),
89 lastname => get_standard_option('user-lastname'),
90 email => get_standard_option('user-email'),
91 comment => get_standard_option('user-comment'),
92 keys => get_standard_option('user-keys'),
95 links => [ { rel => 'child', href => "{userid}" } ],
100 my $rpcenv = PVE::RPCEnvironment::get();
101 my $usercfg = $rpcenv->{user_cfg};
102 my $authuser = $rpcenv->get_user();
106 my $privs = [ 'User.Modify', 'Sys.Audit' ];
107 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
108 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
109 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
111 foreach my $user (keys %{$usercfg->{users}}) {
113 if (!($canUserMod || $user eq $authuser)) {
114 next if !$allowed_users->{$user};
117 my $entry = &$extract_user_data($usercfg->{users}->{$user});
119 if (defined($param->{enabled})) {
120 next if $entry->{enable} && !$param->{enabled};
121 next if !$entry->{enable} && $param->{enabled};
124 $entry->{userid} = $user;
131 __PACKAGE__->register_method ({
132 name => 'create_user',
137 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
139 [ 'userid-param', 'Realm.AllocateUser'],
140 [ 'userid-group', ['User.Modify'], groups_param => 1],
143 description => "Create new user.",
145 additionalProperties => 0,
147 userid => get_standard_option('userid-completed'),
148 enable => get_standard_option('user-enable'),
149 expire => get_standard_option('user-expire'),
150 firstname => get_standard_option('user-firstname'),
151 lastname => get_standard_option('user-lastname'),
152 email => get_standard_option('user-email'),
153 comment => get_standard_option('user-comment'),
154 keys => get_standard_option('user-keys'),
156 description => "Initial password.",
162 groups => get_standard_option('group-list'),
165 returns => { type => 'null' },
169 PVE::AccessControl::lock_user_config(
172 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
174 my $usercfg = cfs_read_file("user.cfg");
176 die "user '$username' already exists\n"
177 if $usercfg->{users}->{$username};
179 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
180 if defined($param->{password});
182 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
183 $usercfg->{users}->{$username} = { enable => $enable };
184 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
186 if ($param->{groups}) {
187 foreach my $group (split_list($param->{groups})) {
188 if ($usercfg->{groups}->{$group}) {
189 PVE::AccessControl::add_user_group($username, $usercfg, $group);
191 die "no such group '$group'\n";
196 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
197 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
198 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
199 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
200 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
202 cfs_write_file("user.cfg", $usercfg);
203 }, "create user failed");
208 __PACKAGE__->register_method ({
212 description => "Get user configuration.",
214 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
217 additionalProperties => 0,
219 userid => get_standard_option('userid-completed'),
223 additionalProperties => 0,
225 enable => get_standard_option('user-enable'),
226 expire => get_standard_option('user-expire'),
227 firstname => get_standard_option('user-firstname'),
228 lastname => get_standard_option('user-lastname'),
229 email => get_standard_option('user-email'),
230 comment => get_standard_option('user-comment'),
231 keys => get_standard_option('user-keys'),
232 groups => { type => 'array' },
239 my ($username, undef, $domain) =
240 PVE::AccessControl::verify_username($param->{userid});
242 my $usercfg = cfs_read_file("user.cfg");
244 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
246 return &$extract_user_data($data, 1);
249 __PACKAGE__->register_method ({
250 name => 'update_user',
255 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
257 description => "Update user configuration.",
259 additionalProperties => 0,
261 userid => get_standard_option('userid-completed'),
262 enable => get_standard_option('user-enable'),
263 expire => get_standard_option('user-expire'),
264 firstname => get_standard_option('user-firstname'),
265 lastname => get_standard_option('user-lastname'),
266 email => get_standard_option('user-email'),
267 comment => get_standard_option('user-comment'),
268 keys => get_standard_option('user-keys'),
269 groups => get_standard_option('group-list'),
273 requires => 'groups',
277 returns => { type => 'null' },
281 my ($username, $ruid, $realm) =
282 PVE::AccessControl::verify_username($param->{userid});
284 PVE::AccessControl::lock_user_config(
287 my $usercfg = cfs_read_file("user.cfg");
289 PVE::AccessControl::check_user_exist($usercfg, $username);
291 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
293 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
295 PVE::AccessControl::delete_user_group($username, $usercfg)
296 if (!$param->{append} && defined($param->{groups}));
298 if ($param->{groups}) {
299 foreach my $group (split_list($param->{groups})) {
300 if ($usercfg->{groups}->{$group}) {
301 PVE::AccessControl::add_user_group($username, $usercfg, $group);
303 die "no such group '$group'\n";
308 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
309 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
310 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
311 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
312 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
314 cfs_write_file("user.cfg", $usercfg);
315 }, "update user failed");
320 __PACKAGE__->register_method ({
321 name => 'delete_user',
325 description => "Delete user.",
328 [ 'userid-param', 'Realm.AllocateUser'],
329 [ 'userid-group', ['User.Modify']],
333 additionalProperties => 0,
335 userid => get_standard_option('userid-completed'),
338 returns => { type => 'null' },
342 my $rpcenv = PVE::RPCEnvironment::get();
343 my $authuser = $rpcenv->get_user();
345 my ($userid, $ruid, $realm) =
346 PVE::AccessControl::verify_username($param->{userid});
348 PVE::AccessControl::lock_user_config(
351 my $usercfg = cfs_read_file("user.cfg");
353 my $domain_cfg = cfs_read_file('domains.cfg');
354 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
355 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
356 $plugin->delete_user($cfg, $realm, $ruid);
359 delete $usercfg->{users}->{$userid};
361 PVE::AccessControl::delete_user_group($userid, $usercfg);
362 PVE::AccessControl::delete_user_acl($userid, $usercfg);
364 cfs_write_file("user.cfg", $usercfg);
365 }, "delete user failed");