# PVE::API2::Role -- PVE::RESTHandler subclass (see 'use base' below) that
# registers the role-management API methods: a role index, create_role,
# update_role, a per-role read and delete_role. All of them operate on the
# 'roles' section of user.cfg through cfs_read_file/cfs_write_file.
1 package PVE
::API2
::Role
;
6 use PVE
::AccessControl
();
7 use PVE
::Cluster
qw(cfs_read_file cfs_write_file);
8 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
10 use base
qw(PVE::RESTHandler);
# Shared parameter definitions, referenced by every method below through
# get_standard_option(). The 'pve-roleid' and 'pve-priv-list' formats are
# PVE::JSONSchema formats whose definitions are not in this file; presumably
# they validate the role name and the privilege list before a method body
# runs -- verify in PVE::JSONSchema.
12 register_standard_option
('role-id', {
14 format
=> 'pve-roleid',
16 register_standard_option
('role-privs', {
18 format
=> 'pve-priv-list',
# Role index: one entry per role in user.cfg, with its privileges rendered as
# a sorted, comma-separated string and a 'special' flag for built-in roles.
# The permission definition for this method is not in the visible fragment.
22 __PACKAGE__-
>register_method ({
26 description
=> "Role index.",
31 additionalProperties
=> 0,
39 roleid
=> get_standard_option
('role-id'),
40 privs
=> get_standard_option
('role-privs'),
# 'special' marks built-in roles; update_role and delete_role below refuse to
# touch those, so clients can use this flag to render them read-only.
41 special
=> { type
=> 'boolean', optional
=> 1, default => 0 },
44 links
=> [ { rel
=> 'child', href
=> "{roleid}" } ],
51 my $usercfg = cfs_read_file
("user.cfg");
# Sorting the privilege names yields a stable string for identical privilege sets.
53 foreach my $role (keys %{$usercfg->{roles
}}) {
54 my $privs = join(',', sort keys %{$usercfg->{roles
}->{$role}});
58 special
=> PVE
::AccessControl
::role_is_special
($role),
# create_role: adds a new, initially empty role to user.cfg and then grants it
# the requested privileges via PVE::AccessControl::add_role_privs.
65 __PACKAGE__-
>register_method ({
66 name
=> 'create_role',
71 check
=> ['perm', '/access', ['Sys.Modify']],
# Caller needs Sys.Modify on the /access ACL path.
73 description
=> "Create new role.",
75 additionalProperties
=> 0,
77 roleid
=> get_standard_option
('role-id'),
78 privs
=> get_standard_option
('role-privs'),
81 returns
=> { type
=> 'null' },
# The existence check, the insert and the write all happen inside
# lock_user_config, so a concurrent create of the same role name cannot slip
# in between the check and the write (assuming lock_user_config serialises
# writers to user.cfg -- its implementation is not visible here).
85 PVE
::AccessControl
::lock_user_config
(sub {
86 my $usercfg = cfs_read_file
("user.cfg");
88 my $role = $param->{roleid
};
90 die "role '$role' already exists\n" if $usercfg->{roles
}->{$role};
# Start from an empty privilege set; add_role_privs fills it from $param->{privs}.
92 $usercfg->{roles
}->{$role} = {};
94 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
96 cfs_write_file
("user.cfg", $usercfg);
# Second argument is presumably the error prefix used when the locked block dies.
97 }, "create role failed");
# update_role: replaces (or, with append => 1, extends) the privilege set of an
# existing, non-built-in role in user.cfg.
102 __PACKAGE__-
>register_method ({
103 name
=> 'update_role',
108 check
=> ['perm', '/access', ['Sys.Modify']],
# Caller needs Sys.Modify on the /access ACL path.
110 description
=> "Update an existing role.",
112 additionalProperties
=> 0,
114 roleid
=> get_standard_option
('role-id'),
115 privs
=> get_standard_option
('role-privs'),
# append => 1 keeps the role's existing privileges and adds the given ones;
# without it the privilege set is replaced wholesale (see the reset below).
116 append
=> { type
=> 'boolean', optional
=> 1, requires
=> 'privs' },
119 returns
=> { type
=> 'null' },
123 my $role = $param->{roleid
};
# Built-in roles are immutable. Checked before taking the lock; role_is_special
# presumably depends only on the role name, not on user.cfg contents -- verify.
125 die "auto-generated role '$role' cannot be modified\n"
126 if PVE
::AccessControl
::role_is_special
($role);
128 PVE
::AccessControl
::lock_user_config
(sub {
129 my $usercfg = cfs_read_file
("user.cfg");
# Existence check runs under the lock so it reflects the file that is rewritten below.
131 die "role '$role' does not exist\n" if !$usercfg->{roles
}->{$role};
# Non-append update: drop every current privilege before adding the new list.
133 $usercfg->{roles
}->{$role} = {} if !$param->{append
};
135 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
137 cfs_write_file
("user.cfg", $usercfg);
# Second argument is presumably the error prefix used when the locked block dies.
138 }, "update role failed");
# Read one role: returns the role's privilege hash, described by
# PVE::AccessControl::create_priv_properties(). The permission definition and
# the final return statement are outside the visible fragment.
143 __PACKAGE__-
>register_method ({
150 description
=> "Get role configuration.",
152 additionalProperties
=> 0,
154 roleid
=> get_standard_option
('role-id'),
159 additionalProperties
=> 0,
160 properties
=> PVE
::AccessControl
::create_priv_properties
(),
165 my $usercfg = cfs_read_file
("user.cfg");
167 my $role = $param->{roleid
};
169 my $data = $usercfg->{roles
}->{$role};
# An unknown role is an error rather than an empty result.
171 die "role '$role' does not exist\n" if !$data;
# delete_role: removes a role entry from user.cfg. Built-in roles are refused.
177 __PACKAGE__-
>register_method ({
178 name
=> 'delete_role',
183 check
=> ['perm', '/access', ['Sys.Modify']],
# Caller needs Sys.Modify on the /access ACL path.
185 description
=> "Delete role.",
187 additionalProperties
=> 0,
189 roleid
=> get_standard_option
('role-id'),
192 returns
=> { type
=> 'null' },
196 my $role = $param->{roleid
};
# Built-in roles are immutable. Checked before taking the lock; role_is_special
# presumably depends only on the role name, not on user.cfg contents -- verify.
198 die "auto-generated role '$role' cannot be deleted\n"
199 if PVE
::AccessControl
::role_is_special
($role);
201 PVE
::AccessControl
::lock_user_config
(sub {
202 my $usercfg = cfs_read_file
("user.cfg");
# Existence check runs under the lock so it reflects the file that is rewritten below.
204 die "role '$role' does not exist\n" if !$usercfg->{roles
}->{$role};
206 delete ($usercfg->{roles
}->{$role});
208 # fixme: delete role from acl?
# NOTE(review): this method only removes the 'roles' entry; any ACL entry that
# still names this role is left in place, and how such a dangling reference is
# treated when permissions are evaluated is not visible in this file.
210 cfs_write_file
("user.cfg", $usercfg);
# Second argument is presumably the error prefix used when the locked block dies.
211 }, "delete role failed");