1 package PVE
::API2
::Role
;
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
7 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
13 use base
qw(PVE::RESTHandler);
15 register_standard_option
('role-id', {
17 format
=> 'pve-roleid',
19 register_standard_option
('role-privs', {
21 format
=> 'pve-priv-list',
25 __PACKAGE__-
>register_method ({
29 description
=> "Role index.",
34 additionalProperties
=> 0,
42 roleid
=> get_standard_option
('role-id'),
43 privs
=> get_standard_option
('role-privs'),
44 special
=> { type
=> 'boolean', optional
=> 1, default => 0 },
47 links
=> [ { rel
=> 'child', href
=> "{roleid}" } ],
54 my $usercfg = cfs_read_file
("user.cfg");
56 foreach my $role (keys %{$usercfg->{roles
}}) {
57 my $privs = join(',', sort keys %{$usercfg->{roles
}->{$role}});
61 special
=> PVE
::AccessControl
::role_is_special
($role),
68 __PACKAGE__-
>register_method ({
69 name
=> 'create_role',
74 check
=> ['perm', '/access', ['Sys.Modify']],
76 description
=> "Create new role.",
78 additionalProperties
=> 0,
80 roleid
=> get_standard_option
('role-id'),
81 privs
=> get_standard_option
('role-privs'),
84 returns
=> { type
=> 'null' },
88 PVE
::AccessControl
::lock_user_config
(
91 my $usercfg = cfs_read_file
("user.cfg");
93 my $role = $param->{roleid
};
95 die "role '$role' already exists\n"
96 if $usercfg->{roles
}->{$role};
98 $usercfg->{roles
}->{$role} = {};
100 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
102 cfs_write_file
("user.cfg", $usercfg);
103 }, "create role failed");
108 __PACKAGE__-
>register_method ({
109 name
=> 'update_role',
114 check
=> ['perm', '/access', ['Sys.Modify']],
116 description
=> "Update an existing role.",
118 additionalProperties
=> 0,
120 roleid
=> get_standard_option
('role-id'),
121 privs
=> get_standard_option
('role-privs'),
122 append
=> { type
=> 'boolean', optional
=> 1, requires
=> 'privs' },
125 returns
=> { type
=> 'null' },
129 my $role = $param->{roleid
};
131 die "auto-generated role '$role' cannot be modified\n"
132 if PVE
::AccessControl
::role_is_special
($role);
134 PVE
::AccessControl
::lock_user_config
(
137 my $usercfg = cfs_read_file
("user.cfg");
139 die "role '$role' does not exist\n"
140 if !$usercfg->{roles
}->{$role};
142 $usercfg->{roles
}->{$role} = {} if !$param->{append
};
144 PVE
::AccessControl
::add_role_privs
($role, $usercfg, $param->{privs
});
146 cfs_write_file
("user.cfg", $usercfg);
147 }, "update role failed");
152 __PACKAGE__-
>register_method ({
159 description
=> "Get role configuration.",
161 additionalProperties
=> 0,
163 roleid
=> get_standard_option
('role-id'),
168 additionalProperties
=> 0,
169 properties
=> PVE
::AccessControl
::create_priv_properties
(),
174 my $usercfg = cfs_read_file
("user.cfg");
176 my $role = $param->{roleid
};
178 my $data = $usercfg->{roles
}->{$role};
180 die "role '$role' does not exist\n" if !$data;
186 __PACKAGE__-
>register_method ({
187 name
=> 'delete_role',
192 check
=> ['perm', '/access', ['Sys.Modify']],
194 description
=> "Delete role.",
196 additionalProperties
=> 0,
198 roleid
=> get_standard_option
('role-id'),
201 returns
=> { type
=> 'null' },
205 my $role = $param->{roleid
};
207 die "auto-generated role '$role' cannot be deleted\n"
208 if PVE
::AccessControl
::role_is_special
($role);
210 PVE
::AccessControl
::lock_user_config
(
212 my $usercfg = cfs_read_file
("user.cfg");
214 die "role '$role' does not exist\n"
215 if !$usercfg->{roles
}->{$role};
217 delete ($usercfg->{roles
}->{$role});
219 # fixme: delete role from acl?
221 cfs_write_file
("user.cfg", $usercfg);
222 }, "delete role failed");