1 package PVE
::API2
::Role
;
6 use PVE
::AccessControl
();
7 use PVE
::Cluster
qw(cfs_read_file cfs_write_file);
8 use PVE
::Exception
qw(raise_param_exc);
9 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
11 use base
qw(PVE::RESTHandler);
# Shared JSONSchema options reused by every endpoint in this file.
# Only the 'format' key of each option is visible on this page; the
# remaining keys of both definitions (and their closing '});') are not
# shown here.
register_standard_option('role-id', {
    # NOTE(review): 'pve-roleid' is a format name, so role IDs are
    # validated by the schema layer before any handler below runs —
    # confirm the format's definition before relying on that.
    format => 'pve-roleid',
register_standard_option('role-privs', {
    format => 'pve-priv-list',
# Role index: lists every role in user.cfg together with its privilege
# set.  The 'name', 'path', 'method' and 'permissions' entries of this
# register_method call, the 'parameters'/'returns' wrappers and the
# 'code => sub {' line are not shown on this page.
__PACKAGE__->register_method({
    description => "Role index.",
    additionalProperties => 0,
    # one returned item per role
    roleid => get_standard_option('role-id'),
    privs => get_standard_option('role-privs'),
    # 'special' flags the built-in roles (see role_is_special below);
    # defaults to 0 for user-defined roles
    special => { type => 'boolean', optional => 1, default => 0 },
    links => [ { rel => 'child', href => "{roleid}" } ],
    # --- handler body (surrounding lines omitted on this page) ---
    # NOTE(review): the permissions block is not visible here — confirm
    # who may call this, since the response exposes the full privilege
    # map of every role.
    my $usercfg = cfs_read_file("user.cfg");
    foreach my $role (keys %{$usercfg->{roles}}) {
        # A role's privileges are the keys of its hash; sorted so the
        # string is stable across calls.
        my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
        # part of the per-role result item (other keys not shown here)
        special => PVE::AccessControl::role_is_special($role),
# Create a new, initially empty role and grant it the requested
# privileges.  Requires Sys.Modify on /access.  The 'path'/'method'
# entries, the 'permissions'/'parameters' wrappers and the
# 'code => sub {' line are not shown on this page.
__PACKAGE__->register_method({
    name => 'create_role',
    check => ['perm', '/access', ['Sys.Modify']],
    description => "Create new role.",
    additionalProperties => 0,
    roleid => get_standard_option('role-id'),
    privs => get_standard_option('role-privs'),
    returns => { type => 'null' },
    # --- handler body (surrounding lines omitted on this page) ---
    my $role = $param->{roleid};
    # The (case-insensitive) 'PVE' prefix is reserved for built-in roles,
    # so a user-defined role can never shadow or impersonate one.
    if ($role =~ /^PVE/i) {
        # presumably the argument hash of raise_param_exc (imported
        # above); the call itself is not shown here
        roleid => "cannot use role ID starting with the (case-insensitive) 'PVE' namespace",
    # Read, existence check and write all happen under the user.cfg lock,
    # so two concurrent creates cannot both pass the 'already exists'
    # check.
    PVE::AccessControl::lock_user_config(sub {
        my $usercfg = cfs_read_file("user.cfg");
        die "role '$role' already exists\n" if $usercfg->{roles}->{$role};
        $usercfg->{roles}->{$role} = {};
        PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
        cfs_write_file("user.cfg", $usercfg);
    }, "create role failed");
# Replace (or, with append=1, extend) the privilege set of an existing
# user-defined role.  Requires Sys.Modify on /access.  The 'path'/'method'
# entries, the 'permissions'/'parameters' wrappers and the
# 'code => sub {' line are not shown on this page.
__PACKAGE__->register_method({
    name => 'update_role',
    check => ['perm', '/access', ['Sys.Modify']],
    description => "Update an existing role.",
    additionalProperties => 0,
    roleid => get_standard_option('role-id'),
    privs => get_standard_option('role-privs'),
    # 'append' only makes sense together with 'privs', hence 'requires'
    append => { type => 'boolean', optional => 1, requires => 'privs' },
    returns => { type => 'null' },
    # --- handler body (surrounding lines omitted on this page) ---
    my $role = $param->{roleid};
    # Built-in roles are immutable; decided by name, so it is safe to
    # check before taking the lock.
    die "auto-generated role '$role' cannot be modified\n"
        if PVE::AccessControl::role_is_special($role);
    PVE::AccessControl::lock_user_config(sub {
        my $usercfg = cfs_read_file("user.cfg");
        die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
        # Without 'append' the role is reset first, so an update is a full
        # replacement of the privilege set rather than a merge.
        # NOTE(review): whether 'privs' may be omitted here (leaving the
        # role empty after the reset) depends on the 'role-privs' option's
        # optional flag, which is not shown on this page — confirm.
        $usercfg->{roles}->{$role} = {} if !$param->{append};
        PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
        cfs_write_file("user.cfg", $usercfg);
    }, "update role failed");
# Read a single role: returns the role's privilege hash from user.cfg.
# The 'name', 'path', 'method' and 'permissions' entries, the
# 'parameters'/'returns' wrappers and the 'code => sub {' line are not
# shown on this page.
__PACKAGE__->register_method({
    description => "Get role configuration.",
    additionalProperties => 0,
    roleid => get_standard_option('role-id'),
    # returned object: its allowed keys come from create_priv_properties()
    additionalProperties => 0,
    properties => PVE::AccessControl::create_priv_properties(),
    # --- handler body (surrounding lines omitted on this page) ---
    # NOTE(review): the permissions block is not visible here — confirm
    # who may read a role's privilege map.
    my $usercfg = cfs_read_file("user.cfg");
    my $role = $param->{roleid};
    my $data = $usercfg->{roles}->{$role};
    # A missing role is an error, not an empty result.
    die "role '$role' does not exist\n" if !$data;
# Remove a user-defined role from user.cfg.  Requires Sys.Modify on
# /access.  The 'path'/'method' entries, the 'permissions'/'parameters'
# wrappers and the 'code => sub {' line are not shown on this page.
__PACKAGE__->register_method({
    name => 'delete_role',
    check => ['perm', '/access', ['Sys.Modify']],
    description => "Delete role.",
    additionalProperties => 0,
    roleid => get_standard_option('role-id'),
    returns => { type => 'null' },
    # --- handler body (surrounding lines omitted on this page) ---
    my $role = $param->{roleid};
    # Built-in roles cannot be removed; decided by name, before the lock.
    die "auto-generated role '$role' cannot be deleted\n"
        if PVE::AccessControl::role_is_special($role);
    PVE::AccessControl::lock_user_config(sub {
        my $usercfg = cfs_read_file("user.cfg");
        die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
        delete ($usercfg->{roles}->{$role});
        # fixme: delete role from acl?
        # NOTE(review): ACL entries that still name this role are left in
        # place.  If a role with the same name is created again later,
        # those stale entries would bind to the new role's privileges —
        # confirm how ACL evaluation treats a reference to a missing role.
        cfs_write_file("user.cfg", $usercfg);
    }, "delete role failed");