1 package PVE
::CLI
::pveum
;
6 use PVE
::AccessControl
;
7 use PVE
::RPCEnvironment
;
12 use PVE
::API2
::AccessControl
;
13 use PVE
::API2
::Domains
;
15 use PVE
::Cluster
qw(cfs_read_file cfs_write_file);
16 use PVE
::CLIFormatter
;
18 use PVE
::JSONSchema
qw(get_standard_option);
21 use PVE
::Tools
qw(extract_param);
23 use base
qw(PVE::CLIHandler);
25 sub setup_environment
{
26 PVE
::RPCEnvironment-
>setup_default_cli_env();
33 'change_password' => [
34 PVE
::CLIHandler
::get_standard_mapping
('pve-password'),
37 PVE
::CLIHandler
::get_standard_mapping
('pve-password', {
39 # do not accept values given on cmdline
40 return PVE
::PTY
::read_password
('Enter password: ');
46 return $mapping->{$name};
49 my $print_api_result = sub {
50 my ($data, $schema, $options) = @_;
51 PVE
::CLIFormatter
::print_api_result
($data, $schema, undef, $options);
54 my $print_perm_result = sub {
55 my ($data, $schema, $options) = @_;
57 if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
63 'path' => { type
=> 'string', title
=> 'ACL path' },
64 'permissions' => { type
=> 'string', title
=> 'Permissions' },
69 foreach my $path (sort keys %$data) {
71 my $curr = $data->{$path};
72 foreach my $perm (sort keys %$curr) {
73 $value .= "\n" if $value;
75 $value .= " (*)" if $curr->{$perm};
77 push @$table_data, { path
=> $path, permissions
=> $value };
79 PVE
::CLIFormatter
::print_api_result
($table_data, $table_schema, undef, $options);
80 print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
82 PVE
::CLIFormatter
::print_api_result
($data, $schema, undef, $options);
86 __PACKAGE__-
>register_method({
87 name
=> 'token_permissions',
88 path
=> 'token_permissions',
90 description
=> 'Retrieve effective permissions of given token.',
92 additionalProperties
=> 0,
94 userid
=> get_standard_option
('userid'),
95 tokenid
=> get_standard_option
('token-subid'),
96 path
=> get_standard_option
('acl-path', {
97 description
=> "Only dump this specific path, not the whole tree.",
104 description
=> 'Hash of structure "path" => "privilege" => "propagate boolean".',
109 my $token_subid = extract_param
($param, "tokenid");
110 $param->{userid
} = PVE
::AccessControl
::join_tokenid
($param->{userid
}, $token_subid);
112 return PVE
::API2
::AccessControl-
>permissions($param);
115 __PACKAGE__-
>register_method({
116 name
=> 'delete_tfa',
117 path
=> 'delete_tfa',
119 description
=> 'Delete TFA entries from a user.',
121 additionalProperties
=> 0,
123 userid
=> get_standard_option
('userid'),
125 description
=> "The TFA ID, if none provided, all TFA entries will be deleted.",
131 returns
=> { type
=> 'null' },
135 my $userid = extract_param
($param, "userid");
136 my $tfa_id = extract_param
($param, "id");
138 PVE
::AccessControl
::assert_new_tfa_config_available
();
140 PVE
::AccessControl
::lock_tfa_config
(sub {
141 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
142 if (defined($tfa_id)) {
143 $tfa_cfg->api_delete_tfa($userid, $tfa_id);
145 $tfa_cfg->remove_user($userid);
147 cfs_write_file
('priv/tfa.cfg', $tfa_cfg);
154 add
=> [ 'PVE::API2::User', 'create_user', ['userid'] ],
155 modify
=> [ 'PVE::API2::User', 'update_user', ['userid'] ],
156 delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
157 list
=> [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
158 permissions
=> [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler
::standard_output_options
],
160 delete => [ __PACKAGE__
, 'delete_tfa', ['userid'] ],
163 add
=> [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
164 modify
=> [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
165 remove
=> [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
166 list
=> [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
167 permissions
=> [ __PACKAGE__
, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler
::standard_output_options
],
171 add
=> [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
172 modify
=> [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
173 delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
174 list
=> [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
177 add
=> [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
178 modify
=> [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
179 delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
180 list
=> [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
183 modify
=> [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
184 delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
185 list
=> [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
188 add
=> [ 'PVE::API2::Domains', 'create', ['realm'] ],
189 modify
=> [ 'PVE::API2::Domains', 'update', ['realm'] ],
190 delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
191 list
=> [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
192 sync
=> [ 'PVE::API2::Domains', 'sync', ['realm'], ],
195 ticket
=> [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
198 print "$res->{ticket}\n";
201 passwd
=> [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
203 useradd
=> { alias
=> 'user add' },
204 usermod
=> { alias
=> 'user modify' },
205 userdel
=> { alias
=> 'user delete' },
207 groupadd
=> { alias
=> 'group add' },
208 groupmod
=> { alias
=> 'group modify' },
209 groupdel
=> { alias
=> 'group delete' },
211 roleadd
=> { alias
=> 'role add' },
212 rolemod
=> { alias
=> 'role modify' },
213 roledel
=> { alias
=> 'role delete' },
215 aclmod
=> { alias
=> 'acl modify' },
216 acldel
=> { alias
=> 'acl delete' },
219 # FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
220 # so we only add the pool commands if the API module is available (required for boots-trapping)
223 require PVE
::API2
::Pool
;
224 PVE
::API2
::Pool-
>import();
228 if ($have_pool_api) {
230 add
=> [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
231 modify
=> [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
232 delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
233 list
=> [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
projects / pve-access-control.git / blob