]>
git.proxmox.com Git - pve-access-control.git/blob - src/PVE/CLI/pveum.pm
1 package PVE
::CLI
::pveum
;
6 use PVE
::AccessControl
;
7 use PVE
::RPCEnvironment
;
12 use PVE
::API2
::AccessControl
;
13 use PVE
::API2
::Domains
;
15 use PVE
::Cluster
qw(cfs_read_file cfs_write_file);
16 use PVE
::CLIFormatter
;
18 use PVE
::JSONSchema
qw(get_standard_option);
21 use PVE
::Tools
qw(extract_param);
23 use base
qw(PVE::CLIHandler);
25 sub setup_environment
{
26 PVE
::RPCEnvironment-
>setup_default_cli_env();
33 'change_password' => [
34 PVE
::CLIHandler
::get_standard_mapping
('pve-password'),
37 PVE
::CLIHandler
::get_standard_mapping
('pve-password', {
39 # do not accept values given on cmdline
40 return PVE
::PTY
::read_password
('Enter password: ');
46 return $mapping->{$name};
49 my $print_api_result = sub {
50 my ($data, $schema, $options) = @_;
51 PVE
::CLIFormatter
::print_api_result
($data, $schema, undef, $options);
54 my $print_perm_result = sub {
55 my ($data, $schema, $options) = @_;
57 if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
63 'path' => { type
=> 'string', title
=> 'ACL path' },
64 'permissions' => { type
=> 'string', title
=> 'Permissions' },
69 foreach my $path (sort keys %$data) {
71 my $curr = $data->{$path};
72 foreach my $perm (sort keys %$curr) {
73 $value .= "\n" if $value;
75 $value .= " (*)" if $curr->{$perm};
77 push @$table_data, { path
=> $path, permissions
=> $value };
79 PVE
::CLIFormatter
::print_api_result
($table_data, $table_schema, undef, $options);
80 print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
82 PVE
::CLIFormatter
::print_api_result
($data, $schema, undef, $options);
86 __PACKAGE__-
>register_method({
87 name
=> 'token_permissions',
88 path
=> 'token_permissions',
90 description
=> 'Retrieve effective permissions of given token.',
92 additionalProperties
=> 0,
94 userid
=> get_standard_option
('userid'),
95 tokenid
=> get_standard_option
('token-subid'),
96 path
=> get_standard_option
('acl-path', {
97 description
=> "Only dump this specific path, not the whole tree.",
104 description
=> 'Hash of structure "path" => "privilege" => "propagate boolean".',
109 my $token_subid = extract_param
($param, "tokenid");
110 $param->{userid
} = PVE
::AccessControl
::join_tokenid
($param->{userid
}, $token_subid);
112 return PVE
::API2
::AccessControl-
>permissions($param);
115 __PACKAGE__-
>register_method({
116 name
=> 'delete_tfa',
117 path
=> 'delete_tfa',
119 description
=> 'Delete TFA entries from a user.',
121 additionalProperties
=> 0,
123 userid
=> get_standard_option
('userid'),
125 description
=> "The TFA ID, if none provided, all TFA entries will be deleted.",
131 returns
=> { type
=> 'null' },
135 my $userid = extract_param
($param, "userid");
136 my $tfa_id = extract_param
($param, "id");
138 PVE
::AccessControl
::lock_tfa_config
(sub {
139 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
140 if (defined($tfa_id)) {
141 $tfa_cfg->api_delete_tfa($userid, $tfa_id);
143 $tfa_cfg->remove_user($userid);
145 cfs_write_file
('priv/tfa.cfg', $tfa_cfg);
150 __PACKAGE__-
>register_method({
154 description
=> "List TFA entries.",
156 additionalProperties
=> 0,
158 userid
=> get_standard_option
('userid', { optional
=> 1 }),
161 returns
=> { type
=> 'null' },
165 my $userid = extract_param
($param, "userid");
167 my sub format_tfa_entries
: prototype($;$) {
168 my ($entries, $indent) = @_;
173 for my $entry (@$entries) {
174 my ($id, $ty, $desc) = ($entry->@{qw
/id type description/});
175 printf("${nl}${indent}%-9s %s\n${indent} %s\n", "$ty:", $id, $desc // '');
180 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
181 if (defined($userid)) {
182 format_tfa_entries
($tfa_cfg->api_list_user_tfa($userid));
184 my $result = $tfa_cfg->api_list_tfa('', 1);
186 for my $entry (sort { $a->{userid
} cmp $b->{userid
} } @$result) {
187 print "${nl}$entry->{userid}:\n";
188 format_tfa_entries
($entry->{entries
}, ' ');
197 add
=> [ 'PVE::API2::User', 'create_user', ['userid'] ],
198 modify
=> [ 'PVE::API2::User', 'update_user', ['userid'] ],
199 delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
200 list
=> [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
201 permissions
=> [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler
::standard_output_options
],
203 delete => [ __PACKAGE__
, 'delete_tfa', ['userid'] ],
204 list
=> [ __PACKAGE__
, 'list_tfa', ['userid'] ],
205 unlock
=> [ 'PVE::API2::User', 'unlock_tfa', ['userid'] ],
208 add
=> [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
209 modify
=> [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
210 remove
=> [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
211 list
=> [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
212 permissions
=> [ __PACKAGE__
, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler
::standard_output_options
],
216 add
=> [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
217 modify
=> [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
218 delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
219 list
=> [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
222 add
=> [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
223 modify
=> [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
224 delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
225 list
=> [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
228 modify
=> [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
229 delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
230 list
=> [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
233 add
=> [ 'PVE::API2::Domains', 'create', ['realm'] ],
234 modify
=> [ 'PVE::API2::Domains', 'update', ['realm'] ],
235 delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
236 list
=> [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],
237 sync
=> [ 'PVE::API2::Domains', 'sync', ['realm'], ],
240 ticket
=> [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
243 print "$res->{ticket}\n";
246 passwd
=> [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
248 useradd
=> { alias
=> 'user add' },
249 usermod
=> { alias
=> 'user modify' },
250 userdel
=> { alias
=> 'user delete' },
252 groupadd
=> { alias
=> 'group add' },
253 groupmod
=> { alias
=> 'group modify' },
254 groupdel
=> { alias
=> 'group delete' },
256 roleadd
=> { alias
=> 'role add' },
257 rolemod
=> { alias
=> 'role modify' },
258 roledel
=> { alias
=> 'role delete' },
260 aclmod
=> { alias
=> 'acl modify' },
261 acldel
=> { alias
=> 'acl delete' },
264 # FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
265 # so we only add the pool commands if the API module is available (required for boots-trapping)
268 require PVE
::API2
::Pool
;
269 PVE
::API2
::Pool-
>import();
273 if ($have_pool_api) {
275 add
=> [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
276 modify
=> [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
277 delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
278 list
=> [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler
::standard_output_options
],