use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
use PVE::SafeSyslog;
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
+register_standard_option('role-id', {
+ type => 'string',
+ format => 'pve-roleid',
+});
+register_standard_option('role-privs', {
+ type => 'string' ,
+ format => 'pve-priv-list',
+ optional => 1,
+});
+
__PACKAGE__->register_method ({
- name => 'index',
- path => '',
+ name => 'index',
+ path => '',
method => 'GET',
description => "Role index.",
- permissions => {
+ permissions => {
user => 'all',
},
parameters => {
items => {
type => "object",
properties => {
- roleid => { type => 'string' },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ special => { type => 'boolean', optional => 1, default => 0 },
},
},
links => [ { rel => 'child', href => "{roleid}" } ],
},
code => sub {
my ($param) = @_;
-
+
my $res = [];
my $usercfg = cfs_read_file("user.cfg");
-
+
foreach my $role (keys %{$usercfg->{roles}}) {
my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
- push @$res, { roleid => $role, privs => $privs,
- special => PVE::AccessControl::role_is_special($role) };
+ push @$res, {
+ roleid => $role,
+ privs => $privs,
+ special => PVE::AccessControl::role_is_special($role),
+ };
}
return $res;
- }});
+}});
__PACKAGE__->register_method ({
- name => 'create_role',
+ name => 'create_role',
protected => 1,
- path => '',
+ path => '',
method => 'POST',
- permissions => {
+ permissions => {
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Create new role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
},
},
returns => { type => 'null' },
PVE::AccessControl::lock_user_config(
sub {
-
+
my $usercfg = cfs_read_file("user.cfg");
my $role = $param->{roleid};
- die "role '$role' already exists\n"
+ die "role '$role' already exists\n"
if $usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {};
}, "create role failed");
return undef;
- }});
+}});
__PACKAGE__->register_method ({
- name => 'update_role',
+ name => 'update_role',
protected => 1,
- path => '{roleid}',
+ path => '{roleid}',
method => 'PUT',
- permissions => {
+ permissions => {
check => ['perm', '/access', ['Sys.Modify']],
},
- description => "Create new role.",
+ description => "Update an existing role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list' },
- append => {
- type => 'boolean',
- optional => 1,
- requires => 'privs',
- },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ append => { type => 'boolean', optional => 1, requires => 'privs' },
},
},
returns => { type => 'null' },
PVE::AccessControl::lock_user_config(
sub {
-
+
my $role = $param->{roleid};
my $usercfg = cfs_read_file("user.cfg");
-
- die "role '$role' does not exist\n"
+
+ die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {} if !$param->{append};
}, "update role failed");
return undef;
- }});
+}});
-# fixme: return format!
__PACKAGE__->register_method ({
- name => 'read_role',
- path => '{roleid}',
+ name => 'read_role',
+ path => '{roleid}',
method => 'GET',
- permissions => {
+ permissions => {
user => 'all',
},
description => "Get role configuration.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- roleid => { type => 'string' , format => 'pve-roleid' },
+ roleid => get_standard_option('role-id'),
},
},
- returns => {},
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => PVE::AccessControl::create_priv_properties(),
+ },
code => sub {
my ($param) = @_;
die "role '$role' does not exist\n" if !$data;
return $data;
- }});
-
+ }
+});
__PACKAGE__->register_method ({
- name => 'delete_role',
+ name => 'delete_role',
protected => 1,
- path => '{roleid}',
+ path => '{roleid}',
method => 'DELETE',
- permissions => {
+ permissions => {
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Delete role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- }
+ roleid => get_standard_option('role-id'),
+ },
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
- PVE::AccessControl::lock_user_config(
- sub {
+ my $role = $param->{roleid};
- my $role = $param->{roleid};
+ die "auto-generated role '$role' cannot be deleted\n"
+ if PVE::AccessControl::role_is_special($role);
+ PVE::AccessControl::lock_user_config(
+ sub {
my $usercfg = cfs_read_file("user.cfg");
die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role};
-
- die "auto-generated role '$role' can not be deleted\n"
- if PVE::AccessControl::role_is_special($role);
delete ($usercfg->{roles}->{$role});
cfs_write_file("user.cfg", $usercfg);
}, "delete role failed");
-
+
return undef;
- }});
+ }
+});
1;
projects / pve-access-control.git / blobdiff