my $domain_cfg = cfs_read_file('domains.cfg');
my $cfg = $domain_cfg->{ids}->{$realm};
- die "auth domain '$realm' does not exists\n" if !$cfg;
+ die "auth domain '$realm' does not exist\n" if !$cfg;
my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
$plugin->authenticate_user($cfg, $realm, $ruid, $password);
'Datastore.Audit',
],
},
+ SDN => {
+ root => [],
+ admin => [
+ 'SDN.Allocate',
+ 'SDN.Audit',
+ ],
+ audit => [
+ 'SDN.Audit',
+ ],
+ },
User => {
root => [
'Realm.Allocate',
} elsif ($et eq 'acl') {
my ($propagate, $pathtxt, $uglist, $rolelist) = @data;
+ $propagate = $propagate ? 1 : 0;
+
if (my $path = normalize_path($pathtxt)) {
foreach my $role (split_list($rolelist)) {
foreach my $group (sort keys %{$cfg->{groups}}) {
my $d = $cfg->{groups}->{$group};
- my $list = join (',', keys %{$d->{users}});
+ my $list = join (',', sort keys %{$d->{users}});
my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
$data .= "group:$group:$list:$comment:\n";
}
foreach my $pool (sort keys %{$cfg->{pools}}) {
my $d = $cfg->{pools}->{$pool};
- my $vmlist = join (',', keys %{$d->{vms}});
- my $storelist = join (',', keys %{$d->{storage}});
+ my $vmlist = join (',', sort keys %{$d->{vms}});
+ my $storelist = join (',', sort keys %{$d->{storage}});
my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
$data .= "pool:$pool:$comment:$vmlist:$storelist:\n";
}
next if $special_roles->{$role};
my $d = $cfg->{roles}->{$role};
- my $list = join (',', keys %$d);
+ my $list = join (',', sort keys %$d);
$data .= "role:$role:$list:\n";
}
$data .= "\n";
- foreach my $path (sort keys %{$cfg->{acl}}) {
- my $d = $cfg->{acl}->{$path};
+ my $collect_rolelist_members = sub {
+ my ($acl_members, $result, $prefix, $exclude) = @_;
- my $ra = {};
+ foreach my $member (keys %$acl_members) {
+ next if $exclude && $member eq $exclude;
- foreach my $group (keys %{$d->{groups}}) {
my $l0 = '';
my $l1 = '';
- foreach my $role (sort keys %{$d->{groups}->{$group}}) {
- my $propagate = $d->{groups}->{$group}->{$role};
+ foreach my $role (sort keys %{$acl_members->{$member}}) {
+ my $propagate = $acl_members->{$member}->{$role};
if ($propagate) {
$l1 .= ',' if $l1;
$l1 .= $role;
$l0 .= $role;
}
}
- $ra->{0}->{$l0}->{"\@$group"} = 1 if $l0;
- $ra->{1}->{$l1}->{"\@$group"} = 1 if $l1;
+ $result->{0}->{$l0}->{"${prefix}${member}"} = 1 if $l0;
+ $result->{1}->{$l1}->{"${prefix}${member}"} = 1 if $l1;
}
+ };
- foreach my $user (keys %{$d->{users}}) {
- # no need to save, because root is always 'Administrator'
- next if $user eq 'root@pam';
+ foreach my $path (sort keys %{$cfg->{acl}}) {
+ my $d = $cfg->{acl}->{$path};
- my $l0 = '';
- my $l1 = '';
- foreach my $role (sort keys %{$d->{users}->{$user}}) {
- my $propagate = $d->{users}->{$user}->{$role};
- if ($propagate) {
- $l1 .= ',' if $l1;
- $l1 .= $role;
- } else {
- $l0 .= ',' if $l0;
- $l0 .= $role;
- }
- }
- $ra->{0}->{$l0}->{$user} = 1 if $l0;
- $ra->{1}->{$l1}->{$user} = 1 if $l1;
- }
+ my $rolelist_members = {};
- foreach my $rolelist (sort keys %{$ra->{0}}) {
- my $uglist = join (',', sort keys %{$ra->{0}->{$rolelist}});
- $data .= "acl:0:$path:$uglist:$rolelist:\n";
- }
- foreach my $rolelist (sort keys %{$ra->{1}}) {
- my $uglist = join (',', sort keys %{$ra->{1}->{$rolelist}});
- $data .= "acl:1:$path:$uglist:$rolelist:\n";
+ $collect_rolelist_members->($d->{'groups'}, $rolelist_members, '@');
+
+ # no need to save 'root@pam', it is always 'Administrator'
+ $collect_rolelist_members->($d->{'users'}, $rolelist_members, '', 'root@pam');
+
+ foreach my $propagate (0,1) {
+ my $filtered = $rolelist_members->{$propagate};
+ foreach my $rolelist (sort keys %$filtered) {
+ my $uglist = join (',', sort keys %{$filtered->{$rolelist}});
+ $data .= "acl:$propagate:$path:$uglist:$rolelist:\n";
+ }
}
}
my ($cfg, $user, $path) = @_;
# NOTE: we do not consider pools here.
- # You need to use $rpcenv->roles() instead if you want that.
+ # Use $rpcenv->permission() for any actual permission checks!
return 'Administrator' if $user eq 'root@pam'; # root can do anything
return @ra;
}
-sub permission {
- my ($cfg, $user, $path) = @_;
-
- $user = PVE::Auth::Plugin::verify_username($user, 1);
- return {} if !$user;
-
- my @ra = roles($cfg, $user, $path);
-
- my $privs = {};
-
- foreach my $role (@ra) {
- if (my $privset = $cfg->{roles}->{$role}) {
- foreach my $p (keys %$privset) {
- $privs->{$p} = 1;
- }
- }
- }
-
- #print "priviledges $user $path = " . Dumper ($privs);
-
- return $privs;
-}
-
-sub check_permissions {
- my ($username, $path, $privlist) = @_;
-
- $path = normalize_path($path);
- my $usercfg = cfs_read_file('user.cfg');
- my $perm = permission($usercfg, $username, $path);
-
- foreach my $priv (split_list($privlist)) {
- return undef if !$perm->{$priv};
- };
-
- return 1;
-}
-
sub remove_vm_access {
my ($vmid) = @_;
my $delVMaccessFn = sub {
projects / pve-access-control.git / blobdiff