use strict;
use warnings;
-use Getopt::Long;
-use PVE::Tools qw(run_command);
-use PVE::Cluster;
-use PVE::SafeSyslog;
+
use PVE::AccessControl;
-use File::Path qw(make_path remove_tree);
-use Term::ReadLine;
-use PVE::INotify;
use PVE::RPCEnvironment;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::API2::AccessControl;
-use PVE::JSONSchema qw(get_standard_option);
+use PVE::API2::Domains;
+use PVE::CLIFormatter;
use PVE::CLIHandler;
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::PTY;
+use PVE::RESTHandler;
+use PVE::Tools qw(extract_param);
use base qw(PVE::CLIHandler);
PVE::RPCEnvironment->setup_default_cli_env();
}
-sub read_password {
- # return $ENV{PVE_PW_TICKET} if defined($ENV{PVE_PW_TICKET});
+sub param_mapping {
+ my ($name) = @_;
+
+ my $mapping = {
+ 'change_password' => [
+ PVE::CLIHandler::get_standard_mapping('pve-password'),
+ ],
+ 'create_ticket' => [
+ PVE::CLIHandler::get_standard_mapping('pve-password', {
+ func => sub {
+ # do not accept values given on cmdline
+ return PVE::PTY::read_password('Enter password: ');
+ },
+ }),
+ ]
+ };
- my $term = new Term::ReadLine ('pveum');
- my $attribs = $term->Attribs;
- $attribs->{redisplay_function} = $attribs->{shadow_redisplay};
- my $input = $term->readline('Enter new password: ');
- my $conf = $term->readline('Retype new password: ');
- die "Passwords do not match.\n" if ($input ne $conf);
- return $input;
+ return $mapping->{$name};
}
+my $print_api_result = sub {
+ my ($data, $schema, $options) = @_;
+ PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
+};
+
+my $print_perm_result = sub {
+ my ($data, $schema, $options) = @_;
+
+ if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
+ my $table_schema = {
+ type => 'array',
+ items => {
+ type => 'object',
+ properties => {
+ 'path' => { type => 'string', title => 'ACL path' },
+ 'permissions' => { type => 'string', title => 'Permissions' },
+ },
+ },
+ };
+ my $table_data = [];
+ foreach my $path (sort keys %$data) {
+ my $value = '';
+ my $curr = $data->{$path};
+ foreach my $perm (sort keys %$curr) {
+ $value .= "\n" if $value;
+ $value .= $perm;
+ $value .= " (*)" if $curr->{$perm};
+ }
+ push @$table_data, { path => $path, permissions => $value };
+ }
+ PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
+ print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
+ } else {
+ PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
+ }
+};
+
+__PACKAGE__->register_method({
+ name => 'token_permissions',
+ path => 'token_permissions',
+ method => 'GET',
+ description => 'Retrieve effective permissions of given token.',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ userid => get_standard_option('userid'),
+ tokenid => get_standard_option('token-subid'),
+ path => get_standard_option('acl-path', {
+ description => "Only dump this specific path, not the whole tree.",
+ optional => 1,
+ }),
+ },
+ },
+ returns => {
+ type => 'object',
+ description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $token_subid = extract_param($param, "tokenid");
+ $param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
+
+ return PVE::API2::AccessControl->permissions($param);
+ }});
+
our $cmddef = {
+ user => {
+ add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
+ modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
+ delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
+ list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
+ token => {
+ add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
+ modify => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
+ remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
+ list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
+ }
+ },
+ group => {
+ add => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
+ modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
+ delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
+ list => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ },
+ role => {
+ add => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
+ modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
+ delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
+ list => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ },
+ acl => {
+ modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
+ delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
+ list => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ },
+
+ realm => {
+ add => [ 'PVE::API2::Domains', 'create', ['realm'] ],
+ modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
+ delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
+ list => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ sync => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
+ },
+
ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
sub {
my ($res) = @_;
print "$res->{ticket}\n";
}],
- passwd => [ 'PVE::API2::AccessControl', 'change_passsword', ['userid'] ],
+ passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
- useradd => [ 'PVE::API2::User', 'create_user', ['userid'] ],
- usermod => [ 'PVE::API2::User', 'update_user', ['userid'] ],
- userdel => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
+ useradd => { alias => 'user add' },
+ usermod => { alias => 'user modify' },
+ userdel => { alias => 'user delete' },
- groupadd => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
- groupmod => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
- groupdel => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
+ groupadd => { alias => 'group add' },
+ groupmod => { alias => 'group modify' },
+ groupdel => { alias => 'group delete' },
- roleadd => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
- rolemod => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
- roledel => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
+ roleadd => { alias => 'role add' },
+ rolemod => { alias => 'role modify' },
+ roledel => { alias => 'role delete' },
- aclmod => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
- acldel => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
+ aclmod => { alias => 'acl modify' },
+ acldel => { alias => 'acl delete' },
};
1;
projects / pve-access-control.git / blobdiff