X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FRole.pm;h=156d3b89bc4015060ae851bd180bd10a7ce2c394;hp=396ba488f8684994272dd63031ff52249eb13262;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=2c3a6c0aaac7fbdaeb26bc5a596d21e897f3343a
diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm
index 396ba48..156d3b8 100644
--- a/PVE/API2/Role.pm
+++ b/PVE/API2/Role.pm
@@ -4,20 +4,34 @@ use strict;
 use warnings;
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::AccessControl;
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 use PVE::SafeSyslog;
-use Data::Dumper; # fixme: remove
-
 use PVE::RESTHandler;
 use base qw(PVE::RESTHandler);
+register_standard_option('role-id', {
+ type => 'string',
+ format => 'pve-roleid',
+ title => 'Role ID',
+ print_width => 30
+});
+register_standard_option('role-privs', {
+ type => 'string' ,
+ format => 'pve-priv-list',
+ optional => 1, title => 'Privileges',
+});
+
 __PACKAGE__->register_method ({
- name => 'index',
- path => '',
+ name => 'index',
+ path => '',
 method => 'GET',
 description => "Role index.",
+ permissions => {
+ user => 'all',
+ },
 parameters => {
 additionalProperties => 0,
 properties => {},
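Review bot: The new `permissions => { user => 'all' }` on the index method makes every role's privilege list readable by any authenticated user, and the hunk leaves that decision unexplained. A one-line why-comment above the key would document it, e.g. `# role definitions are intentionally listable by every authenticated user`. The same key is added to read_role in the hunk at @@ -124 and the comment applies there too.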
@@ -27,37 +41,46 @@ __PACKAGE__->register_method ({
 items => {
 type => "object",
 properties => {
- roleid => { type => 'string' },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ special => { type => 'boolean', optional => 1, default => 0, title => 'Built-In' },
 },
 },
 links => [ { rel => 'child', href => "{roleid}" } ],
 },
 code => sub {
 my ($param) = @_;
-
+
 my $res = [];
 my $usercfg = cfs_read_file("user.cfg");
-
+
 foreach my $role (keys %{$usercfg->{roles}}) {
 my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
- push @$res, { roleid => $role, privs => $privs };
+ push @$res, {
+ roleid => $role,
+ privs => $privs,
+ special => PVE::AccessControl::role_is_special($role),
+ };
 }
 return $res;
- }});
+}});
 __PACKAGE__->register_method ({
- name => 'create_role',
+ name => 'create_role',
 protected => 1,
- path => '',
+ path => '',
 method => 'POST',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Create new role.",
 parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
 },
 },
 returns => { type => 'null' },
@@ -66,12 +89,12 @@ __PACKAGE__->register_method ({
 PVE::AccessControl::lock_user_config(
 sub {
-
+
 my $usercfg = cfs_read_file("user.cfg");
 my $role = $param->{roleid};
- die "role '$role' already exists\n"
+ die "role '$role' already exists\n"
 if $usercfg->{roles}->{$role};
 $usercfg->{roles}->{$role} = {};
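Review bot: The `special` value pushed in the index callback is taken straight from `PVE::AccessControl::role_is_special($role)`, while the new return schema declares it as `type => 'boolean'` with `default => 0`; if that helper yields undef or an empty string for ordinary roles, the field would serialize as null or "" rather than false. Normalizing at the push site, `special => PVE::AccessControl::role_is_special($role) ? 1 : 0,`, pins the schema contract regardless of how the helper is written. The helper's definition is outside this diff, so this is worth confirming against PVE::AccessControl before deciding.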
@@ -82,24 +105,23 @@ __PACKAGE__->register_method ({
 }, "create role failed");
 return undef;
- }});
+}});
 __PACKAGE__->register_method ({
- name => 'update_role',
+ name => 'update_role',
 protected => 1,
- path => '{roleid}',
+ path => '{roleid}',
 method => 'PUT',
- description => "Create new role.",
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
+ description => "Update an existing role.",
 parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- privs => { type => 'string' , format => 'pve-priv-list' },
- append => {
- type => 'boolean',
- optional => 1,
- requires => 'privs',
- },
+ roleid => get_standard_option('role-id'),
+ privs => get_standard_option('role-privs'),
+ append => { type => 'boolean', optional => 1, requires => 'privs' },
 },
 },
 returns => { type => 'null' },
@@ -108,12 +130,12 @@ __PACKAGE__->register_method ({
 PVE::AccessControl::lock_user_config(
 sub {
-
+
 my $role = $param->{roleid};
 my $usercfg = cfs_read_file("user.cfg");
-
- die "role '$role' does not exist\n"
+
+ die "role '$role' does not exist\n"
 if !$usercfg->{roles}->{$role};
 $usercfg->{roles}->{$role} = {} if !$param->{append};
@@ -124,21 +146,29 @@ __PACKAGE__->register_method ({
 }, "update role failed");
 return undef;
- }});
+}});
-# fixme: return format!
 __PACKAGE__->register_method ({
- name => 'read_role',
- path => '{roleid}',
+ name => 'read_role',
+ path => '{roleid}',
 method => 'GET',
+ permissions => {
+ user => 'all',
+ },
 description => "Get role configuration.",
 parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
 properties => {
- roleid => { type => 'string' , format => 'pve-roleid' },
+ roleid => get_standard_option('role-id'),
+ },
+ },
+ returns => {
+ type => "object",
+ additionalProperties => 0,
+ properties => {
+ privs => get_standard_option('role-privs'),
 },
 },
- returns => {},
 code => sub {
 my ($param) = @_;
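Review bot: Replacing update_role's inline `privs => { type => 'string' , format => 'pve-priv-list' }` with `get_standard_option('role-privs')` silently turns `privs` from required into optional, because the registered standard option carries `optional => 1`. The locked body in the next hunk (@@ -108) resets the role with `$usercfg->{roles}->{$role} = {} if !$param->{append};` before the new privileges are applied, so a PUT that omits `privs` (and therefore `append`) now strips every privilege from the role instead of being rejected as it was before. If that is not intended, keep the parameter mandatory with `privs => get_standard_option('role-privs', { optional => 0 }),`. The callback that applies `$param->{privs}` continues outside the hunk.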
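Review bot: read_role now declares `returns => { type => "object", additionalProperties => 0, properties => { privs => ... } }`, but the callback shown in the next hunk (@@ -151) still ends with `return $data;`, and the lines that build `$data` fall between the two hunks. If `$data` is still the raw per-role hash keyed by privilege name, the response will not match the declared shape, and `additionalProperties => 0` advertises a contract the handler does not honour; confirm the body converts it, e.g. `return { privs => join(',', sort keys %$data) };`. The method body starts in this hunk and ends in the next one.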
@@ -151,43 +181,49 @@ __PACKAGE__->register_method ({
 die "role '$role' does not exist\n" if !$data;
 return $data;
- }});
-
+ }
+});
 __PACKAGE__->register_method ({
- name => 'delete_role',
+ name => 'delete_role',
 protected => 1,
- path => '{roleid}',
+ path => '{roleid}',
 method => 'DELETE',
+ permissions => {
+ check => ['perm', '/access', ['Sys.Modify']],
+ },
 description => "Delete role.",
 parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
 properties => {
- roleid => { type => 'string', format => 'pve-roleid' },
- }
+ roleid => get_standard_option('role-id'),
+ },
 },
 returns => { type => 'null' },
 code => sub {
 my ($param) = @_;
- PVE::AccessControl::lock_user_config(
- sub {
+ my $role = $param->{roleid};
- my $role = $param->{roleid};
+ die "auto-generated role '$role' cannot be deleted\n"
+ if PVE::AccessControl::role_is_special($role);
+ PVE::AccessControl::lock_user_config(
+ sub {
 my $usercfg = cfs_read_file("user.cfg");
 die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
-
+
 delete ($usercfg->{roles}->{$role}); # fixme: delete role from acl?
 cfs_write_file("user.cfg", $usercfg);
 }, "delete role failed");
-
+
 return undef;
- }});
+ }
+});
 1;
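Review bot: The `# fixme: delete role from acl?` left in the locked section is now the only thing standing between delete_role and dangling ACL entries: the role is dropped from `$usercfg->{roles}` and user.cfg is written back while any ACL entries that still reference the role (the acl part of user.cfg is not shown here) are kept. A later create_role with the same name would then silently re-activate those entries with whatever privileges the new role carries, which is a privilege-reuse hazard rather than a cosmetic leftover. Either refuse the delete while the role is still referenced, or strip those references inside the same `lock_user_config` callback before `cfs_write_file("user.cfg", $usercfg);`. The new `role_is_special` guard runs before the lock, which is only safe if the special-role set is static; it appears to be, but worth a comment saying so.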