From dd2cfee072b8ebe8280595b250dafdb2786297af Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Tue, 17 Apr 2012 10:26:48 +0200 Subject: [PATCH 1/1] return set of privileges on login - can be used to adopt GUI --- Makefile | 2 +- PVE/API2/AccessControl.pm | 67 +++++++++++++++++++++++++++++++++++++++ changelog.Debian | 6 ++++ 3 files changed, 74 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index eb163d6..9e3dd68 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ RELEASE=2.0 VERSION=1.0 PACKAGE=libpve-access-control -PKGREL=18 +PKGREL=19 DESTDIR= PREFIX=/usr diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index 0ef31fa..141bc44 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -131,6 +131,71 @@ my $create_ticket = sub { }; }; +my $compute_api_permission = sub { + my ($rpcenv, $authuser) = @_; + + my $usercfg = $rpcenv->{user_cfg}; + + my $nodelist = PVE::Cluster::get_nodelist(); + my $vmlist = PVE::Cluster::get_vmlist() || {}; + my $idlist = $vmlist->{ids} || {}; + + my $cfg = PVE::Storage::config(); + my @sids = PVE::Storage::storage_ids ($cfg); + + my $res = { + vms => {}, + storage => {}, + access => {}, + nodes => {}, + dc => {}, + }; + + foreach my $vmid (keys %$idlist, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/vms/$vmid"); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' ||$priv =~ m/^VM\./); + $res->{vms}->{$priv} = 1; + } + } + + foreach my $storeid (@sids, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/storage/$storeid"); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' || $priv =~ m/^Datastore\./); + $res->{storage}->{$priv} = 1; + } + } + + foreach my $path (('/access/groups')) { + my $perm = $rpcenv->permissions($authuser, $path); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^(User|Group)\./; + $res->{access}->{$priv} = 1; + } + } + + foreach my $group (keys %{$usercfg->{users}->{$authuser}->{groups}}, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/access/groups/$group"); + if ($perm->{'User.Modify'}) { + $res->{access}->{'User.Modify'} = 1; + } + } + + foreach my $node (@$nodelist) { + my $perm = $rpcenv->permissions($authuser, "/nodes/$node"); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^Sys\./; + $res->{nodes}->{$priv} = 1; + } + } + + my $perm = $rpcenv->permissions($authuser, "/"); + $res->{dc}->{'Sys.Audit'} = 1 if $perm->{'Sys.Audit'}; + + return $res; +}; + __PACKAGE__->register_method ({ name => 'create_ticket', path => 'ticket', @@ -207,6 +272,8 @@ __PACKAGE__->register_method ({ die $err; } + $res->{cap} = &$compute_api_permission($rpcenv, $username); + PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'"); return $res; diff --git a/changelog.Debian b/changelog.Debian index 492266e..2bc47f4 100644 --- a/changelog.Debian +++ b/changelog.Debian @@ -1,3 +1,9 @@ +libpve-access-control (1.0-19) unstable; urgency=low + + * return set of privileges on login - can be used to adopt GUI + + -- Proxmox Support Team Tue, 17 Apr 2012 10:25:10 +0200 + libpve-access-control (1.0-18) unstable; urgency=low * fix bug #151: corretly parse username inside ticket -- 2.39.2