[pve-devel] r4989 - pve-access-control/trunk
Thu Aug 12 16:17:46 CEST 2010
Author: dietmar
Date: 2010-08-12 14:17:46 +0000 (Thu, 12 Aug 2010)
New Revision: 4989
Added:
pve-access-control/trunk/Role.pm
Modified:
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/Group.pm
pve-access-control/trunk/Makefile
pve-access-control/trunk/User.pm
pve-access-control/trunk/pveum
Log:
(delete_role): moved to Role.pm
(modify_role): moved to Role.pm
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/AccessControl.pm 2010-08-12 14:17:46 UTC (rev 4989)
@@ -537,62 +537,22 @@
port => '\d*',
};
-sub modify_role {
- my ($role, $opts) = @_;
+sub add_role_privs {
+ my ($role, $usercfg, $privs) = @_;
- lock_user_config(sub {
-
- my $usercfg = read_file($userconfigpath);
+ return if !$privs;
- verify_rolename($role);
+ die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
- if ($opts->{create}) {
- die "can't add role '$role' - role already exists\n" if $usercfg->{roles}->{$role};
- $usercfg->{roles}->{$role} = {};
- }
-
- die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
-
- $usercfg->{roles}->{$role} = {} if !$opts->{append};
- if ($opts->{privs}) {
- foreach my $priv (split_list($opts->{privs})) {
- if ($usercfg->{roles}->{$role} && defined ($valid_privs->{$priv})) {
- $usercfg->{roles}->{$role}->{$priv} = 1;
- } else {
- warn "modify role - ignore invalid priviledge '$priv'\n";
- }
- }
- }
-
- write_file($userconfigpath, $usercfg);
- });
-
- my $err = $@;
-
- die "modify role failed: $err" if $err;
+ foreach my $priv (split_list($privs)) {
+ if (defined ($valid_privs->{$priv})) {
+ $usercfg->{roles}->{$role}->{$priv} = 1;
+ } else {
+ die "invalid priviledge '$priv'\n";
+ }
+ }
}
-sub delete_role {
-
- my ($role) = @_;
-
- lock_user_config(sub {
-
- my $usercfg = read_file($userconfigpath);
-
- verify_rolename($role);
-
- delete ($usercfg->{roles}->{$role})
- if $usercfg->{roles}->{$role};
-
- write_file($userconfigpath, $usercfg);
- });
-
- my $err = $@;
-
- die "delete role '$role' failed: $err" if $err;
-}
-
sub split_list {
my $listtxt = shift || '';
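Review bot: add_role_privs mutates `$usercfg->{roles}->{$role}` in place and dies on the first unknown name at `die "invalid priviledge '$priv'\n";`, a stricter contract than the replaced modify_role (which warned and skipped), so it should be stated on the sub: `# Add each privilege in $privs to $role in $usercfg (in place). Dies on an unknown privilege; caller must hold the user-config lock and only write_file on success.` The two Role.pm callers on this page do call write_file after it inside lock_user_config, so a die leaves the on-disk config untouched, but entries added before the bad name remain set on the in-memory hash, which is harmless only while callers discard it on error. The message also carries over the old typo; `die "invalid privilege '$priv'\n";`. split_list begins on the hunk's last line and continues outside it.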
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/ChangeLog 2010-08-12 14:17:46 UTC (rev 4989)
@@ -2,6 +2,8 @@
* AccessControl.pm (add_group): moved to Group.pm
(delete_group): moved to Group.pm
+ (delete_role): moved to Role.pm
+ (modify_role): moved to Role.pm
* User.pm: strict error checking - use 'die' instead of 'warn'
Modified: pve-access-control/trunk/Group.pm
===================================================================
--- pve-access-control/trunk/Group.pm 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/Group.pm 2010-08-12 14:17:46 UTC (rev 4989)
@@ -103,11 +103,16 @@
code => sub {
my ($conn, $resp, $param) = @_;
+ my $group = $param->{groupid};
+
+ PVE::AccessControl::verify_groupname($group);
+
my $usercfg = read_file("usercfg");
- my $data = $usercfg->{groups}->{$param->{groupid}};
- die "no such group\n" if !$data;
+ my $data = $usercfg->{groups}->{$group};
+ die "group '$group' does not exist\n" if !$data;
+
return $data;
}});
Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/Makefile 2010-08-12 14:17:46 UTC (rev 4989)
@@ -17,6 +17,7 @@
DEB=${PACKAGE}_${VERSION}-${PKGREL}_${ARCH}.deb
API2_SOURCES= \
+ Role.pm \
Group.pm \
User.pm
Added: pve-access-control/trunk/Role.pm
===================================================================
--- pve-access-control/trunk/Role.pm (rev 0)
+++ pve-access-control/trunk/Role.pm 2010-08-12 14:17:46 UTC (rev 4989)
@@ -0,0 +1,213 @@
+package PVE::API2::Role;
+
+use strict;
+use warnings;
+use PVE::INotify qw (read_file write_file);
+use PVE::AccessControl;
+
+use PVE::SafeSyslog;
+
+use Data::Dumper; # fixme: remove
+
+use PVE::RESTHandler;
+
+use base qw(PVE::RESTHandler);
+
+# fixme: index should return more/all attributes?
+__PACKAGE__->register_method ({
+ name => 'index',
+ path => '',
+ method => 'GET',
+ description => "Role index.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {},
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {
+ id => { type => 'string' },
+ },
+ },
+ links => [ { rel => 'child', href => "{id}" } ],
+ },
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ my $res = [];
+
+ my $usercfg = read_file("usercfg");
+
+ foreach my $role (keys %{$usercfg->{roles}}) {
+ push @$res, { id => $role };
+ }
+
+ return $res;
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'create_role',
+ protected => 1,
+ path => '{roleid}',
+ method => 'POST',
+ description => "Create new role.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ roleid => { type => 'string' },
+ privs => { type => 'string', optional => 1 },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ PVE::AccessControl::lock_user_config(
+ sub {
+
+ my $usercfg = read_file("usercfg");
+
+ my $role = $param->{roleid};
+
+ PVE::AccessControl::verify_rolename($role);
+
+ die "role '$role' already exists\n"
+ if $usercfg->{roles}->{$role};
+
+ $usercfg->{roles}->{$role} = {};
+
+ PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
+
+ write_file("usercfg", $usercfg);
+ });
+
+ my $err = $@;
+
+ die "create role failed: $err" if $err;
+
+ return undef;
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'update_role',
+ protected => 1,
+ path => '{roleid}',
+ method => 'PUT',
+ description => "Create new role.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ roleid => { type => 'string' },
+ privs => { type => 'string' },
+ append => {
+ type => 'boolean',
+ optional => 1,
+ requires => 'privs',
+ },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ PVE::AccessControl::lock_user_config(
+ sub {
+
+ my $role = $param->{roleid};
+
+ PVE::AccessControl::verify_rolename($role);
+
+ my $usercfg = read_file("usercfg");
+
+ die "role '$role' does not exist\n"
+ if !$usercfg->{roles}->{$role};
+
+ $usercfg->{roles}->{$role} = {} if !$param->{append};
+
+ PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
+
+ write_file("usercfg", $usercfg);
+ });
+
+ my $err = $@;
+
+ die "update role failed: $err" if $err;
+
+ return undef;
+ }});
+
+# fixme: return format!
+__PACKAGE__->register_method ({
+ name => 'read_role',
+ path => '{roleid}',
+ method => 'GET',
+ description => "Get role configuration.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ roleid => { type => 'string' },
+ },
+ },
+ returns => {},
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ my $usercfg = read_file("usercfg");
+
+ my $role = $param->{roleid};
+
+ PVE::AccessControl::verify_rolename($role);
+
+ my $data = $usercfg->{roles}->{$role};
+
+ die "role '$role' does not exist\n" if !$data;
+
+ return $data;
+ }});
+
+
+__PACKAGE__->register_method ({
+ name => 'delete_role',
+ protected => 1,
+ path => '{roleid}',
+ method => 'DELETE',
+ description => "Delete role.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ roleid => { type => 'string' },
+ }
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ PVE::AccessControl::lock_user_config(
+ sub {
+
+ my $role = $param->{roleid};
+
+ PVE::AccessControl::verify_rolename($role);
+
+ my $usercfg = read_file("usercfg");
+
+ die "role '$role' does not exist\n"
+ if !$usercfg->{roles}->{$role};
+
+ delete ($usercfg->{roles}->{$role});
+
+ # fixme: delete role from acl?
+
+ write_file("usercfg", $usercfg);
+ });
+
+ my $err = $@;
+
+ die "delete role failed: $err" if $err;
+
+ return undef;
+ }});
+
+1;
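Review bot: delete_role removes the role from `$usercfg->{roles}` but, as the `# fixme: delete role from acl?` comment admits, leaves any ACL entries that name the role untouched; if ACLs reference roles by name (the acl structure is not on this page), re-creating a role with the same name would silently re-activate those grants with whatever privileges the new role is given. Either purge the references inside the same locked section or refuse the delete while the role is still referenced, which needs a small check over the ACL entries that is not written here. The update_role handler's `description => "Create new role.",` is copied from create_role and should read `description => "Update existing role.",`. `use Data::Dumper; # fixme: remove` is not used anywhere in the file and should be dropped before this lands.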
Modified: pve-access-control/trunk/User.pm
===================================================================
--- pve-access-control/trunk/User.pm 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/User.pm 2010-08-12 14:17:46 UTC (rev 4989)
@@ -145,11 +145,15 @@
code => sub {
my ($conn, $resp, $param) = @_;
+ my ($username, undef, $domain) =
+ PVE::AccessControl::verify_username($param->{userid});
+
my $usercfg = read_file("usercfg");
- my $data = $usercfg->{users}->{$param->{userid}};
- die "no such user\n" if !$data;
+ my $data = $usercfg->{users}->{$username};
+ die "user '$username' does not exist\n" if !$data;
+
return $data;
}});
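Review bot: the lookup key changes from the raw `$param->{userid}` to the `$username` returned by verify_username, while `$domain` is unpacked and never used; if verify_username normalises the name (the separate realm return suggests a split), the key must match the form the user-creation path stores under `$usercfg->{users}`, which is not visible in this hunk, so confirm it and record it: `# key is the normalised name from verify_username, the same form the create path stores`. Unless `$domain` is kept for later use, `my ($username) = PVE::AccessControl::verify_username($param->{userid});` is the clearer line. The enclosing register_method call starts and ends outside the hunk.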
Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum 2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/pveum 2010-08-12 14:17:46 UTC (rev 4989)
@@ -113,46 +113,26 @@
} elsif ($cmd eq 'roleadd') {
- my $opts = {};
-
- if (!GetOptions ($opts, 'privs=s')) {
- exit (-1);
- }
-
my $role = shift;
- die "no role specified\n" if !$role;
+ PVE::API2::Role->cli_handler('create_role', \@ARGV, { roleid => $role });
- $opts->{create} = 1;
-
- PVE::AccessControl::modify_role($role, $opts);
-
exit(0);
} elsif ($cmd eq 'rolemod') {
- my $opts = {};
-
- if (!GetOptions ($opts, 'append', 'privs=s')) {
- exit (-1);
- }
-
my $role = shift;
- die "no role specified\n" if !$role;
+ PVE::API2::Role->cli_handler('update_role', \@ARGV, { roleid => $role });
- PVE::AccessControl::modify_role($role, $opts);
-
exit(0);
} elsif ($cmd eq 'roledel') {
my $role = shift;
- die "no role specified\n" if !$role;
+ PVE::API2::Role->cli_handler('delete_role', \@ARGV, { roleid => $role });
- PVE::AccessControl::delete_role($role);
-
exit(0);
} elsif ($cmd eq 'aclmod') {
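Review bot: all three branches drop `die "no role specified\n" if !$role;` and now pass `{ roleid => $role }` with $role possibly undef, leaving the missing-argument check to cli_handler's schema validation (roleid is a non-optional string in Role.pm), which presumably rejects it but with a generic validator message instead of the old explicit one; keeping the one-line guard in front of each cli_handler call costs nothing. Each branch also reaches `exit(0);` unconditionally, which is only correct if cli_handler dies on failure rather than returning an error, and that is not visible here. The enclosing if/elsif command dispatch starts and ends outside the hunk.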