[pve-devel] r4993 - pve-access-control/trunk
svn-commits at proxmox.com
Fri Aug 13 09:42:58 CEST 2010
Author: dietmar
Date: 2010-08-13 07:42:58 +0000 (Fri, 13 Aug 2010)
New Revision: 4993
Added:
pve-access-control/trunk/ACL.pm
Modified:
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/Makefile
pve-access-control/trunk/pveum
Log:
* AccessControl.pm (modify_acl): strict error checking - use 'die'
instead of 'warn', moved to ACL.pm
Added: pve-access-control/trunk/ACL.pm
===================================================================
--- pve-access-control/trunk/ACL.pm (rev 0)
+++ pve-access-control/trunk/ACL.pm 2010-08-13 07:42:58 UTC (rev 4993)
@@ -0,0 +1,111 @@
+package PVE::API2::ACL;
+
+use strict;
+use warnings;
+use PVE::INotify qw (read_file write_file);
+use PVE::AccessControl;
+
+use PVE::SafeSyslog;
+
+use Data::Dumper; # fixme: remove
+
+use PVE::RESTHandler;
+
+use base qw(PVE::RESTHandler);
+
+# fixme: format, what data exactly??
+__PACKAGE__->register_method ({
+ name => 'read_acl',
+ path => '',
+ method => 'GET',
+ description => "Get Access Control List (ACLs).",
+ parameters => {
+ additionalProperties => 0,
+ properties => {},
+ },
+ returns => {},
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ my $res = [];
+
+ my $usercfg = read_file("usercfg");
+
+ return $usercfg->{acl};
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'update_acl',
+ protected => 1,
+ path => '',
+ method => 'PUT',
+ description => "Update Access Control List.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ path => { type => 'string' },
+ uglist => { type => 'string' },
+ roles => { type => 'string' },
+ propagate => { type => 'boolean', optional => 1 },
+ delete => { type => 'boolean', optional => 1 },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($conn, $resp, $param) = @_;
+
+ PVE::AccessControl::lock_user_config(
+ sub {
+
+ my $cfg = read_file("usercfg");
+
+ my $propagate = $param->{propagate} ? 1 : 0;
+
+ my $path = PVE::AccessControl::normalize_path($param->{path});
+
+ die "invalid ACL path '$param->{path}'\n" if !$path;
+
+ foreach my $role (PVE::AccessControl::split_list($param->{roles})) {
+ PVE::AccessControl::verify_rolename($role);
+ die "role '$role' does not exist\n"
+ if !$cfg->{roles}->{$role};
+
+ foreach my $ug (PVE::AccessControl::split_list($param->{uglist})) {
+
+ if ($ug =~ m/^@(\w+)$/) {
+ my $group = $1;
+
+ die "group '$group' does not exist\n"
+ if !$cfg->{groups}->{$group};
+
+ if ($param->{delete}) {
+ delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
+ } else {
+ $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
+ }
+ } else {
+ my $username = PVE::AccessControl::verify_username($ug);
+
+ die "user '$username' does not exist\n"
+ if !$cfg->{users}->{$username};
+
+ if ($param->{delete}) {
+ delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
+ } else {
+ $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
+ }
+ }
+ }
+ }
+
+ write_file("usercfg", $cfg);
+ });
+
+ my $err = $@;
+
+ die "ACL update failed: $err" if $err;
+
+ return undef;
+ }});
+
+1;
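Review bot: `my $res = [];` in the `read_acl` handler is never used — the handler returns `$usercfg->{acl}` directly — so the line should go, and `returns => {}` documents nothing about the list's shape, which the `# fixme: format, what data exactly??` comment above it already acknowledges. In `update_acl`, the group match `m/^@(\w+)$/` uses `$`, which also accepts a trailing newline; `m/^@(\w+)\z/` is the strictly anchored form. `return undef;` at the end of `update_acl` yields a one-element list in list context; plain `return;` is the idiom for "nothing". `use Data::Dumper; # fixme: remove` is still present and unused in this file.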
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/AccessControl.pm 2010-08-13 07:42:58 UTC (rev 4993)
@@ -437,60 +437,6 @@
}
-sub modify_acl {
-
- my ($pathtxt, $uglist, $rolelist, $opts) = @_;
-
- lock_user_config(sub {
-
- my $cfg = read_file($userconfigpath);
- my $propagate = $opts->{propagate} ? 1 : 0;
- if (my $path = normalize_path($pathtxt)) {
- foreach my $role (split_list($rolelist)) {
- if ((!verify_rolename($role, 1)) || (!$cfg->{roles}->{$role})) {
- warn "user config - ignore invalid role name '$role' in acl\n";
- next;
- }
-
- foreach my $ug (split_list($uglist)) {
- if ($ug =~ m/^@(\w+)$/) {
- my $group = $1;
- if ($cfg->{groups}->{$group}) { # group exists
- if ($opts->{delete}) {
- delete ($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
- } else {
- $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
- }
- } else {
- warn "user config - ignore invalid acl group '$group'\n";
- }
- } elsif (verify_username($ug, 1)) {
- if ($cfg->{users}->{$ug}) { # user exists
- if ($opts->{delete}) {
- delete ($cfg->{acl}->{$path}->{users}->{$ug}->{$role});
- } else {
- $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
- }
- } else {
- warn "user config - ignore invalid acl member '$ug'\n";
- }
- } else {
- warn "user config - invalid user/group '$ug' in acl\n";
- }
- }
- }
- } else {
- warn "user config - ignore invalid path in acl '$pathtxt'\n";
- }
-
- write_file($userconfigpath, $cfg);
- });
-
- my $err = $@;
-
- die "acl modify failed: $err" if $err;
-}
-
my $valid_privs = {
'VM.Create' => 1,
'VM.Remove' => 1,
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/ChangeLog 2010-08-13 07:42:58 UTC (rev 4993)
@@ -1,3 +1,8 @@
+2010-08-13 Proxmox Support Team <support at proxmox.com>
+
+ * AccessControl.pm (modify_acl): strict error checking - use 'die'
+ instead of 'warn', moved to ACL.pm
+
2010-08-12 Proxmox Support Team <support at proxmox.com>
* Group.pm: use the new RESTHandler for API methods
Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile 2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/Makefile 2010-08-13 07:42:58 UTC (rev 4993)
@@ -1,4 +1,4 @@
-RELEASE=1.4
+RELEASE=2.0
VERSION=0.1
PACKAGE=libpve-access-control
@@ -17,6 +17,7 @@
DEB=${PACKAGE}_${VERSION}-${PKGREL}_${ARCH}.deb
API2_SOURCES= \
+ ACL.pm \
Role.pm \
Group.pm \
User.pm
Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum 2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/pveum 2010-08-13 07:42:58 UTC (rev 4993)
@@ -9,6 +9,8 @@
use PVE::INotify;
use PVE::API2::User;
use PVE::API2::Group;
+use PVE::API2::Role;
+use PVE::API2::ACL;
use Data::Dumper; # fixme: remove
@@ -139,37 +141,25 @@
my $opts = {};
- if (!GetOptions ($opts, 'propagate')) {
- exit (-1);
- }
+ $opts->{path} = shift;
+ $opts->{uglist} = shift;
+ $opts->{roles} = shift;
- die "wrong number of arguments\n" if scalar (@ARGV) != 3;
- my $pathtxt = shift;
- my $uglist = shift;
- my $rolelist = shift;
+ PVE::API2::ACL->cli_handler('update_acl', \@ARGV, $opts);
- print_usage("syntax error")
- if !$pathtxt && !$rolelist && !$uglist;
-
- PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
-
exit(0);
} elsif ($cmd eq 'acldel') {
my $opts = {};
- die "wrong number of arguments\n" if scalar (@ARGV) != 3;
- my $pathtxt = shift;
- my $uglist = shift;
- my $rolelist = shift;
+ $opts->{path} = shift;
+ $opts->{uglist} = shift;
+ $opts->{roles} = shift;
$opts->{delete} = 1;
- print_usage("syntax error")
- if !$pathtxt && !$rolelist && !$uglist;
+ PVE::API2::ACL->cli_handler('update_acl', \@ARGV, $opts);
- PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
-
exit(0);
} else {
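Review bot: Both the `acladd` and `acldel` branches now `shift` three positionals without the `die "wrong number of arguments\n" if scalar (@ARGV) != 3;` guard the old code had, so a missing argument reaches `cli_handler` as undef and a leading option such as `--propagate` (previously consumed by `GetOptions`) would be taken as the path. Unless `cli_handler` validates the required `path`/`uglist`/`roles` properties and rejects undef, restore a count check before the shifts in both branches, e.g. `die "wrong number of arguments\n" if scalar(@ARGV) < 3;`. The enclosing `if`/`elsif` chain begins before this hunk and continues after it.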