[pve-devel] r4882 - pve-access-control/trunk
svn-commits at proxmox.com
svn-commits at proxmox.com
Thu Jul 8 08:54:09 CEST 2010
Author: dietmar
Date: 2010-07-08 06:54:08 +0000 (Thu, 08 Jul 2010)
New Revision: 4882
Modified:
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/README
pve-access-control/trunk/TODO
pve-access-control/trunk/pveum
Log:
commit patch from Seth
* AccessControl.pm: modify/delete ACL functionality
* pveum (aclmod): Add/Modify ACL
(acldel): Delete ACL
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-07-07 08:42:20 UTC (rev 4881)
+++ pve-access-control/trunk/AccessControl.pm 2010-07-08 06:54:08 UTC (rev 4882)
@@ -750,6 +750,59 @@
die "delete group failed: $err" if $err;
}
+sub modify_acl {
+
+ my ($pathtxt, $uglist, $rolelist, $opts) = @_;
+
+ lock_user_config(sub {
+
+ my $cfg = load_user_config();
+ my $propagate = $opts->{propagate} ? 1 : 0;
+ if (my $path = normalize_path($pathtxt)) {
+ foreach my $role (split_list($rolelist)) {
+ if (!verify_rolename($role, 1)) {
+ warn "user config - ignore invalid role name '$role' in acl\n";
+ next;
+ }
+
+ foreach my $ug (split_list($uglist)) {
+ if ($ug =~ m/^@(\w+)$/) {
+ my $group = $1;
+ if ($cfg->{groups}->{$group}) { # group exists
+ if ($opts->{delete}) {
+ delete ($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
+ } else {
+ $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
+ }
+ } else {
+ warn "user config - ignore invalid acl group '$group'\n";
+ }
+ } elsif (verify_username($ug, 1)) {
+ if ($cfg->{users}->{$ug}) { # user exists
+ if ($opts->{delete}) {
+ delete ($cfg->{acl}->{$path}->{users}->{$ug}->{$role});
+ } else {
+ $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
+ }
+ } else {
+ warn "user config - ignore invalid acl member '$ug'\n";
+ }
+ } else {
+ warn "user config - invalid user/group '$ug' in acl\n";
+ }
+ }
+ }
+ } else {
+ warn "user config - ignore invalid path in acl '$pathtxt'\n";
+ }
+ save_user_config($cfg);
+ });
+
+ my $err = $@;
+
+ die "acl modify failed: $err" if $err;
+}
+
my $valid_privs = {
'VM.Create' => 1,
'VM.Remove' => 1,
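Review bot: In `modify_acl` the delete branch sits inside the existence checks `if ($cfg->{groups}->{$group})` and `if ($cfg->{users}->{$ug})`, so an ACL entry naming a user or group that is no longer in the config cannot be revoked. Unless the user and group delete paths (not visible in this hunk) also purge ACL entries, an account later created under the same name would pick up the stale grant. Testing `$opts->{delete}` first and requiring existence only when granting would fix this: `if ($opts->{delete}) {` for the removal, then `} elsif ($cfg->{groups}->{$group}) {` for the assignment, and likewise for users. Every rejected path, role or member is also only a `warn`, after which `save_user_config($cfg)` still runs and the function returns normally, so a mistyped revoke is indistinguishable from a successful one. A `die` on invalid input in delete mode would surface it, assuming `lock_user_config` reports closure errors through `$@` as the `my $err = $@;` line suggests.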
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-07-07 08:42:20 UTC (rev 4881)
+++ pve-access-control/trunk/ChangeLog 2010-07-08 06:54:08 UTC (rev 4882)
@@ -1,3 +1,10 @@
+2010-07-08 Proxmox Support Team <support at proxmox.com>
+
+ * AccessControl.pm: modify/delete ACL functionality
+
+ * pveum (aclmod): Add/Modify ACL
+ (acldel): Delete ACL
+
2010-07-07 Proxmox Support Team <support at proxmox.com>
* AccessControl.pm: implemented shadowauthentication (add/modify/delete/verify)
Modified: pve-access-control/trunk/README
===================================================================
--- pve-access-control/trunk/README 2010-07-07 08:42:20 UTC (rev 4881)
+++ pve-access-control/trunk/README 2010-07-08 06:54:08 UTC (rev 4882)
@@ -51,7 +51,7 @@
special user root: The root user has full administrative privileges
- encrypted passwords (md5 crypt) are stored in separate shadow file
+ encrypted passwords (SHA256 crypt) are stored in separate shadow file: /etc/pve/auth/shadow.cfg
group:
Modified: pve-access-control/trunk/TODO
===================================================================
--- pve-access-control/trunk/TODO 2010-07-07 08:42:20 UTC (rev 4881)
+++ pve-access-control/trunk/TODO 2010-07-08 06:54:08 UTC (rev 4882)
@@ -1,10 +1,11 @@
TODO: pve-access-control
------------------------
+Recycle Code: Implement delete functionality into modify subroutines. Look for creative
+ ways to recycle code.
+
Implement LDAP Authentication using /etc/pve/auth.cfg for server information. See README.
-Implement create/modify/delete functionality for ACLs.
-
Implement some INotify Class to track config file changes. We need
something similar to PVE::Config (package pve-manager). I would
prefer some generic class which can be used from all PVE packages
Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum 2010-07-07 08:42:20 UTC (rev 4881)
+++ pve-access-control/trunk/pveum 2010-07-08 06:54:08 UTC (rev 4882)
@@ -175,6 +175,41 @@
exit(0);
+} elsif ($cmd eq 'aclmod') {
+
+ my $opts = {};
+
+ if (!GetOptions ($opts, 'propagate')) {
+ exit (-1);
+ }
+
+ die "wrong number of arguments\n" if scalar (@ARGV) != 3;
+ my $pathtxt = shift;
+ my $uglist = shift;
+ my $rolelist = shift;
+
+ print_usage("syntax error\nUsage: pveum aclmod /vm testuser,\@testgroup admin") if
+ !$pathtxt && !$rolelist && !$uglist;
+
+ PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
+
+ exit(0);
+
+} elsif ($cmd eq 'acldel') {
+
+ my $opts = {};
+ die "wrong number of arguments\n" if scalar (@ARGV) != 3;
+ my $pathtxt = shift;
+ my $uglist = shift;
+ my $rolelist = shift;
+ $opts->{delete} = 1;
+ print_usage("syntax error\nUsage: pveum acldel /vm testuser,\@testgroup admin") if
+ !$pathtxt && !$rolelist && !$uglist;
+
+ PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
+
+ exit(0);
+
} else {
print_usage("unknown command '$cmd'");
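Review bot: The usage guard `!$pathtxt && !$rolelist && !$uglist` in the `aclmod` branch fires only when all three arguments are empty, so a call with a single empty argument (for example an empty role list) is passed straight to `modify_acl`; the `acldel` branch repeats the same condition. It should read `!$pathtxt || !$rolelist || !$uglist`. Because `modify_acl` only warns on input it rejects, both branches then reach `exit(0)`, and a script driving `pveum acldel` cannot tell that nothing was revoked. The `elsif` chain these branches extend starts outside the hunk.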