[pve-devel] r5567 - in pve-access-control/trunk: . PVE

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Feb 18 11:12:42 CET 2011


Author: dietmar
Date: 2011-02-18 11:12:42 +0100 (Fri, 18 Feb 2011)
New Revision: 5567

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/AccessControl.pm
Log:
try to create a predefined
	set of roles automatically.


Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-18 07:01:00 UTC (rev 5566)
+++ pve-access-control/trunk/ChangeLog	2011-02-18 10:12:42 UTC (rev 5567)
@@ -1,3 +1,8 @@
+2011-02-18  Proxmox Support Team  <support at proxmox.com>
+
+	* PVE/AccessControl.pm (create_roles): try to create a predefined
+	set of roles automatically.
+
 2011-02-17  Proxmox Support Team  <support at proxmox.com>
 
 	* PVE/API2/Domains.pm: new API to for domains.cfg

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-02-18 07:01:00 UTC (rev 5566)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-02-18 10:12:42 UTC (rev 5567)
@@ -446,31 +446,78 @@
     return Encode::decode("utf8", uri_unescape($data));
 }
 
-my $valid_privs = {
-    'VM.Audit' => 1,
-    'VM.Modify' => 1,
-    'VM.Allocate' => 1,
-    'VM.PowerMgmt' => 1, 
-    'VM.Migrate' => 1,
-    'VM.Console' => 1,
- 
-    'Datastore.Audit' => 1,
-    'Datastore.Allocate' => 1,
-    'Datastore.AllocateSpace' => 1,
+# we automatically create some predefined roles by splitting privs
+# into 3 groups (per category)
+# root: only root is allowed to do that
+# admin: an administrator can to that
+# user: a normak user/customer can to that
+my $privgroups = {
+    VM => {
+	root => [],
+	admin => [	     
+	    'VM.Modify', 
+	    'VM.Allocate', 
+	    'VM.Migrate',
+	    'Permissions.Modify',
+	],
+	user => [
+	    'VM.Audit',
+	    'VM.Console', 
+	    'VM.PowerMgmt',
+	],
+    },
+    Sys => {
+	root => [
+	    'Sys.PowerMgmt',	 
+	],
+	admin => [
+	    'Sys.Console',    
+	    'Sys.Audit',
+	    'Sys.Syslog',
+	],
+	user => [],
+    },
+    Datastore => {
+	root => [
+	    'Datastore.Allocate',
+	    'Permissions.Modify',
+	],
+	admin => [],
+	user => [
+	    'Datastore.AllocateSpace',
+	    'Datastore.Audit',
+	],
+    },
+};
 
-    'Permissions.Modify' => 1,
+my $valid_privs = {};
 
-    'Sys.PowerMgmt' => 1,
-    'Sys.Console' => 1,
-    'Sys.Syslog' => 1,
-    'Sys.Audit' => 1,
-};
-
 my $special_roles = {
     'NoAccess' => {}, # no priviledges
     'Administrator' => $valid_privs, # all priviledges
 };
 
+sub create_roles {
+
+    foreach my $cat (keys %$privgroups) {
+	my $cd = $privgroups->{$cat};
+	foreach my $p (@{$cd->{root}}, @{$cd->{admin}}, @{$cd->{user}}) {
+	    $valid_privs->{$p} = 1;
+	}
+	foreach my $p (@{$cd->{admin}}, @{$cd->{user}}) {
+	    $special_roles->{"PVE${cat}Admin"}->{$p} = 1;
+	    $special_roles->{"PVEAdmin"}->{$p} = 1;
+	}
+	if (scalar(@{$cd->{user}})) {
+	    foreach my $p (@{$cd->{user}}) {
+		$special_roles->{"PVE${cat}User"}->{$p} = 1;
+	    }
+	}
+    }
+};
+
+create_roles();
+
 my $valid_attributes = {
     ad => {
 	server1 => '[\w\d]+(.[\w\d]+)*',



More information about the pve-devel mailing list