[pve-devel] r5612 - in pve-access-control/trunk: . PVE/API2

svn-commits at proxmox.com svn-commits at proxmox.com
Thu Feb 24 13:19:06 CET 2011


Author: dietmar
Date: 2011-02-24 13:19:06 +0100 (Thu, 24 Feb 2011)
New Revision: 5612

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/API2/ACL.pm
   pve-access-control/trunk/pveum
Log:
	* PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus'
	instead of '-uglist'


Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-24 11:46:39 UTC (rev 5611)
+++ pve-access-control/trunk/ChangeLog	2011-02-24 12:19:06 UTC (rev 5612)
@@ -1,3 +1,8 @@
+2011-02-24  Proxmox Support Team  <support at proxmox.com>
+
+	* PVE/API2/ACL.pm: cleanup API - use '-users' and '-gropus'
+	instead of '-uglist'
+
 2011-02-23  Proxmox Support Team  <support at proxmox.com>
 
 	* PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm

Modified: pve-access-control/trunk/PVE/API2/ACL.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/ACL.pm	2011-02-24 11:46:39 UTC (rev 5611)
+++ pve-access-control/trunk/PVE/API2/ACL.pm	2011-02-24 12:19:06 UTC (rev 5612)
@@ -5,6 +5,7 @@
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::Tools qw(split_list);
 use PVE::AccessControl;
+use PVE::Exception qw(raise_param_exc);
 
 use PVE::SafeSyslog;
 
@@ -76,21 +77,53 @@
     protected => 1,
     path => '', 
     method => 'PUT',
-    description => "Update Access Control List.",
+    description => "Update Access Control List (add or remove permissions).",
     parameters => {
    	additionalProperties => 0,
 	properties => {
-	    path => { type => 'string' },
-	    uglist => { type => 'string' },
-	    roles => { type => 'string', format => 'pve-roleid-list' },
-	    propagate => { type => 'boolean', optional => 1 },
-	    delete => { type => 'boolean', optional => 1 },
+	    path => {
+		description => "Access control path",
+		type => 'string',
+	    },
+	    users => { 
+		description => "List of users.",
+		type => 'string',  format => 'pve-userid-list',  
+		optional => 1,
+	    },
+	    groups => { 
+		description => "List of groups.",
+		type => 'string', format => 'pve-groupid-list',
+		optional => 1,  
+	    },
+	    roles => { 
+		description => "List of roles.",
+		type => 'string', format => 'pve-roleid-list',
+	    },
+	    propagate => { 
+		description => "Allow to propagate (inherit) permissions.",
+		type => 'boolean', 
+		optional => 1,
+	    },
+	    delete => {
+		description => "Remove permissions (instead of adding it).",
+		type => 'boolean', 
+		optional => 1,
+	    },
 	},
     },
     returns => { type => 'null' },
     code => sub {
 	my ($param) = @_;
 
+	if (!($param->{users} || $param->{groups})) {
+	    raise_param_exc({ 
+		users => "either 'users' or 'groups' is required.", 
+		groups => "either 'users' or 'groups' is required." });
+	}
+
+	my $path = PVE::AccessControl::normalize_path($param->{path});
+	raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
+
 	PVE::AccessControl::lock_user_config(
 	    sub {
 			
@@ -98,39 +131,33 @@
 
 		my $propagate = $param->{propagate} ? 1 : 0;
 
-		my $path = PVE::AccessControl::normalize_path($param->{path});
-
-		die "invalid ACL path '$param->{path}'\n" if !$path;
-
 		foreach my $role (split_list($param->{roles})) {
 		    die "role '$role' does not exist\n" 
 			if !$cfg->{roles}->{$role};
 
-		    foreach my $ug (split_list($param->{uglist})) {
+		    foreach my $group (split_list($param->{groups})) {
 
-			if ($ug =~ m/^@(\w+)$/) {
-			    my $group = $1;
+			die "group '$group' does not exist\n"
+			    if !$cfg->{groups}->{$group};
 
-			    die "group '$group' does not exist\n"
-				if !$cfg->{groups}->{$group};
-
-			    if ($param->{delete}) {
-				delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
-			    } else {
-				$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
-			    }
+			if ($param->{delete}) {
+			    delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
 			} else {
-			    my $username = PVE::AccessControl::verify_username($ug);
+			    $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
+			}
+		    }
 
-			    die "user '$username' does not exist\n"
-				if !$cfg->{users}->{$username};
+		    foreach my $userid (split_list($param->{users})) {
+			my $username = PVE::AccessControl::verify_username($userid);
 
-			    if ($param->{delete}) {
-				delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
-			    } else {
-				$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
-			    } 
-			}
+			die "user '$username' does not exist\n"
+			    if !$cfg->{users}->{$username};
+
+			if ($param->{delete}) {
+			    delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
+			} else {
+			    $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
+			} 
 		    }
 		}
 

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2011-02-24 11:46:39 UTC (rev 5611)
+++ pve-access-control/trunk/pveum	2011-02-24 12:19:06 UTC (rev 5612)
@@ -72,8 +72,8 @@
     rolemod => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
     roledel => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
 
-    aclmod => [ 'PVE::API2::ACL', 'update_acl', ['path', 'uglist', 'roles'], { delete => 0 }],
-    acldel => [ 'PVE::API2::ACL', 'update_acl', ['path', 'uglist', 'roles'], { delete => 1 }],
+    aclmod => [ 'PVE::API2::ACL', 'update_acl', ['path', 'roles'], { delete => 0 }],
+    acldel => [ 'PVE::API2::ACL', 'update_acl', ['path', 'roles'], { delete => 1 }],
 };
 
 my $cmd = shift;



More information about the pve-devel mailing list