[pve-devel] r5408 - in pve-access-control/trunk: . PVE PVE/API2
svn-commits at proxmox.com
Fri Jan 21 10:17:00 CET 2011
Author: dietmar
Date: 2011-01-21 10:17:00 +0100 (Fri, 21 Jan 2011)
New Revision: 5408
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/API2/User.pm
pve-access-control/trunk/PVE/AccessControl.pm
pve-access-control/trunk/pveum
Log:
* PVE/AccessControl.pm: register a JSONSchema standard option for
'userid'.
* pveum: allow passing passwords via the environment variable
PVE_PW_TICKET
* pveum (auth): new method to verify credentials/privileges (used
by our kvm patches and vncterm)
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-01-21 07:31:10 UTC (rev 5407)
+++ pve-access-control/trunk/ChangeLog 2011-01-21 09:17:00 UTC (rev 5408)
@@ -1,3 +1,13 @@
+2011-01-21 root <root at maui.maurer-it.com>
+
+ * PVE/AccessControl.pm: register a JSONSchema standard option for
+ 'userid'.
+
+ * pveum: allow to pass passwords with environment variable
+ PVE_PW_TICKET
+ * pveum (auth): new method to verify credentials/privileges (used
+ by our kvm patches and vncterm)
+
2011-01-12 root <root at maui.maurer-it.com>
* PVE/AccessControl.pm: use new PVE::Cluster class and read data
Modified: pve-access-control/trunk/PVE/API2/User.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/User.pm 2011-01-21 07:31:10 UTC (rev 5407)
+++ pve-access-control/trunk/PVE/API2/User.pm 2011-01-21 09:17:00 UTC (rev 5408)
@@ -5,6 +5,7 @@
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list);
use PVE::AccessControl;
+use PVE::JSONSchema qw(get_standard_option);
use PVE::SafeSyslog;
@@ -58,7 +59,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' , format => 'pve-userid'},
+ userid => get_standard_option('userid'),
password => { type => 'string' },
}
},
@@ -81,7 +82,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string', format => 'pve-userid' },
+ userid => get_standard_option('userid'),
password => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
},
@@ -135,7 +136,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string', format => 'pve-userid' },
+ userid => get_standard_option('userid'),
},
},
returns => {},
@@ -163,7 +164,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string', format => 'pve-userid' },
+ userid => get_standard_option('userid'),
password => { type => 'string', optional => 1 },
groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
@@ -239,7 +240,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string', format => 'pve-userid' },
+ userid => get_standard_option('userid'),
}
},
returns => { type => 'null' },
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-01-21 07:31:10 UTC (rev 5407)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-01-21 09:17:00 UTC (rev 5408)
@@ -544,7 +544,12 @@
return undef;
}
+PVE::JSONSchema::register_standard_option('userid', {
+ description => "User ID (email address format)",
+ type => 'string', format => 'pve-userid',
+});
+
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
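Review bot: The new `PVE::JSONSchema::register_standard_option('userid', ...)` call makes AccessControl.pm depend on a function that nothing on this page shows existing in the installed PVE::JSONSchema; if it is introduced in pve-common alongside this commit, the package dependency on that library needs a matching version bump, otherwise loading this module fails at compile time on hosts with the older pve-common. The description string `"User ID (email address format)"` should match what the `pve-userid` format actually accepts (`verify_username` is registered elsewhere in this file, outside the hunk); if that format is `user@realm` rather than a real e-mail address, say so, since this text is what API consumers will read.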
Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum 2011-01-21 07:31:10 UTC (rev 5407)
+++ pve-access-control/trunk/pveum 2011-01-21 09:17:00 UTC (rev 5408)
@@ -4,6 +4,7 @@
use Getopt::Long;
use PVE::Tools qw(run_command);
use PVE::Cluster;
+use PVE::SafeSyslog;
use PVE::AccessControl;
use File::Path qw(make_path remove_tree);
use Term::ReadLine;
@@ -13,7 +14,7 @@
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
-
+use PVE::JSONSchema qw(get_standard_option);
use PVE::CLIHandler;
use base qw(PVE::CLIHandler);
@@ -22,6 +23,8 @@
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
+initlog ('pveum', 'daemon');
+
#fixme: logging?
die "please run as root\n" if $> != 0;
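Review bot: The `#fixme: logging?` marker directly below the new `initlog ('pveum', 'daemon');` call reads as stale now that syslog is initialised at this point; if it refers to something other than syslog setup, reword it to say what is still missing, otherwise drop it.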
@@ -40,6 +43,8 @@
my $read_password = sub {
+ return $ENV{PVE_PW_TICKET} if defined($ENV{PVE_PW_TICKET});
+
my $term = new Term::ReadLine ('pveum');
my $attribs = $term->Attribs;
$attribs->{redisplay_function} = $attribs->{shadow_redisplay};
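Review bot: The value read from `$ENV{PVE_PW_TICKET}` is left in the environment after the early return, so every child process pveum later spawns (this file imports `run_command` from PVE::Tools) inherits the password or ticket. Consuming it as it is read avoids that: `my $pw = delete $ENV{PVE_PW_TICKET};` followed by `return $pw if defined $pw;`. Note also that `defined` accepts an empty string, so an exported-but-empty variable skips the interactive prompt and submits an empty password; whether that should fall through to the prompt is a decision worth stating next to the option's description. The `$read_password` closure continues past the end of the hunk.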
@@ -49,12 +54,58 @@
return $input;
};
+__PACKAGE__->register_method ({
+ name => 'auth',
+ path => 'auth',
+ method => 'GET',
+ description => "Helper method to authenticate users and verify access permissions. This is called by external tools like kvm and vncterm. Simply raises an exception when authentication fails or the user does not have the requested privileges.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ userid => get_standard_option('userid'),
+ password => {
+ type => 'string',
+ description => "Password (or ticket). This can be passed via an environment variable 'PVE_PW_TICKET'.",
+ },
+ permissions => {
+ type => 'string' , format => 'pve-priv-list',
+ description => "The list of privileges to check for.",
+ },
+ path => {
+ type => 'string',
+ description => "Path to identify object."
+ }
+ }
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $user = PVE::AccessControl::authenticate_user($param->{userid}, $param->{password});
+
+ # check permissions
+
+ my $path = PVE::AccessControl::normalize_path($param->{path});
+ my $cfg = PVE::Cluster::cfs_read_file("user.cfg");
+ my $perm = PVE::AccessControl::permission($cfg, $user, $path);
+
+ foreach my $priv (PVE::AccessControl::split_list($param->{permissions})) {
+ die "missing privileg '$priv'\n" if !$perm->{$priv};
+ };
+
+ PVE::Cluster::log_msg('info', "root", "successful auth for user '$user'");
+
+ return undef;
+ }});
+
+
my $cmddef = {
ticket => [ 'PVE::API2::User', 'create_ticket', ['userid'], undef,
sub {
my $ticket = shift;
print "$ticket\n";
}],
+ auth => [ __PACKAGE__, 'auth', ['path', 'userid', 'permissions'] ],
useradd => [ 'PVE::API2::User', 'create_user', ['userid'] ],
usermod => [ 'PVE::API2::User', 'update_user', ['userid'] ],
userdel => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
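Review bot: Only successful authentications are logged in the new `auth` method: the `log_msg` call sits after `authenticate_user` and the privilege loop, so a wrong password or a missing privilege (both presumably raised as exceptions, since nothing else handles a failure here) leaves no trace in the cluster log, which is exactly the event an operator needs for incident review when the callers are kvm and vncterm. Wrap the checks in an `eval`, log the failure with the supplied userid (never the password) and re-throw, as sketched below. While there, fix the typo in the error message: `die "missing privilege '$priv'\n" if !$perm->{$priv};`. Also note that an empty `permissions` list makes the loop a no-op, so any valid credential passes; if that pure credential check is intended, say so in the parameter description.
```perl
    code => sub {
	my ($param) = @_;

	my $user;
	eval {
	    $user = PVE::AccessControl::authenticate_user($param->{userid}, $param->{password});

	    # … unchanged: normalize_path, cfs_read_file and permission lookup into $perm …

	    foreach my $priv (PVE::AccessControl::split_list($param->{permissions})) {
		die "missing privilege '$priv'\n" if !$perm->{$priv};
	    }
	};
	if (my $err = $@) {
	    chomp $err;
	    # log the identity the caller claimed, never the password/ticket
	    PVE::Cluster::log_msg('err', "root", "auth failure for user '$param->{userid}': $err");
	    die "$err\n";
	}

	PVE::Cluster::log_msg('info', "root", "successful auth for user '$user'");

	return undef;
    }});
```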