[pve-devel] [PATCH v3 access-control 19/20] pveum: add permissions sub-commands

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jan 21 13:54:17 CET 2020


for user and token commands, and some pretty-printing for regular text
output, since the returned nested hash/dict is not very readable.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/CLI/pveum.pm | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/PVE/CLI/pveum.pm b/PVE/CLI/pveum.pm
index c642f6d..9c9d413 100755
--- a/PVE/CLI/pveum.pm
+++ b/PVE/CLI/pveum.pm
@@ -3,6 +3,7 @@ package PVE::CLI::pveum;
 use strict;
 use warnings;
 
+use PVE::AccessControl;
 use PVE::RPCEnvironment;
 use PVE::API2::User;
 use PVE::API2::Group;
@@ -11,8 +12,10 @@ use PVE::API2::ACL;
 use PVE::API2::AccessControl;
 use PVE::CLIFormatter;
 use PVE::CLIHandler;
+use PVE::JSONSchema qw(get_standard_option);
 use PVE::PTY;
 use PVE::RESTHandler;
+use PVE::Tools qw(extract_param);
 
 use base qw(PVE::CLIHandler);
 
@@ -45,17 +48,80 @@ my $print_api_result = sub {
     PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
 };
 
+my $print_perm_result = sub {
+    my ($data, $schema, $options) = @_;
+
+    if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
+	my $table_schema = {
+	    type => 'array',
+	    items => {
+		type => 'object',
+		properties => {
+		    'path' => { type => 'string', title => 'ACL path' },
+		    'permissions' => { type => 'string', title => 'Permissions' },
+		},
+	    },
+	};
+	my $table_data = [];
+	foreach my $path (sort keys %$data) {
+	    my $value = '';
+	    my $curr = $data->{$path};
+	    foreach my $perm (sort keys %$curr) {
+		$value .= "\n" if $value;
+		$value .= $perm;
+		$value .= " (*)" if $curr->{$perm};
+	    }
+	    push @$table_data, { path => $path, permissions => $value };
+	}
+	PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
+	print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
+    } else {
+	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
+    }
+};
+
+__PACKAGE__->register_method({
+    name => 'token_permissions',
+    path => 'token_permissions',
+    method => 'GET',
+    description => 'Retrieve effective permissions of given token.',
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid'),
+	    tokenid => get_standard_option('token-subid'),
+	    path => get_standard_option('acl-path', {
+		description => "Only dump this specific path, not the whole tree.",
+		optional => 1,
+	    }),
+	},
+    },
+    returns => {
+	type => 'object',
+	description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $token_subid = extract_param($param, "tokenid");
+	$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
+
+	return PVE::API2::AccessControl->permissions($param);
+    }});
+
 our $cmddef = {
     user => {
 	add    => [ 'PVE::API2::User', 'create_user', ['userid'] ],
 	modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
 	delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
 	list   => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+	permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
 	token => {
 	    add    => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 	    update    => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 	    remove    => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 	    list   => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+	    permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
 	}
     },
     group => {
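Review bot: In `$print_perm_result` the inner loop uses `$value .= "\n" if $value;` as its "not the first entry" test, which relies on string truthiness and spreads the cell construction over three statements; `my $value = join("\n", map { $curr->{$_} ? "$_ (*)" : $_ } sort keys %$curr);` builds the same cell in one expression. The text branch also dereferences `$data` and every `$data->{$path}` as a hash without checking, so it presumably fails under `use strict` if the delegated `permissions` call ever returns a non-hash value at either level. The expected shape is spelled out only in the `returns` description of `token_permissions`, so I would add a comment above the sub such as `# expects { $path => { $privilege => $propagate } }`. Because this table is what an administrator reads to audit a token's effective privileges, it is worth confirming how a path with an empty privilege hash should render, since it currently produces a blank cell.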
-- 
2.20.1




