[pve-devel] [PATCH v3 access-control 19/20] pveum: add permissions sub-commands
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jan 21 13:54:17 CET 2020
for user and token commands, and some pretty-printing for regular text
output, since the returned nested hash/dict is not very readable.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/CLI/pveum.pm | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/PVE/CLI/pveum.pm b/PVE/CLI/pveum.pm
index c642f6d..9c9d413 100755
--- a/PVE/CLI/pveum.pm
+++ b/PVE/CLI/pveum.pm
@@ -3,6 +3,7 @@ package PVE::CLI::pveum;
use strict;
use warnings;
+use PVE::AccessControl;
use PVE::RPCEnvironment;
use PVE::API2::User;
use PVE::API2::Group;
@@ -11,8 +12,10 @@ use PVE::API2::ACL;
use PVE::API2::AccessControl;
use PVE::CLIFormatter;
use PVE::CLIHandler;
+use PVE::JSONSchema qw(get_standard_option);
use PVE::PTY;
use PVE::RESTHandler;
+use PVE::Tools qw(extract_param);
use base qw(PVE::CLIHandler);
@@ -45,17 +48,80 @@ my $print_api_result = sub {
PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
};
+my $print_perm_result = sub {
+ my ($data, $schema, $options) = @_;
+
+ if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
+ my $table_schema = {
+ type => 'array',
+ items => {
+ type => 'object',
+ properties => {
+ 'path' => { type => 'string', title => 'ACL path' },
+ 'permissions' => { type => 'string', title => 'Permissions' },
+ },
+ },
+ };
+ my $table_data = [];
+ foreach my $path (sort keys %$data) {
+ my $value = '';
+ my $curr = $data->{$path};
+ foreach my $perm (sort keys %$curr) {
+ $value .= "\n" if $value;
+ $value .= $perm;
+ $value .= " (*)" if $curr->{$perm};
+ }
+ push @$table_data, { path => $path, permissions => $value };
+ }
+ PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
+ print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
+ } else {
+ PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
+ }
+};
+
+__PACKAGE__->register_method({
+ name => 'token_permissions',
+ path => 'token_permissions',
+ method => 'GET',
+ description => 'Retrieve effective permissions of given token.',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ userid => get_standard_option('userid'),
+ tokenid => get_standard_option('token-subid'),
+ path => get_standard_option('acl-path', {
+ description => "Only dump this specific path, not the whole tree.",
+ optional => 1,
+ }),
+ },
+ },
+ returns => {
+ type => 'object',
+ description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $token_subid = extract_param($param, "tokenid");
+ $param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
+
+ return PVE::API2::AccessControl->permissions($param);
+ }});
+
our $cmddef = {
user => {
add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
token => {
add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
update => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+ permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
}
},
group => {
--
2.20.1
More information about the pve-devel
mailing list