proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-07-22 22:45:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d29d2d4a11
pve-access-control/PVE/CLI/pveum.pm
Dominik Csapak 673d2bf267 api: domains: add user/group sync API enpoint 
this api call syncs the users and groups from LDAP/AD to the
user.cfg

it also implements a 'full' mode where we first delete all
users/groups from the config and sync them again

the parameter 'enable' controls if newly synced users are 'enabled'
(if no sync parameter handles that)
the parameter 'purge' controls if ACLs get removed for users/groups
that do not exists anymore after

also add this command to pveum

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2020-03-21 16:05:15 +01:00

179 lines
6.0 KiB
Perl
Executable File
Raw Blame History

package PVE::CLI::pveum;
use strict;
use warnings;
use PVE::AccessControl;
use PVE::RPCEnvironment;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::API2::AccessControl;
use PVE::API2::Domains;
use PVE::CLIFormatter;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
use PVE::PTY;
use PVE::RESTHandler;
use PVE::Tools qw(extract_param);
use base qw(PVE::CLIHandler);
sub setup_environment {
PVE::RPCEnvironment->setup_default_cli_env();
}
sub param_mapping {
my ($name) = @_;
my $mapping = {
'change_password' => [
PVE::CLIHandler::get_standard_mapping('pve-password'),
],
'create_ticket' => [
PVE::CLIHandler::get_standard_mapping('pve-password', {
func => sub {
# do not accept values given on cmdline
return PVE::PTY::read_password('Enter password: ');
},
}),
]
};
return $mapping->{$name};
}
my $print_api_result = sub {
my ($data, $schema, $options) = @_;
PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
};
my $print_perm_result = sub {
my ($data, $schema, $options) = @_;
if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
my $table_schema = {
type => 'array',
items => {
type => 'object',
properties => {
'path' => { type => 'string', title => 'ACL path' },
'permissions' => { type => 'string', title => 'Permissions' },
},
},
};
my $table_data = [];
foreach my $path (sort keys %$data) {
my $value = '';
my $curr = $data->{$path};
foreach my $perm (sort keys %$curr) {
$value .= "\n" if $value;
$value .= $perm;
$value .= " (*)" if $curr->{$perm};
}
push @$table_data, { path => $path, permissions => $value };
}
PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
} else {
PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
}
};
__PACKAGE__->register_method({
name => 'token_permissions',
path => 'token_permissions',
method => 'GET',
description => 'Retrieve effective permissions of given token.',
parameters => {
additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
tokenid => get_standard_option('token-subid'),
path => get_standard_option('acl-path', {
description => "Only dump this specific path, not the whole tree.",
optional => 1,
}),
},
},
returns => {
type => 'object',
description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
},
code => sub {
my ($param) = @_;
my $token_subid = extract_param($param, "tokenid");
$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
return PVE::API2::AccessControl->permissions($param);
}});
our $cmddef = {
user => {
add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
token => {
add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
modify => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
}
},
group => {
add => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
list => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
},
role => {
add => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
list => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
},
acl => {
modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
list => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
},
realm => {
add => [ 'PVE::API2::Domains', 'create', ['realm'] ],
modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
list => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
sync => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
},
ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
sub {
my ($res) = @_;
print "$res->{ticket}\n";
}],
passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
useradd => { alias => 'user add' },
usermod => { alias => 'user modify' },
userdel => { alias => 'user delete' },
groupadd => { alias => 'group add' },
groupmod => { alias => 'group modify' },
groupdel => { alias => 'group delete' },
roleadd => { alias => 'role add' },
rolemod => { alias => 'role modify' },
roledel => { alias => 'role delete' },
aclmod => { alias => 'acl modify' },
acldel => { alias => 'acl delete' },
};
1;
Reference in New Issue View Git Blame Copy Permalink