[pve-devel] r5567 - in pve-access-control/trunk: . PVE
svn-commits at proxmox.com
svn-commits at proxmox.com
Fri Feb 18 11:12:42 CET 2011
Author: dietmar
Date: 2011-02-18 11:12:42 +0100 (Fri, 18 Feb 2011)
New Revision: 5567
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/AccessControl.pm
Log:
try to create a predefined
set of roles automatically.
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-18 07:01:00 UTC (rev 5566)
+++ pve-access-control/trunk/ChangeLog 2011-02-18 10:12:42 UTC (rev 5567)
@@ -1,3 +1,8 @@
+2011-02-18 Proxmox Support Team <support at proxmox.com>
+
+ * PVE/AccessControl.pm (create_roles): try to create a predefined
+ set of roles automatically.
+
2011-02-17 Proxmox Support Team <support at proxmox.com>
* PVE/API2/Domains.pm: new API to for domains.cfg
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-18 07:01:00 UTC (rev 5566)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-18 10:12:42 UTC (rev 5567)
@@ -446,31 +446,78 @@
return Encode::decode("utf8", uri_unescape($data));
}
-my $valid_privs = {
- 'VM.Audit' => 1,
- 'VM.Modify' => 1,
- 'VM.Allocate' => 1,
- 'VM.PowerMgmt' => 1,
- 'VM.Migrate' => 1,
- 'VM.Console' => 1,
-
- 'Datastore.Audit' => 1,
- 'Datastore.Allocate' => 1,
- 'Datastore.AllocateSpace' => 1,
+# we automatically create some predefined roles by splitting privs
+# into 3 groups (per category)
+# root: only root is allowed to do that
+# admin: an administrator can to that
+# user: a normak user/customer can to that
+my $privgroups = {
+ VM => {
+ root => [],
+ admin => [
+ 'VM.Modify',
+ 'VM.Allocate',
+ 'VM.Migrate',
+ 'Permissions.Modify',
+ ],
+ user => [
+ 'VM.Audit',
+ 'VM.Console',
+ 'VM.PowerMgmt',
+ ],
+ },
+ Sys => {
+ root => [
+ 'Sys.PowerMgmt',
+ ],
+ admin => [
+ 'Sys.Console',
+ 'Sys.Audit',
+ 'Sys.Syslog',
+ ],
+ user => [],
+ },
+ Datastore => {
+ root => [
+ 'Datastore.Allocate',
+ 'Permissions.Modify',
+ ],
+ admin => [],
+ user => [
+ 'Datastore.AllocateSpace',
+ 'Datastore.Audit',
+ ],
+ },
+};
- 'Permissions.Modify' => 1,
+my $valid_privs = {};
- 'Sys.PowerMgmt' => 1,
- 'Sys.Console' => 1,
- 'Sys.Syslog' => 1,
- 'Sys.Audit' => 1,
-};
-
my $special_roles = {
'NoAccess' => {}, # no priviledges
'Administrator' => $valid_privs, # all priviledges
};
+sub create_roles {
+
+ foreach my $cat (keys %$privgroups) {
+ my $cd = $privgroups->{$cat};
+ foreach my $p (@{$cd->{root}}, @{$cd->{admin}}, @{$cd->{user}}) {
+ $valid_privs->{$p} = 1;
+ }
+ foreach my $p (@{$cd->{admin}}, @{$cd->{user}}) {
+ $special_roles->{"PVE${cat}Admin"}->{$p} = 1;
+ $special_roles->{"PVEAdmin"}->{$p} = 1;
+ }
+ if (scalar(@{$cd->{user}})) {
+ foreach my $p (@{$cd->{user}}) {
+ $special_roles->{"PVE${cat}User"}->{$p} = 1;
+ }
+ }
+ }
+};
+
+create_roles();
+
my $valid_attributes = {
ad => {
server1 => '[\w\d]+(.[\w\d]+)*',
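Review bot: `Permissions.Modify` is listed twice in `$privgroups`, under `Datastore => root` (documented as "only root is allowed to do that") and under `VM => admin`. Because each role is a flat privilege set, the second loop in `create_roles` grants it to both `PVEVMAdmin` and `PVEAdmin`. The root-only classification in the Datastore category therefore has no effect on those roles; whether that allows a delegated admin to widen their own access depends on how `Permissions.Modify` is checked against ACL paths, which this hunk does not show. If the privilege is meant to be root-only, remove the `'Permissions.Modify',` entry from the VM admin list; otherwise list it once and say so, e.g. `# Permissions.Modify is deliberately part of PVEVMAdmin/PVEAdmin`. A comment at `'Administrator' => $valid_privs` would also help, such as `# same hash ref as $valid_privs, filled in by create_roles()`, since that role only receives the root-group privileges through the shared reference.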