[pve-devel] [RFC/PATCH 0/23] API Tokens
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 17 15:13:54 CEST 2019
This is a draft of a patch series which aims to introduce API tokens
into PVE.
The basic idea is to allow users to generate API token values that
- are attributed to this user
- are easily revocable
- possibly less privileged than the user itself
- allow direct API calls without round-trips to create/refresh a ticket
Token information is stored in user.cfg together with the other
access-control information. The actual token values will be stored in a
'shadow' file under /etc/pve/priv (see patch #12 for some
ideas/comments).
Still missing:
- thorough review ;)
- adaptation/extension of user.cfg tests (especially w.r.t. #6/7)
- PVE::APIClient support
- token value generation, deletion & verification (#12)
- pveum integration
- GUI integration (just the token API, not using tokens for login..)
- documentation
- PMG adaptation (at least for the changed method signatures in
pve-http-server)
- checking API endpoints for 'notoken'-ification
I tried to order independent clean-ups etc. up front within each repo,
but some of them require versioned breaks/depends so it might make sense
to wait for the full series for those.
pve-common:
Fabian Grünbichler (1):
API schema: add 'notoken' property
src/PVE/JSONSchema.pm | 5 +++++
1 file changed, 5 insertions(+)
pve-access-control:
Fabian Grünbichler (14):
add missing 'use PVE::Auth::Plugin'
user.cfg: sort entries alphabetically in each section
user.cfg: sort ACL members
access-control: remove check_permissions/permission
rpcenv: drop unused roles()
auth: pull username REs into variables
refactor acl transformation code
API token: add REs, helpers, parsing + writing
API token: add API helpers
DO NOT APPLY: API token stubs for token value handling
API: add API token API endpoints
API: include API tokens in ACL API endpoints
API token: implement permission checks
api: mark some paths notoken
PVE/API2/ACL.pm | 30 +++-
PVE/API2/AccessControl.pm | 5 +
PVE/API2/User.pm | 287 ++++++++++++++++++++++++++++++++++-
PVE/AccessControl.pm | 307 ++++++++++++++++++++++++++++----------
PVE/Auth/Plugin.pm | 5 +-
PVE/RPCEnvironment.pm | 50 +++----
6 files changed, 568 insertions(+), 116 deletions(-)
pve-http-server:
Fabian Grünbichler (2):
proxy_request: drop duplicate, unused parameter
allow ticket in auth header as fallback
api-server: extract, set and handle API token header
PVE/APIServer/AnyEvent.pm | 27 +++++++++++++++++++--------
PVE/APIServer/Formatter.pm | 21 +++++++++++++++------
PVE/APIServer/Formatter/Bootstrap.pm | 1 +
3 files changed, 35 insertions(+), 14 deletions(-)
pve-manager:
Fabian Grünbichler (5):
subscription: use rpcenv for permission check
auth_handler: handle API tokens
rest_handler: implement 'notoken' API endpoints
pveproxy: use new cookie extraction method
api/tasks: attribute token tasks to user
PVE/API2/Cluster.pm | 3 ++
PVE/API2/Subscription.pm | 2 +-
PVE/API2/Tasks.pm | 15 ++++++++++
PVE/HTTPServer.pm | 60 +++++++++++++++++++++++-----------------
PVE/Service/pveproxy.pm | 2 +-
5 files changed, 54 insertions(+), 28 deletions(-)
--
2.20.1
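The cover letter above describes the intended properties of a token (attributed to a user, easily revocable, possibly less privileged than the user, usable for direct API calls without a ticket round-trip) and the split between metadata in user.cfg and the actual values in a 'shadow' file under /etc/pve/priv, plus 'notoken' endpoints. The following Python block is an added example written for this page, not code from the patch series or from Proxmox: it models that design in memory so the checks can be run offline. The header shape PVEAPIToken=<user>!<tokenid>=<value>, storing only a salted hash of the value, narrowing a token's privileges by intersection with the user's ACLs, the NOTOKEN endpoint list and the sample user/ACL data are all assumptions made for illustration, not details the RFC specifies.

```python
"""Added example (not PVE code): a minimal token store with the properties
the cover letter lists, with token metadata kept beside the user data and
only a salted hash of the value kept in a separate 'shadow' store.
Assumptions: the Authorization header format, hashing the stored value,
the privilege-intersection rule and the sample ACLs are all illustrative."""
import hashlib
import hmac
import secrets
import time

HEADER_PREFIX = "PVEAPIToken="   # assumed header shape: PVEAPIToken=<user>!<tokenid>=<value>

# Constructed stand-in for user.cfg: per-user privileges on ACL paths.
USER_PRIVS = {
    "alice@pve": {"/vms/100": {"VM.Audit", "VM.PowerMgmt", "VM.Config.Disk"}},
}
TOKENS = {}   # "<user>!<tokenid>" -> metadata; would also live in user.cfg
SHADOW = {}   # "<user>!<tokenid>" -> (salt, digest); stands in for the file under /etc/pve/priv

# Endpoints that must not be reachable with a token (assumed list, e.g. ticket creation).
NOTOKEN = {"/access/ticket", "/access/password"}


def _digest(salt, value):
    return hashlib.sha256(salt + value.encode()).digest()


def create_token(user, tokenid, privs=None, ttl=None):
    """Create a token for an existing user; return the value, shown only once."""
    if user not in USER_PRIVS:
        raise KeyError(user)
    full = f"{user}!{tokenid}"
    value = secrets.token_hex(16)          # 128 random bits
    salt = secrets.token_bytes(16)
    TOKENS[full] = {
        "user": user,
        "privs": privs,                     # None = same privileges as the user
        "expire": (time.time() + ttl) if ttl is not None else None,
    }
    SHADOW[full] = (salt, _digest(salt, value))
    return value


def revoke_token(full):
    """Revocation is a delete in both stores; a revoked value never verifies again."""
    TOKENS.pop(full, None)
    SHADOW.pop(full, None)


def authenticate(auth_header):
    """Return (user, token id) for a valid token header, else None."""
    if not auth_header.startswith(HEADER_PREFIX):
        return None
    full, sep, value = auth_header[len(HEADER_PREFIX):].rpartition("=")
    if not sep or full not in TOKENS or full not in SHADOW:
        return None
    salt, stored = SHADOW[full]
    if not hmac.compare_digest(stored, _digest(salt, value)):   # constant-time compare
        return None
    expire = TOKENS[full]["expire"]
    if expire is not None and time.time() > expire:
        return None
    return TOKENS[full]["user"], full      # the user is the owner for tasks and audit


def effective_privs(principal, path):
    """User privileges on a path, narrowed by the token's own set when it has one."""
    user, full = principal
    privs = set(USER_PRIVS[user].get(path, ()))
    if TOKENS[full]["privs"] is not None:
        privs &= TOKENS[full]["privs"]
    return privs


def call_endpoint(auth_header, endpoint, path=None, priv=None):
    """Assumed request pipeline: authenticate, enforce 'notoken', then authorize."""
    principal = authenticate(auth_header)
    if principal is None:
        return 401
    if endpoint in NOTOKEN:
        return 403
    if priv is not None and priv not in effective_privs(principal, path):
        return 403
    return 200


if __name__ == "__main__":
    value = create_token("alice@pve", "deploy", privs={"VM.Audit", "VM.PowerMgmt"})
    hdr = HEADER_PREFIX + "alice@pve!deploy=" + value
    print(call_endpoint(hdr, "/nodes/pve/qemu/100/status/start", "/vms/100", "VM.PowerMgmt"))  # 200
    print(call_endpoint(hdr, "/nodes/pve/qemu/100/config", "/vms/100", "VM.Config.Disk"))      # 403
    print(call_endpoint(hdr, "/access/ticket"))                                                  # 403
    revoke_token("alice@pve!deploy")
    print(call_endpoint(hdr, "/nodes/pve/qemu/100/status/start", "/vms/100", "VM.Audit"))       # 401
```

Two design points worth keeping in mind when reading patch #12: keeping only a salted hash in the shadow store means a copy of that file does not yield usable token values, and the compare must be constant-time because the value is the only secret in the request.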