[pve-devel] [RFC/PATCH 0/23] API Tokens
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 17 16:14:41 CEST 2019
and I just realized that I dropped the per-repo subject-prefix from all
patches instead of just the cover-letter..
#1 is pve-common
#2-15 are pve-access-control
#16-18 are pve-http-server
#19-#23 are pve-manager
if you want a resend, just shout..
On October 17, 2019 3:13 pm, Fabian Grünbichler wrote:
> This is a draft of a patch series which aims to introduce API tokens
> into PVE.
>
> The basic idea is to allow users to generate API token values that
> - are attributed to this user
> - easily revokable
> - possibly less privileged than the user itself
> - allow direct API calls without round-trips to create/refresh a ticket
>
> Token information is stored in user.cfg together with the other
> access-control information. The actual token values will be stored in a
> 'shadow' file under /etc/pve/priv (see patch #12 for some
> ideas/comments).
>
> Still missing:
> - thorough review ;)
> - adaption/extension of user.cfg tests (especially w.r.t. #6/7)
> - PVE::APIClient support
> - token value generation, deletion & verification (#12)
> - pveum integration
> - GUI integration (just the token API, not using tokens for login..)
> - documentation
> - PMG adaption (at least for the changed method signatures in
> pve-http-server)
> - checking API endpoints for 'notoken'-ification
>
> I tried to order independent clean-ups etc. up front within each repo,
> but some of them require versioned breaks/depends so it might make sense
> to wait for the full series for those.
>
> pve-common:
>
> Fabian Grünbichler (1):
>   API schema: add 'notoken' property
>
>  src/PVE/JSONSchema.pm | 5 +++++
>  1 file changed, 5 insertions(+)
>
> pve-access-control:
>
> Fabian Grünbichler (14):
>   add missing 'use PVE::Auth::Plugin'
>   user.cfg: sort entries alphabetically in each section
>   user.cfg: sort ACL members
>   access-control: remove check_permissions/permission
>   rpcenv: drop unused roles()
>   auth: pull username REs into variables
>   refactor acl transformation code
>   API token: add REs, helpers, parsing + writing
>   API token: add API helpers
>   DO NOT APPLY: API token stubs for token value handling
>   API: add API token API endpoints
>   API: include API tokens in ACL API endpoints
>   API token: implement permission checks
>   api: mark some paths notoken
>
>  PVE/API2/ACL.pm | 30 +++-
>  PVE/API2/AccessControl.pm | 5 +
>  PVE/API2/User.pm | 287 ++++++++++++++++++++++++++++++++++-
>  PVE/AccessControl.pm | 307 ++++++++++++++++++++++++++++----------
>  PVE/Auth/Plugin.pm | 5 +-
>  PVE/RPCEnvironment.pm | 50 +++----
>  6 files changed, 568 insertions(+), 116 deletions(-)
>
> pve-http-server:
>
> Fabian Grünbichler (2):
>   proxy_request: drop duplicate, unused parameter
>   allow ticket in auth header as fallback
>   api-server: extract, set and handle API token header
>
>  PVE/APIServer/AnyEvent.pm | 27 +++++++++++++++++++--------
>  PVE/APIServer/Formatter.pm | 21 +++++++++++++++------
>  PVE/APIServer/Formatter/Bootstrap.pm | 1 +
>  3 files changed, 35 insertions(+), 14 deletions(-)
>
> pve-manager:
>
> Fabian Grünbichler (5):
>   subscription: use rpcenv for permission check
>   auth_handler: handle API tokens
>   rest_handler: implement 'notoken' API endpoints
>   pveproxy: use new cookie extraction method
>   api/tasks: attribute token tasks to user
>
>  PVE/API2/Cluster.pm | 3 ++
>  PVE/API2/Subscription.pm | 2 +-
>  PVE/API2/Tasks.pm | 15 ++++++++++
>  PVE/HTTPServer.pm | 60 +++++++++++++++++++++++-----------------
>  PVE/Service/pveproxy.pm | 2 +-
>  5 files changed, 54 insertions(+), 28 deletions(-)
>
> --
> 2.20.1