[pve-devel] [RFC 12/23] API: add API token API endpoints

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Oct 22 15:50:39 CEST 2019


On October 22, 2019 3:32 pm, Thomas Lamprecht wrote:
> On 10/22/19 3:22 PM, Fabian Grünbichler wrote:
>> On October 22, 2019 1:44 pm, Tim Marx wrote:
>>> Do we really want an enable/disable property?
>>> Wouldn't it be enough to delete the token?
>> 
>> there's a difference though. I might have configured the token on X 
>> systems, but want to temporarily disable it. since the actual token 
>> value is generated on creation by the server, if I need to delete the 
>> token to disable it I then have to re-configure all clients with the new 
>> token after (re-)creation..
>> 
> 
> In which usage scenario does above make sense?
> 
> Either the token is there and usable or not, a temporary disable does
> not make much sense, or? I mean, just don't start the services that
> will use it. And if the trust is gone it won't come ever back again for
> a token.

disabling the token is the server-side equivalent to not starting the 
service on the client-side ;) I don't have some specific use case in 
mind, except that we may want to not allow the token to do stuff without 
having to re-generate and re-deploy it.

could be to trouble-shoot (are those requests by my monitoring 
system/backup client/... responsible for the high load? -> disable 
corresponding token), could be to investigate before deciding whether 
trust is gone or not, could be to generate and distribute tokens, but 
not yet activate them (client system is not yet live), ...

it's a small boolean flag that is very easy to understand (and 
implement), but if there are big objections I can also drop it.
