[pve-devel] [RFC 12/23] API: add API token API endpoints

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Oct 22 15:57:57 CEST 2019


On 10/22/19 3:50 PM, Fabian Grünbichler wrote:
> On October 22, 2019 3:32 pm, Thomas Lamprecht wrote:
>> On 10/22/19 3:22 PM, Fabian Grünbichler wrote:
>>> On October 22, 2019 1:44 pm, Tim Marx wrote:
>>>> Do we really want an enable/disable property?
>>>> Wouldn't it be enough to delete the token?
>>>
>>> there's a difference though. I might have configured the token on X 
>>> systems, but want to temporarily disable it. since the actual token 
>>> value is generated on creation by the server, if I need to delete the 
>>> token to disable it I then have to re-configure all clients with the new 
>>> token after (re-)creation..
>>>
>>
>> In which usage scenario does above make sense?
>>
>> Either the token is there and usable or not, a temporary disable does
>> not make much sense, or? I mean, just don't start the services that
>> will use it. And if the trust is gone it won't come ever back again for
>> a token.
> 
> disabling the token is the server-side equivalent to not starting the 
> service on the client-side ;) I don't have some specific use case in 
> mind, except that we may want to not allow the token to do stuff without 
> having to re-generate and re-deploy it.

makes no sense IMO, why should the server care about such a debug feature?

> 
> could be to trouble-shoot (are those requests by my monitoring 
> system/backup client/...  responsible for the high load? -> disable 
> corresponding token), could be to investigate before deciding whether 
> trust is gone or not, could be to generate and distribute tokens, but 
> not yet activate them (client system is not yet live), ...
> 
> it's a small boolean flag that is very easy to understand (and 
> implement), but if there are big objections I can also drop it.
> 

yet another switch in our grand ocean of knobs, if not needed and a valid
use case is there I'd omit it, if said "real use case" arises and sounds
sensible, we can add this still later on. My 2¢ - but not too hard feelings
here..
