[pve-devel] applied: [PATCH v3 access-control 04/20] API token: add REs, helpers, parsing + writing

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Jan 28 21:07:52 CET 2020


On 1/21/20 1:54 PM, Fabian Grünbichler wrote:
> token definitions/references in user.cfg always use the full form of the
> token id, consisting of:
> 
> USER at REALM!TOKENID
> 
> token definitions are represented by their own lines prefixed with
> 'token', which need to come after the corresponding user definition, but
> before any ACLs referencing them.
> 
> parsed representation in a user config hash is inside a new 'tokens'
> element of the corresponding user object, using the unique-per-user
> token id as key.
> 
> only token metadata is stored inside user.cfg / accessible via the
> parsed user config hash. the actual token values will be stored
> root-readable only in a separate (shadow) file.
> 
> 'comment' and 'expire' have the same semantics as for users.
> 
> 'privsep' determines whether an API token gets the full privileges of
> the corresponding user, or just the intersection of privileges of the
> corresponding user and those of the API token itself.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     v1->v2:
>     - remove 'enable' boolean for tokens
>     
>     I am a bit unsure how to differentiate in a clean way between:
>     A full userid/tokenid (username at realm OR username at real!token)
>     B user (username at realm)
>     C tokenid (username at realm!token)
>     D token/tokensubid/tokenid-per-user (just the part after !)
>     
>     I am not sure whether it makes much sense to replace all the existing naming
>     where B becomes A with the introduction of tokens. it might make sense to have
>     some specific variable naming for those few places where we explicitly handle
>     the difference (A goes in, we check if it's B or C and do different stuff in
>     either case), as well as for cleanly separating between C and D. applies to
>     patches after this as well..
>     
>     recommendations/input welcome ;)
> 
>  PVE/AccessControl.pm | 88 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 88 insertions(+)
> 

applied, thanks!




More information about the pve-devel mailing list