[pve-devel] [PATCH manager v4 1/3] http server/pvesh: set credentials if necessary
Dominik Csapak
d.csapak at proxmox.com
Fri Nov 14 15:59:18 CET 2025
the new 'expose_credentials' property of api calls requires us to
set the credentials into the RPCEnvironment. Do that for the HTTPServer
and for the pvesh.
Delete the credentials after executing the api call.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
PVE/CLI/pvesh.pm | 18 ++++++++++++++++++
PVE/HTTPServer.pm | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/PVE/CLI/pvesh.pm b/PVE/CLI/pvesh.pm
index 2a994ee9..acd9a605 100755
--- a/PVE/CLI/pvesh.pm
+++ b/PVE/CLI/pvesh.pm
@@ -356,8 +356,26 @@ sub call_api_method {
$param->{$p} = $uri_param->{$p};
}
+ if ($info->{expose_credentials}) {
+ # create a ticket for the root at pam user, since the
+ # api call expects to read those credentials
+ my $rpcenv = PVE::RPCEnvironment->get();
+ my $authuser = $rpcenv->get_user();
+
+ my $ticket = PVE::AccessControl::assemble_ticket($authuser);
+ my $csrf_token = PVE::AccessControl::assemble_csrf_prevention_token($authuser);
+ $rpcenv->set_credentials({
+ userid => $authuser,
+ ticket => $ticket,
+ token => $csrf_token,
+ });
+ }
+
$data = $handler->handle($info, $param);
+ # remove credentials after api call
+ PVE::RPCEnvironment->get()->set_credentials(undef);
+
# TODO: remove 'download' check with PVE 9.0
if (
ref($data) eq 'HASH'
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 660d87e8..bb8052e3 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -184,6 +184,10 @@ sub rest_handler {
return;
}
+ if ($info->{expose_credentials}) {
+ $rpcenv->set_credentials($auth);
+ }
+
$resp = {
data => $handler->handle($info, $uri_param),
info => $info, # useful to format output
@@ -201,6 +205,7 @@ sub rest_handler {
my $err = $@;
$rpcenv->set_user(undef); # clear after request
+ $rpcenv->set_credentials(undef); # clear after request
if ($err) {
$resp = { info => $info };
--
2.47.3
More information about the pve-devel
mailing list