[pve-devel] [PATCH common v3 1/1] json schema/rest environment: add 'expose_credentials' option
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Nov 14 16:04:16 CET 2025
Am 14.11.25 um 15:42 schrieb Dominik Csapak:
> this is used to mark api calls to have access to the credentials
> of the connection (token/ticket/etc.).
>
> For that we also expose a 'set/get_credentials' call on the
> RESTEnvironment.
>
> This must be set in the http/cli handler.
>
Many thanks for fleshing this out!
Some generic workflow thing:
Not that I have a need for my name to turn up even more in git log, I'd
strongly recommend to add trailers like co-authored or originally-by when
taking over such code/ideas. Partially its to pay credits, but more
importantly (at least for me) it's to know the ones that where involved
with coming up with this, and thus one can, e.g., ask about and
potentially also know about the original/other use cases, and these
reference, while not very often needed, can be worth a lot once they
are needed.
Depending on the changes it doesn't have to be a trailer, one might also
include a link to e.g. the mailing list discussion or a simple "this was
suggested by ... as they wanted to have it for ...".
Not a big thing (especially not for me for this specific case ;)), I
just would like us all to pay a bit more attention to these details, it
gets more relevant the more devs we become.
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> new in v3
> src/PVE/JSONSchema.pm | 8 ++++++++
> src/PVE/RESTEnvironment.pm | 14 ++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
> index c6e0f36..8278899 100644
> --- a/src/PVE/JSONSchema.pm
> +++ b/src/PVE/JSONSchema.pm
> @@ -1850,6 +1850,14 @@ my $method_schema = {
> description => "Method needs special privileges - only pvedaemon can execute it",
> optional => 1,
> },
> + expose_credentials => {
> + type => 'boolean',
> + description => "Method needs access to the connecting users credentials (ticker or"
> + . " token), so it will be exposed through the RPC environment. Useful to avoid"
> + . " setting 'protected' when one needs to (manually) proxy to other cluster nodes."
> + . " nodes in the handler.",
> + optional => 1,
> + },
> allowtoken => {
> type => 'boolean',
> description => "Method is available for clients authenticated using an API token.",
> diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm
> index 7695850..d597557 100644
> --- a/src/PVE/RESTEnvironment.pm
> +++ b/src/PVE/RESTEnvironment.pm
> @@ -235,6 +235,20 @@ sub get_user {
> die "user name not set\n";
> }
>
> +sub set_credentials {
> + my ($self, $credentials) = @_;
> +
> + $self->{credentials} = $credentials;
> +}
> +
> +sub get_credentials {
> + my ($self, $noerr) = @_;
> +
> + return $self->{credentials} if defined($self->{credentials}) || $noerr;
> +
> + die "credentials not set\n";
> +}
> +
> sub set_u2f_challenge {
> my ($self, $challenge) = @_;
>
More information about the pve-devel
mailing list