This is a draft of a patch series which aims to introduce API tokens into PVE.
The basic idea is to allow users to generate API token values that
- are attributed to this user
- easily revocable
- possibly less privileged than the user itself
- allow direct API calls without round-trips to create/refresh a ticket

Token information is stored in user.cfg together with the other access-control information. The actual token values will be stored in a 'shadow' file under /etc/pve/priv (see patch #12 for some ideas/comments).

Still missing:
- thorough review ;)
- adaption/extension of user.cfg tests (especially w.r.t. #6/7)
- PVE::APIClient support
- token value generation, deletion & verification (#12)
- pveum integration
- GUI integration (just the token API, not using tokens for login..)
- documentation
- PMG adaption (at least for the changed method signatures in pve-http-server)
- checking API endpoints for 'notoken'-ification

I tried to order independent clean-ups etc. up front within each repo, but some of them require versioned breaks/depends, so it might make sense to wait for the full series for those.
pve-common:

Fabian Grünbichler (1):
  API schema: add 'notoken' property

 src/PVE/JSONSchema.pm | 5 +++++
 1 file changed, 5 insertions(+)

pve-access-control:

Fabian Grünbichler (14):
  add missing 'use PVE::Auth::Plugin'
  user.cfg: sort entries alphabetically in each section
  user.cfg: sort ACL members
  access-control: remove check_permissions/permission
  rpcenv: drop unused roles()
  auth: pull username REs into variables
  refactor acl transformation code
  API token: add REs, helpers, parsing + writing
  API token: add API helpers
  DO NOT APPLY: API token stubs for token value handling
  API: add API token API endpoints
  API: include API tokens in ACL API endpoints
  API token: implement permission checks
  api: mark some paths notoken

 PVE/API2/ACL.pm           |  30 +++-
 PVE/API2/AccessControl.pm |   5 +
 PVE/API2/User.pm          | 287 ++++++++++++++++++++++++++++++++++-
 PVE/AccessControl.pm      | 307 ++++++++++++++++++++++++++++----------
 PVE/Auth/Plugin.pm        |   5 +-
 PVE/RPCEnvironment.pm     |  50 +++----
 6 files changed, 568 insertions(+), 116 deletions(-)

pve-http-server:

Fabian Grünbichler (2):
  proxy_request: drop duplicate, unused parameter
  allow ticket in auth header as fallback
  api-server: extract, set and handle API token header

 PVE/APIServer/AnyEvent.pm             | 27 +++++++++++++++++++--------
 PVE/APIServer/Formatter.pm            | 21 +++++++++++++++------
 PVE/APIServer/Formatter/Bootstrap.pm  |  1 +
 3 files changed, 35 insertions(+), 14 deletions(-)

pve-manager:

Fabian Grünbichler (5):
  subscription: use rpcenv for permission check
  auth_handler: handle API tokens
  rest_handler: implement 'notoken' API endpoints
  pveproxy: use new cookie extraction method
  api/tasks: attribute token tasks to user

 PVE/API2/Cluster.pm      |  3 ++
 PVE/API2/Subscription.pm |  2 +-
 PVE/API2/Tasks.pm        | 15 ++++++++++
 PVE/HTTPServer.pm        | 60 +++++++++++++++++++++++-----------------
 PVE/Service/pveproxy.pm  |  2 +-
 5 files changed, 54 insertions(+), 28 deletions(-)

-- 
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
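The two access-control properties the series introduces, endpoints flagged 'notoken' that refuse token-authenticated callers, and tokens that are at most as privileged as their owner, sketched as a stand-alone Perl example; this is added illustration, not code from the series or from PVE, and the endpoint paths, privilege names and the shape of the auth context are assumptions made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed endpoint table: 'notoken' mirrors the JSON schema property added
# by the series; the paths and privilege names are invented for this example.
my %endpoints = (
    '/access/ticket'            => { notoken => 1, priv => undef },          # interactive login only
    '/access/users/{uid}/token' => { notoken => 1, priv => 'User.Modify' },  # tokens must not manage tokens
    '/nodes/{node}/status'      => { notoken => 0, priv => 'Sys.Audit' },
);

# $auth is the assumed post-authentication context: 'type' is 'ticket' or
# 'token', 'privs' is the set of privileges the caller effectively holds.
sub check_request {
    my ($path, $auth) = @_;
    my $ep = $endpoints{$path} or return (404, "no such endpoint");
    # a 'notoken' endpoint rejects token callers before any privilege check
    if ($ep->{notoken} && $auth->{type} eq 'token') {
        return (403, "API tokens not permitted for $path");
    }
    if (defined $ep->{priv} && !$auth->{privs}{$ep->{priv}}) {
        return (403, "missing privilege $ep->{priv}");
    }
    return (200, "ok");
}

# A token's privileges are the intersection of its owner's privileges and the
# grant attached to the token, so it can be less privileged but never more.
sub effective_privs {
    my ($user_privs, $token_privs) = @_;
    return { map { $_ => 1 } grep { $token_privs->{$_} } keys %$user_privs };
}

my $user_privs = { 'Sys.Audit' => 1, 'User.Modify' => 1 };
my $ticket = { type => 'ticket', privs => $user_privs };
my $token  = { type => 'token',
               privs => effective_privs($user_privs, { 'Sys.Audit' => 1, 'VM.Allocate' => 1 }) };

for my $path (sort keys %endpoints) {
    for my $caller ($ticket, $token) {
        my ($code, $msg) = check_request($path, $caller);
        printf "%-28s %-6s => %d %s\n", $path, $caller->{type}, $code, $msg;
    }
}
```

Note that 'VM.Allocate' in the token grant is dropped by the intersection because the owner does not hold it, and the token is refused on both 'notoken' paths even where it would otherwise have the required privilege.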