On 1/21/20 1:54 PM, Fabian Grünbichler wrote:
> token definitions/references in user.cfg always use the full form of the
> token id, consisting of:
>
> USER@REALM!TOKENID
>
> token definitions are represented by their own lines prefixed with
> 'token', which need to come after the corresponding user definition, but
> before any ACLs referencing them.
>
> parsed representation in a user config hash is inside a new 'tokens'
> element of the corresponding user object, using the unique-per-user
> token id as key.
>
> only token metadata is stored inside user.cfg / accessible via the
> parsed user config hash. the actual token values will be stored
> root-readable only in a separate (shadow) file.
>
> 'comment' and 'expire' have the same semantics as for users.
>
> 'privsep' determines whether an API token gets the full privileges of
> the corresponding user, or just the intersection of privileges of the
> corresponding user and those of the API token itself.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> ---
>
> Notes:
>     v1->v2:
>     - remove 'enable' boolean for tokens
>
>     I am a bit unsure how to differentiate in a clean way between:
>     A full userid/tokenid (username@realm OR username@realm!token)
>     B user (username@realm)
>     C tokenid (username@realm!token)
>     D token/tokensubid/tokenid-per-user (just the part after !)
>
>     I am not sure whether it makes much sense to replace all the existing naming
>     where B becomes A with the introduction of tokens. it might make sense to have
>     some specific variable naming for those few places where we explicitly handle
>     the difference (A goes in, we check if it's B or C and do different stuff in
>     either case), as well as for cleanly separating between C and D. applies to
>     patches after this as well..
>
>     recommendations/input welcome ;)
>
>  PVE/AccessControl.pm | 88 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 88 insertions(+)
>
applied, thanks!

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
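The quoted summary describes three things a reader may want to see end to end: the USER@REALM!TOKENID form and its split into user and per-user token id, the ordering rule (token lines after their user, before any ACL referencing them), and the privsep semantics (full user privileges versus the intersection of the user's and the token's own privileges). The following is an added Python illustration of exactly that; it is not code from the patch or from Proxmox VE, which implements this in Perl in PVE/AccessControl.pm. The colon-separated field order of the user/token/acl lines, the sample config and the role-to-privilege table are all assumptions constructed for this example, and the special-casing of root@pam as superuser that real PVE has is deliberately not modelled.

```python
"""Parse a user.cfg-style file with API token entries and resolve privileges.

Added example, not PVE code. Line layouts below are ASSUMED for illustration:
    user:USER@REALM:ENABLE:EXPIRE:COMMENT:
    token:USER@REALM!TOKENID:EXPIRE:PRIVSEP:COMMENT:
    acl:PROPAGATE:PATH:AUTHIDS:ROLES:
"""
import re
import time

USERID_RE = re.compile(r'^[^@!:]+@[^@!:]+$')
TOKENID_RE = re.compile(r'^([^@!:]+@[^@!:]+)!([A-Za-z0-9._-]+)$')


def split_authid(authid):
    """'user@realm!tokenid' -> ('user@realm', 'tokenid'); 'user@realm' -> (..., None)."""
    m = TOKENID_RE.match(authid)
    if m:
        return m.group(1), m.group(2)
    if USERID_RE.match(authid):
        return authid, None
    raise ValueError(f"malformed authid {authid!r}")


def parse_user_cfg(text):
    """Return (users, acls); token metadata lives under users[user]['tokens'][tokenid]."""
    users, acls = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        kind = fields[0]
        if kind == 'user':
            userid, enable, expire, comment = fields[1:5]
            if not USERID_RE.match(userid):
                raise ValueError(f"line {lineno}: bad userid {userid!r}")
            users[userid] = {'enable': enable == '1', 'expire': int(expire or 0),
                             'comment': comment, 'tokens': {}}
        elif kind == 'token':
            user, tokenid = split_authid(fields[1])
            if tokenid is None:
                raise ValueError(f"line {lineno}: token line needs USER@REALM!TOKENID")
            if user not in users:  # token lines must follow their user's definition
                raise ValueError(f"line {lineno}: token for undefined user {user!r}")
            expire, privsep, comment = fields[2:5]
            users[user]['tokens'][tokenid] = {'expire': int(expire or 0),
                                              'privsep': privsep == '1',
                                              'comment': comment}
        elif kind == 'acl':
            propagate, path, authids, roles = fields[1:5]
            authids = set(filter(None, authids.split(',')))
            for authid in authids:  # ACLs may only reference users/tokens defined above
                user, tokenid = split_authid(authid)
                if user not in users or (tokenid and tokenid not in users[user]['tokens']):
                    raise ValueError(f"line {lineno}: ACL references unknown {authid!r}")
            acls.append({'propagate': propagate == '1', 'path': path,
                         'authids': authids, 'roles': set(filter(None, roles.split(',')))})
        else:
            raise ValueError(f"line {lineno}: unknown entry type {kind!r}")
    return users, acls


def direct_privs(acls, role_privs, authid, path):
    """Union of role privileges from ACLs naming `authid` on `path` or a propagating parent."""
    privs = set()
    for acl in acls:
        parent = acl['path'].rstrip('/') + '/'
        if authid in acl['authids'] and (acl['path'] == path or
                                          (acl['propagate'] and path.startswith(parent))):
            for role in acl['roles']:
                privs |= role_privs.get(role, set())
    return privs


def effective_privs(users, acls, role_privs, authid, path, now=None):
    """Privileges an authid (plain user or API token) actually holds on `path`."""
    now = time.time() if now is None else now
    user, tokenid = split_authid(authid)
    u = users.get(user)
    if u is None or not u['enable'] or (u['expire'] and u['expire'] < now):
        return set()
    user_privs = direct_privs(acls, role_privs, user, path)
    if tokenid is None:
        return user_privs
    tok = u['tokens'].get(tokenid)
    if tok is None or (tok['expire'] and tok['expire'] < now):
        return set()
    if not tok['privsep']:
        return user_privs  # privsep=0: the token is exactly as powerful as its user
    # privsep=1: only what BOTH the user and the token's own ACLs grant
    return user_privs & direct_privs(acls, role_privs, authid, path)


# Constructed sample config and role table for this example (not real PVE data).
SAMPLE_CFG = """\
user:root@pam:1:0:Root:
user:monitor@pve:1:0:Monitoring user:
token:monitor@pve!readonly:0:1:privilege separated:
token:monitor@pve!full:0:0:inherits all user privileges:
acl:1:/:monitor@pve:PVEAdmin:
acl:1:/vms:monitor@pve!readonly:PVEAuditor:
"""
ROLE_PRIVS = {
    'PVEAdmin': {'VM.Allocate', 'VM.Audit', 'VM.PowerMgmt', 'Sys.Audit'},
    'PVEAuditor': {'VM.Audit', 'Sys.Audit'},
}

if __name__ == '__main__':
    users, acls = parse_user_cfg(SAMPLE_CFG)
    for authid in ('monitor@pve', 'monitor@pve!full', 'monitor@pve!readonly'):
        print(authid, sorted(effective_privs(users, acls, ROLE_PRIVS, authid, '/vms/100')))
```

Running it shows the point of privsep: `monitor@pve!full` (privsep 0) ends up with the user's full PVEAdmin set on /vms/100, while `monitor@pve!readonly` (privsep 1) only gets the PVEAuditor privileges its own ACL grants, and nothing at all on a path such as /nodes/pve1 where no ACL names the token, even though the user itself is PVEAdmin there. The parser also rejects a token line that appears before its user and an ACL that references a token defined later, matching the ordering rule in the summary.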