* [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets
@ 2026-04-17 12:35 Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
0 siblings, 2 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Allows rotating secrets without having to re-create the whole token.
Like already possible in pbs.
pve-access-control:
Hannes Laimer (1):
api: token: support regenerating the secret on update
src/PVE/API2/User.pm | 41 +++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
pve-manager:
Hannes Laimer (1):
ui: token: add regenerate secret button
www/manager6/dc/TokenView.js | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
Summary over all repositories:
2 files changed, 72 insertions(+), 6 deletions(-)
--
Generated by murpp 0.11.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
@ 2026-04-17 12:35 ` Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
1 sibling, 0 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Rotating a leaked API token currently requires deleting and
recreating it, which forces re-applying all ACLs that referenced it.
Add a `regenerate` flag to the token update endpoint that swaps in a
fresh secret in-place, preserving metadata and ACL entries. The new
secret is returned in the response.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/PVE/API2/User.pm | 41 +++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index 4742f17..80a5ad0 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -833,7 +833,8 @@ __PACKAGE__->register_method({
name => 'update_token_info',
path => '{userid}/token/{tokenid}',
method => 'PUT',
- description => "Update API token for a specific user.",
+ description => "Update API token for a specific user. NOTE: when 'regenerate' is set,"
+ . " the returned token value needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
check => [
@@ -848,6 +849,13 @@ __PACKAGE__->register_method({
expire => get_standard_option('token-expire'),
privsep => get_standard_option('token-privsep'),
comment => get_standard_option('token-comment'),
+ regenerate => {
+ description => "Regenerate the token's secret value. All users of the"
+ . " previous secret will lose access after this operation.",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
delete => {
type => 'string',
format => 'pve-configid-list',
@@ -856,13 +864,26 @@ __PACKAGE__->register_method({
},
},
},
- returns =>
- get_standard_option('token-info', { description => "Updated token information." }),
+ returns => $token_info_extend->({
+ value => {
+ type => 'string',
+ description => "API token value used for authentication."
+ . " Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ 'full-tokenid' => {
+ type => 'string',
+ format_description => '<userid>!<tokenid>',
+ description => "The full token id. Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ }),
code => sub {
my ($param) = @_;
my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
my $tokenid = extract_param($param, 'tokenid');
+ my $regenerate = extract_param($param, 'regenerate');
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
@@ -870,13 +891,14 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
+ my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+ my $value;
+
PVE::AccessControl::lock_user_config(
sub {
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
-
$token->{privsep} = $param->{privsep} if defined($param->{privsep});
$token->{expire} = $param->{expire} if defined($param->{expire});
$token->{comment} = $param->{comment} if defined($param->{comment});
@@ -894,13 +916,20 @@ __PACKAGE__->register_method({
delete $token->{$k};
}
+ $value = PVE::TokenConfig::generate_token($full_tokenid) if $regenerate;
+
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
},
'updating token info failed',
);
- return $token;
+ my $res = {%$token};
+ if ($regenerate) {
+ $res->{value} = $value;
+ $res->{'full-tokenid'} = $full_tokenid;
+ }
+ return $res;
},
});
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH pve-manager 2/2] ui: token: add regenerate secret button
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
@ 2026-04-17 12:35 ` Hannes Laimer
1 sibling, 0 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
www/manager6/dc/TokenView.js | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index b53cb888..8272729a 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -75,6 +75,26 @@ Ext.define('PVE.dc.TokenView', {
win.show();
};
+ let regenerate_token = function (_btn, _event, rec) {
+ if (!hasTokenCRUDPermissions(rec.data.userid)) {
+ return;
+ }
+ Proxmox.Utils.API2Request({
+ method: 'PUT',
+ url: urlFromRecord(rec),
+ params: { regenerate: 1 },
+ success: function (response) {
+ Ext.create('PVE.dc.TokenShow', {
+ autoShow: true,
+ tokenid: response.result.data['full-tokenid'],
+ secret: response.result.data.value,
+ });
+ reload();
+ },
+ failure: (res) => Ext.Msg.alert(gettext('Error'), res.htmlStatus),
+ });
+ };
+
let tbar = [
{
text: gettext('Add'),
@@ -104,6 +124,23 @@ Ext.define('PVE.dc.TokenView', {
getUrl: urlFromRecord,
},
'-',
+ {
+ xtype: 'proxmoxButton',
+ text: gettext('Regenerate Secret'),
+ disabled: true,
+ selModel: sm,
+ enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
+ dangerous: true,
+ confirmMsg: (rec) =>
+ Ext.String.format(
+ gettext(
+ "Regenerate the secret of the API token '{0}'? All users of the previous token secret will lose access!",
+ ),
+ rec.data.id,
+ ),
+ handler: regenerate_token,
+ },
+ '-',
{
xtype: 'proxmoxButton',
text: gettext('Show Permissions'),
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-17 12:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.