Re: [pve-devel] [PATCH common v3 1/1] json schema/rest environment: add 'expose_credentials' option

From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pve-devel] [PATCH common v3 1/1] json schema/rest environment: add 'expose_credentials' option
Date: Fri, 14 Nov 2025 16:04:16 +0100	[thread overview]
Message-ID: <0d6234fa-ed0c-4a52-8776-afe0ea2c09ed@proxmox.com> (raw)
In-Reply-To: <20251114144225.3639124-3-d.csapak@proxmox.com>

Am 14.11.25 um 15:42 schrieb Dominik Csapak:
> this is used to mark api calls to have access to the credentials
> of the connection (token/ticket/etc.).
> 
> For that we also expose a 'set/get_credentials' call on the
> RESTEnvironment.
> 
> This must be set in the http/cli handler.
> 

Many thanks for fleshing this out!

Some generic workflow thing:
Not that I have a need for my name to turn up even more in git log, I'd
strongly recommend to add trailers like co-authored or originally-by when
taking over such code/ideas. Partially its to pay credits, but more
importantly (at least for me) it's to know the ones that where involved
with coming up with this, and thus one can, e.g., ask about and
potentially also know about the original/other use cases, and these
reference, while not very often needed, can be worth a lot once they
are needed.

Depending on the changes it doesn't have to be a trailer, one might also
include a link to e.g. the mailing list discussion or a simple "this was
suggested by ... as they wanted to have it for ...".
Not a big thing (especially not for me for this specific case ;)), I
just would like us all to pay a bit more attention to these details, it
gets more relevant the more devs we become.

> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> new in v3
>  src/PVE/JSONSchema.pm      |  8 ++++++++
>  src/PVE/RESTEnvironment.pm | 14 ++++++++++++++
>  2 files changed, 22 insertions(+)
> 
> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
> index c6e0f36..8278899 100644
> --- a/src/PVE/JSONSchema.pm
> +++ b/src/PVE/JSONSchema.pm
> @@ -1850,6 +1850,14 @@ my $method_schema = {
>              description => "Method needs special privileges - only pvedaemon can execute it",
>              optional => 1,
>          },
> +        expose_credentials => {
> +            type => 'boolean',
> +            description => "Method needs access to the connecting users credentials (ticker or"
> +                . " token), so it will be exposed through the RPC environment. Useful to avoid"
> +                . " setting 'protected' when one needs to (manually) proxy to other cluster nodes."
> +                . " nodes in the handler.",
> +            optional => 1,
> +        },
>          allowtoken => {
>              type => 'boolean',
>              description => "Method is available for clients authenticated using an API token.",
> diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm
> index 7695850..d597557 100644
> --- a/src/PVE/RESTEnvironment.pm
> +++ b/src/PVE/RESTEnvironment.pm
> @@ -235,6 +235,20 @@ sub get_user {
>      die "user name not set\n";
>  }
>  
> +sub set_credentials {
> +    my ($self, $credentials) = @_;
> +
> +    $self->{credentials} = $credentials;
> +}
> +
> +sub get_credentials {
> +    my ($self, $noerr) = @_;
> +
> +    return $self->{credentials} if defined($self->{credentials}) || $noerr;
> +
> +    die "credentials not set\n";
> +}
> +
>  sub set_u2f_challenge {
>      my ($self, $challenge) = @_;
>  

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel