From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH manager v4 1/3] http server/pvesh: set credentials if necessary
Date: Fri, 14 Nov 2025 15:59:18 +0100
Message-ID: <20251114145927.3766668-4-d.csapak@proxmox.com>
In-Reply-To: <20251114145927.3766668-1-d.csapak@proxmox.com>
the new 'expose_credentials' property of api calls requires us to
set the credentials into the RPCEnvironment. Do that for the HTTPServer
and for the pvesh.
Delete the credentials after executing the api call.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
PVE/CLI/pvesh.pm | 18 ++++++++++++++++++
PVE/HTTPServer.pm | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/PVE/CLI/pvesh.pm b/PVE/CLI/pvesh.pm
index 2a994ee9..acd9a605 100755
--- a/PVE/CLI/pvesh.pm
+++ b/PVE/CLI/pvesh.pm
@@ -356,8 +356,26 @@ sub call_api_method {
$param->{$p} = $uri_param->{$p};
}
+ if ($info->{expose_credentials}) {
+ # create a ticket for the root@pam user, since the
+ # api call expects to read those credentials
+ my $rpcenv = PVE::RPCEnvironment->get();
+ my $authuser = $rpcenv->get_user();
+
+ my $ticket = PVE::AccessControl::assemble_ticket($authuser);
+ my $csrf_token = PVE::AccessControl::assemble_csrf_prevention_token($authuser);
+ $rpcenv->set_credentials({
+ userid => $authuser,
+ ticket => $ticket,
+ token => $csrf_token,
+ });
+ }
+
$data = $handler->handle($info, $param);
+ # remove credentials after api call
+ PVE::RPCEnvironment->get()->set_credentials(undef);
+
# TODO: remove 'download' check with PVE 9.0
if (
ref($data) eq 'HASH'
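Review bot: the comment in the new `if ($info->{expose_credentials})` block says the ticket is created for the root@pam user, but the code assembles it for whatever `$rpcenv->get_user()` returns. Either reword the comment to refer to the current user of the RPC environment or, if root@pam is the only valid value here, check for it explicitly before calling `assemble_ticket`. Separately, `set_credentials(undef)` runs only when `$handler->handle($info, $param)` returns; if it dies, the ticket and CSRF token stay in the environment, unlike the HTTPServer path, which clears after capturing `$@`. Wrapping the call in an eval, clearing, and then re-raising the error would keep both callers consistent.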
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 660d87e8..bb8052e3 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -184,6 +184,10 @@ sub rest_handler {
return;
}
+ if ($info->{expose_credentials}) {
+ $rpcenv->set_credentials($auth);
+ }
+
$resp = {
data => $handler->handle($info, $uri_param),
info => $info, # useful to format output
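Review bot: `$rpcenv->set_credentials($auth)` hands over the whole `$auth` value, while the pvesh caller builds an explicit hash with `userid`, `ticket` and `token`. The visible lines do not show which keys `$auth` carries, so a handler with `expose_credentials` cannot rely on the same shape from both entry points. Consider passing an explicit hash with just those three keys, or add a comment stating what `$auth` is guaranteed to contain at this point, so that nothing beyond what the handler needs is exposed.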
@@ -201,6 +205,7 @@ sub rest_handler {
my $err = $@;
$rpcenv->set_user(undef); # clear after request
+ $rpcenv->set_credentials(undef); # clear after request
if ($err) {
$resp = { info => $info };
--
2.47.3
Thread overview: 9+ messages
2025-11-14 14:59 [pve-devel] [PATCH apiclient/common/manager v4 0/5] implement cluster-wide bulk-actions for guests Dominik Csapak
2025-11-14 14:59 ` [pve-devel] [PATCH pve-apiclient v4 1/1] try to refresh ticket before an api call Dominik Csapak
2025-11-14 14:59 ` [pve-devel] [PATCH common v4 1/1] json schema/rest environment: add 'expose_credentials' option Dominik Csapak
2025-11-14 14:59 ` Dominik Csapak [this message]
2025-11-14 21:02 ` [pve-devel] applied: [PATCH manager v4 1/3] http server/pvesh: set credentials if necessary Thomas Lamprecht
2025-11-14 14:59 ` [pve-devel] [PATCH manager v4 2/3] api: implement node-independent bulk actions Dominik Csapak
2025-11-14 21:02 ` [pve-devel] applied: " Thomas Lamprecht
2025-11-14 14:59 ` [pve-devel] [PATCH manager v4 3/3] ui: add bulk actions to the datacenter level Dominik Csapak
2025-11-14 21:02 ` [pve-devel] applied: " Thomas Lamprecht