* [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets
@ 2026-04-17 12:35 Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
0 siblings, 2 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Allows rotating secrets without having to re-create the whole token.
Like already possible in pbs.
pve-access-control:
Hannes Laimer (1):
api: token: support regenerating the secret on update
src/PVE/API2/User.pm | 41 +++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
pve-manager:
Hannes Laimer (1):
ui: token: add regenerate secret button
www/manager6/dc/TokenView.js | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
Summary over all repositories:
2 files changed, 72 insertions(+), 6 deletions(-)
--
Generated by murpp 0.11.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
@ 2026-04-17 12:35 ` Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
1 sibling, 0 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Rotating a leaked API token currently requires deleting and
recreating it, which forces re-applying all ACLs that referenced it.
Add a `regenerate` flag to the token update endpoint that swaps in a
fresh secret in-place, preserving metadata and ACL entries. The new
secret is returned in the response.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/PVE/API2/User.pm | 41 +++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index 4742f17..80a5ad0 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -833,7 +833,8 @@ __PACKAGE__->register_method({
name => 'update_token_info',
path => '{userid}/token/{tokenid}',
method => 'PUT',
- description => "Update API token for a specific user.",
+ description => "Update API token for a specific user. NOTE: when 'regenerate' is set,"
+ . " the returned token value needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
check => [
@@ -848,6 +849,13 @@ __PACKAGE__->register_method({
expire => get_standard_option('token-expire'),
privsep => get_standard_option('token-privsep'),
comment => get_standard_option('token-comment'),
+ regenerate => {
+ description => "Regenerate the token's secret value. All users of the"
+ . " previous secret will lose access after this operation.",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
delete => {
type => 'string',
format => 'pve-configid-list',
@@ -856,13 +864,26 @@ __PACKAGE__->register_method({
},
},
},
- returns =>
- get_standard_option('token-info', { description => "Updated token information." }),
+ returns => $token_info_extend->({
+ value => {
+ type => 'string',
+ description => "API token value used for authentication."
+ . " Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ 'full-tokenid' => {
+ type => 'string',
+ format_description => '<userid>!<tokenid>',
+ description => "The full token id. Only set when 'regenerate' was set.",
+ optional => 1,
+ },
+ }),
code => sub {
my ($param) = @_;
my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
my $tokenid = extract_param($param, 'tokenid');
+ my $regenerate = extract_param($param, 'regenerate');
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
@@ -870,13 +891,14 @@ __PACKAGE__->register_method({
my $delete = extract_param($param, 'delete');
$delete = { map { $_ => 1 } PVE::Tools::split_list($delete) } if $delete;
+ my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+ my $value;
+
PVE::AccessControl::lock_user_config(
sub {
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
-
$token->{privsep} = $param->{privsep} if defined($param->{privsep});
$token->{expire} = $param->{expire} if defined($param->{expire});
$token->{comment} = $param->{comment} if defined($param->{comment});
@@ -894,13 +916,20 @@ __PACKAGE__->register_method({
delete $token->{$k};
}
+ $value = PVE::TokenConfig::generate_token($full_tokenid) if $regenerate;
+
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
},
'updating token info failed',
);
- return $token;
+ my $res = {%$token};
+ if ($regenerate) {
+ $res->{value} = $value;
+ $res->{'full-tokenid'} = $full_tokenid;
+ }
+ return $res;
},
});
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH pve-manager 2/2] ui: token: add regenerate secret button
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
@ 2026-04-17 12:35 ` Hannes Laimer
1 sibling, 0 replies; 3+ messages in thread
From: Hannes Laimer @ 2026-04-17 12:35 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
www/manager6/dc/TokenView.js | 37 ++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/www/manager6/dc/TokenView.js b/www/manager6/dc/TokenView.js
index b53cb888..8272729a 100644
--- a/www/manager6/dc/TokenView.js
+++ b/www/manager6/dc/TokenView.js
@@ -75,6 +75,26 @@ Ext.define('PVE.dc.TokenView', {
win.show();
};
+ let regenerate_token = function (_btn, _event, rec) {
+ if (!hasTokenCRUDPermissions(rec.data.userid)) {
+ return;
+ }
+ Proxmox.Utils.API2Request({
+ method: 'PUT',
+ url: urlFromRecord(rec),
+ params: { regenerate: 1 },
+ success: function (response) {
+ Ext.create('PVE.dc.TokenShow', {
+ autoShow: true,
+ tokenid: response.result.data['full-tokenid'],
+ secret: response.result.data.value,
+ });
+ reload();
+ },
+ failure: (res) => Ext.Msg.alert(gettext('Error'), res.htmlStatus),
+ });
+ };
+
let tbar = [
{
text: gettext('Add'),
@@ -104,6 +124,23 @@ Ext.define('PVE.dc.TokenView', {
getUrl: urlFromRecord,
},
'-',
+ {
+ xtype: 'proxmoxButton',
+ text: gettext('Regenerate Secret'),
+ disabled: true,
+ selModel: sm,
+ enableFn: (rec) => hasTokenCRUDPermissions(rec.data.userid),
+ dangerous: true,
+ confirmMsg: (rec) =>
+ Ext.String.format(
+ gettext(
+ "Regenerate the secret of the API token '{0}'? All users of the previous token secret will lose access!",
+ ),
+ rec.data.id,
+ ),
+ handler: regenerate_token,
+ },
+ '-',
{
xtype: 'proxmoxButton',
text: gettext('Show Permissions'),
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-17 12:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-04-17 12:35 [PATCH access-control/manager 0/2] fixes #7504: add support for regenerating secrets Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-access-control 1/2] api: token: support regenerating the secret on update Hannes Laimer
2026-04-17 12:35 ` [PATCH pve-manager 2/2] ui: token: add regenerate secret button Hannes Laimer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox