[pve-devel] Feature: OAuth / OpenID-connect implementation

[pve-devel] Feature: OAuth / OpenID-connect implementation

[Michael Honkoop]

Hi all, 

I am slowly working on implementing the authentication method/ entry fields for it  in PVE, which have shown up, and look to be fine (at first glance).

There are 2 things i am yes unable to grasp, and i hope you could give me some directions : 

1)
UI : 
As Oauth/OpenID-connect does not have a need for a field 'tfa', but its inherited from the common auth, i'd like to override it ( as in not visible)

2)
Schema: 
I cant seem to get where a/the schema is defined, or updated for that matter.
I mean i have the UI / auth on the dc level now showing an entry and when i select add it will spawn the dialog to input parameters.
However if i were to put some text in there and click add it spawns an errormessage 'Parameter verification failed. (400)', 'type: value 'oauth' does not have a value in the enumeration 'ad, ldap, pam, pve'' and 'property is not defined in schema and the schema does not allow additional properties'

i've been searching where i can define it but this still have not found, or better said due to my newness in this i'm not following where it is/should be defined.

best regards, 

Michael Honkoop

Re: [pve-devel] Feature: OAuth / OpenID-connect implementation

[Fabian Grünbichler]

On December 13, 2020 2:16 am, Michael Honkoop wrote:
> Hi all, 
> 
> I am slowly working on implementing the authentication method/ entry fields for it  in PVE, which have shown up, and look to be fine (at first glance).
> 
> There are 2 things i am yes unable to grasp, and i hope you could give me some directions : 
> 
> 1)
> UI : 
> As Oauth/OpenID-connect does not have a need for a field 'tfa', but its inherited from the common auth, i'd like to override it ( as in not visible)
> 
> 2)
> Schema: 
> I cant seem to get where a/the schema is defined, or updated for that matter.
> I mean i have the UI / auth on the dc level now showing an entry and when i select add it will spawn the dialog to input parameters.
> However if i were to put some text in there and click add it spawns an errormessage 'Parameter verification failed. (400)', 'type: value 'oauth' does not have a value in the enumeration 'ad, ldap, pam, pve'' and 'property is not defined in schema and the schema does not allow additional properties'
> 
> i've been searching where i can define it but this still have not found, or better said due to my newness in this i'm not following where it is/should be defined.

the possible realm types are defined here:

 https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=PVE/API2/Domains.pm;h=9c2b2548028790f19baaa81bde4cf0f071bb7719;hb=HEAD#l86
 https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=PVE/Auth/Plugin.pm;h=141305336c8640dd40879eb6e084b95c51ad0fa7;hb=HEAD
 https://git.proxmox.com/?p=pve-access-control.git;a=tree;f=PVE/Auth;h=935646bae7647759c8b9ac04881275affb184500;hb=HEAD

each type registers as a plugin in the SectionConfig (which is in 
pve-common), the add/update/delete schemas are generated from the plugin 
definitions.

> 
> best regards, 
> 
> Michael Honkoop
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 

Re: [pve-devel] Feature: OAuth / OpenID-connect implementation

[Michael Honkoop]

Hi Fabian,

Thanks for your hints regarding where to find the realm types,
researching further on my issue.

best regards, 

Michael Honkoop

>>> Fabian Grünbichler <f.gruenbichler@proxmox.com> 8:12 14-12-2020
>>>
On December 13, 2020 2:16 am, Michael Honkoop wrote:
> Hi all, 
> 
> I am slowly working on implementing the authentication method/ entry
fields for it  in PVE, which have shown up, and look to be fine (at
first glance).
> 
> There are 2 things i am yes unable to grasp, and i hope you could
give me some directions : 
> 
> 1)
> UI : 
> As Oauth/OpenID-connect does not have a need for a field 'tfa', but
its inherited from the common auth, i'd like to override it ( as in not
visible)
> 
> 2)
> Schema: 
> I cant seem to get where a/the schema is defined, or updated for that
matter.
> I mean i have the UI / auth on the dc level now showing an entry and
when i select add it will spawn the dialog to input parameters.
> However if i were to put some text in there and click add it spawns
an errormessage 'Parameter verification failed. (400)', 'type: value
'oauth' does not have a value in the enumeration 'ad, ldap, pam, pve''
and 'property is not defined in schema and the schema does not allow
additional properties'
> 
> i've been searching where i can define it but this still have not
found, or better said due to my newness in this i'm not following where
it is/should be defined.

the possible realm types are defined here:

https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=PVE/API2/Domains.pm;h=9c2b2548028790f19baaa81bde4cf0f071bb7719;hb=HEAD#l86

https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=PVE/Auth/Plugin.pm;h=141305336c8640dd40879eb6e084b95c51ad0fa7;hb=HEAD

https://git.proxmox.com/?p=pve-access-control.git;a=tree;f=PVE/Auth;h=935646bae7647759c8b9ac04881275affb184500;hb=HEAD


each type registers as a plugin in the SectionConfig (which is in 
pve-common), the add/update/delete schemas are generated from the
plugin 
definitions.

> 
> best regards, 
> 
> Michael Honkoop
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] Feature: OAuth / OpenID-connect implementation - II

[Michael Honkoop]

Hi all, 

In watching build-behaviour, i notice that when i build another git repo (pve-manager) it drops the directory 'dest' and then ( if one deletes the resulting *buildinfo, *.changes and *.deb) starts rebuilding.

On the pve-access-control it does not remove the directory 'libpve-access-control-6.1' , so when one has this dir, ( and assuming same behaviour as seen on pve-manager repo) it will take all sources from this dir - regardless of changes.

Is there a specific reason this differs from the pve-manager repo ? - as only after analysing why my added file was skipped over and over again ( in pve-access-control ) has lead me to a lot of questionmarks in my mind.

best regards, 

Michael Honkoop

Re: [pve-devel] Feature: OAuth / OpenID-connect implementation - II

[Fabian Grünbichler]

On December 15, 2020 12:44 am, Michael Honkoop wrote:
> Hi all, 
> 
> In watching build-behaviour, i notice that when i build another git repo (pve-manager) it drops the directory 'dest' and then ( if one deletes the resulting *buildinfo, *.changes and *.deb) starts rebuilding.
> 
> On the pve-access-control it does not remove the directory 'libpve-access-control-6.1' , so when one has this dir, ( and assuming same behaviour as seen on pve-manager repo) it will take all sources from this dir - regardless of changes.
> 
> Is there a specific reason this differs from the pve-manager repo ? - as only after analysing why my added file was skipped over and over again ( in pve-access-control ) has lead me to a lot of questionmarks in my mind.

no, no specific reason except that Makefiles tend to grow over time, and 
sometimes improvements/changes don't make it to all of them. feel free 
to improve upon it if you want, for the smaller repos when in doubt just 
add a 'make clean' before your build - the build should be rather fast 
anyway even when starting from scratch ;)