Re: [pve-devel] [PATCH common v3 1/1] json schema/rest environment: add 'expose_credentials' option

[Dominik Csapak <d.csapak@proxmox.com>]

On 11/14/25 4:03 PM, Thomas Lamprecht wrote:
> Am 14.11.25 um 15:42 schrieb Dominik Csapak:
>> this is used to mark api calls to have access to the credentials
>> of the connection (token/ticket/etc.).
>>
>> For that we also expose a 'set/get_credentials' call on the
>> RESTEnvironment.
>>
>> This must be set in the http/cli handler.
>>
> 
> Many thanks for fleshing this out!
> 
> Some generic workflow thing:
> Not that I have a need for my name to turn up even more in git log, I'd
> strongly recommend to add trailers like co-authored or originally-by when
> taking over such code/ideas. Partially its to pay credits, but more
> importantly (at least for me) it's to know the ones that where involved
> with coming up with this, and thus one can, e.g., ask about and
> potentially also know about the original/other use cases, and these
> reference, while not very often needed, can be worth a lot once they
> are needed.
> 
> Depending on the changes it doesn't have to be a trailer, one might also
> include a link to e.g. the mailing list discussion or a simple "this was
> suggested by ... as they wanted to have it for ...".
> Not a big thing (especially not for me for this specific case ;)), I
> just would like us all to pay a bit more attention to these details, it
> gets more relevant the more devs we become.

yes of course, sorry.

I actually thought to myself that i have to add that in the commit
message, but the time between that thought and actually writing
the commit message was obviously too long, so i simply forgot^^

in any case, i added the trailers now to my branches and
if i should need to send another version, it's included.

If not, feel free to add the necessary trailers ;)

> 
>> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
>> ---
>> new in v3
>>   src/PVE/JSONSchema.pm      |  8 ++++++++
>>   src/PVE/RESTEnvironment.pm | 14 ++++++++++++++
>>   2 files changed, 22 insertions(+)
>>
>> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
>> index c6e0f36..8278899 100644
>> --- a/src/PVE/JSONSchema.pm
>> +++ b/src/PVE/JSONSchema.pm
>> @@ -1850,6 +1850,14 @@ my $method_schema = {
>>               description => "Method needs special privileges - only pvedaemon can execute it",
>>               optional => 1,
>>           },
>> +        expose_credentials => {
>> +            type => 'boolean',
>> +            description => "Method needs access to the connecting users credentials (ticker or"
>> +                . " token), so it will be exposed through the RPC environment. Useful to avoid"
>> +                . " setting 'protected' when one needs to (manually) proxy to other cluster nodes."
>> +                . " nodes in the handler.",
>> +            optional => 1,
>> +        },
>>           allowtoken => {
>>               type => 'boolean',
>>               description => "Method is available for clients authenticated using an API token.",
>> diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm
>> index 7695850..d597557 100644
>> --- a/src/PVE/RESTEnvironment.pm
>> +++ b/src/PVE/RESTEnvironment.pm
>> @@ -235,6 +235,20 @@ sub get_user {
>>       die "user name not set\n";
>>   }
>>   
>> +sub set_credentials {
>> +    my ($self, $credentials) = @_;
>> +
>> +    $self->{credentials} = $credentials;
>> +}
>> +
>> +sub get_credentials {
>> +    my ($self, $noerr) = @_;
>> +
>> +    return $self->{credentials} if defined($self->{credentials}) || $noerr;
>> +
>> +    die "credentials not set\n";
>> +}
>> +
>>   sub set_u2f_challenge {
>>       my ($self, $challenge) = @_;
>>   
> 



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel