From: Dominik Csapak
To: Thomas Lamprecht, Proxmox VE development discussion
Date: Fri, 14 Nov 2025 16:10:02 +0100
Subject: Re: [pve-devel] [PATCH common v3 1/1] json schema/rest environment: add 'expose_credentials' option

On 11/14/25 4:03 PM, Thomas Lamprecht wrote:
> On 14.11.25 at 15:42, Dominik Csapak wrote:
>> this is used to mark api calls to have access to the credentials
>> of the connection (token/ticket/etc.).
>>
>> For that we also expose a 'set/get_credentials' call on the
>> RESTEnvironment.
>>
>> This must be set in the http/cli handler.
>>
>
> Many thanks for fleshing this out!
>
> Some generic workflow thing:
> Not that I have a need for my name to turn up even more in git log, I'd
> strongly recommend to add trailers like co-authored or originally-by when
> taking over such code/ideas. Partially it's to pay credits, but more
> importantly (at least for me) it's to know the ones that were involved
> with coming up with this, and thus one can, e.g., ask about and
> potentially also know about the original/other use cases, and these
> references, while not very often needed, can be worth a lot once they
> are needed.
>
> Depending on the changes it doesn't have to be a trailer, one might also
> include a link to e.g. the mailing list discussion or a simple "this was
> suggested by ... as they wanted to have it for ...".
> Not a big thing (especially not for me for this specific case ;)), I
> just would like us all to pay a bit more attention to these details, it
> gets more relevant the more devs we become.

yes of course, sorry. I actually thought to myself that i have to add that
in the commit message, but the time between that thought and actually writing
the commit message was obviously too long, so i simply forgot^^

in any case, i added the trailers now to my branches and if i should need to
send another version, it's included. If not, feel free to add the necessary
trailers ;)

> >> Signed-off-by: Dominik Csapak >> --- >> new in v3 >> src/PVE/JSONSchema.pm | 8 ++++++++ >> src/PVE/RESTEnvironment.pm | 14 ++++++++++++++ >> 2 files changed, 22 insertions(+) >> >> diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm >> index c6e0f36..8278899 100644 >> --- a/src/PVE/JSONSchema.pm >> +++ b/src/PVE/JSONSchema.pm >> @@ -1850,6 +1850,14 @@ my $method_schema = { >> description => "Method needs special privileges - only pvedaemon can execute it", >> optional => 1, >> }, >> + expose_credentials => { >> + type => 'boolean', >> + description => "Method needs access to the connecting users credentials (ticker or" >> + . " token), so it will be exposed through the RPC environment. Useful to avoid" >> + . " setting 'protected' when one needs to (manually) proxy to other cluster nodes." >> + . " nodes in the handler.", >> + optional => 1, >> + }, >> allowtoken => { >> type => 'boolean', >> description => "Method is available for clients authenticated using an API token.", >> diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm >> index 7695850..d597557 100644 >> --- a/src/PVE/RESTEnvironment.pm >> +++ b/src/PVE/RESTEnvironment.pm
>> @@ -235,6 +235,20 @@ sub get_user { >> die "user name not set\n"; >> } >> >> +sub set_credentials { >> + my ($self, $credentials) = @_; >> + >> + $self->{credentials} = $credentials; >> +} >> + >> +sub get_credentials { >> + my ($self, $noerr) = @_; >> + >> + return $self->{credentials} if defined($self->{credentials}) || $noerr; >> + >> + die "credentials not set\n"; >> +} >> + >> sub set_u2f_challenge { >> my ($self, $challenge) = @_; >> >
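
Review bot: the description string added for expose_credentials in the src/PVE/JSONSchema.pm hunk has wording defects: "ticker" should be "ticket", "connecting users credentials" should be "connecting user's credentials", and the last two concatenated fragments join into "proxy to other cluster nodes. nodes in the handler." Suggest ending the string with " setting 'protected' when one needs to (manually) proxy to other cluster nodes in the handler." Since the commit message says the value "must be set in the http/cli handler", it would also help if the description said that the flag only takes effect when the handler passes the credentials to the RPC environment.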
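
Review bot: get_credentials in the src/PVE/RESTEnvironment.pm hunk returns the stored value to any caller and does not itself check whether the running method declared expose_credentials, so the restriction rests entirely on the http/cli handler calling set_credentials only for flagged methods. Please document that contract in a comment above set_credentials, together with the expected shape of $credentials (ticket or token), because the setter accepts any value unchecked. The hunk also does not show the stored value being cleared, so it is worth confirming that a reused environment object cannot hand the previous request's credentials to a later method that lacks the flag.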