[SOLVED] API Token config

Veeh · Jul 12, 2021

Hi,

I'm new to the API world. But with what I've been able to do so far, I'm a fan!!

I have been able to work with the UserCredential/Ticket auth method.
Reusing the AuthCookie and Csrfpreventiontoken. All good.
I made a few scripts to automate some actions, and it's working fine.

Now I would like to go to the next step, skip this ticket request and use the API token for Auth.
But it's giving me data=null !

I'm passing the token as an Authorization value in the header. But I'm missing something.
Could you help me?
thank you.

Veeh

fabian · Jul 13, 2021

just to make sure - the "TOKENID" in your screenshot is you censoring your API token secret?

if not, you need to put the secret that got displayed when generating the token in its place..

do you see anything in the logs of the PVE host? journalctl -u pveproxy -u pvedaemon -f and repeat your attempt..

Veeh · Jul 13, 2021

Hello,

Thank you fabian. Sorry about the misleading screenshot, but yes "TOKENID" was the token secret.
I could not see anything in the log when running the query.
Where I usually get "successful auth for user 'api@pve'" (When using a ticket)
So I created a new token for the same user and it worked!

Weird, when the info is wrong the request returns a 401 invalid user/token...
the data:null threw me off, I should have tried with another token way sooner.
thanks.
Have a nice day

Edit: I realized something, I had "privilege separation" enable with the first token. Not the new one.
So I created another one to test this, and that's it. With privilege separation enable, I get data:null as a response.
You can disable it afterward, and it's working fine.
I presume this function is there to disable a token without removing it?
It's enabled by default though.

fabian · Jul 14, 2021

Veeh said:
Hello,

Thank you fabian. Sorry about the misleading screenshot, but yes "TOKENID" was the token secret.
I could not see anything in the log when running the query.
Where I usually get "successful auth for user 'api@pve'" (When using a ticket)
So I created a new token for the same user and it worked!

Weird, when the info is wrong the request returns a 401 invalid user/token...
the data:null threw me off, I should have tried with another token way sooner.
thanks.
Have a nice day

Edit: I realized something, I had "privilege separation" enable with the first token. Not the new one.
So I created another one to test this, and that's it. With privilege separation enable, I get data:null as a response.
You can disable it afterward, and it's working fine.
I presume this function is there to disable a token without removing it?
It's enabled by default though.

no, privilege separation means that you need to configure access for the token explicitly (within the limits of the ACLs of the owning user). without, the token automatically has exactly the same access as the user itself. e.g., you could define a token that just has power management privileges for guests (for automatic starting/stopping/.. via the API), but no possibility to change the config of the guests even though the user can.

Veeh · Jul 14, 2021

fabian said:
no, privilege separation means that you need to configure access for the token explicitly (within the limits of the ACLs of the owning user). without, the token automatically has exactly the same access as the user itself. e.g., you could define a token that just has power management privileges for guests (for automatic starting/stopping/.. via the API), but no possibility to change the config of the guests even though the user can.

Nice that's cool indeed. Right now to solve my issue I don't use it, but I have the permission set up at the user level.
I'll check this out, might be better to restrict the access at that level instead.
Thanks Fabian

Search

Search

[SOLVED] API Token config

Veeh

Well-Known Member

fabian

Proxmox Staff Member

Veeh

Well-Known Member

fabian

Proxmox Staff Member

Veeh

Well-Known Member