Proxmox Datacenter Manager 1.0 (stable)

Sorry, I am a total noob when it comes to REST API. Does that mean that:
A: Is the connection always and mandatory secured with HTTPS, just like with PBS?
B: you recommend a VPN instead exposing the host, since it is best practice?
C: Does the REST API have a "brute force protection" by using a SHA256 key, instead of username + password?

Because then I found the easiest way for me to (just like with PBS) simply create a Firewall rule that looks like this, instead of using a VPN:
Allow all incoming TCP on all ports, from STATIC_IPV6_REMOTE to STATIC_IPV6_LOCAL.
 
Last edited:
IsThisThingOn said:
A: Is the connection always and mandatory secured with HTTPS, just like with PBS?
Click to expand...
Yes, all remotes are only connected to via HTTPS.

IsThisThingOn said:
B: you recommend a VPN instead exposing the host, since it is best practice?
Click to expand...
This depends on your setup. If everything is local in your network, a VPN may not be necessary. If you split your infrastructure across several networks, and it is not possible for PDM to connect to all remotes, then yes using a VPN or similar to allow direct connections from PDM to its remotes is recommended.

IsThisThingOn said:
C: Does the REST API have a "brute force protection" by using a SHA256 key, instead of username + password?
Click to expand...
There are numerous protections in-place. However, you should not rely on any single measure, but rather try to pursue a “defense in-depth” approach. I am not sure what exactly SHA256 is supposed to protect in this scenario. However, in terms of brute force protection when it comes to authentication I am aware of the following measures:

- When authentication fails, the API adds an intentional 3s delay to all requests. This should prohibit fast retries.
- Passwords are stored and verified with yescrypt. Yescrypt uses a work and space factor as well as salts. This should limit various attacks on passwords, such as rainbow tables. It is also hard for an attacker to get access to the actual password from the generated hash. The work and space factors also make it harder to compute hashes fast, preventing brute force attacks to some degree.
 
  • Like
Reactions: IsThisThingOn
I found a tiny error, nothing major by all means. I have two pve nodes, pve1 and pve2 and they both show up under clustername pve. When I go to the cluster then when I want to view the data per node it shows up fine, as far as I can see, but not for the "Notes" tab, that one shows the same "Note" for both nodes. I believe that's an error. Although very minor. FYI, I am using the latest pdm version available.
 
Hello!

I just updated Beta to 1.0.2 mainly to check out the new OpenID Realm authentication option.

That worked fine, I can now log in using our SSO account instead of being root@pam. But...

When logged in with the new user, I see 0 configured remotes? Root still sees all three remotes just fine.

It is really diminishing the value of per-user logins if everyone needs to set up their own tokens and accesses to clusters.

There is only one remotes.cfg so it makes much more sense to have the remotes configuration product-wide instead of per-user.

Having this per-user also introduces funny licensing questions. Say the root user is <80% for seeing all clusters (including test ones); but I can create a personal login seeing only the Standard clusters. Then I can not receive enterprise updates but simultaneously can receive enterprise updates for the system, depending on who I log in as? Schrödinger's licensing?
 
winterwonderland said:
When logged in with the new user, I see 0 configured remotes? Root still sees all three remotes just fine.
Click to expand...
I think you are misunderstanding something here. The remote configurations are not per user. You probably just haven't given your new user any permissions, so it does not see existing remotes. Simply configure appropriate permissions for the OpenID user in the Access Control menu.
 
sterzy said:
I think you are misunderstanding something here. The remote configurations are not per user. You probably just haven't given your new user any permissions, so it does not see existing remotes. Simply configure appropriate permissions for the OpenID user in the Access Control menu.
Click to expand...
Indeed, that was me being stupid :-)

All is well now, but raises the next point: PVE has group management with OIDC; on PDM you can only manage permissions for individual users. Feature parity with PVE would be nice here.
 
winterwonderland said:
All is well now, but raises the next point: PVE has group management with OIDC; on PDM you can only manage permissions for individual users. Feature parity with PVE would be nice here.
Click to expand...
Yes there is already an open bug to track implementing groups for PDM [1]. The context there is LDAP/AD realms, but of course OpenID realms would be part of that too once we implement it.

[1]: https://bugzilla.proxmox.com/show_bug.cgi?id=6883
 
You must log in or register to reply here.
Top Bottom