RE: API authentication token permissions

Hi @halvor,
FYI, ACL V2 / RBAC is now available in the REST API.

You can create a privilege that only give you read privilege on your host.
You can see the RBAC doc.
A dedicated thread is available on the forum thread, please feel free to share your feedback.

Thank you.

Hi @jedimarcus,
FYI, VIF creation is possible via the REST API POST /rest/v0/vifs

Hi, @14wkinnersley
We merged the PATCH /vms/:id endpoint onto the master branch

@acebmxer Hi

i am able to reproduce the dashboard issue locally now, so we can also investigate on our end.

Can you confirm, no dashboard issue on the commit : ee53cd072304a38e8bf816dceef9bc7277b776dc?

@acebmxer I remeber some users experiencing issues with XO6 due to a misconfigured NGINX reverse proxy (it was blocking SSE, which XO6 uses).

Is your reverse proxy configured correctly?

I won't have time to examine the script myself

@acebmxer Thank for your investigation.

• You talk about a script install-xen-orchestra.sh, but the link seems dead. What is that script, it is a script provided by Vates?
• Bearer token is not supported (the xo doc say we can use Basic auth, or cookie to connect). If Bearer token is an absolute need, we can think about implementing it.
• For XO6 UI that doesn't build, can you provide the full error log?

To reproduce dashbloard loading issues, we have to:

• have a fresh XO install
• import an XO config that come for antoher XO
• connect as the default admin@admin.net, and create another user
• connect as the new user, and delete the default user (admin@admin.net)

Symptom: Every browser session token fails immediately after login. Seconds after logging in, xo-server logs

Only browser session that use the deleted account fails, or even sessions with untouched users?

After that, the issue occures even if we logout/login with the new user?

@acebmxer Thanks!

What's strange is that the previous log shows a 401 status code for the /schedules endpoint, but you can access it.
The xo:rest-api:listener ERROR cannot handle data for task list> error is also odd.

You say you only have one user, but it seems you had several before, right?
Could you try logging out and then logging back in?

Is there perhaps a bug during user deletion that would keep some active but malfunctioning authentication tokens?

@acebmxer Thanks.
So, no issue to compute the dashboard.

In your log, I see unexpected 401 responses code.

Could you try /rest/v0/schedules and let me know the result? (and any XO-server errors that occur)

@acebmxer Hi,
Do you use an admin users or do you use a non admin users with RBAC/ACL-V2?

What is the ouput of /rest/v0/users/me?
Also, what is the ouput of /rest/v0/dashboard?

@acebmxer It also works on your XOA.

Thank you both for your availability for testing. I will see with the XO team when to release a fix.

We apologize for any inconvenience

Thanks @Baronvaile, the fix seems to work.

@acebmxer i will also patch your XOA, It's better to have several confirmations

Thanks @Baronvaile. Can i restart xo-server?

Can someone open a support tunnel, so that i can test a fix?

PR: https://github.com/vatesfr/xen-orchestra/pull/9798

MathieuRA opened this pull request in vatesfr/xen-orchestra

closed fix(rest-api): early return for admin user in acl check #9798

Hello, I'm investigating the problem.

@jr-m4 a fix is available on master for the SDN-controller plugin

@jr-m4 I can confirm there's a problem registering the SDN controller.
We're working on it.

Apr 29 05:11:14 mra-dev xo-server[26755]: 2026-04-29T09:11:14.973Z xo:plugin INFO failed register sdn-controller
Apr 29 05:11:14 mra-dev xo-server[26755]: 2026-04-29T09:11:14.973Z xo:plugin INFO Cannot find module 'api-errors.js'
Apr 29 05:11:14 mra-dev xo-server[26755]: Require stack:
Apr 29 05:11:14 mra-dev xo-server[26755]: - /home/debian/xen-orchestra/packages/xo-server-sdn-controller/dist/index.js {
Apr 29 05:11:14 mra-dev xo-server[26755]:   error: Error: Cannot find module 'api-errors.js'
Apr 29 05:11:14 mra-dev xo-server[26755]:   Require stack:
Apr 29 05:11:14 mra-dev xo-server[26755]:   - /home/debian/xen-orchestra/packages/xo-server-sdn-controller/dist/index.js
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Function._resolveFilename (node:internal/modules/cjs/loader:1401:15)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at defaultResolveImpl (node:internal/modules/cjs/loader:1057:19)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1062:22)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Function._load (node:internal/modules/cjs/loader:1211:37)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at TracingChannel.traceSync (node:diagnostics_channel:322:14)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at wrapModuleLoad (node:internal/modules/cjs/loader:235:24)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Module.require (node:internal/modules/cjs/loader:1487:12)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at require (node:internal/modules/helpers:135:16)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Object.<anonymous> (/home/debian/xen-orchestra/packages/xo-server-sdn-controller/src/index.js:17:1)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Module._compile (node:internal/modules/cjs/loader:1730:14)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Object..js (node:internal/modules/cjs/loader:1895:10)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Module.load (node:internal/modules/cjs/loader:1465:32)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Function._load (node:internal/modules/cjs/loader:1282:12)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at TracingChannel.traceSync (node:diagnostics_channel:322:14)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at wrapModuleLoad (node:internal/modules/cjs/loader:235:24)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at cjsLoader (node:internal/modules/esm/translators:266:5)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at ModuleWrap.<anonymous> (node:internal/modules/esm/translators:200:7)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at ModuleJob.run (node:internal/modules/esm/module_job:329:25)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:644:26)
Apr 29 05:11:14 mra-dev xo-server[26755]:       at Xo.registerPlugin (file:///home/debian/xen-orchestra/packages/xo-server/src/index.mjs:379:19) {
Apr 29 05:11:14 mra-dev xo-server[26755]:     code: 'MODULE_NOT_FOUND',
Apr 29 05:11:14 mra-dev xo-server[26755]:     requireStack: [
Apr 29 05:11:14 mra-dev xo-server[26755]:       '/home/debian/xen-orchestra/packages/xo-server-sdn-controller/dist/index.js'
Apr 29 05:11:14 mra-dev xo-server[26755]:     ]
Apr 29 05:11:14 mra-dev xo-server[26755]:   }
Apr 29 05:11:14 mra-dev xo-server[26755]: }

@jr-m4 Can you check your XO server logs to see if you see any errors when attempting to register the SDN-controller plugin?

@acebmxer
Hi, we've detected a memory leak at the REST API level.
We pushed a fix on the branch: mra-fix-rest-memory-leak
Can you test the branch?

@pilow @majorp93
Hi, we've detected a memory leak at the REST API level.
We pushed a fix on the branch: mra-fix-rest-memory-leak
Can you test the branch?

@Team-XO-Backend Someone can take a look at it? I won't be to much available this week