adelorenzo/portainer-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ed37ee9e12
portainer-mcp/CLAUDE.md
Adolfo Delorenzo 84ca8aee99 first commit
2025-07-18 07:33:27 -06:00

182 lines
4.7 KiB
Markdown
Raw Blame History

# Portainer Core MCP Server
This MCP server provides authentication and core management functionality for Portainer Business Edition.
## Server Purpose
**Primary Functions:**
- User authentication and session management
- API token generation and validation
- User profile and settings management
- Basic system information retrieval
**Part of Portainer MCP Suite:**
- `portainer-core` - Authentication and user management (this server)
- `portainer-teams` - Teams and RBAC management
- `portainer-environments` - Environment and endpoint management
- `portainer-docker` - Docker container operations
- `portainer-kubernetes` - Kubernetes cluster management
- `portainer-stacks` - Stack deployment and management
- `portainer-edge` - Edge computing and device management
## Authentication Flow
**Required for all operations:**
1. Initialize admin user (first time setup)
2. Authenticate to get JWT token
3. Use token in `X-API-Key` header for all requests
**Token Management:**
- Tokens expire based on server configuration
- Generate new tokens before expiration
- Store tokens securely in environment variables
## Base Configuration
**Environment Variables:**
```bash
PORTAINER_URL=https://your-portainer-instance.com
PORTAINER_API_KEY=your-api-token
```
**API Base URLs:**
- Business Edition: `{PORTAINER_URL}/api`
- All endpoints require authentication except initial admin setup
## Common Response Patterns
**Success Response Structure:**
```json
{
"Id": 1,
"Username": "admin",
"Role": 1,
"CreationDate": 1631852794
}
```
**Error Response Structure:**
```json
{
"message": "Invalid credentials",
"details": "Authentication failed"
}
```
## Core Endpoint Categories
**Authentication Endpoints:**
- `POST /api/users/admin/init` - Initialize admin user
- `POST /api/auth` - Authenticate user
- `POST /api/users/{id}/tokens` - Generate API token
- `DELETE /api/auth` - Logout/invalidate session
**User Management:**
- `GET /api/users` - List users
- `POST /api/users` - Create user
- `GET /api/users/{id}` - Get user details
- `PUT /api/users/{id}` - Update user
- `DELETE /api/users/{id}` - Delete user
**Settings:**
- `GET /api/settings` - Get Portainer settings
- `PUT /api/settings` - Update settings
- `GET /api/settings/public` - Get public settings
## Error Handling
**Common HTTP Status Codes:**
- `200` - Success
- `201` - Created
- `400` - Bad Request (invalid parameters)
- `401` - Unauthorized (invalid/missing token)
- `403` - Forbidden (insufficient permissions)
- `404` - Not Found
- `409` - Conflict (resource already exists)
- `500` - Internal Server Error
**Retry Logic:**
- Implement exponential backoff for 5xx errors
- Refresh token on 401 responses
- Maximum 3 retry attempts
## Security Considerations
**Best Practices:**
- Always use HTTPS in production
- Rotate API tokens regularly
- Implement proper token storage
- Log authentication events
- Rate limit API calls
**RBAC Integration:**
- Check user permissions before operations
- Respect environment-level access controls
- Honor team-based restrictions
## Development Workflow
**Testing Authentication:**
```bash
# Test admin initialization
curl -X POST "${PORTAINER_URL}/api/users/admin/init" \
-H "Content-Type: application/json" \
-d '{"Username":"admin","Password":"yourpassword"}'
# Test login
curl -X POST "${PORTAINER_URL}/api/auth" \
-H "Content-Type: application/json" \
-d '{"Username":"admin","Password":"yourpassword"}'
```
**Local Development:**
- Use Docker Compose with Portainer for testing
- Mock authentication for unit tests
- Validate all endpoints with proper error handling
## Integration Notes
**With Other MCP Servers:**
- Share authentication state across Portainer MCP servers
- Use consistent error handling patterns
- Maintain session context for user operations
**Rate Limits:**
- Portainer has built-in rate limiting
- Implement client-side throttling
- Monitor for 429 responses
## Troubleshooting
**Common Issues:**
- **401 Unauthorized**: Check token validity and format
- **403 Forbidden**: Verify user permissions and RBAC settings
- **Connection Refused**: Confirm Portainer URL and network access
- **SSL Errors**: Validate certificate configuration
**Debug Commands:**
```bash
# Verify Portainer connectivity
curl -I "${PORTAINER_URL}/api/status"
# Check current user context
curl -H "X-API-Key: ${PORTAINER_API_KEY}" \
"${PORTAINER_URL}/api/users/me"
```
**Logging:**
- Enable verbose logging for authentication flows
- Log all API calls with timestamps
- Mask sensitive data in logs (passwords, tokens)
## Version Compatibility
**Supported Versions:**
- Portainer Business Edition 2.30.x+
- API Version: 2.31.3
**Breaking Changes:**
- Monitor Portainer release notes for API changes
- Test against new versions before upgrading
- Maintain backward compatibility where possible
Reference in New Issue View Git Blame Copy Permalink