From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] Empty list as response of an API-endpoint
Date: Thu, 05 Jan 2023 09:37:24 +0100	[thread overview]
Message-ID: <1672907478.qzv3ze8grn.astroid@yuna.none> (raw)
In-Reply-To: <0c01739ac2da8649dd9f96cc374ce84b@shelldog.de>

On January 4, 2023 4:10 pm, Sven Scholle wrote:
> Hi,
> 
> I have a problem regarding the API rights management.
> 
> The following request returns an empty array when issued using a token 
> with the role PVEAuditor:
> 
> 'pve.foo.bar:8006/api2/json/nodes/{}/storage/{}/content?content=backup&vmid={}'.format(node, storage, vmid)
> 
> When I disable privilege separation or use the role Administrator, I 
> will receive the content in the storage matching the filters above.
> Those permissions do not seem to be sufficient: "Sys.Audit Sys.Syslog 
> Pool.Audit VM.Audit Datastore.Audit"
> 
> Using the permissions above, I'd expect to be granted to use the 
> API-call above. I also tried "VM.Backup", but that didn't do the trick.
> 
> Did I forget a permission or is there a bug?

Datastore.Audit is basically just to allow you to know about the storage.
without any other privs it will just allow you to read the status of the
storage. you need to also pass a per-volume check in order to "see" (or use, in
other contexts) the volume[0].

for your use-case of listing backup archives (provided they follow the regular
naming scheme, and the "owning" VMID is determinable for PVE) you need
'Datastore.AllocateSpace' on the storage, and 'VM.Backup' on the owning VMID.
note that this also gives you permission for an in-place restore of that backup
(well, you also need volume allocation rights on the target storage), there is
no separate privilege for "just knowing about, but not using" volumes.

hope this helps!

0: https://git.proxmox.com/?p=pve-storage.git;a=blob;f=PVE/Storage.pm;h=89c71163b011f633e26df55ee011b88e9c9c7318;hb=HEAD#l512
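A small Python model of the visibility rule described in the reply above, added here as an example (not code from pve-storage or from this thread): it shows why a PVEAuditor token gets an empty list from the content endpoint while a token holding Datastore.AllocateSpace on the storage and VM.Backup on the owning VMID sees only that VM's archives. The always-propagating ACL lookup, the sample volumes, and the treatment of archives whose owner cannot be determined from the name are assumptions of this model.

```python
import re

# Constructed role privilege set, matching the list quoted in the thread.
PVE_AUDITOR = {"Sys.Audit", "Sys.Syslog", "Pool.Audit", "VM.Audit", "Datastore.Audit"}

# Regular vzdump naming scheme: backup/vzdump-<type>-<vmid>-<timestamp>.<ext>
VZDUMP_RE = re.compile(r"^backup/vzdump-(?:qemu|lxc)-(\d+)-\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2}\.")

def owner_vmid(volname):
    """Owning VMID of a backup archive, or None when not determinable from the name."""
    m = VZDUMP_RE.match(volname)
    return int(m.group(1)) if m else None

def has_priv(acl, path, priv):
    """Modelled ACL lookup: a privilege granted on a path also applies below it
    (simplification; real PVE ACLs can be set non-propagating)."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), -1, -1):
        if priv in acl.get("/" + "/".join(parts[:i]), set()):
            return True
    return False

def volume_visible(acl, storage, volname):
    """Per-volume rule from the reply: AllocateSpace on the storage AND VM.Backup on the owner."""
    vmid = owner_vmid(volname)
    if vmid is None:  # owner not determinable: treated as not listable (assumption)
        return False
    return (has_priv(acl, f"/storage/{storage}", "Datastore.AllocateSpace")
            and has_priv(acl, f"/vms/{vmid}", "VM.Backup"))

def list_backups(acl, storage, volumes, vmid=None):
    """Model of GET .../storage/{storage}/content?content=backup[&vmid=N] for one token."""
    out = []
    for volid in volumes:
        sid, volname = volid.split(":", 1)
        if sid != storage or not volname.startswith("backup/"):
            continue
        if vmid is not None and owner_vmid(volname) != vmid:
            continue
        if volume_visible(acl, sid, volname):  # Datastore.Audit alone never passes this
            out.append(volid)
    return out

# Constructed storage content: two regularly named archives plus one that is not.
VOLUMES = [
    "local:backup/vzdump-qemu-100-2023_01_04-10_00_00.vma.zst",
    "local:backup/vzdump-lxc-101-2023_01_04-11_00_00.tar.zst",
    "local:backup/manual-copy.vma",
]
```

Calling `list_backups({"/": PVE_AUDITOR}, "local", VOLUMES, vmid=100)` yields the empty list from the original question, while an ACL granting `Datastore.AllocateSpace` on `/storage/local` and `VM.Backup` on `/vms/100` returns exactly the VMID 100 archive.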
