public inbox for pve-devel@lists.proxmox.com
* [pve-devel] Empty list as response of an API-endpoint
@ 2023-01-04 15:10 Sven Scholle
  2023-01-05  8:37 ` Fabian Grünbichler
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Scholle @ 2023-01-04 15:10 UTC (permalink / raw)
  To: pve-devel

Hi,

I have a problem regarding the API rights management.

The following request returns an empty array when issued using a token 
with the role PVEAuditor:

'pve.foo.bar:8006/api2/json/nodes/{}/storage/{}/content?content=backup&vmid={}'.format(node, storage, vmid)

When I disable privilege separation or use the role Administrator, I 
will receive the content in the storage matching the filters above.
Those permissions do not seem to be sufficient: "Sys.Audit Sys.Syslog 
Pool.Audit VM.Audit Datastore.Audit"

Using the permissions above, I'd expect to be granted to use the 
API-call above. I also tried "VM.Backup", but that didn't do the trick.

Did I forget a permission or is there a bug?

Used Proxmox-VE-Version: 7.2-1

Thanks!
Regards
Sven




* Re: [pve-devel] Empty list as response of an API-endpoint
  2023-01-04 15:10 [pve-devel] Empty list as response of an API-endpoint Sven Scholle
@ 2023-01-05  8:37 ` Fabian Grünbichler
  0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2023-01-05  8:37 UTC (permalink / raw)
  To: Proxmox VE development discussion

On January 4, 2023 4:10 pm, Sven Scholle wrote:
> Hi,
> 
> I have a problem regarding the API rights management.
> 
> The following request returns an empty array when issued using a token 
> with the role PVEAuditor:
> 
> 'pve.foo.bar:8006/api2/json/nodes/{}/storage/{}/content?content=backup&vmid={}'.format(node, storage, vmid)
> 
> When I disable privilege separation or use the role Administrator, I 
> will receive the content in the storage matching the filters above.
> Those permissions do not seem to be sufficient: "Sys.Audit Sys.Syslog 
> Pool.Audit VM.Audit Datastore.Audit"
> 
> Using the permissions above, I'd expect to be granted to use the 
> API-call above. I also tried "VM.Backup", but that didn't do the trick.
> 
> Did I forget a permission or is there a bug?

Datastore.Audit is basically just to allow you to know about the storage.
without any other privs it will just allow you to read the status of the
storage. you need to also pass a per-volume check in order to "see" (or use, in
other contexts) the volume[0].

for your use-case of listing backup archives (provided they follow the regular
naming scheme, and the "owning" VMID is determinable for PVE) you need
'Datastore.AllocateSpace' on the storage, and 'VM.Backup' on the owning VMID.
note that this also gives you permission for an in-place restore of that backup
(well, you also need volume allocation rights on the target storage), there is
no separate privilege for "just knowing about, but not using" volumes.

hope this helps!

0: https://git.proxmox.com/?p=pve-storage.git;a=blob;f=PVE/Storage.pm;h=89c71163b011f633e26df55ee011b88e9c9c7318;hb=HEAD#l512




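A simplified model of the per-volume check described in the reply above, as an added example that is not part of either message and is not PVE's own code. The permission maps, storage name and volume IDs are constructed, and only backup volumes with a determinable owning VMID are covered.

```python
# Simplified model of the rule stated in the reply: a backup volume is listed
# only if the token holds Datastore.AllocateSpace on the storage AND
# VM.Backup on the owning VMID. Not PVE's implementation.
BACKUP_REQUIREMENTS = (
    ("/storage/{storage}", "Datastore.AllocateSpace"),
    ("/vms/{vmid}", "VM.Backup"),
)


def missing_for_backup_listing(perms, storage, vmid):
    """Return the (acl_path, privilege) pairs the token still lacks."""
    missing = []
    for template, priv in BACKUP_REQUIREMENTS:
        path = template.format(storage=storage, vmid=vmid)
        if priv not in perms.get(path, set()):
            missing.append((path, priv))
    return missing


def visible_backups(perms, storage, volumes):
    """Volumes failing the check are dropped silently, so the caller
    sees an empty list instead of a permission error."""
    return [v["volid"] for v in volumes
            if not missing_for_backup_listing(perms, storage, v["vmid"])]


STORAGE = "backup-nfs"  # constructed storage name
VOLUMES = [  # constructed sample content listing
    {"volid": "backup-nfs:backup/vzdump-qemu-100-2023_01_03-02_00_00.vma.zst", "vmid": 100},
    {"volid": "backup-nfs:backup/vzdump-qemu-100-2023_01_04-02_00_00.vma.zst", "vmid": 100},
    {"volid": "backup-nfs:backup/vzdump-qemu-101-2023_01_04-02_10_00.vma.zst", "vmid": 101},
]
# Constructed effective privileges per ACL path for three token setups.
AUDITOR = {"/storage/backup-nfs": {"Datastore.Audit"},
           "/vms/100": {"VM.Audit"}, "/vms/101": {"VM.Audit"}}
AUDITOR_PLUS_VM_BACKUP = {"/storage/backup-nfs": {"Datastore.Audit"},
                          "/vms/100": {"VM.Audit", "VM.Backup"},
                          "/vms/101": {"VM.Audit"}}
SCOPED = {"/storage/backup-nfs": {"Datastore.Audit", "Datastore.AllocateSpace"},
          "/vms/100": {"VM.Audit", "VM.Backup"}, "/vms/101": {"VM.Audit"}}

if __name__ == "__main__":
    for name, perms in [("auditor", AUDITOR),
                        ("auditor + VM.Backup", AUDITOR_PLUS_VM_BACKUP),
                        ("scoped", SCOPED)]:
        print(name, visible_backups(perms, STORAGE, VOLUMES))
        print("  missing for 100:", missing_for_backup_listing(perms, STORAGE, 100))
```

Per the reply, the same two privileges also permit an in-place restore of the backup, so scope them to the specific storage and VMIDs the token needs rather than granting them at the root path.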
