From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Thu, 05 Jan 2023 09:37:24 +0100
Subject: Re: [pve-devel] Empty list as response of an API-endpoint
Message-Id: <1672907478.qzv3ze8grn.astroid@yuna.none>
In-Reply-To: <0c01739ac2da8649dd9f96cc374ce84b@shelldog.de>

On January 4, 2023 4:10 pm, Sven Scholle wrote:
> Hi,
>
> I have a problem regarding the API rights management.
>
> The following request returns an empty array when issued using a token
> with the role PVEAuditor:
>
> 'pve.foo.bar:8006/api2/json/nodes/{}/storage/{}/content?content=backup&vmid={}'.format(node,
> storage, vmid)
>
> When I disable privilege separation or use the role Administrator, I
> will receive the content in the storage matching the filters above.
> Those permissions do not seem to be sufficient: "Sys.Audit Sys.Syslog
> Pool.Audit VM.Audit Datastore.Audit"
>
> Using the permissions above, I'd expect to be granted to use the
> API-call above. I also tried "VM.Backup", but that didn't do the trick.
>
> Did I forget a permission or is there a bug?

Datastore.Audit is basically just to allow you to know about the storage.
without any other privs it will just allow you to read the status of the
storage. you need to also pass a per-volume check in order to "see" (or use,
in other contexts) the volume[0].

for your use-case of listing backup archives (provided they follow the regular
naming scheme, and the "owning" VMID is determinable for PVE) you need
'Datastore.AllocateSpace' on the storage, and 'VM.Backup' on the owning VMID.

note that this also gives you permission for an in-place restore of that backup
(well, you also need volume allocation rights on the target storage), there is
no separate privilege for "just knowing about, but not using" volumes.

hope this helps!

0: https://git.proxmox.com/?p=pve-storage.git;a=blob;f=PVE/Storage.pm;h=89c71163b011f633e26df55ee011b88e9c9c7318;hb=HEAD#l512
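The two-stage check described in the reply (Datastore.Audit to know about the storage, then a per-volume check of Datastore.AllocateSpace on the storage plus VM.Backup on the owning VMID), modelled as an added illustration that is not PVE's own Storage.pm code. The ACL map layout, the simplified privilege propagation and the vzdump name pattern are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed approximation of the vzdump archive naming scheme
# (vzdump-<type>-<vmid>-<timestamp>...); PVE's own matching is more general.
VZDUMP_RE = re.compile(r"^vzdump-(?:qemu|lxc|openvz)-(\d+)-")

# Privileges of the built-in PVEAuditor role, as quoted in the thread.
PVEAUDITOR = {"Sys.Audit", "Sys.Syslog", "Pool.Audit", "VM.Audit", "Datastore.Audit"}

def owner_vmid(volid: str) -> Optional[int]:
    """Owning VMID of a backup volid such as 'local:backup/vzdump-qemu-100-...', else None."""
    _storage, _, volname = volid.partition(":")
    if not volname.startswith("backup/"):
        return None
    m = VZDUMP_RE.match(volname[len("backup/"):])
    return int(m.group(1)) if m else None

def has_priv(acl: Dict[str, Set[str]], path: str, priv: str) -> bool:
    """Simplified ACL model (assumption): privileges on '/' apply everywhere, others only on their exact path."""
    return priv in acl.get(path, set()) | acl.get("/", set())

def list_backups(acl: Dict[str, Set[str]], storage: str, volids: List[str]) -> List[str]:
    """Backup volumes a token may 'see' on a storage, following the reply's two-stage check."""
    # Stage 1: Datastore.Audit only lets the caller know the storage exists.
    if not has_priv(acl, f"/storage/{storage}", "Datastore.Audit"):
        raise PermissionError(f"no Datastore.Audit on /storage/{storage}")
    visible = []
    for volid in volids:
        vmid = owner_vmid(volid)
        if vmid is None:
            continue  # owner not determinable: never shown
        # Stage 2: per-volume check, Datastore.AllocateSpace on the storage AND VM.Backup on the owner.
        if has_priv(acl, f"/storage/{storage}", "Datastore.AllocateSpace") and has_priv(acl, f"/vms/{vmid}", "VM.Backup"):
            visible.append(volid)
    return visible

# Constructed sample content of a storage named 'local'.
SAMPLE = [
    "local:backup/vzdump-qemu-100-2023_01_04-10_00_00.vma.zst",
    "local:backup/vzdump-lxc-101-2023_01_04-11_00_00.tar.zst",
    "local:iso/debian-11.iso",
]

if __name__ == "__main__":
    auditor = {"/": set(PVEAUDITOR)}
    print(list_backups(auditor, "local", SAMPLE))  # [] : the empty list from the thread
    scoped = {"/": set(PVEAUDITOR), "/storage/local": {"Datastore.AllocateSpace"}, "/vms/100": {"VM.Backup"}}
    print(list_backups(scoped, "local", SAMPLE))  # only the VMID 100 archive
```

Granting VM.Backup only on the VMIDs a token should audit keeps the listing scoped, while the reply's caveat still holds: the same privileges also permit an in-place restore.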