Can't figure out permissions to access PVE storage content API

Skye0

Apr 24, 2024
Hello,

I have recently set up PBS and am quite excited by it.

Now I would like to create a script on my PVE that checks that each of my backup-enrolled VMs has at least one recent verified backup on my PBS. It looks like I can do that by querying the PVE API at this location: /nodes/<NODE>/storage/<PBS-STORAGE>/content. Based on running pvesh as root, it should inform me of data like:

JSON:
[
   {
      "content" : "backup",
      "ctime" : 1773871060,
      "encrypted" : "...",
      "format" : "pbs-vm",
      "notes" : "...",
      "size" : 42949674144,
      "subtype" : "qemu",
      "verification" : {
         "state" : "ok",
         "upid" : "..."
      },
      "vmid" : 1002,
      "volid" : "<PBS-STORAGE>:backup/vm/1002/2026-03-18T21:57:40Z"
   },
    ...
]

I think my api token+user doesn't have enough permission though, since when running via API as a less privileged token it returns this:

JSON:
{
    "data": []
}

I have granted the user+api audit permission (PVEAuditor) over the nodes and backup storage, but it seems that is not enough. (I also tried some various other configurations that did not work.) Here are my current permissions:

JSON:
[
   {
      "path" : "/nodes",
      "propagate" : 1,
      "roleid" : "PVEAuditor",
      "type" : "user",
      "ugid" : "backup-status-checker@pve"
   },
   {
      "path" : "/nodes",
      "propagate" : 1,
      "roleid" : "PVEAuditor",
      "type" : "token",
      "ugid" : "backup-status-checker@pve!backup-status-checker"
   },
   {
      "path" : "/storage/<PBS-STORAGE>",
      "propagate" : 1,
      "roleid" : "PVEAuditor",
      "type" : "user",
      "ugid" : "backup-status-checker@pve"
   },
   {
      "path" : "/storage/<PBS-STORAGE>",
      "propagate" : 1,
      "roleid" : "PVEAuditor",
      "type" : "token",
      "ugid" : "backup-status-checker@pve!backup-status-checker"
   }
]

What are the minimum needed permissions to get this api to return data? The api call documentation states "You need read access for the volume" (which seems perhaps a bit much for just querying metadata like upload time & verified state), but even for full volume read permission, it's not clear to me how to grant this. (I did try various permissions over /storage/<PBS-STORAGE> and /vms and even / but nothing I tried resolved it)
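
Added example, not part of the original post or the poster's own script: one way to run the check described above over a storage content listing shaped like the one quoted, treating an empty result (what the under-privileged token received) as a failure instead of "nothing to report". The function names, the sample records and the 24-hour threshold are assumptions made for illustration.

```python
import json
import time

# Constructed sample shaped like the storage content listing quoted in the
# first post (field names come from the page; the values are made up).
SAMPLE = json.loads("""
[
  {"content": "backup", "ctime": 1773871060, "format": "pbs-vm",
   "subtype": "qemu", "verification": {"state": "ok"}, "vmid": 1002},
  {"content": "backup", "ctime": 1773871060, "format": "pbs-vm",
   "subtype": "qemu", "verification": {"state": "failed"}, "vmid": 1003},
  {"content": "backup", "ctime": 1773000000, "format": "pbs-vm",
   "subtype": "qemu", "verification": {"state": "ok"}, "vmid": 1004},
  {"content": "backup", "ctime": 1773871060, "format": "pbs-vm",
   "subtype": "qemu", "vmid": 1005}
]
""")

def unwrap(payload):
    """Accept the bare list (pvesh output) or the {"data": [...]} HTTP envelope."""
    return payload["data"] if isinstance(payload, dict) else payload

def stale_vms(payload, expected_vmids, max_age_s, now=None):
    """Return {vmid: reason} for each expected VM lacking a recent verified backup."""
    now = time.time() if now is None else now
    newest_ok = {}  # vmid -> newest ctime among backups whose verification is "ok"
    seen = set()    # every vmid that has at least one visible backup
    for item in unwrap(payload):
        if item.get("content") != "backup" or "vmid" not in item:
            continue
        vmid = int(item["vmid"])
        seen.add(vmid)
        # Any state other than "ok", or a missing block, counts as unverified.
        if (item.get("verification") or {}).get("state") == "ok":
            newest_ok[vmid] = max(newest_ok.get(vmid, 0), int(item["ctime"]))
    problems = {}
    for vmid in expected_vmids:
        if vmid not in seen:
            # Fail closed: this is also what an empty, permission-filtered list yields.
            problems[vmid] = "no backups visible"
        elif vmid not in newest_ok:
            problems[vmid] = "no verified backup"
        elif now - newest_ok[vmid] > max_age_s:
            problems[vmid] = "verified backup too old"
    return problems

if __name__ == "__main__":
    NOW = 1773871060 + 3600  # constructed "current time", one hour after the sample ctime
    print(stale_vms(SAMPLE, [1002, 1003, 1004, 1005], 86400, now=NOW))
    print(stale_vms({"data": []}, [1002], 86400, now=NOW))
```

Driving the check from an explicit list of expected VMIDs is what makes the empty `{"data": []}` response show up as an alert instead of a clean run.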
 
Those are permissions for the PBS api, whereas I was trying to make calls to the PVE api. If there is a similar api to get the verification status on PBS I suppose I could query both systems, but it seems more straightforward to just query PVE since it has both sets of information I need.

Also I previously tried numerous permissions already for the PVE apis but wasn't able to find a combination that worked, so any more specificity on the specific recommended ones would be helpful.
 
If I understand your issue right, you want to verify things at PBS side.
So permissions at PBS matter.
 
No, I was going to try pulling the status from the PVE api, which uses PVE api permissions. As I posted in my initial post, the data looks like it's available there (i.e. PVE api to get VM list and PVE api to get backup/verification status).

However, if it's unsupported from API (which would be weird since it's visible in pvesh) then I can pivot to using both APIs instead and use two APIs instead of one (PVE api to get VM list and PBS api to get backup/verification status).
 
I was going to try pulling the status from the PVE api
Facts about the backups are kept at the PBS. The PVE can only get the facts if the PBS agrees to give them to the PVE.
I.e., the PVE needs the appropriate permissions at the PBS.
 
Yes, and my PVE is clearly receiving those facts. I can see it in the PVE web UI and in pvesh. I just can't get it from the PVE API. Ergo I do not think it is a PBS permission issue, but a PVE permission issue.
 
Today I switched to the dual-API strategy and was able to finish my project via that strategy.

So now I can get healthchecks notifications if backups go stale.
 
@Skye0 thanks for the update. I'm glad you managed it :)

Would you mind sharing your scripts here? Your solution would surely be useful for other readers, too.
 
Sure, once I verify it is all working after the backups finish syncing I will push it to GitHub and make a thread for it.

(update: posted)
 