[SOLVED] ACL for accessing info about cluster

[czechsys]

Hi,

i am playing with acl lists to check, if it's possible for specific user:

role: sys.audit, vm.audit
allowed access:
list of nodes -> out of box
list of vms -> acl /vms
list of HA section -> HOW? /cluster/ha or /ha doesn't works in GUI testing.

The goal is create specific user for creating dynamic list of vms and their config with info about HA group and allowed nodes in that group. This will be called via API.

Thank you.

 

[wolfgang]

Hi,

I'm not sure what you mean with the "HA section"?

if you mean services (KVM/Containers) then I would use this path

GET /api2/json/cluster/ha/resources

More information about the API path can you get here
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/ha/resources

 

[czechsys]

I am trying to set acl based on API documentation. I want to allow access in GUI to "Datacenter->HA"
When i have in "Datacenter->Permissions":
/vms
/cluster/ha (or /ha)

I still can't see menu item "Datacenter->HA". I see only "Datacenter->Search" and "Datacenter->Users"

 

[t.lamprecht]

/cluster/ha (or /ha)

There's no such API ACL object.. See: https://pve.proxmox.com/pve-docs/chapter-pveum.html#_objects_and_paths
API paths cannot be translated to ACL paths 1:1

The link to the api-viewer tool wolfgang posted states clearly that currently this is checked:

Check: ["perm","/",["Sys.Audit"]]

There's not yet a fine grained per HA service permission possible, as HA affects normally the whole cluster.