[SOLVED] API access problem

Marsupilani

Hopefully someone can help with debugging...
PVE version 8.2.7 Cluster with 6 nodes

I'm trying to implement SPICE access for VM-ID 111 with an API token. Based on this script:
https://gitlab.com/pawlakm/pve-spice-connect/-/tree/main?ref_type=heads

SPICE access to the VM via the web GUI works.

I created a User/Group/Role and an API token...
Then I set the permission on the VMs.

So I tried to read the information with curl...
curl -k -H 'Authorization: PVEAPIToken=SpiceUser@pve!SpiceUserAPIToken=<SECRET>' --url 'https://<PVE-IP>:8006/api2/json/nodes/pve-i5-12th-1' | jq

... I got HTTP/1.1 200 OK and a data array... then I tried

curl -k -H 'Authorization: PVEAPIToken=SpiceUser@pve!SpiceUserAPIToken=<SECRET>' --url 'https://<PVE-IP>:8006/api2/json/nodes/pve-i5-12th-1/vms'

... I got ... HTTP/1.1 501 Method 'GET /nodes/pve-i5-12th-1/vms' not implemented... then I tried

curl -k -H 'Authorization: PVEAPIToken=SpiceUser@pve!SpiceUserAPIToken=<SECRET>' --url 'https://<PVE-IP>:8006/api2/json/nodes/pve-i5-12th-1/qemu'

... I got HTTP/1.1 200 OK and an empty data array... then I tried

curl -k -H 'Authorization: PVEAPIToken=SpiceUser@pve!SpiceUserAPIToken=<SECRET>' --url 'https://<PVE-IP>:8006/api2/json/nodes/pve-i5-12th-1/qemu/111'

... I got HTTP/1.1 200 OK and a data array

I'm not able to find the cause: why am I not able to get an array of the VMs with this token?

Is there any log on PVE where I can get more information about the API permissions, requests and problems?
Regarding 'https://<PVE-IP>:8006/pve-docs/api-viewer/index.html#/nodes/{node}/qemu' VM.Audit should be enough...
 

Hi Marsupilami,

you might want to remove 'Privilege Separation' from your API-token settings. By default this setting is enabled (see [0]), which would need you to assign the permissions to the token as well (maximum assignable permissions top out with the user's ones). If you disable it, the token will automatically gain the user's permissions.

Best regards,
Daniel

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_tokens
 
Thanks,
that was the missing point.
I set the same permission on the SpiceGroup, too, and everything works, even with Privilege Separation enabled.
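The rule from Daniel's answer (a privilege-separated token is capped by its user's permissions, a non-separated token inherits them), as an added example that is not part of the original thread or of Proxmox's code. It is a simplified model that assumes exact-path ACLs only, with no propagation; the role name `SpiceRole` and the VM IDs 110 and 112 are constructed for illustration.

```python
# Simplified model (assumption): exact-path ACLs only, no propagation or NoAccess.
ROLES = {"SpiceRole": {"VM.Audit", "VM.Console"}}  # hypothetical role name

def privs(acl, principals, path):
    """Union of privileges granted to any of `principals` on exactly `path`."""
    out = set()
    for acl_path, who, role in acl:
        if acl_path == path and who in principals:
            out |= ROLES[role]
    return out

def token_privs(acl, user, groups, token, privsep, path):
    """Effective privileges of an API token on `path`."""
    user_privs = privs(acl, {user, *groups}, path)
    if not privsep:
        return user_privs  # token inherits the user's privileges
    # Privilege separation: the token needs its own ACL, capped by the user's.
    return user_privs & privs(acl, {token}, path)

def visible_vms(acl, user, groups, token, privsep, vmids):
    """VMs that a listing filtered on VM.Audit would return for this token."""
    return [v for v in vmids
            if "VM.Audit" in token_privs(acl, user, groups, token,
                                         privsep, f"/vms/{v}")]

USER, GROUP = "SpiceUser@pve", "SpiceGroup"
TOKEN = "SpiceUser@pve!SpiceUserAPIToken"
VMS = [110, 111, 112]  # constructed; 111 is the VM from the thread

token_only = [("/vms/111", TOKEN, "SpiceRole")]
group_only = [("/vms/111", GROUP, "SpiceRole")]
both = token_only + group_only

def scenarios():
    args = (USER, [GROUP], TOKEN)
    return {
        "privsep, ACL on token only": visible_vms(token_only, *args, True, VMS),
        "privsep, ACL on group only": visible_vms(group_only, *args, True, VMS),
        "privsep, ACL on token and group": visible_vms(both, *args, True, VMS),
        "no privsep, ACL on group only": visible_vms(group_only, *args, False, VMS),
    }

if __name__ == "__main__":
    for name, vms in scenarios().items():
        print(f"{name:32} -> {vms}")
```

An empty list with a 200 response is what the first two rows model: the request is authenticated, but no VM passes the VM.Audit check for that token.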
 