API Permission - root only?

ksl28

Member
Aug 31, 2023
Hey,

Just installed version 1.0 of PDM, and I'm still happy with the ease of use and speed of the product :)

However, I wanted to test the API and ran into a permission issue with API tokens.

I have created an API token (root@pam!api-scraper) with Administrator role on path / with propagation enabled, but the `/pve/remotes` endpoint returns "permission check failed":
Code:
$headers = @{
    'Authorization' = 'PDMAPIToken=root@pam!api-scraper:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
}

# This FAILS with "permission check failed"
Invoke-RestMethod -Uri "https://$pdmHost/api2/json/pve/remotes" -Headers $headers -SkipCertificateCheck -SkipHeaderValidation

# These WORK fine
Invoke-RestMethod -Uri "https://$pdmHost/api2/json/pve/remotes/$remote/qemu" -Headers $headers -SkipCertificateCheck -SkipHeaderValidation
Invoke-RestMethod -Uri "https://$pdmHost/api2/json/pve/remotes/$remote/qemu/123/config?state=active" -Headers $headers -SkipCertificateCheck -SkipHeaderValidation

Looking at the API viewer, `/pve/remotes` shows "Root only" as the required permission, while `/pve/remotes/{remote}/*` shows "Accessible by all authenticated users".
API Documentation

Is this intentional? Is there a way to grant API tokens access to list all remotes, or is this endpoint restricted to root@pam with password only?

For automation purposes, it would be great if API tokens could access this endpoint as well.

Thanks!
 
Hey @ksl28,

instead of:
api2/json/pve/remotes
simply use:
api2/json/remotes/remote

This probably returns your expected remotes, including a list of the nodes themselves and their types (pve, pbs). The output looks like:
[{'authid': 'root@pam!test', 'id': 'fr-gra01', 'nodes': ['virt01-fr-gra01.internal.gyptazy.ch,fingerprint=aa:bb:cc:dd', 'virt02-fr-gra01.internal.gyptazy.ch,fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'de-fra01', 'nodes': ['virt01-de-fra01.internal.gyptazy.ch,fingerprint=fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'nl-ams01', 'nodes': ['virt01-nl-ams01.internal.gyptazy.ch,fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'us-nyc01', 'nodes': ['virt01-us-nyc01.internal.gyptazy.ch,fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'de-fra02', 'nodes': ['virt02-de-fra01.internal.gyptazy.ch,fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'nl-egh01', 'nodes': ['virt01-nl-egh01.internal.gyptazy.ch,fingerprint=fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pve'},
 {'authid': 'root@pam!test', 'id': 'fr-gra01-backup01', 'nodes': ['10.0.1.35,fingerprint=aa:bb:cc:dd'], 'token': '', 'type': 'pbs'}]

Hope it helps! Afterwards, you can use this data as a foundation to query resources directly via /pve or /pbs.

But according to the API viewer, this should also work via:
/pve/remotes -> Return the list of PVE remotes
/pbs/remotes -> Return the list of PBS remotes

Both also immediately throw a permission error for me.

However the path:
/remotes/remote works immediately
and this also makes me wonder if this is not a "bug" (or tech bill), because having multiple ways for the same thing doesn't really make sense. Especially when the type is already delivered to distinguish pbs and pve.

According to https://git.proxmox.com/?p=proxmox-...63e6ea56f0c07c4f864d07c5d62258a4;hb=HEAD#l125 I'd expect an output like:

[
{ "remote": "fra01" },
{ "remote": "ams01" },
[...]
]

Cheers,
gyptazy
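
The workaround from this reply, as an added example that is not part of the original post: list the remotes via /remotes/remote, then derive the per-remote /pve/remotes/{remote}/qemu calls that the question reports as working with a token. The function names, host name and sample entries are constructed, and the `data` wrapper around the response is an assumption.

```powershell
# Added example (not from the thread). Host names and sample entries are constructed.
# Assumption: like other Proxmox /api2/json endpoints, PDM wraps results in a 'data' property.

function ConvertTo-PdmRemotePlan {
    param(
        [Parameter(Mandatory)] [object[]] $Remotes,  # entries as returned by /remotes/remote
        [Parameter(Mandatory)] [string]   $PdmHost
    )
    foreach ($r in $Remotes) {
        # Node entries look like 'host,fingerprint=aa:bb'; keep only the host part.
        $hosts = @($r.nodes | ForEach-Object { ($_ -split ',', 2)[0] })
        # Only the per-remote PVE path quoted in the thread is built; nothing is assumed for PBS.
        $uri = if ($r.type -eq 'pve') {
            "https://$PdmHost/api2/json/pve/remotes/$([uri]::EscapeDataString($r.id))/qemu"
        } else { $null }
        # 'authid' and 'token' are deliberately not copied into the result.
        [pscustomobject]@{ Id = $r.id; Type = $r.type; Hosts = $hosts; QemuUri = $uri }
    }
}

function Get-PdmRemotePlan {
    param(
        [Parameter(Mandatory)] [string]    $PdmHost,
        [Parameter(Mandatory)] [hashtable] $Headers  # the PDMAPIToken header from the question
    )
    # TLS verification stays on here, so the PDM certificate must be trusted by this client.
    $resp = Invoke-RestMethod -Uri "https://$PdmHost/api2/json/remotes/remote" `
        -Headers $Headers -SkipHeaderValidation
    # Accept both a wrapped ({ data = [...] }) and a bare list response.
    $list = if ($resp.PSObject.Properties.Name -contains 'data') { $resp.data } else { $resp }
    ConvertTo-PdmRemotePlan -Remotes @($list) -PdmHost $PdmHost
}

# Offline run on constructed entries shaped like the output shown in this reply.
$sample = @(
    [pscustomobject]@{ authid = 'root@pam!test'; id = 'site-a'; type = 'pve'; token = ''
                       nodes = @('pve1.example.test,fingerprint=aa:bb:cc:dd',
                                 'pve2.example.test,fingerprint=aa:bb:cc:dd') }
    [pscustomobject]@{ authid = 'root@pam!test'; id = 'site-a-backup'; type = 'pbs'; token = ''
                       nodes = @('10.0.0.10,fingerprint=aa:bb:cc:dd') }
)
ConvertTo-PdmRemotePlan -Remotes $sample -PdmHost 'pdm.example.test' | Format-List
```
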
 
API endpoints being root only is the default if nothing else is specified. Seems like those two "index" endpoints are lacking the permissions attribute, which should be fixed. But like @gyptazy said, the information is already available via other endpoints as well!