[SOLVED] API permissions on specific namespace

bamf

Member
Jun 14, 2023
Hi,

I want to backup a PVE instance which is shared with other users to my own private PBS.

So I created user, API token and namespace.

How can I restrict that token's access to only this specific namespace? When adding a permission, I can only select the whole datastore, not the namespace.
 
Ah, I have to specify the namespace manually by typing it in? Because it's not selectable in the list.
 
I don't remember the details of how I did that :).

BTW, make sure you don't give excessive permissions to the user.
The following roles should be enough:

/datastore/{store} DatastoreAudit Propagate: yes
/datastore/{store}/{ns} DatastoreBackup Propagate: yes
 
Thanks, now that I figured out I had to grant permissions to both API token and user, it works. For some reason PBS API tokens cannot use privilege separation like tokens in PVE?

I have additionally granted Datastore.Reader permissions on the namespace, so I can view and restore backups from the PVE WebUI.
 
> Thanks, now that I figured out I had to grant permissions to both API token and user, it works. For some reason PBS API tokens cannot use privilege separation like tokens in PVE?
They can.
From the linked docs:

"Newly generated API tokens don't have any permissions." And a fragment above:
"API tokens serve two purposes: [...] 2. Limit permissions for each client/token within the users' permission"

Thanks to this, the user is able to give precise (not only maximal) permissions to his token. In his scope.

> I have additionally granted Datastore.Reader permissions on the namespace, so I can view and restore backups from the PVE WebUI.

As far as I understand the docs, it isn't necessary. The two roles which I listed in the previous post should do and they work in my setup. Depending on the configuration, the Reader probably doesn't hurt much though :).
 
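Since the thread turns on how PBS combines the user's and the token's permissions, here is an added Python model of that resolution (example code, not PBS's own and not from anyone in the thread): a deeper ACL entry replaces the roles collected above it, a non-propagating entry applies only to its exact path, and a token's effective privileges are the intersection of its own ACLs with its user's. The role-to-privilege sets, and the store, namespace, user and token names, are assumptions.

```python
# Added example (not PBS code): a small model of how Proxmox Backup Server
# resolves ACL entries, used to check the two-role setup from this thread.
# Role -> privilege sets are assumed from the PBS docs.
ROLES = {
    "DatastoreAudit": {"Datastore.Audit"},
    "DatastoreBackup": {"Datastore.Backup"},
    "DatastoreReader": {"Datastore.Audit", "Datastore.Read", "Datastore.Verify"},
}

# Constructed ACL table (path, auth-id, role, propagate) mirroring the advice
# above: the user AND its token each get DatastoreAudit on the whole store and
# DatastoreBackup on one namespace. Store, user and token names are made up.
USER = "pve-backup@pbs"
TOKEN = USER + "!pve1"
ACL = [
    ("/datastore/store1", USER, "DatastoreAudit", True),
    ("/datastore/store1", TOKEN, "DatastoreAudit", True),
    ("/datastore/store1/pve-shared", USER, "DatastoreBackup", True),
    ("/datastore/store1/pve-shared", TOKEN, "DatastoreBackup", True),
]


def roles_on(acl, auth_id, path):
    """Walk the path from the root. An ACL entry at a deeper node replaces
    the roles collected above it; entries with propagate=False only count
    when the node is the exact path being checked."""
    parts = [p for p in path.split("/") if p]
    roles = set()
    for depth in range(len(parts) + 1):
        node = "/" + "/".join(parts[:depth])
        exact = depth == len(parts)
        here = {role for (p, a, role, prop) in acl
                if a == auth_id and p == node and (prop or exact)}
        if here:
            roles = here
    return roles


def privs_on(acl, auth_id, path):
    """Effective privileges. A token ('user@realm!name') never exceeds its
    user: its privileges are intersected with the user's on the same path,
    which is why the thread needed ACL entries for both."""
    privs = set().union(*(ROLES[r] for r in roles_on(acl, auth_id, path)))
    if "!" in auth_id:
        privs &= privs_on(acl, auth_id.split("!", 1)[0], path)
    return privs


if __name__ == "__main__":
    for path in ("/datastore/store1/pve-shared", "/datastore/store1/other", "/datastore/store2"):
        print(path, sorted(privs_on(ACL, TOKEN, path)))
```

Running it shows the token can back up only into the granted namespace, sees Datastore.Audit elsewhere in store1, and has nothing on other stores.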