API Special Cases: List of endpoints for root and PAM users only

[Maddes]

The API viewer [1] cannot be searched for the necessary permissions of the API endpoints.
Wanted to know which API endpoints need a special user, so that only in these special cases those users are used (especially avoiding root).
So I checked all endpoints of the /nodes API path and their methods.
Just wanted to post the results for others as a reference. If you checked other API paths, then it would be nice to post them here.

[1] https://pve.proxmox.com/pve-docs/api-viewer/

Root only end points:

/nodes/{node}/ceph/osd/{osdid}
/nodes/{node}/certificates/acme/certificate
/nodes/{node}/certificates/custom
/nodes/{node}/storage/{storage}/content/{volume} POST
/nodes/{node}/vzdump  some parameters

PAM only end points:

/nodes/{node}/spiceshell
/nodes/{node}/termproxy
/nodes/{node}/vncshell
/nodes/{node}/vncwebsocket

 

[t.lamprecht]

Just wanted to post the results for others as a reference. If you checked other API paths, then it would be nice to post them here.

For people in the future, be aware that this can change, so check your actual usecase to the current versions.

So I checked all endpoints of the /nodes API path and their methods.

Further note that this provided list is incomplete, these are just the /node based ones, but not /cluster, /access, /storage.
And even there it may not be complete, we sometimes have cases where the privileges required cannot only depend on the API path but also on the parameters used, i.e., there we can only do run time checks (albeit we try to document that behavior in the API Endpoints privilege description).