API token permission for "datastorebackup" does not allow creation of backup, only user permission "datastorebackup" works - why?

[steffeninseoul]

Hi!

In PBS 4.1.1, have granted a user on a datastore the API token permission "DatastoreBackup" so that user can create (but not delete) backups. It is my understanding that this privilege is sufficient.

Unfortunately, that does not work. When I initiate a backup of a VM in PVE, I get the error message in PVE "TASK ERROR: could not activate storage 'pbs': pbs: Cannot find datastore 'Backup-NAS', check permissions and existence"

If, however, grant the user permission (!) "DatastoreBackup" I can create backups and all works fine.

I understand that the use of API tokens is better to protect against ransomeware. So what do I do wrong or miss here, please?

Thanks for any help!

 

[_gabriel]

edit : myself test with a PBS v3. 2
grant user permission is required to allow API token Read Datastore for Sync job.
(perhaps fixed in newer version)
https://pbs.proxmox.com/docs/user-management.html#api-tokens

 

[Chris]

I understand that the use of API tokens is better to protect against ransomeware. So what do I do wrong or miss here, please?

Permissions for users and permissions for tokens are independent. So you must set the permissions to allow Datastore.Backup for the API token specifically, best limited to the datastore path (or even namespace).