[SOLVED] Confusion about permissions when going via API

Jul 14, 2024
Hello,

I created a new user, added them to a new group, created a new resource pool, added an LXC to that resource pool, and then gave the new group the PVETemplateUser role in that resource pool. I then created an API key for the new user (without privilege separation, such that the key would get the full user experience!).

My theory is that now the user should be able to clone that LXC using the API key because they are a member of the group that has the PVETemplateUser role in the context of the resource pool.

However, when I invoke the API with curl, I get an error about a missing VM.Clone permission:

Code:
curl -X POST -H 'Authorization: PVEAPIToken=foo@realm!bar=88d8c20b-382e-11f1-a245-dcfb48350304' -H "Content-Type: application/json" https://pve.example.org/api2/json/nodes/pve/lxc/126/clone -d '{"description": "Cloned from original", "snapname": "test"}'
{"message":"Permission check failed (/vms/126, VM.Clone)\n","data":null}

VM.Clone is part of PVETemplateUser so why is PVE complaining that it's missing?
From the API-viewer:
You need 'VM.Clone' permissions on /vms/{vmid}, and 'VM.Allocate' permissions on /vms/{newid} (or on the VM pool /pool/{pool}). You also need 'Datastore.AllocateSpace' on any used storage, and 'SDN.Use' on any bridge.

It also states there that the newid is a required parameter.
 
Thanks for that, @gfngfn256. I created a new role and gave it
  • Datastore.AllocateSpace
  • VM.Allocate
  • VM.Audit
  • VM.Clone
  • SDN.Use
and then I assigned the group in question this role in the context of the resource pool. Members of this resource pool are the LXC to clone, as well as the storage used by this LXC.

This got me further!! Thank you!

Now I have

Code:
{"message":"Permission check failed (/sdn/zones/localnetwork/vmbr0/234, SDN.Use)\n","data":null}

wherein 234 is the VLAN I am using on the container. Do you happen to know where I can grant SDN.Use permission to my new group? I cannot find that anywhere.
Answering my own question: not possible through the WebUI, but on the CLI:

Code:
pveum acl modify /sdn/zones/localnetwork/vmbr0/234 --roles MyNewRole --group MyNewGroup
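The thread's fix, as a small added helper that is not from the original posts: it builds the clone request with the `newid`/`pool` parameters the API viewer requires, sends it with the API token, and turns a "Permission check failed (path, privilege)" reply into the exact `pveum acl modify` line for that path. Host, token, node, VMIDs, pool, role and group names are all assumed values.

```python
import json
import re
import urllib.error
import urllib.request

# Added example, not code from the thread. Host, token, node, VMIDs, pool,
# role and group names are assumptions; the endpoint, parameters and the
# error format are those quoted in the thread and the API viewer.
PERM_RE = re.compile(r"Permission check failed \(([^,\s]+), ([A-Za-z.]+)\)")

def clone_body(newid, pool, snapname=None, description=None):
    """Body for POST /api2/json/nodes/{node}/lxc/{vmid}/clone. newid is
    required; naming a pool lets VM.Allocate be satisfied on /pool/{pool}
    rather than on /vms/{newid}."""
    body = {"newid": newid, "pool": pool}
    if snapname:
        body["snapname"] = snapname
    if description:
        body["description"] = description
    return body

def missing_acl(reply_json):
    """Return (acl_path, privilege) from a permission-check failure, else None."""
    msg = json.loads(reply_json).get("message") or ""
    m = PERM_RE.search(msg)
    return (m.group(1), m.group(2)) if m else None

def acl_fix(reply_json, role, group):
    """pveum command granting exactly the ACL the API said was missing."""
    found = missing_acl(reply_json)
    if found is None:
        return None
    path, _priv = found
    return f"pveum acl modify {path} --roles {role} --group {group}"

def post_clone(host, node, vmid, token, body):
    """Send the clone request; return (status, reply text) even on 4xx."""
    req = urllib.request.Request(
        f"https://{host}/api2/json/nodes/{node}/lxc/{vmid}/clone",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"PVEAPIToken={token}",
                 "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 403 carries the JSON message body
        return err.code, err.read().decode()
```

Feed the reply text from `post_clone` into `acl_fix` and repeat until the request succeeds; each loop reports one missing ACL path, as happened in the thread with /vms/126 and then the /sdn/... path.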
Happy you got sorted; maybe mark this thread as Solved. At the top of the thread, choose the Edit thread button, then from the (no prefix) dropdown choose Solved.