Help with api permissions

Daxcor

Member
Oct 31, 2021
Here is the identity & permissions I have set up.


Code:
pveum user add foundry@pve --password "<redacted>" --email "admin@foundryserver.com"
pveum user token add foundry@pve foundryApi --comment "API token for Foundry VM management"

pveum role add FoundryApiRole --privs "VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.Disk,VM.Config.CPU,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.PowerMgmt,Datastore.Audit,Sys.Audit,Datastore.AllocateSpace,Datastore.Allocate,Datastore.AllocateTemplate"

pveum acl modify / --user foundry@pve --role FoundryApiRole

When I run the following:

Code:
const axios = require('axios');
let data = JSON.stringify({
  "vmid": "2222",
  "mode": "snapshot",
  "compress": "zstd",
  "storage": "backup-nfs",
  "prune-backups": "keep-last=2",
  "remove": "1",
  "notes-template": "{{guestname}}-{{node}}-{{vmid}}"
});

let config = {
  method: 'post',
  maxBodyLength: Infinity,
  url: 'https://spare1.mgmt.local:8006/api2/json/nodes/temppve/vzdump',
  headers: {
    'Authorization': 'PVEAPIToken=foundry@pve!foundryApi=<redacted>',
    'Content-Type': 'application/json'
  },
  data: data
};

axios.request(config)
.then((response) => {
  console.log(JSON.stringify(response.data));
})
.catch((error) => {
  console.log(error);
});

I get the following returned error:

{
"message": "Permission check failed (/storage/backup-nfs, Datastore.Allocate)\n",
"data": null
}

I am not sure what more permissions I need to give. I am trying to keep the permissions as tight as I can. Any insight would be appreciated.
Upon further reading

The user needs 'VM.Backup' permissions on any VM, and 'Datastore.AllocateSpace' on the backup storage (and fleecing storage when fleecing is used). The 'tmpdir', 'dumpdir', 'script' and 'job-id' parameters are restricted to the 'root@pam' user. The 'maxfiles' and 'prune-backups' settings require 'Datastore.Allocate' on the backup storage. The 'bwlimit', 'performance' and 'ionice' parameters require 'Sys.Modify' on '/'.

I added the role of PVEDatastoreAdmin to the storage "backup-nfs" with no change in behaviour.
You can check with "pveum user permissions" or "pveum user token permissions" which effective privileges a user or token has on a specific path (or on all paths).

Note two important bits:
- ACLs can have a "propagate bit" set or not; they are only "inherited" along the path if that bit is set
- tokens by default don't have any privileges unless you add ACLs covering them; each token can *at most* have the privileges of the corresponding user
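As an added illustration of the two points above (not code from this thread or from Proxmox), here is a small JavaScript model of the documented pveum ACL resolution rules applied to the poster's setup; the ACL entries, the subject names and the trimmed role definition are constructed for the example.

```javascript
// Simplified model of how Proxmox VE resolves effective privileges.
// Constructed for this thread, not Proxmox code. Rules modelled, as the
// pveum docs describe them: an ACL applies to its exact path, is inherited
// by sub-paths only when "propagate" is set, a more specific path replaces
// what was inherited, and a privilege-separated token never has a
// privilege its owning user lacks on that path.
const ROLES = {
  // Trimmed to the privileges vzdump actually checks for this request.
  FoundryApiRole: ['VM.Backup', 'Datastore.AllocateSpace', 'Datastore.Allocate'],
};

function prefixes(path) {
  // '/storage/backup-nfs' -> ['/', '/storage', '/storage/backup-nfs']
  const parts = path.split('/').filter(Boolean);
  return ['/', ...parts.map((_, i) => '/' + parts.slice(0, i + 1).join('/'))];
}

// Privileges a single subject (user or token) gets from its own ACLs on path.
function aclPrivs(acls, subject, path) {
  let privs = new Set();
  for (const p of prefixes(path)) {
    const here = acls.filter(a =>
      a.subject === subject && a.path === p && (p === path || a.propagate));
    // Deeper, more specific ACLs replace what was inherited from above.
    if (here.length) privs = new Set(here.flatMap(a => ROLES[a.role] || []));
  }
  return privs;
}

// Effective privileges; a token ("user!tokenid") is capped by its user.
function effectivePrivs(acls, subject, path) {
  const own = aclPrivs(acls, subject, path);
  const bang = subject.indexOf('!');
  if (bang < 0) return [...own].sort();
  const userPrivs = aclPrivs(acls, subject.slice(0, bang), path);
  return [...own].filter(x => userPrivs.has(x)).sort();
}

// Constructed ACL set matching the thread: the role was granted to the
// user on "/", but no ACL was ever added for the token itself.
const threadAcls = [
  { path: '/', subject: 'foundry@pve', role: 'FoundryApiRole', propagate: true },
];
console.log(effectivePrivs(threadAcls, 'foundry@pve!foundryApi', '/storage/backup-nfs')); // []
```

The model reproduces the "Permission check failed" outcome: the user has Datastore.Allocate on the storage path, but the token has no ACL of its own and therefore ends up with nothing.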