Listing storage content requires write permissions

crabhi

New Member
Aug 1, 2022
Hi, I'm trying to export the disk sizes to monitoring. A token with the PVEAuditor role can read almost everything I need except the information about disks. Querying /nodes/{some_node}/storage/local-lvm/content yields an empty list. Calling the API with a more powerful role (e.g. PVEDatastoreAdmin) returns the info.

I'm on version 7.2-11. Is it a bug, or is there a reason why Datastore.Audit should not be able to list disks?
 
Thanks for pointing me to the right permission. I can confirm it works. Unfortunately, this is not ideal for a monitoring tool.

Maybe some maintainer can clarify why the other permission check is needed. The commit by Fabian Eber (@fabian?) is not that old - less than a year.
 
different person, but I can tell you anyhow ;)

there simply is no privilege in-between that would allow seeing, but not using (which equals reading the contents). we try to not add single-use privileges since our ACL system is already quite complex and we don't want to make it even more difficult to understand.

in this case it might be possible to refactor the code somewhat to differentiate between "is allowed to know about" (what you want, maybe replacing VM.Config.Disk with VM.Audit - haven't thought it through yet) vs "is allowed to use" (current check), and then storage content listing (and some other API paths?) could use the new check.
 
Thanks! That makes sense. I'm not that familiar with the ACL system, but from my point of view, using VM.Audit sounds better. My monitoring role currently uses Sys.Audit,Datastore.Audit,VM.Config.Disk.
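An added example, not code from the thread or from Proxmox, of the exporter logic discussed above: it builds the API-token header, sums disk image sizes per VM from a storage content listing, and flags the failure mode described in the first post, where a token lacking VM.Config.Disk gets an empty list rather than an error. The sample responses are constructed; the base URL, user and token names are placeholders.

```python
import json
from urllib.request import Request, urlopen

# Constructed sample responses, shaped like the "data" field of the PVE API, so this runs offline.
SAMPLE_CONTENT = [
    {"volid": "local-lvm:vm-100-disk-0", "vmid": 100, "content": "images", "format": "raw", "size": 34359738368},
    {"volid": "local-lvm:vm-100-disk-1", "vmid": 100, "content": "images", "format": "raw", "size": 4294967296},
    {"volid": "local-lvm:vm-101-disk-0", "vmid": 101, "content": "rootdir", "format": "raw", "size": 8589934592},
]
SAMPLE_STATUS = {"type": "lvmthin", "total": 214748364800, "used": 47244640256, "avail": 167503724544}


def token_headers(user: str, tokenid: str, secret: str) -> dict:
    """Authorization header for a PVE API token: user@realm!tokenid=secret."""
    return {"Authorization": f"PVEAPIToken={user}!{tokenid}={secret}"}


def api_get(base_url: str, path: str, headers: dict) -> object:
    """GET a PVE API path and return its 'data' field (live call; not exercised by the sample)."""
    req = Request(f"{base_url}/api2/json{path}", headers=headers)
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def disk_bytes_by_vm(content: list) -> dict:
    """Sum VM/CT disk image sizes per vmid from a /nodes/<node>/storage/<id>/content listing."""
    totals: dict = {}
    for vol in content:
        if vol.get("content") not in ("images", "rootdir") or vol.get("vmid") is None:
            continue
        vmid = int(vol["vmid"])
        totals[vmid] = totals.get(vmid, 0) + int(vol.get("size", 0))
    return totals


def listing_looks_truncated(content: list, status: dict) -> bool:
    """Heuristic check for the permission problem from the thread: the content endpoint
    answers [] instead of 403 when VM.Config.Disk is missing, so an empty listing on a
    storage whose status (readable with Datastore.Audit alone) reports used bytes points
    to missing privileges rather than an empty datastore. Assumes the storage holds only
    images/rootdir content, as local-lvm does."""
    return len(content) == 0 and int(status.get("used", 0)) > 0


if __name__ == "__main__":
    # Live usage would be: api_get("https://pve.example:8006", "/nodes/pve1/storage/local-lvm/content",
    #                               token_headers("monitor@pve", "mon", "<secret>"))
    print(disk_bytes_by_vm(SAMPLE_CONTENT), listing_looks_truncated([], SAMPLE_STATUS))
```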