PBS client authentication with API token doesn't work

DerDanilo

DerDanilo

Renowned Member
Jan 21, 2017
477
139
83
From the documentation:
user@pbs!token@host:storeuser@pbs!tokenmyhostname:8007mydatastore

Bash: 
proxmox-backup-client backup server1.pxar:/ --repository 'vmbackup@pbs!MYTOKEN@PBSHOST:backup'

When trying to connect using the API token the client fails:
Bash: 
Error: error building client for repository vmbackup@pbs!MYTOKEN@PBSHOST:8007:backup - API token secret must be provided!

Connecting using the username and password without token works fine.

Tried with ZSH and BASH. Both fail.
The API token should be correct since it was just created and permission granted to the user.

Is this a syntax error or what am I doing wrong?

Thanks!
 
try setting the token secret to the env variable: PBS_PASSWORD
 
For example:

On Proxmox Backup Server

Code: 
root@pbs:~# proxmox-backup-manager user create forumuser@pbs
root@pbs:~# proxmox-backup-manager user generate-token forumuser@pbs forumtoken
Result: {
  "tokenid": "forumuser@pbs!forumtoken",
  "value": "5a740cf5-f254-4ddf-acf4-9d0ea4a7b059"
}
root@pbs:~# proxmox-backup-manager acl update / Admin --auth-id 'forumuser@pbs'
root@pbs:~# proxmox-backup-manager acl update / Admin --auth-id 'forumuser@pbs!forumtoken'
and on the client
Code: 
export PBS_PASSWORD=5a740cf5-f254-4ddf-acf4-9d0ea4a7b059
proxmox-backup-client list --repository 'forumuser@pbs!forumtoken@192.168.37.123:8007:myDatastore'
is a scenario that should work.
 
Last edited:
Dominic said:
For example:

On Proxmox Backup Server

Code: 
root@pbs:~# proxmox-backup-manager user create forumuser@pbs
root@pbs:~# proxmox-backup-manager user generate-token forumuser@pbs forumtoken
Result: {
  "tokenid": "forumuser@pbs!forumtoken",
  "value": "5a740cf5-f254-4ddf-acf4-9d0ea4a7b059"
}
root@pbs:~# proxmox-backup-manager acl update / Admin --auth-id 'forumuser@pbs'
root@pbs:~# proxmox-backup-manager acl update / Admin --auth-id 'forumuser@pbs!forumtoken'
and on the client
Code: 
export PBS_PASSWORD=5a740cf5-f254-4ddf-acf4-9d0ea4a7b059
proxmox-backup-client list --repository 'forumuser@pbs!forumtoken@192.168.37.123:8007:myDatastore'
is a scenario that should work.
Click to expand...
Thanks for the info. That works. I am wonder though why it only works if the token name is the same as the user name? Why can't it be custom?
 
I wrote a simple script that can be run by cron/systemd timer. Maybe it os of use to others.
It would be nice though if the backup client would have a schedule setting like other backup clients also have. Couldn't find this on the roadmap yet.

Bash: 
export PBS_PASSWORD='TOKEN'
export PBS_USER_STRING='HOSTbackup@pbs!HOSTbackup'
export PBS_SERVER='PBSSERVER'
export PBS_DATASTORE='DATASTORE NAME'
export PBS_REPOSITORY="${PBS_USER_STRING}@${PBS_SERVER}:${PBS_DATASTORE}"
export PBS_HOSTNAME="$(hostname -s)"
echo "Run pbs backup for $PBS_HOSTNAME ..."
proxmox-backup-client backup ${PBS_HOSTNAME}.pxar:/ --skip-lost-and-found
proxmox-backup-client list
echo "Done."
 
  • Like
Reactions: awalon and Dominic
DerDanilo said:
I am wonder though why it only works if the token name is the same as the user name?
Click to expand...
Do you mean that this
Code: 
export PBS_USER_STRING='HOSTbackup@pbs!HOSTbackup'
part of your code has twice HOSTbackup? Because that shouldn't be necessary.

When you type
Code: 
proxmox-backup-manager user list
you get as result userid forumuser@pbs and when you show its keys
Code: 
proxmox-backup-manager user list-token forumuser@pbs
you get tokenid forumuser@pbs!forumtoken.
So the userid is part of the tokenid and not the same as the tokenid?
 
Thanks for the fast reply.

Here it is possible to define a custom token name.

2020-12-07_11h11_48.png

I must have done something wrong, because it works now when testing again. Maybe a syntax error.

The idea is to use one pbs user and one API Token per VM (internal VMs, so it's no issue that every VM can read other VM backups). Each Host folder has the owner set to the it's user string (including token name).

Is it possible to configure token permission that allows to only read it's own backup files and not others? When listing backup it shows all backups for the datastore and not just the ones that the user created/owns.
 
There is a role called DatastoreBackup with which you can backup and restore owned backups. This could be what you want. You can find all roles in the PBS documentation.
 
  • Like
Reactions: DerDanilo
Is anybody interessted in an Ansible role that writes PBS backup scripts, configured (pre provided) backup encryption keyfile deployment and cron entries? I am not planing to update this role upstream but might as well provide it via Github for People to play with.
 
  • Like
Reactions: franko5
DerDanilo said:
Is anybody interessted in an Ansible role that writes PBS backup scripts, configured (pre provided) backup encryption keyfile deployment and cron entries? I am not planing to update this role upstream but might as well provide it via Github for People to play with.
Click to expand...
I would be interested in seeing what you have, yes.
 
Hello,

I have some problems to make this work properly.
There is already a user like backup@pbs that is doing a regular backup of VM's.
Also, backup of the file/directory with same credentials is working fine with the command:
Bash: 
$ proxmox-backup-client backup test.pxar:/root/test/ --repository 'backup@pbs@192.168.50.3:archive'
(I exported the password to the PBS_PASSWORD variable)


Now I want to have additional backup using the token.
API Token Permission belongs to the user backup@pbs and having the same permissions as backup@pbs:
  • DatastoreReader
  • DatastoreBackup
I exported the token value into PBS_PASSWORD variable.
The command for creating backup looks like:
Bash: 
$ proxmox-backup-client backup test.pxar:/root/test/ --repository 'backup@pbs!token-name@192.168.50.3:archive'
Starting backup: host/test/2021-10-06T13:08:36Z
Client name: proxmox-5
Starting backup protocol: Wed Oct  6 15:08:36 2021
Error: backup owner check failed (backup@pbs!token-name != backup@pbs)

The last error line is interesting, why is server expecting the regular user and not with the token?

I have 2 API's, one is created on GUI, another on the shell, both are visible in the gui, even if I give DatastoreAdmin permissions to the API in Datastore->Permissions, the same response from the server.

Is it the situation that we can't have both, API and the regular user from the same client machine?
Thanks in advance.
 
Last edited:
Alternative to the same question, what is the proper secure way to hide the password used by backup@pbs user for regular backup via cronjob?
 
franko5 said:
Error: backup owner check failed (backup@pbs!token-name != backup@pbs)[/CODE]

The last error line is interesting, why is server expecting the regular user and not with the token?

I have 2 API's, one is created on GUI, another on the shell, both are visible in the gui, even if I give DatastoreAdmin permissions to the API in Datastore->Permissions, the same response from the server.

Is it the situation that we can't have both, API and the regular user from the same client machine?
Thanks in advance.
Click to expand...
You need to change the owner of your already existing backup groups. They belong to "backup@pbs" and you need to change the owner to "backup@pbs!token-name". You can do that using the PBS webui by clicking on the icon looking like a person under "Datastore -> YourDatastore -> Content".

Alternative to the same question, what is the proper secure way to hide the password used by backup@pbs user for regular backup via cronjob?
Click to expand...
Like described above using the environment variable PBS_PASSWORD. Put it in the ".bashrc" of the user running the cron.
 
Last edited:
  • Like
Reactions: franko5
Hi @Dunuin

Thanks for answer. Changing the permissions as you described is the way out. It works as expected.
Only minus is that backup for the host must exist in order to change the permission to API user.
I shall figure out how to organize that efficiently in order to deploy it on all servers.

Adding the password somewhere as ".bashrc" will be the way out.
All the best,
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back