PBS test, restore permissions issue.

E

elimus_

Member
Aug 26, 2017
19
1
23
35
Testing PBS in lab and atm I have setup up and running. (Both hosts running latest packages)

* I can create backups from PVE
* View them in storage view from PVE

But I cannot restore. I get error Error:

PVE side:
Code: 
Error: HTTP Error 400 Bad Request: no permissions
TASK ERROR: command '/usr/bin/proxmox-backup-client restore '--crypt-mode=none' vm/100/2020-07-10T18:15:10Z index.json /var/tmp/vzdumptmp5987/index.json --repository archiver@pbs@172.16.60.11:store' failed: exit code 255

PBS side:
Code: 
Jul 11 12:54:48 pve-bckp proxmox-backup-proxy[818]: GET /api2/json/reader: 400 Bad Request: [client [::ffff:172.16.60.10]:52748] no permissions

Permissions for pbs user on datastore ir set to "DatastorePowerUser".

Per what I can tell configuration should be correct what could be the problem here?
 
It should have? As mentioned I use "DatastorePowerUser" role for it. Or I have misunderstood something in permission scheme?

1594463872531.png

Before that also tried "DatastoreBackup" with same results.
 
elimus_ said:
It should have? As mentioned I use "DatastorePowerUser" role for it.
Click to expand...

Argh sorry, overlooked that part in the original message. But, the "no permissions" message is definitively from the privilege checker, it's so terse to not leak any info, we could/should make it a bit more verbose at least for the beta.

And you also made those backups with that user, because if the'd be made with root@pam the owner would not match the user?
(You can see the owner in the PBS datastore interface)

You could temporarily give that user more permissions (e.g., the full Admin on /) to see if it is a permission issue or something else.

Edit: oh, and thanks for testing!
 
Thanks for suggestions.

t.lamprecht said:
And you also made those backups with that user, because if the'd be made with root@pam the owner would not match the user?
(You can see the owner in the PBS datastore interface)
Click to expand...

More details on this please? I am logged in as "root@pam" on PVE/PBS, yes. But PBS stores on PVE, have only been added using "archiver@pbs" credentials for auth on PVE side.

In datastore interface for test store, owner for backups also seem to be correct, as far as I can tell.
1594475679205.png

t.lamprecht said:
You could temporarily give that user more permissions (e.g., the full Admin on /) to see if it is a permission issue or something else.
Click to expand...

Yes, changing store permissions entry for this user to "Admin" role allows me to successfully access backups for restore of VM. When going back to "DatastoreBackup" or "DatastorePowerUser" then issue comes back.

Also if I had mismatched users/perms. First thing that I somehow expect to bounce against when dealing with permissions would have been attempts to backup(write) VM and not the restore(read) of just created backups.

ATM it seems that those tho ACL roles are not working as expected. At least the restore part is not working...
 
  • Like
Reactions: smasty
Hi,

i had the same problem today, Proxmoe VE using PBS via user@pbs, ACL for user@pbs had been / DataStorePowerUser. Backup worked fine, Restore gave a permission error on /datastore/store.
Removing the old access and granting access to /datastore/store ACL DataStoreAdmin enabled me to restore the backup.

Regards,
Adrian
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom