[SOLVED] Permission failure with push sync feature

[McTwist]

While trying the new "push sync" feature, I found out that it always fails with logs telling me about insufficient permission for the action.

Encountered errors: Pushing to remote namespace not allowed: missing permissions 'Remote.DatastoreBackup' on '[...]'

The sync goes from a namespace into another namespace. I have given Admin role to both the root namespace and the specific namespace. If I limit the permission to 'RemoteSyncPushOperator', it will only give me the following error:

Encountered error: Creating remote namespace not allowed: missing permissions 'Remote.DatastoreModify' on '[...]'

And fixing that will only revert to the previous error.

I have searched both on the forum and everywhere else for a solution, while also tinkering with different configs, but found nothing that works. Given this feature is only a month old, I do not expect many users going to use it, and therefore not many issues will surface. Especially when tutorials/documentation recommend "pull sync".

I will escalate this as a bug if I find no solution for it or any response at all.

 

[Chris]

Hi,

Encountered errors: Pushing to remote namespace not allowed: missing permissions 'Remote.DatastoreBackup' on '[...]'

The user on the source side needs the permissions to create backups on the remote (push target). The Remote.SyncPushOperator is allowed to read the remote and push snapshots, but not to create/delete namespaces or prune contents. Remote.DatastorePowerUser also has the permissions to prune, but not the permissons to create or remove namespaces. You will have to use Remote.DatastoreAdmin for the user to be allowed to create and remove namespaces on the remote.

See also https://pbs.proxmox.com/docs/managing-remotes.html#sync-direction-push

 

[McTwist]

As I have already said, the user(s) are Admin(s) on both sides, still it complains. I would not normally post anything here unless I have exhausted all my options and deducted that something is not according to the documentation or makes no sense logically.

 

[Chris]

As I have already said, the user(s) are Admin(s) on both sides, still it complains. I would not normally post anything here unless I have exhausted all my options and deducted that something is not according to the documentation or makes no sense logically.

Please share the contents of /etc/proxmox-backup/sync.cfg and /etc/proxmox-backup/acl.cfg. Note that it is not enough for the sync user on the source side to have Admin permissions on the source datastore, it is further required to have permissions configured for the remote on the sync source.
For example, the local user for the sync job would need something along the line of the ACLs below on the source PBS instance:

acl:1:/datastore/source-datastore:pushuser@pbs:DatastoreAdmin
acl:1:/remote/remote-name/target-datastore:pushuser@pbs:RemoteDatastoreAdmin

In addition, the user configured and used to connect to the remote requires the permission to access the datastore configured on the remote instance.

 

[McTwist]

Source PBS: retainer

sync: s-6238b631-910c
        ns public
        owner mctwist@pbs
        remote courage
        remote-ns public
        remote-store saroma
        remove-vanished false
        store notoro
        sync-direction push

acl:1:/datastore/notoro:mctwist@pbs:Admin

Remote PBS: courage

acl:1:/datastore/saroma:mctwist@pbs:Admin

No-edit: After checking your acl, I saw that it has a /remote in it, I therefore checked in my Access Control and saw that it had /remote (though, not /remote/courage/saroma). After adding /remote, I got it working.

While this solves my issue, and I do understand the reasoning behind having it built like this, it is still non-intuitive for most users, and even if the documentation mentions /remote, it is not understandable if it is going to be set on the source or the remote. Thank you for the help, and I hope there could be an update in the future that makes it a bit easier to understand.