[SOLVED] Permission(s) required for snapshot rollback only

baalkor

Feb 24, 2025
Hi Folks,

I'd like to integrate one of our VMs into one of our automation tools. The idea is to be able to programmatically roll back a specific VM to a snapshot using an API token.
The automation is done using Ansible (community.proxmox.proxmox_snap). The thing is that we need to have a token with a very limited set of privileges.

In my first attempt, I created a role "VMRollback" with only "VM.Snap+VM.Snap.rollback right". Then I assigned this role to the VM (Permission) based on the API browser.

The Ansible role complained that it didn't find the VM.

VM with vmid 900 does not exist in cluster

After adding the additional permission VM.Audit, it is now complaining that the permission check failed.

Rollback of snapshot before_update of VM 900 failed with exception: 403 Forbidden: Permission check failed (/vms/900, VM.Snapshot|VM.Snapshot.Rollback

So, as a test, I switched the role to PVEVMAdmin, which has VM.Snapshot.

However, the problem persists.
I clicked "Show permissions" and even with PVEVMAdmin, it seems that the permissions are not sufficient.


Do you know what I am missing?

Sincerely,
 

Attachments: proxmox_sp.png, pve_perm.png
Hi,
Does the user itself have the permission to do the rollback? A token always has a subset of the permissions of the user it is associated with.
 
In fact, the issue was the privilege separation. I had to create a user that had no permissions at all.
Looking at the doc, it seems that the resulting privileges between the API token's and the user's permissions were the intersection, resulting in a user with no rights at all.
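
The intersection rule described in this thread, as an added example that is not part of the original posts or Proxmox's own code: a simplified Python model of how a privilege-separated token's effective privileges come out empty when only the token has the role. The user name, token name, ACL entries and role contents are constructed assumptions; groups, pools and the NoAccess role are not modelled.

```python
# Added illustration: simplified model of Proxmox VE API-token permission checks.
# Role contents and ACL entries below are constructed sample data.
ROLES = {
    "VMRollback": {"VM.Audit", "VM.Snapshot", "VM.Snapshot.Rollback"},
}

def privs_at(acl, subject, path):
    """Privileges of one subject at path; the nearest ACL entry on the way
    up to "/" wins (propagation assumed enabled)."""
    parts = path.strip("/").split("/") if path != "/" else []
    while True:
        current = "/" + "/".join(parts)
        roles = acl.get((current, subject))
        if roles:
            return set().union(*(ROLES[r] for r in roles))
        if not parts:
            return set()
        parts.pop()

def token_privs(acl, user, token, path, privsep=True):
    """Effective privileges of user!token at path."""
    user_privs = privs_at(acl, user, path)
    if not privsep:
        return user_privs  # full-privilege token: identical to the user
    # Privilege separation: intersection of user and token permissions.
    return user_privs & privs_at(acl, f"{user}!{token}", path)

def can_rollback(privs):
    """VM.Audit so the VM is visible, plus one privilege named in the 403."""
    return "VM.Audit" in privs and bool(
        privs & {"VM.Snapshot", "VM.Snapshot.Rollback"})

USER, TOKEN, PATH = "automation@pve", "rollback", "/vms/900"  # hypothetical

# Setup from the thread: role on the token only, user has no permissions.
acl_broken = {(PATH, f"{USER}!{TOKEN}"): ["VMRollback"]}
# Corrected: the same limited role on both the user and the token.
acl_fixed = {(PATH, USER): ["VMRollback"],
             (PATH, f"{USER}!{TOKEN}"): ["VMRollback"]}

if __name__ == "__main__":
    for name, acl in (("broken", acl_broken), ("fixed", acl_fixed)):
        privs = token_privs(acl, USER, TOKEN, PATH)
        print(name, sorted(privs), "rollback allowed:", can_rollback(privs))
```

Granting the limited role to both the user and the token keeps the token at least privilege while making the intersection non-empty.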