Permissions necessary to update custom cert via API

jforman

New Member
May 25, 2020
14
0
1
41
I'm trying to upload an SSL certificate via the API (https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/certificates/custom) using the Proxmoxer Python API, with an API Token tied to the root user.

I think I've gotten my code right, but am seeing the following error when I execute the POST call:
proxmoxer.core.ResourceException: 403 Forbidden: Permission check failed (user != root@pam) - b'{"data":null}'

From reading the API docs, only root has the ability to upload a custom cert, but then why am I receiving the error (which I am interpreting as "your user cannot be root@pam") ?

If the root user is not required, do I merely need to create an API token tied to a user who is in the Administrator role (who isn't root@pam)?

Any help is greatly appreciated.
 

oguz

Proxmox Staff Member
Staff member
Nov 19, 2018
5,207
677
118
hi,

From reading the API docs, only root has the ability to upload a custom cert, but then why am I receiving the error (which I am interpreting as "your user cannot be root@pam") ?

the error is saying that your current user (making the request) is not root@pam. are you sure your code is correct?
 

oguz

maybe your shell isn't taking root@pam properly? can you try putting it in single quotes like 'root@pam'?
 

oguz

did you figure this out?

i'm thinking you might need the authentication cookie to be able to send requests to the API in the first place
 

jforman

@oguz I was not able to.

Per your suggestion, would you be able to suggest where in my above Gist I would need to use the authentication cookie? I thought the API token id/secret was sufficient for that functionality. I've never heard of an "authentication cookie" in this context.
 

jforman

I did a bit more testing:

Defining the proxmox object like this:
proxmox = ProxmoxAPI(host, verify_ssl=False, user='root@pam', token_name='tokenname1234', token_value='tokenvalue1234')
.....
Gives me this error:
proxmoxer.core.ResourceException: 403 Forbidden: Permission check failed (user != root@pam) - b'{"data":null}'



Whereas, defining proxmox object like this:
proxmox = ProxmoxAPI(host, verify_ssl=False, user='root', token_name='tokenname1234', token_value='tokenvalue1234')
.....
Gives me this error:
proxmoxer.core.ResourceException: 401 Unauthorized: 'root!root-token-test1' is not a valid token ID - not able to split into user and token parts - b''

According to the code, the first way of specifying the object is the correct way, but the permission check is failing, even though the user is specified in the expected way.

Is this perhaps a code bug in Proxmox? I don't believe this is a bug in the Proxmoxer library because the Authorization header looks to be specified correctly here: https://github.com/proxmoxer/proxmoxer/blob/develop/proxmoxer/backends/https.py#L122
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
7,670
1,448
164
it looks like this API endpoint is really only available to the root@pam user, and not also the tokens associated with it. could you file an issue at https://bugzilla.proxmox.com ?
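
The two errors in this thread, reproduced locally as an added example that is not part of any post above and is not Proxmox or Proxmoxer code. The token-ID regex is a simplified assumption, and `diagnose` with its `root_only` flag is a hypothetical model of the root@pam-only restriction described in the last reply.

```python
import re

# Simplified token-ID shape (assumption): user@realm!tokenname
TOKEN_ID_RE = re.compile(r"^([^\s@!]+@[^\s@!]+)!([^\s@!=]+)$")


def split_token_id(token_id):
    """Return (userid, token_name) or raise ValueError for a malformed ID."""
    m = TOKEN_ID_RE.match(token_id)
    if m is None:
        raise ValueError(
            f"'{token_id}' is not a valid token ID - "
            "not able to split into user and token parts"
        )
    return m.group(1), m.group(2)


def build_auth_header(user, token_name, token_value):
    """Authorization header value for a Proxmox VE API token."""
    token_id = f"{user}!{token_name}"
    split_token_id(token_id)  # fail locally rather than with a 401
    return f"PVEAPIToken={token_id}={token_value}"


def diagnose(user, token_name, token_value, root_only=True):
    """Predict (status, detail) for a token-authenticated request.

    root_only models (as an assumption) an endpoint that accepts only the
    root@pam user itself, so no token identity can pass the check.
    """
    try:
        header = build_auth_header(user, token_name, token_value)
    except ValueError as exc:
        return 401, str(exc)
    if root_only:
        # The caller's identity is "user@realm!token", never plain "root@pam".
        return 403, "Permission check failed (user != root@pam)"
    return 200, header


if __name__ == "__main__":
    # Constructed sample values, matching the placeholders used in the thread.
    for user in ("root@pam", "root"):
        print(user, "->", diagnose(user, "tokenname1234", "tokenvalue1234"))
```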
 
