Proxmox - PVEAuditor does not grant access to storage

Jun 8, 2016
I have a relatively simple Python script which receives no results when connecting with an account that has an acl applied to '/' of PVEAuditor. I presume the issue to relate to storage not being accessible when logging in to the WebUI as that account:

Code:
[admin@kvm1e ~]# grep inventory@pve /etc/pve/user.cfg
user:inventory@pve:1:0:inventory:Collector::::
acl:1:/:inventory@pve:PVEAuditor:

Nothing shows when selecting shared storage when logged in as that user:
[image: proxmox_blank_storage.png]


I'm able to view all cluster, node and VM settings though, for example:
[image: proxmox_cluster_and_vm_access.png]


Simple Python ProxmoxAPI script which doesn't work with this account but is fine when run with an administrator account:

Code:
from proxmoxer import ProxmoxAPI
from collections import defaultdict
import pandas

# Password login as the audit account (credential redacted in the post)
proxmox = ProxmoxAPI('kvm1e.redacted', user='inventory@pve', password='*************************', verify_ssl=True)

titles = ['VMID', 'Name', 'vCPUs', 'vRAM', 'Disk']
l1 = []  # one entry per VM: id, name, vCPUs and RAM (GiB)
l2 = []  # one entry per disk image found on the storage
l3 = []  # joined rows written to the CSV

# VM inventory: the VM list is visible to PVEAuditor (VM.Audit)
for node in proxmox.nodes.get():
    for vm in proxmox.nodes(node['node']).qemu.get():
        l1.append({'VMID': vm['vmid'], 'Name': vm['name'], 'vCPU': vm['cpus'], 'VRam': vm['maxmem'] / 1073741824})

# Disk images on the shared storage: this call returns nothing for the
# PVEAuditor account, because Datastore.Audit does not list images
for vm in proxmox.nodes('kvm1e').storage('rbd_hdd').content.get():
    if vm.get('vmid') is None:
        continue  # skip content not owned by a VM (e.g. ISOs)
    l2.append({'VMID': vm['vmid'], 'Size': vm['size'] / 1073741824})

# Sum the sizes per VM (a VM may have several images on the storage)
c = defaultdict(int)
for d in l2:
    c[d['VMID']] += d['Size']
l2 = [{'VMID': vmid, 'Size': size} for vmid, size in c.items()]

# Join the VM inventory with the per-VM disk totals
for x in l1:
    for y in l2:
        if int(y['VMID']) == int(x['VMID']):
            l3.append((x['VMID'], x['Name'], x['vCPU'], x['VRam'], y['Size']))

pd = pandas.DataFrame(l3, columns=titles)
pd.to_csv('kvm1.csv', index=False, header=False)


Regards
David Herselman
 
yeah, Datastore.Audit is not enough to list arbitrary storage contents (only isos/templates).. anything more requires Datastore.Allocate, or going via the VM/CT API if access to the VM config is available..
 
We actually just want a list of the drive sizes so that we can cross check other references, is there a way to obtain a list of a qemu instance's disks?

We don't appear to have access when trying your suggestion:
Code:
[admin@kvm5b ~]# grep inventory /etc/pve/user.cfg
user:inventory@pve:1:0:Inventory:Collector::::
acl:1:/:inventory@pve:Datastore.Allocate,PVEAuditor:

Perhaps a bug? Reading the documentation also leads me to believe that Datastore.Audit should have the relevant permission though...
https://pve.proxmox.com/wiki/User_Management



Storage related privileges
Datastore.Allocate: create/remove/modify a data store, delete volumes

Datastore.AllocateSpace: allocate space on a datastore

Datastore.AllocateTemplate: allocate/upload templates and iso images

Datastore.Audit: view/browse a datastore
 
We actually just want a list of the drive sizes so that we can cross check other references, is there a way to obtain a list of a qemu instance's disks?
well, the config contains the disks and sizes, but the latter might be outdated.. if you regularly run qm rescan that should not be a problem though.

We don't appear to have access when trying your suggestion:


Perhaps a bug? Reading the documentation also leads me to believe that Datastore.Audit should have the relevant permission though...
https://pve.proxmox.com/wiki/User_Management

Datastore.Audit is a privilege, ACLs take roles. so you'd need to define your own role or use one that contains Datastore.Allocate. but be aware that the latter privilege allows quite a lot :-/

Storage related privileges
Datastore.Allocate: create/remove/modify a data store, delete volumes

Datastore.AllocateSpace: allocate space on a datastore

Datastore.AllocateTemplate: allocate/upload templates and iso images

Datastore.Audit: view/browse a datastore
yeah, it allows browsing, but the list of returned contents is still filtered by what you are allowed to access. I'll think a bit about whether it would make sense to broaden this, or add another privilege that explicitly allows reading more.
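The point Fabian makes above (ACL entries name roles, and a privilege written into an ACL line is simply not a role) can be checked directly against /etc/pve/user.cfg. The following is an added example, not Proxmox code: it parses the user.cfg line format shown in the thread, resolves each ACL token to a role, and reports tokens that are not roles as well as any resolved privilege that is far broader than "read" (Datastore.Allocate, as warned above). The sample user.cfg text is constructed; its acl line for '/' is the one David posted, while the InventoryAuditor role and the storage-level ACL are hypothetical. The built-in role contents in BUILTIN_ROLES are an assumption for illustration (check `pveum role list` on your own cluster), and the "most specific path wins" precedence is a simplified model of how PVE evaluates ACLs.

```python
import re

# Constructed /etc/pve/user.cfg excerpt (see lead-in for which lines are hypothetical)
USER_CFG = """\
user:inventory@pve:1:0:Inventory:Collector::::
role:InventoryAuditor:Datastore.Allocate,Datastore.Audit,Sys.Audit,VM.Audit:
acl:1:/:inventory@pve:Datastore.Allocate,PVEAuditor:
acl:1:/storage/rbd_hdd:inventory@pve:InventoryAuditor:
"""

# Built-in roles are not stored in user.cfg; this subset is an assumption for the example.
BUILTIN_ROLES = {
    "PVEAuditor": {"Datastore.Audit", "Sys.Audit", "VM.Audit"},
    "PVEDatastoreAdmin": {"Datastore.Allocate", "Datastore.AllocateSpace",
                          "Datastore.AllocateTemplate", "Datastore.Audit"},
    "PVEDatastoreUser": {"Datastore.AllocateSpace", "Datastore.AllocateTemplate",
                         "Datastore.Audit"},
}

# Privileges that grant far more than read access; worth flagging in an audit account
BROAD_PRIVS = {"Datastore.Allocate"}


def parse_user_cfg(text):
    """Return (roles, acls): roles maps name -> set of privileges,
    acls is a list of (path, propagate, subjects, tokens)."""
    roles = {name: set(privs) for name, privs in BUILTIN_ROLES.items()}
    acls = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "role":
            roles[fields[1]] = {p for p in fields[2].split(",") if p}
        elif fields[0] == "acl":
            propagate, path, subjects, tokens = fields[1:5]
            acls.append((path, propagate == "1", subjects.split(","), tokens.split(",")))
    return roles, acls


def path_chain(path):
    """'/storage/rbd_hdd' -> ['/', '/storage', '/storage/rbd_hdd']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def tokens_for(acls, subject, path):
    """Walk from the root down to path; an ACL on a more specific path replaces the
    inherited set, and ancestor ACLs only apply when they propagate (simplified model)."""
    tokens = []
    for p in path_chain(path):
        here = [t for acl_path, propagate, subjects, toks in acls
                if acl_path == p and subject in subjects and (p == path or propagate)
                for t in toks]
        if here:
            tokens = here
    return tokens


def audit(subject, path, text=USER_CFG):
    """Effective privileges for subject at path, plus the ACL tokens that are not roles
    (they grant nothing) and the resolved privileges that are broad."""
    roles, acls = parse_user_cfg(text)
    privs, not_a_role = set(), set()
    for tok in tokens_for(acls, subject, path):
        if tok in roles:
            privs |= roles[tok]
        else:
            not_a_role.add(tok)
    return {"privs": sorted(privs), "not_a_role": sorted(not_a_role),
            "broad": sorted(privs & BROAD_PRIVS)}


if __name__ == "__main__":
    for p in ("/", "/nodes/kvm1e", "/storage/rbd_hdd"):
        print(p, audit("inventory@pve", p))
```

Run against the constructed config, the '/' entry resolves to the three PVEAuditor privileges and reports Datastore.Allocate as "not a role", which is exactly why David's second attempt changed nothing; the hypothetical custom role on the storage path does resolve, but is flagged because it carries Datastore.Allocate.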
 
Thanks Fabian, I would very much like to recommend that PVEAuditor have the ability to list images in storage.

Rewrote our inventory collection / audit report script to run through the ide, scsi and virtio images associated with a VM and to represent the sum of all disks as a combined value. I'm really no programmer so I hope the following isn't too horrendous.

A VM with 3 disks would subsequently have the disk size reported as the sum of all the disks:

Code:
Installation:
  python3.7 -m venv /usr/local/audit-report;
  . /usr/local/audit-report/bin/activate;
  pip install pandas;
  pip install proxmoxer;
  pip install requests;

Collecting inventory:
  . /usr/local/audit-report/bin/activate;
  python kvm1.py;
  dir *.csv;

kvm1.py:
Code:
from proxmoxer import ProxmoxAPI
import pandas
import re

#proxmox = ProxmoxAPI('kvm1a.acme.com', user='inventory@pve',password='********************************', verify_ssl=True)
# API token login (token value redacted in the post)
proxmox = ProxmoxAPI('kvm1a.acme.com', user='inventory@pve', token_name='audit-report', token_value='************************************', verify_ssl=True)

file = 'kvm1.csv'
l1 = []

def to_bytes(spec, si=True):
  # Convert a Proxmox size such as '32G' or '500M' to bytes; a bare number is already bytes
  decade = 1000 if si else 1024
  suffixes = tuple('BKMGTP')
  if spec[-1].isdigit():
    return int(spec)
  num = float(spec[:-1])
  s = spec[-1]
  i = suffixes.index(s)
  for n in range(i):
    num *= decade
  return int(num)

for node in proxmox.nodes.get():
  for vm in proxmox.nodes(node['node']).qemu.get():
    # The VM config is readable with VM.Audit, so no storage privilege is needed
    config = proxmox.nodes(node['node']).qemu(vm['vmid']).config.get()
    vm['size'] = 0
    for line in config.keys():
      if re.match(r'^(ide|scsi|virtio)\d', line):
        if not re.match(r'^(none|iso_library)[:,]', config[line]):
          # Turn 'storage:volume,size=32G,...' into {'storage': 'volume', 'size': '32G', ...}
          res = dict(item.split("=", 1) for item in re.sub(r'^([a-z0-9_-]*):', r'\1=', config[line]).split(",") if "=" in item)
          # CD-ROM drives on other storages and drives without a size carry no disk capacity
          if res.get('media') == 'cdrom' or 'size' not in res:
            continue
          vm['size'] += to_bytes(res['size'], 0)
    l1.append({ 'VMID': vm['vmid'], 'Name': vm['name'], 'vCPU' : vm['cpus'], 'vRAM' : round(vm['maxmem']/1073741824, 3), 'Disk' : round(vm['size']/1073741824, 3) })

pd = pandas.DataFrame(l1)
pd.sort_values(by=['Name']).to_csv(file, index=False, header=True)
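The approach in the post (sum the size= option of each disk entry in the VM config, which VM.Audit can read, instead of listing storage contents) can be exercised offline. The following is an added example, not the poster's script: it runs the parsing step over a constructed VM config dictionary shaped like the /nodes/{node}/qemu/{vmid}/config response, and goes slightly beyond the post by also matching sata drives and by handling the entries a real config can contain (CD-ROM drives with an ISO on any storage, empty CD-ROM drives, pass-through block devices with no storage prefix, unit-less sizes, and non-disk keys such as efidisk0, unused0 and scsihw). Storage and volume names in SAMPLE_CONFIG are made up; the "file" key name for the leading volume id follows Proxmox's own drive option naming.

```python
import re

# Constructed VM config in the shape returned by /nodes/{node}/qemu/{vmid}/config
SAMPLE_CONFIG = {
    "name": "web01",
    "cores": 4,
    "memory": 8192,
    "scsi0": "rbd_hdd:vm-100-disk-0,discard=on,size=32G",
    "scsi1": "rbd_hdd:vm-100-disk-1,size=500M",
    "virtio2": "local-lvm:vm-100-disk-2,size=10240M",
    "sata0": "/dev/disk/by-id/ata-passthrough,size=2T",   # pass-through, no storage prefix
    "ide2": "local:iso/debian.iso,media=cdrom,size=631M",  # ISO, must not count
    "ide0": "none,media=cdrom",                            # empty CD-ROM drive
    "efidisk0": "rbd_hdd:vm-100-disk-3,size=528K",         # not a data disk for this report
    "unused0": "rbd_hdd:vm-100-disk-9",                    # detached volume, no size
    "scsihw": "virtio-scsi-pci",
}

DISK_KEY = re.compile(r"^(ide|sata|scsi|virtio)\d+$")
# Proxmox reports sizes in binary units
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4, "P": 1024 ** 5}


def parse_size(spec):
    """'32G' -> bytes; a bare number is already bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGTP]?)", spec)
    if not m:
        raise ValueError(f"unparseable size: {spec!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_drive(value):
    """Split 'storage:volume,k=v,...' into a dict; the leading volume id becomes 'file'."""
    parts = value.split(",")
    opts = {"file": parts[0]}
    for item in parts[1:]:
        if "=" in item:  # tolerate bare flags
            k, v = item.split("=", 1)
            opts[k] = v
    return opts


def vm_disk_bytes(config):
    """Sum of the provisioned sizes of a VM's ide/sata/scsi/virtio disks, in bytes."""
    total = 0
    for key, value in config.items():
        if not DISK_KEY.match(key):
            continue  # skips scsihw, efidisk0, unused0, ...
        drive = parse_drive(value)
        if drive.get("media") == "cdrom" or drive["file"] == "none":
            continue  # CD-ROM drives (ISO or empty) are not VM disk capacity
        if "size" not in drive:
            continue  # nothing to count without a size
        total += parse_size(drive["size"])
    return total


def gib(nbytes):
    return round(nbytes / 1024 ** 3, 3)


if __name__ == "__main__":
    print(SAMPLE_CONFIG["name"], gib(vm_disk_bytes(SAMPLE_CONFIG)), "GiB")
```

For the constructed config only scsi0, scsi1, virtio2 and sata0 are counted (32 + 0.488 + 10 + 2048 GiB); as Fabian notes above, the size= values come from the config and can lag behind the real volume size until qm rescan has been run.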
 
there are basically two ways to tackle this:
- extend Datastore.Audit to allow reading/listing all contents, in addition to what it currently does
- add a new Datastore.Read to allow reading/listing all contents, Datastore.Audit would remain "know about storage and storage config, list some content types"

extending would be a breaking change (suddenly, all the existing PVEAuditors gain access to stuff they didn't have before!), so that would have to wait for 7.0 (released some time this year). adding a new privilege would be easier to do, but would then either require adding a new built-in role above PVEAuditor, or usage of custom roles. it does have the advantage that you can specify more clearly what the user is supposed to see.
 
Hi, also wanted to chime in here, I ran into the same issue.

Have you decided on which option will be implemented yet? Or is the 2nd option already implemented?
 
the preference would be the new privilege, but we haven't implemented it yet.
 
