[SOLVED] Proxmox v7 API ACL

Husarenka

Oct 14, 2022
Hi!
I'm trying to run Ansible to download templates for VMs without giving Ansible admin permissions.
I tried to change the permissions on the role as follows:
Code:
pveum roleadd API_RoleDatastoreAmin -privs "Datastore.AllocateTemplate Datastore.Audit Datastore.AllocateSpace"
But it doesn't work.
In the log there is:
Code:
::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/version HTTP/1.1" 200 65
::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/nodes/hv/storage/local/content HTTP/1.1" 500 13
I use this Ansible module:
HTML:
https://docs.ansible.com/ansible/latest/collections/community/general/proxmox_template_module.html#ansible-collections-community-general-proxmox-template-module
 
Hi,
can you post the output of cat /etc/pve/user.cfg and pveversion -v?
 
Hi! Here it is:

Code:
root@proxmoxhv:~# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.60-2-pve)
pve-manager: 7.2-11 (running version: 7.2-11/b76d3178)
pve-kernel-helper: 7.2-13
pve-kernel-5.15: 7.2-12
pve-kernel-5.15.60-2-pve: 5.15.60-2
pve-kernel-5.15.53-1-pve: 5.15.53-1
ceph-fuse: 16.2.9-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-3
libpve-guest-common-perl: 4.1-3
libpve-http-server-perl: 4.1-4
libpve-storage-perl: 7.2-10
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.7-1
proxmox-backup-file-restore: 2.2.7-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-6
pve-firmware: 3.5-4
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.6-pve1

Code:
root@proxmoxhv:~# cat /etc/pve/user.cfg
user:root@pam:1:0::::::
user:storageadmin@pve:1:0:::pvestorageadmin@somedomain.com:Ansible storage admin user::

group:API_GroupDatastoreAmin:storageadmin@pve:DataStore Admin for API users group:
group:apiusers:::


role:API_RoleDatastoreAmin:Datastore.AllocateTemplate,Datastore.Audit,Pool.Audit,Sys.Audit,VM.Audit:

acl:1:/:@API_GroupDatastoreAmin:API_RoleDatastoreAmin,PVEAuditor:
acl:1:/storage/local:@API_GroupDatastoreAmin:PVEDatastoreAdmin:
 
This configuration works for me.

Code:
::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/version HTTP/1.1" 200 65
::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/nodes/hv/storage/local/content HTTP/1.1" 500 13
The HTTP status code is 500 and so I'd guess it's not a permission issue (that should be status code 403), but some other issue. Stupid question: is the storage enabled on that node?
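
The 403-versus-500 distinction drawn above can be checked across a whole access log rather than by eye. This is an added example, not part of the original thread: it parses the log line layout shown in the post, and the function names and the last three sample lines are constructed for illustration.

```python
import re

# Layout as posted in the thread:
# client - user [timestamp] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+?)\s*-\s+(?P<user>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})\s+\S+\s*$'
)

def classify(status):
    """Map an HTTP status code to the kind of problem it points at."""
    if status == 401:
        return "authentication"
    if status == 403:
        return "permission"      # an ACL denial would show up here
    if status >= 500:
        return "server-error"    # not an ACL denial; check storage/daemon state
    if status >= 400:
        return "client-error"
    return "ok"

def triage(lines, user=None):
    """Return (failures, unparsed); failures holds one dict per non-ok request."""
    failures, unparsed = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        if user is not None and m["user"] != user:
            continue
        status = int(m["status"])
        kind = classify(status)
        if kind != "ok":
            failures.append({"user": m["user"], "method": m["method"],
                             "path": m["path"], "status": status, "kind": kind})
    return failures, unparsed

# The first two lines are from the thread; the last three are constructed samples.
SAMPLE = [
    '::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/version HTTP/1.1" 200 65',
    '::ffff:IPAADDESS- storageadmin@pve [14/10/2022:20:30:38 +0000] "GET /api2/json/nodes/hv/storage/local/content HTTP/1.1" 500 13',
    '::ffff:192.0.2.10 - storageadmin@pve [14/10/2022:20:31:02 +0000] "GET /api2/json/nodes/hv/storage/local/content HTTP/1.1" 403 13',
    '::ffff:192.0.2.10 - - [14/10/2022:20:32:10 +0000] "POST /api2/json/access/ticket HTTP/1.1" 401 -',
    'pveproxy restarted (constructed non-matching line)',
]
```

Calling `triage(SAMPLE, user="storageadmin@pve")` lists only that account's failed requests, so a least-privilege role can be tested against the log without reading other users' traffic.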
 
I cannot log in to the GUI using 'storageadmin' credentials, and what is more, I don't see this attempt in the syslog or even access.log.
I restarted pveproxy, but the result is the same: there is NO LOG.
After that the server was rebooted, and there is still no log entry that indicates any login from user 'storageadmin' in 'syslog, pveproxy, pveam/access.log'.
Other logs (for example root login) are shown normally.
It's a fresh Proxmox install, nearly 2 weeks old now; it's non-production (there are not many changes, only some administrative (users) or monitoring), 1 node env.
 
Did you use the username storageadmin (not storageadmin@pve) and select the correct realm (there is a drop-down combobox for it)? What exact error message do you get?