Query Regarding API Permission

ermanishchawla

Well-Known Member
Mar 23, 2020
332
37
48
38
I have created PVE user and its API Token for a user manish@pve in proxmox cluster running version 7. When i assign user permission to VM as attached in screenshot1, the permission are showing with propagate=Yes whereas if I assign token permission to the same VM with same role, it is showing Propagate=No

Now Issue is if I assign only API permission and try to access the VM properties through API call, it is giving me all null and when I assign both user and API to the VM then only API is showing me correct permission

Why this weird behavior??
 

Attachments

  • Screenshot 2022-01-20 at 6.02.49 PM.png
    Screenshot 2022-01-20 at 6.02.49 PM.png
    40.6 KB · Views: 41
  • Screenshot 2022-01-20 at 6.05.16 PM.png
    Screenshot 2022-01-20 at 6.05.16 PM.png
    36.8 KB · Views: 38
With API token permission only assigned to the VM

curl -f -s -S -k --header 'Authorization: PVEAPIToken=manish@pve!monitoring=b9b0c035-3fe2-46e9-9374-299854b44b12' "https://172.19.200.121:8006/api2/json/access/permissions"

{"data":{"/storage/local":{"Datastore.Audit":null,"Permissions.Modify":null,"VM.Snapshot.Rollback":null,"Sys.Modify":null,"User.Modify":null,"VM.Config.Cloudinit":null,"VM.Console":null,"VM.PowerMgmt":null,"VM.Config.Network":null,"VM.Config.CPU":null,"VM.Monitor":null,"VM.Config.Memory":null,"VM.Allocate":null,"Datastore.AllocateSpace":null,"Sys.Console":null,"VM.Config.Disk":null,"VM.Config.Options":null,"VM.Backup":null,"Sys.PowerMgmt":null,"VM.Config.CDROM":null,"Pool.Allocate":null,"Realm.AllocateUser":null,"Sys.Syslog":null,"Sys.Audit":null,"Datastore.Allocate":null,"SDN.Audit":null,"Datastore.AllocateTemplate":null,"Realm.Allocate":null,"VM.Snapshot":null,"Pool.Audit":null,"Group.Allocate":null,"VM.Clone":null,"VM.Config.HWType":null,"VM.Migrate":null,"VM.Audit":null,"SDN.Allocate":null},"/vms/111":{"VM.Backup":null,"VM.Audit":null,"VM.Config.Cloudinit":null,"VM.PowerMgmt":null,"VM.Console":null,"VM.Config.CDROM":null}}
 
With both user and API permissions assigned to VM

curl -f -s -S -k --header 'Authorization: PVEAPIToken=manish@pve!monitoring=b9b0c035-3fe2-46e9-9374-299854b44b12' "https://172.19.200.121:8006/api2/json/access/permissions"

{"data":{"/vms/111":{"VM.Config.CDROM":1,"VM.Backup":1,"VM.Audit":1,"VM.Config.Cloudinit":1,"VM.PowerMgmt":1,"VM.Console":1},"/storage/local":{"VM.Monitor":null,"VM.Config.CPU":null,"VM.Config.Network":null,"VM.Console":null,"VM.PowerMgmt":null,"VM.Config.Cloudinit":null,"User.Modify":null,"Sys.Modify":null,"VM.Snapshot.Rollback":null,"Permissions.Modify":null,"Datastore.Audit":null,"VM.Backup":null,"VM.Config.Options":null,"VM.Config.Disk":null,"Sys.Console":null,"Datastore.AllocateSpace":null,"VM.Allocate":null,"VM.Config.Memory":null,"SDN.Audit":null,"Datastore.Allocate":null,"Sys.Audit":null,"Sys.Syslog":null,"Realm.AllocateUser":null,"VM.Config.CDROM":null,"Pool.Allocate":null,"Sys.PowerMgmt":null,"SDN.Allocate":null,"VM.Audit":null,"VM.Migrate":null,"VM.Config.HWType":null,"VM.Clone":null,"Group.Allocate":null,"Pool.Audit":null,"VM.Snapshot":null,"Datastore.AllocateTemplate":null,"Realm.Allocate":null}}}
 
It can be clearly seen that after add users to the VM permission then only VM.Audit:1 and many others are showing permissions
 
Is it because of this

"
API tokens come in two basic types:
  • Separated privileges: The token needs to be given explicit access with ACLs. Its effective permissions are calculated by intersecting user and token permissions."

"

If that is the case, its my bad that I did not see that in the documentation
 
please post the relevant parts of /etc/pve/user.cfg - without the information on what exactly you configured nobody will be able to tell what's going on..
 
user:manish@pve:1:0::::::

token:manish@pve!monitoring:0:1::

user:root@pam:1:0:::manish@istrac.gov.in::x:




group:VMUSERS:manish@pve::

acl:1:/storage/local:manish@pve!monitoring:Administrator:

acl:1:/vms/111:manish@pve,manish@pve!monitoring:PVEVMUser:
 
if your API token has the privsep flag set it can at most have the privileges of the corresponding user. unfortunately there is a bug in the displayed permission tree (the actual permission checks in the backend are fine though, the display will be fixed in libpve-access-control >= 7.1-6!). all those with null/undefined instead of 1/0 for the propagate flag should actually be filtered out for the display just like for the checks.

e.g., user Administrator / with propagate, token PVEVMUser /vms/123 => token only gets PVEVMUser (this is correctly displayed right now)
e.g., user PVEVMUser / with propagate, token Administrator /vms/123 => token only gets PVEVMUser (but it is currently bugged and displays Administrator with undef propagation except for the privs part of PVEVMUser, which are correctly displayed with propagation 1)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!