Unable to assign ISO for CDROM in VM via API

wimark_gaidai

Jun 26, 2023
First: I'm doing everything with a root API key without limits.
Previously I tried with a special limited key, but that did not work either.
What am I doing? I'm trying to insert an ISO into the virtual CD-ROM.
How am I doing it?
See:
Code:
~: $ curl --insecure --silent -H "Authorization: PVEAPIToken=$PVEAPIToken" -X POST --data-urlencode scsi1='local:iso/my_iso.iso,media=cdrom' https://$PVEAPINode:8006/api2/json/nodes/$PVETargetNode/qemu/$PVEVMID/config | jq '.'
{
  "data": null
}
BUT! I can remove the ISO from the virtual drive easily, and it works with an unprivileged limited API token:
Code:
~: $ curl --insecure --silent -H "Authorization: PVEAPIToken=$PVEAPIToken" -X POST --data-urlencode scsi1='none' https://$PVEAPINode:8006/api2/json/nodes/$PVETargetNode/qemu/$PVEVMID/config | jq '.'
{
  "data": "UPID:wm-pve-01:002523EA:07782A44:6495C95F:qmconfig:303:builder@pam!wm-gitlab-runner-host:"
}

I tried this with several drives - SCSI, IDE, CDROM - with the same effect.
So, from the host via pvesh it works perfectly:
Code:
~: # pvesh set /nodes/wm-pve-01/qemu/303/config -scsi1 local:iso/my_iso.iso,media=cdrom
update VM 303: -scsi1 local:iso/my_iso.iso,media=cdrom

The PVE proxy logs show 403 Forbidden when I try to mount the ISO:
Code:
root@pam!root_token [23/06/2023:19:00:53 +0300] "POST /api2/json/nodes/wm-pve-01/qemu/303/config HTTP/1.1" 403 13
But dismount is OK:
Code:
root@pam!root_token [23/06/2023:19:00:50 +0300] "GET /api2/json/nodes/wm-pve-01/qemu/303/status/current HTTP/1.1" 200 1895

What am I doing wrong?
 
Hi,

This might be a permissions problem. You can run curl with the -v flag to get a more verbose output. Among other things, it will print the HTTP status line, which contains a more detailed error message, for example:

Code:
< HTTP/1.1 403 Permission check failed ...

But dismount is OK:
Code:
root@pam!root_token [23/06/2023:19:00:50 +0300] "GET /api2/json/nodes/wm-pve-01/qemu/303/status/current HTTP/1.1" 200 1895
I don't think this API call corresponds to an ISO unmount action; rather, it looks like an HTTP request that queries the VM status.
 
Thanks!
cURL says HTTP/1.1 403 Permission check failed (/storage/local, Datastore.AllocateSpace|Datastore.Audit)
but these permissions are allowed.
[Attached image: 1687764702929.png]

And it does not work with root unlimited permissions either.
 
Code:
> Authorization: PVEAPIToken=root@pam!root_token=547de1d4-4d9c-4736-8f8e-bf0977903578
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
...
< HTTP/1.1 403 Permission check failed (/storage/local, Datastore.AllocateSpace|Datastore.Audit)
[Attached image: 1687765029991.png]
 
Hi,
did you also assign the permissions to the tokens?
 
Hi,

First, I'd suggest you censor the API key in your post.

Which version of PVE are you running? Could you please post the output of pveversion -v?

There might be still some permissions missing for root@pam!root_token that prevent this API key from mounting the ISO. Could you post the output of pveum user permissions 'root@pam!root_token'?
 
First, I'd suggest you censor the API key in your post.
This is a temp key from an isolated local server segment. No risks))
Could you please post the output of pveversion -v?
Code:
proxmox-ve: 7.4-1 (running kernel: 5.15.107-2-pve)
pve-manager: 7.4-4 (running version: 7.4-4/4a8501a8)
pve-kernel-5.15: 7.4-3
pve-kernel-5.15.107-2-pve: 5.15.107-2
pve-kernel-5.15.102-1-pve: 5.15.102-1
ceph-fuse: 15.2.17-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx4
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.4
libproxmox-backup-qemu0: 1.3.1-1
libproxmox-rs-perl: 0.2.1
libpve-access-control: 7.4-3
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.4-1
libpve-guest-common-perl: 4.2-4
libpve-http-server-perl: 4.2-3
libpve-rs-perl: 0.7.6
libpve-storage-perl: 7.4-3
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-2
lxcfs: 5.0.3-pve1
novnc-pve: 1.4.0-1
proxmox-backup-client: 2.4.2-1
proxmox-backup-file-restore: 2.4.2-1
proxmox-kernel-helper: 7.4-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.7.0
pve-cluster: 7.3-3
pve-container: 4.4-4
pve-docs: 7.4-2
pve-edk2-firmware: 3.20230228-2
pve-firewall: 4.3-2
pve-firmware: 3.6-5
pve-ha-manager: 3.6.1
pve-i18n: 2.12-1
pve-qemu-kvm: 7.2.0-8
pve-xtermjs: 4.16.0-2
qemu-server: 7.4-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+3
vncterm: 1.7-1
zfsutils-linux: 2.1.11-pve1
pveum user permissions 'root@pam!root_token'
[Attached image: 1687767475004.png]
 
Hello,

Thanks. The problem is that according to your screenshot, your root@pam!root_token API token only had privileges on the ACL path /vms/303, but on no other ACL paths. In particular, it was missing privileges on the ACL path /storage/local, which is what the error message suggested earlier:
Code:
> Authorization: PVEAPIToken=root@pam!root_token=547de1d4-4d9c-4736-8f8e-bf0977903578
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
...
< HTTP/1.1 403 Permission check failed (/storage/local, Datastore.AllocateSpace|Datastore.Audit)

In order to fix this, you have to assign relevant roles on the /storage/local path too, or grant them on / and enable the "propagate" flag so they also apply to /storage/local.

Disabling "Privilege Separation" means that the API token has the same permissions as the associated user. This may be fine for ordinary users with reduced privileges, but it is not advisable in case the associated user is root@pam, because then the API token will likely have a lot of privileges it will not actually need. I would suggest to grant API tokens only the privileges they need to complete their task. I'd suggest to have another look at the relevant sections of our reference manual [0].

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_permission_management
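
Added example, not from the thread or from Proxmox's own code: a small Python check that parses the 403 status line quoted above and evaluates it against a token's ACL entries, using a simplified model of path inheritance and the "propagate" flag. The ACL tables, privilege sets and function names are constructed for illustration, and reading `|` as "any one of these privileges suffices" is an assumption of this sketch.

```python
import re

# Status line in the format quoted in the thread.
STATUS = ("HTTP/1.1 403 Permission check failed "
          "(/storage/local, Datastore.AllocateSpace|Datastore.Audit)")

_DENIED = re.compile(
    r"403 Permission check failed \((?P<path>/[^,]*), (?P<privs>[^)]+)\)")

def parse_denial(status_line):
    """Return (acl_path, [alternative privileges]) or None if no match."""
    m = _DENIED.search(status_line)
    if not m:
        return None
    # Assumption: '|' separates alternatives, any one of which passes the check.
    return m.group("path"), m.group("privs").split("|")

def effective_privs(acl, path):
    """Privileges a token holds on `path`.

    acl maps ACL path -> (set of privileges, propagate flag).
    Simplified model: the nearest applicable entry wins, and an entry on an
    ancestor path only applies when its propagate flag is set.
    """
    node = path.rstrip("/") or "/"
    exact = True
    while True:
        if node in acl:
            privs, propagate = acl[node]
            if exact or propagate:
                return set(privs)
        if node == "/":
            return set()
        node = node.rsplit("/", 1)[0] or "/"
        exact = False

def explain(status_line, acl):
    """Report whether the ACL set satisfies the failed check."""
    parsed = parse_denial(status_line)
    if parsed is None:
        return "not a permission-check failure"
    path, alternatives = parsed
    if effective_privs(acl, path) & set(alternatives):
        return f"{path}: satisfied"
    return f"{path}: grant one of {', '.join(alternatives)}"

# Constructed ACL tables: a token scoped to the VM only, and the same token
# with one added storage privilege (least privilege, no grant on /).
VM_ONLY = {"/vms/303": ({"VM.Audit", "VM.Config.CDROM"}, True)}
WITH_STORAGE = dict(VM_ONLY, **{"/storage/local": ({"Datastore.Audit"}, False)})
```

`explain(STATUS, VM_ONLY)` names the missing storage privileges, while `explain(STATUS, WITH_STORAGE)` reports the check as satisfied without granting anything on `/`.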
 