Use Api-token for adding/removing usb devices

[jamin587]

Cause of corona our Developers are working at home, but as we need to work with limited number of embedded hardware devices we are currently preparing a "Remote Lab" infrastructure. We run a cluster with three nodes. One of them is used to run personal vms for developers, which should be easily configured to start with different usb-devices connected. For testing we added an api-token for root with full permissions. But we get an error "only root can modify usb0 config for real devices". In the task log it shows "... root@pam ... VM XXX configure error..."

Can an API-token not be used as full password replacement?

"
API tokens come in two basic types:

• separated privileges: the token needs to be given explicit access with ACLs, its effective permissions are calculated by intersecting user and token permissions.
• full privileges: the token permissions are identical to that of the associated user."

Activating Privilege Separation gives an error:


Permissions for root@pam token



BR
Benni

 

[dcsapak]

Can an API-token not be used as full password replacement?

mhmm.. we have someplaces where we hardcoded root@pam, though i am not sure if this should work with a token belonging to root....
can you please open a bug on https://bugzilla.proxmox.com ? there we can discuss if that is indeed a bug or maybe an enhancement?

Activating Privilege Separation gives an error:

this is a bug, i already sent a patch to the devel list:
https://lists.proxmox.com/pipermail/pve-devel/2021-February/047027.html