Use Api-token for adding/removing usb devices

J

jamin587

Active Member
Jan 10, 2018
11
1
43
Cause of corona our Developers are working at home, but as we need to work with limited number of embedded hardware devices we are currently preparing a "Remote Lab" infrastructure. We run a cluster with three nodes. One of them is used to run personal vms for developers, which should be easily configured to start with different usb-devices connected. For testing we added an api-token for root with full permissions. But we get an error "only root can modify usb0 config for real devices". In the task log it shows "... root@pam ... VM XXX configure error..."

Can an API-token not be used as full password replacement?

"
API tokens come in two basic types:
  • separated privileges: the token needs to be given explicit access with ACLs, its effective permissions are calculated by intersecting user and token permissions.
  • full privileges: the token permissions are identical to that of the associated user."

Activating Privilege Separation gives an error:
1613059672067.png

Permissions for root@pam token
1613059853435.png


BR
Benni
 
Last edited:
jamin587 said:
Can an API-token not be used as full password replacement?
Click to expand...
mhmm.. we have someplaces where we hardcoded root@pam, though i am not sure if this should work with a token belonging to root....
can you please open a bug on https://bugzilla.proxmox.com ? there we can discuss if that is indeed a bug or maybe an enhancement?

jamin587 said:
Activating Privilege Separation gives an error:
Click to expand...
this is a bug, i already sent a patch to the devel list:
https://lists.proxmox.com/pipermail/pve-devel/2021-February/047027.html
 
You must log in or register to reply here.
Top Bottom