[SOLVED] Version 3.2-2 api access via cli

needanewername

I'm trying to use the api to supply data to a homepage widget but I can't seem to get access.

Here's what I'm trying at the moment:

Code:
root@homepage:~# curl -i -L -k -u apiro@pbs:redactedpassword  https://192.168.6.6:8007/api2/json/status/datastore-usage
Enter host password for user 'apiro@pbs':
HTTP/1.1 401 Unauthorized
content-length: 63
date: Mon, 06 May 2024 13:24:03 GMT

authentication failed - no authentication credentials provided.

As far as I can see, I'm providing credentials (yes, it's the right password) but the PBS server is telling me "no authentication credentials provided".

Am I going mad or is it something simple I'm missing?
 
Thanks, I've given that a go as well:

Code:
root@homepage:~# curl -v -i -L -k -H 'Authorization:PVEAPIToken=root@pam!testTOKENID=515bd94c-8617-40d2-a741-dac929886d04' https://192.168.6.6:8007/api2/json/status/datastore-usage
*   Trying 192.168.6.6:8007...
* Connected to 192.168.6.6 (192.168.6.6) port 8007 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: O=Proxmox Backup Server; OU=86E94150-FF5B-468E-BE8F-BC7E8814C519; CN=REDACTED
*  start date: May  3 19:35:08 2024 GMT
*  expire date: Sep  4 19:35:08 3023 GMT
*  issuer: O=Proxmox Backup Server; OU=86E94150-FF5B-468E-BE8F-BC7E8814C519; CN=REDACTED
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET /api2/json/status/datastore-usage HTTP/1.1
> Host: 192.168.6.6:8007
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization:PVEAPIToken=root@pam!testTOKENID=515bd94c-8617-40d2-a741-dac929886d04
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< content-length: 63
content-length: 63
< date: Mon, 06 May 2024 13:43:33 GMT
date: Mon, 06 May 2024 13:43:33 GMT

<
* Connection #0 to host 192.168.6.6 left intact
authentication failed - no authentication credentials provided.

As well as:

Code:
root@homepage:~# curl -v -i -L -k -H 'Authorization:PVEAPIToken=apiro@pbs!homepageTOKENID=e1343409-99a4-4745-b2ed-7adfe778b81f' https://192.168.6.6:8007/api2/json/status/datastore-usage
*   Trying 192.168.6.6:8007...
* Connected to 192.168.6.6 (192.168.6.6) port 8007 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: O=Proxmox Backup Server; OU=86E94150-FF5B-468E-BE8F-BC7E8814C519; CN=REDACTED
*  start date: May  3 19:35:08 2024 GMT
*  expire date: Sep  4 19:35:08 3023 GMT
*  issuer: O=Proxmox Backup Server; OU=86E94150-FF5B-468E-BE8F-BC7E8814C519; CN=REDACTED
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/1.x
> GET /api2/json/status/datastore-usage HTTP/1.1
> Host: 192.168.6.6:8007
> User-Agent: curl/7.88.1
> Accept: */*
> Authorization:PVEAPIToken=apiro@pbs!homepageTOKENID=e1343409-99a4-4745-b2ed-7adfe778b81f
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< content-length: 63
content-length: 63
< date: Mon, 06 May 2024 13:48:39 GMT
date: Mon, 06 May 2024 13:48:39 GMT

<
* Connection #0 to host 192.168.6.6 left intact
authentication failed - no authentication credentials provided.

Permissions for user apiro@pbs:
Code:
root@pbs01:~# proxmox-backup-manager user permissions apiro@pbs
Privileges with (*) have the propagate flag set

Path: /datastore
- Datastore.Allocate (*)
- Datastore.Audit (*)
- Datastore.Backup (*)
- Datastore.Modify (*)
- Datastore.Prune (*)
- Datastore.Read (*)
- Datastore.Verify (*)
- Permissions.Modify (*)
- Realm.Allocate (*)
- Remote.Audit (*)
- Remote.Modify (*)
- Remote.Read (*)
- Sys.Audit (*)
- Sys.Console (*)
- Sys.Modify (*)
- Sys.PowerManagement (*)
- Tape.Audit (*)
- Tape.Modify (*)
- Tape.Read (*)
- Tape.Write (*)

Permissions for user apiro@pbs!homepage:
Code:
root@pbs01:~# proxmox-backup-manager user permissions 'apiro@pbs!homepage'
Privileges with (*) have the propagate flag set

Path: /datastore
- Datastore.Audit (*)
- Sys.Audit (*)

It doesn't even work on the PBS itself:
Code:
root@pbs01:~# curl -i -L -k -H 'Authorization:PVEAPIToken=apiro@pbs!homepageTOKENID=e1343409-99a4-4745-b2ed-7adfe778b81f' https://192.168.6.6:8007/api2/json/status/datastore-usage
HTTP/1.1 401 Unauthorized
content-length: 63
date: Mon, 06 May 2024 13:58:21 GMT

authentication failed - no authentication credentials provided.

ACLs look like:
Code:
root@pbs01:~# proxmox-backup-manager acl list
┌────────────────────┬────────────┬───────────┬────────┐
│ ugid               │ path       │ propagate │ roleid │
╞════════════════════╪════════════╪═══════════╪════════╡
│ apiro@pbs          │ /datastore │         1 │ Audit  │
├────────────────────┼────────────┼───────────┼────────┤
│ apiro@pbs!homepage │ /datastore │         1 │ Audit  │
└────────────────────┴────────────┴───────────┴────────┘

I'm at a bit of a loss...
 
Turns out this was made up of several PEBKAC errors.

After regenerating the API key, I noticed I wasn't providing the right token name and further digging revealed that I wasn't formatting the request correctly either.

So,

Code:
root@homepage:~# curl -i -L -k -H 'Authorization: PBSAPIToken=apiro@pbs!homepage:65698571-a05f-465f-8772-2c5ec4a32f7e' https://192.168.6.6:8007/api2/json/status/datastore-usage

Works:

Code:
HTTP/1.1 200 OK
content-type: application/json;charset=UTF-8
content-length: 10295
date: Mon, 06 May 2024 21:28:36 GMT

The rest came easily after that. For those who need to know, this is the ACL I have that works for the homepage Proxmox Backup Server widget:
Code:
root@pbs01:~# proxmox-backup-manager acl list
┌────────────────────┬────────────────┬───────────┬────────┐
│ ugid               │ path           │ propagate │ roleid │
╞════════════════════╪════════════════╪═══════════╪════════╡
│ apiro@pbs          │ /datastore     │         1 │ Audit  │
├────────────────────┼────────────────┼───────────┼────────┤
│ apiro@pbs          │ /system/status │         1 │ Audit  │
├────────────────────┼────────────────┼───────────┼────────┤
│ apiro@pbs!homepage │ /datastore     │         1 │ Audit  │
├────────────────────┼────────────────┼───────────┼────────┤
│ apiro@pbs!homepage │ /system/status │         1 │ Audit  │
└────────────────────┴────────────────┴───────────┴────────┘

Thank you for your tolerance.
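
Added example, not part of the original posts: a small shell lint for the `Authorization` value, based on the shape of the working request above (`PBSAPIToken=USER@REALM!TOKENNAME:SECRET`). The function names `pbs_auth_lint` and `pbs_write_header_file` and the all-zero secret are constructed for illustration.

```shell
#!/bin/sh
# Lint a PBS API-token Authorization value (the part after "Authorization:").
# Usage: pbs_auth_lint VALUE [EXPECTED_TOKEN_ID]
# Prints "ok" (exit 0) or a "; "-separated list of problems (exit 1).
pbs_auth_lint() {
    value=$1 expected=${2:-} problems=
    scheme=${value%%=*}          # text before the first '='
    rest=${value#*=}             # token id plus secret
    [ "$scheme" = "PBSAPIToken" ] ||
        problems="${problems}scheme '$scheme' is not PBSAPIToken; "
    case $rest in
        *:*) tokenid=${rest%%:*} ;;
        *=*) tokenid=${rest%%=*}
             problems="${problems}secret separated by '=' instead of ':'; " ;;
        *)   tokenid=$rest
             problems="${problems}no secret present; " ;;
    esac
    case $tokenid in
        ?*@?*!?*) ;;
        *) problems="${problems}token id is not USER@REALM!TOKENNAME; " ;;
    esac
    if [ -n "$expected" ] && [ "$tokenid" != "$expected" ]; then
        problems="${problems}token id '$tokenid' does not match '$expected'; "
    fi
    if [ -n "$problems" ]; then echo "${problems%; }"; return 1; fi
    echo "ok"
}

# Write "Authorization: VALUE" to FILE with mode 0600 so it can be passed as
# `curl -H @FILE` and the secret stays out of the process list and shell
# history. Refuses values that fail the lint.
# Usage: pbs_write_header_file VALUE FILE [EXPECTED_TOKEN_ID]
pbs_write_header_file() {
    pbs_auth_lint "$1" "${3:-}" >/dev/null || return 1
    rm -f -- "$2"
    ( umask 077 && printf 'Authorization: %s\n' "$1" > "$2" )
}

# Constructed samples: the shape of the failing and the working request,
# with a placeholder secret.
failing='PVEAPIToken=apiro@pbs!homepageTOKENID=00000000-0000-0000-0000-000000000000'
working='PBSAPIToken=apiro@pbs!homepage:00000000-0000-0000-0000-000000000000'
pbs_auth_lint "$failing" 'apiro@pbs!homepage' || true
pbs_auth_lint "$working" 'apiro@pbs!homepage' || true
```

The expected token id is the `ugid` shown by `proxmox-backup-manager acl list`, here `apiro@pbs!homepage`.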
 