[SOLVED] What privilege for "Download from URL" (ISO storage)

woodstock

Renowned Member
Feb 18, 2016
45
2
73
Hi everybody,

I have setup a user (PVE realm) in my cluster hat has all Datastore.* privileges.

This user can upload ISO images but cannot use Download from URL. The button is disabled.

What privilege does this user need to use this function?

Regards and Thanks.
 
  • Like
Reactions: Tmanok
Last edited:
Thanks for your fast reply and for pointing to the definition.

Unfortunately Sys.Modify is a way too high privilege for our user.

To be honest, I don't understand the connection between uploading ISO files and Sys.Modify (create/modify/remove node network parameters [1]) and Sys.Audit (view node status/config, Corosync cluster config, and HA config [1]).
I really look forward to the roadmaps point Project "Cattle and Pets" hoping it lets me define the privileges better.

[1] https://pve.proxmox.com/wiki/User_Management
 
To be honest, I don't understand the connection between uploading ISO files and Sys.Modify
When you download a file, the URL gets resolved on the PVE host itself. If your server is sitting in a locked-down/separate network, this might allow a user to probe for different hosts that they shouldn't even be allowed to access. You can also check the original commit message (with this exact reasoning) here [1]. We've thought about whether this might be too harsh of a restriction, and you're welcome to open a report on our bugzilla instance [2], where others can chime in too.

[1] https://git.proxmox.com/?p=pve-manager.git;a=commit;h=591e8a8ffbae0d9653450f6eadd5240db3c75019
[2] https://bugzilla.proxmox.com/