[SOLVED] What privilege for "Download from URL" (ISO storage)

woodstock

Hi everybody,

I have set up a user (PVE realm) in my cluster that has all Datastore.* privileges.

This user can upload ISO images but cannot use Download from URL. The button is disabled.

What privilege does this user need to use this function?

Regards and Thanks.
 
Thanks for your fast reply and for pointing to the definition.

Unfortunately, Sys.Modify is way too high a privilege for our user.

To be honest, I don't understand the connection between uploading ISO files and Sys.Modify (create/modify/remove node network parameters [1]) and Sys.Audit (view node status/config, Corosync cluster config, and HA config [1]).
I really look forward to the roadmap's point Project "Cattle and Pets", hoping it lets me define the privileges better.

[1] https://pve.proxmox.com/wiki/User_Management
 
> To be honest, I don't understand the connection between uploading ISO files and Sys.Modify

When you download a file, the URL gets resolved on the PVE host itself. If your server is sitting in a locked-down/separate network, this might allow a user to probe for different hosts that they shouldn't even be allowed to access. You can also check the original commit message (with this exact reasoning) here [1]. We've thought about whether this might be too harsh of a restriction, and you're welcome to open a report on our bugzilla instance [2], where others can chime in too.

[1] https://git.proxmox.com/?p=pve-manager.git;a=commit;h=591e8a8ffbae0d9653450f6eadd5240db3c75019
[2] https://bugzilla.proxmox.com/
 
I believe this change should allow downloading from URL without granting Sys.Modify:

https://lists.proxmox.com/pipermail/pve-devel/2024-February/061842.html

However, I haven't been able to get it to work. Are there instructions somewhere on exactly what permissions need to be granted upon what resources for this to work?

Hi, I know it's more than a year later, but I've just made it work.

For instance, I gave PVEAdmin access to a pool, but downloading from URL didn't work, so I gave the user Sys.AccessNetwork permission for the "/" path and it fixed it.
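
The grant described in the last post, as an added example that is not part of the thread and not Proxmox's own code: a dedicated role holding only Sys.AccessNetwork, assigned on "/", so the user never receives Sys.Modify. The role name IsoUrlDownloader, the user isouser@pve and the DRY_RUN switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: least-privilege grant for "Download from URL".
# ROLE and the user id passed in are hypothetical placeholders.
ROLE="${ROLE:-IsoUrlDownloader}"
PRIVS="${PRIVS:-Sys.AccessNetwork}"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse privilege lists that would bring back Sys.Modify,
# the privilege the thread wants to avoid handing out.
privs_are_minimal() {
    case ",$1," in
        *,Sys.Modify,*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create a role that carries only the network-access privilege.
create_role() {
    if ! privs_are_minimal "$PRIVS"; then
        echo "refusing: role would include Sys.Modify" >&2
        return 1
    fi
    run pveum role add "$ROLE" --privs "$PRIVS"
}

# Assign the role on "/" (the path the last post reports as working).
grant_network_access() {
    user="$1"
    path="${2:-/}"
    run pveum acl modify "$path" --users "$user" --roles "$ROLE"
}

# Show the effective privileges afterwards, to confirm nothing broader leaked in.
audit_user() {
    run pveum user permissions "$1" --path /
}

# Usage on a PVE node (as root):
#   create_role && grant_network_access isouser@pve && audit_user isouser@pve
```

The user still needs the storage-side privileges from the first post (Datastore.*) on the target storage; this role only covers the part that lets the node fetch a URL on the user's behalf.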