[BUG] - Proxmox app: Specific API Permissions needed #814
Description
Describe the bug
The documentation suggest only one permission currently:
Requires at least Sys.Audit permission for /nodes path (and propagated).
This will give you information about the node itself (CPU, RAM), but VMs/LXCs.
To Reproduce
Steps to reproduce the behavior:
- Set up API Permission with SysAudit on /nodes in Proxmox
- Test App in Heimdall
- It just displays CPU and RAM
- VM and LXC is just "0/0"
Expected behavior
I would expect
- Documentation mentioning the needed credentials
- The app not showing "0/0" per VMs and LXCs if the permissions are not right.
Screenshots
If permissions are missing:
If permissions are right:
Version info (please complete the following information):
- Heimdall: 2.6.3
- App: Proxmox
- Version of remote application App tries to use: 8.3.3
Additional context
The API Token needs the following permissions:
- Sys.Audit on /nodes
- VM.Audit on /vms
This can be achieved with either the builtin role "PVEAuditor" or a custom role
See
- https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/status
Required Permissions: Check: ["perm","/nodes/{node}",["Sys.Audit"]] - https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/qemu.
Required Permissions: Only list VMs where you have VM.Audit permissions on /vms/ - https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/lxc
Required Permissions: Only list CTs where you have VM.Audit permission on /vms/.
While you could simple untick "Privilege Separation" when creating the API, it would inherit all the users permission. E.g. if you are using the root user, that API would be allowed to do everything on the PVE cluster.
https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_tokens