Error creating VM: error creating VM: 403 Permission check failed #289

Closed
maksimsamt opened this issue Oct 8, 2024 · 2 comments · Fixed by #286
@maksimsamt
Overview of the Issue

The new plugin version 1.2.0 introduced the PVE pool regression #281.
Unfortunately, the newer version 1.2.1 does not completely solve this issue.
It seems that too many permissions are required for the Packer build user to create a VM/template.
Meanwhile, version 1.1.8 with the same setup and Packer build user permission config works fine.
A similar issue exists in the Proxmox upstream API; see my workaround for how to solve this.

Reproduction Steps

In Proxmox PVE, create the Packer build user's stuff with isolated permissions.
The build user has only the necessary permissions, no more, no less; for example, it does not have the / permission.
Inspired by #184:

# 1) Create a new resource pool packer-pool
pveum pool add packer-pool --comment "Hashicorp Packer Proxmox Build Test Pool"
# 2) Create a new group packer-group
pveum group add packer-group -comment "Hashicorp Packer Proxmox Build Test Group"
# 3) Create a new user packer@pve which is a member of that group packer-group
pveum user add packer@pve -group packer-group -comment "Hashicorp Packer Proxmox Build Test User"
pveum passwd packer@pve
# 4) Add a new API token without privilege separation and with no expire for packer user
pveum user token add packer@pve packer-token -privsep 0 --expire 0
# 5) Add the desired datastores (e.g. local-lvm) to packer-pool resource pool
pvesh set /pools/packer-pool --storage local-lvm
# 6) Assign the following privileges to packer-group:
# PVEPoolUser on /pool/packer-pool
pveum acl modify /pool/packer-pool/ -group packer-group -role PVEPoolUser
# PVEDatastoreUser on /pool/packer-pool
pveum acl modify /pool/packer-pool/ -group packer-group -role PVEDatastoreUser
# PVEVMAdmin on /pool/packer-pool
pveum acl modify /pool/packer-pool/ -group packer-group -role PVEVMAdmin
# PVEDatastoreAdmin on /storage/iso
pveum acl modify /storage/iso -group packer-group -role PVEDatastoreAdmin
# PVESDNUser on /sdn/zones/localnetwork
pveum acl modify /sdn/zones/localnetwork -group packer-group -role PVESDNUser

Further, in the Packer build scripts use this packer@pve user and the /pools/packer-pool pool.
As mentioned above, this setup works in plugin version 1.1.8.
Perhaps you have to define minimumPermissions in packer-plugin-proxmox as it is in terraform-provider-proxmox, and, as mentioned above in my workaround for how to solve this, it will be enough to add only the Sys.Audit permission for the root /.
In this case it will be necessary to add the PVESysAdmin role for the packer-group group:

# add PVESysAdmin for / (group: packer-group):
pveum acl modify / -group packer-group -role PVESysAdmin

Plugin and Packer version

Packer v1.11.2
Plugin v1.2.1
Proxmox PVE v8.2.2

Simplified Packer Buildfile

n/a

Operating system and Environment details

n/a

Log Fragments and crash.log files

==> proxmox-iso.linux-x86_64: Creating VM
==> proxmox-iso.linux-x86_64: Error creating VM: error creating VM: 403 Permission check failed, error status: {"data":null} (params: map[...])
mpywell commented Oct 8, 2024

Hi @maksimsamt

I found when testing #281 these were the permissions I needed to reproduce the build, I definitely didn't need to give any access to /. The issue upstream appears to be the need for /vms access to create a VM, which goes against the idea of using pools. I suspect what's happening is the upstream API library is creating the VM under /, then joining the VM to a pool if configured rather than submitting the VM for creation in the configured pool.

user@pve:~# pveum user permissions poolscopeduser@pve --output-format json-pretty
{
   "/pool/SHARED" : {
      "Pool.Allocate" : 1,
      "Pool.Audit" : 1
   },
   "/sdn/zones/localnetwork" : {
      "SDN.Audit" : 1,
      "SDN.Use" : 1
   },
   "/storage/ISOs" : {
      "Datastore.Allocate" : 1,
      "Datastore.AllocateSpace" : 1,
      "Datastore.AllocateTemplate" : 1,
      "Datastore.Audit" : 1
   },
   "/storage/StandardSSD-lvm" : {
      "Datastore.Allocate" : 1,
      "Datastore.AllocateSpace" : 1,
      "Datastore.AllocateTemplate" : 1,
      "Datastore.Audit" : 1
   },
   "/vms" : {
      "VM.Allocate" : 1,
      "VM.Audit" : 1,
      "VM.Backup" : 1,
      "VM.Clone" : 1,
      "VM.Config.CDROM" : 1,
      "VM.Config.CPU" : 1,
      "VM.Config.Cloudinit" : 1,
      "VM.Config.Disk" : 1,
      "VM.Config.HWType" : 1,
      "VM.Config.Memory" : 1,
      "VM.Config.Network" : 1,
      "VM.Config.Options" : 1,
      "VM.Console" : 1,
      "VM.Migrate" : 1,
      "VM.Monitor" : 1,
      "VM.PowerMgmt" : 1,
      "VM.Snapshot" : 1,
      "VM.Snapshot.Rollback" : 1
   }
}

If I add the PVEVMAdmin role to /pool/SHARED and remove it from /vms, the permission check still fails for the Packer plugin, but I can use the GUI to create a VM in the pool with the scoped user.

I'll try to dig into where the issue lies in the API and raise an issue upstream if we can't work around it in the Packer plugin.

mpywell commented Oct 16, 2024

I've confirmed that proxmox-api-go is no longer submitting Pool to the /nodes/%s/qemu API endpoint (config_qemu.go#L720) and is moving VMs into a Pool as a post step (config_qemu.go#L727-L731).

Raised issue Telmate/proxmox-api-go#366, will try to submit a fix PR for proxmox-api-go soon.
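To make the two code paths discussed in this thread concrete, here is an added Go example (not code from packer-plugin-proxmox or proxmox-api-go) that models the privilege check behind POST /nodes/{node}/qemu over a permission map shaped like the `pveum user permissions` JSON above: naming a pool in the create request passes with VM.Allocate on /pool/{pool}, while creating at the root first needs VM.Allocate on /vms/{vmid}, which a pool-scoped user deliberately lacks. The `Perms` type, the sample grants, the parent-walk propagation rule and the helper names are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Perms mirrors `pveum user permissions <user> --output-format json`: ACL path -> privilege -> 1.
type Perms map[string]map[string]int

// Constructed sample (not captured output): a pool-scoped build user whose
// privileges live only under its pool, with nothing granted on / or /vms.
var scoped = Perms{
	"/pool/packer-pool": {"Pool.Allocate": 1, "VM.Allocate": 1, "VM.Config.Disk": 1},
	"/storage/iso":      {"Datastore.Allocate": 1, "Datastore.Audit": 1},
}

// has walks path up to "/" so a grant on a parent counts (simplified ACL propagation; an assumption).
func (p Perms) has(path, priv string) bool {
	for ; path != ""; path = path[:strings.LastIndex(path, "/")] {
		if p[path][priv] == 1 {
			return true
		}
	}
	return p["/"][priv] == 1
}

// canCreateVM models the check behind POST /nodes/{node}/qemu: naming a pool passes with
// VM.Allocate on /pool/{pool}; creating at the root first needs VM.Allocate on /vms/{vmid}.
func canCreateVM(p Perms, pool string, vmid int) bool {
	if pool != "" && p.has("/pool/"+pool, "VM.Allocate") {
		return true
	}
	return p.has(fmt.Sprintf("/vms/%d", vmid), "VM.Allocate")
}

// broadGrants lists ACL paths outside /pool/ that carry VM.Allocate, i.e. grants
// wider than one resource pool, which a least-privilege review should flag.
func broadGrants(p Perms) (out []string) {
	for path, privs := range p {
		if privs["VM.Allocate"] == 1 && !strings.HasPrefix(path, "/pool/") {
			out = append(out, path)
		}
	}
	return out
}

func main() {
	fmt.Println(canCreateVM(scoped, "packer-pool", 9000), canCreateVM(scoped, "", 9000), broadGrants(scoped))
}
```

Running it prints `true false []`: the pool-scoped user can create when the request carries the pool, cannot when the library creates at the root and joins the pool afterwards, and holds no grant wider than its pool.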
