[GH-ISSUE #9] Permission Issue #119

Closed
opened 2026-03-13 17:12:14 +03:00 by kerem · 7 comments

Originally created by @tep1997 on GitHub (Feb 18, 2026).
Original GitHub issue: https://github.com/adminsyspro/proxcenter-ui/issues/9

I've successfully added 3 nodes to Proxcenter and I can see and interact with them properly. However, if I try to restart, stop, or power-off a VM, I get the below error.

Image
kerem closed this issue 2026-03-13 17:12:19 +03:00

@adminsyspro commented on GitHub (Feb 18, 2026):

Hi,

You need to adjust your PVE permissions. You can either give ProxCenter full admin/root rights, or you can give them whatever you want.

In your example, it's the VM.PowerMgmt which is missing.

Regards.


@tep1997 commented on GitHub (Feb 18, 2026):

So, I gave both the Proxcenter User and API Audit permissions. Does that give enough permissions?

Image

@adminsyspro commented on GitHub (Feb 18, 2026):

I think you need to put the permission at / without privilege separation.


@tep1997 commented on GitHub (Feb 18, 2026):

That's how it was set up, at /.


@turnipy commented on GitHub (Feb 18, 2026):

For me nothing worked until I linked the token to my root superuser account in the Proxmox cluster using this in the Proxmox CLI:

```bash
pveum user token add root@pam proxcenter --privsep 0
```

Trying to attach to a separate api-user account, even when giving admin, still gave me those errors.
E.g. this didn't work (giving admin to both user and token):

```bash
pveum aclmod / --user api-user@pve --roles PVEAdmin
pveum aclmod / --token 'api-user@pve!proxcenter' --roles PVEAdmin
```


@adminsyspro commented on GitHub (Feb 19, 2026):

Thanks for the detailed troubleshooting, this is a common Proxmox gotcha related to **API token privilege separation**.

## The issue

By default, Proxmox API tokens are created with `privsep=1` (privilege separation **enabled**). This means the token has **its own separate permissions**, independent from the user it's attached to — even if the user is `root@pam` or has `PVEAdmin`.

So even if your user has full admin rights, the token itself starts with **zero permissions** unless you explicitly assign them to the token.

## The fix

**Option A — Disable privilege separation** (simplest):

```bash
pveum user token add root@pam proxcenter --privsep 0
```

This makes the token inherit all permissions from the user account.

**Option B — Keep privsep but assign permissions to the token**:

```bash
pveum aclmod / --token 'youruser@pve!proxcenter' --roles PVEAdmin
```

Note: you must assign the role to the **token** (`user!tokenid`), not just the user.

## Why it works for viewing but not for actions

`GET` requests to list nodes/VMs typically require only `Sys.Audit` or `VM.Audit`, which may be partially granted. But actions like start/stop/reboot require `VM.PowerMgmt`, `VM.Console`, etc. — which are missing when the token has no explicit permissions.

---

We'll improve the UX in a future update by validating token permissions when adding a connection, so this kind of issue is caught early. For now, using `--privsep 0` on a dedicated user (or root) is the easiest path.
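The pre-flight check described in the comment above, sketched as an added example (not ProxCenter's code and not posted by anyone in this thread): given the `data` map returned by Proxmox's `GET /access/permissions` for the token, it reports which actions would be refused for a VM path. The action grouping, the function names, the sample maps and the simplified inheritance rule are assumptions.

```python
"""Pre-flight check of a Proxmox API token's effective privileges (added example)."""

# Privileges named in the thread; grouping them per action is an assumption.
REQUIRED = {
    "view": {"VM.Audit"},
    "power": {"VM.PowerMgmt"},
    "console": {"VM.Console"},
}


def effective_privs(perms: dict, path: str) -> set:
    """Resolve privileges for `path` from a {path: {privilege: propagate}} map.

    An exact entry wins; otherwise the nearest ancestor entry contributes only
    the privileges whose propagate flag is set (simplified model, an assumption).
    """
    if path in perms:
        return set(perms[path])
    parts = path.rstrip("/").split("/")
    while len(parts) > 1:
        parts.pop()
        parent = "/".join(parts) or "/"
        if parent in perms:
            return {p for p, propagate in perms[parent].items() if propagate}
    return set()


def blocked_actions(perms: dict, path: str) -> dict:
    """Return {action: sorted missing privileges} for actions the token cannot perform."""
    have = effective_privs(perms, path)
    return {a: sorted(need - have) for a, need in REQUIRED.items() if need - have}


# Constructed samples shaped like the "data" field of GET /access/permissions.
AUDIT_ONLY_TOKEN = {"/": {"Sys.Audit": 1, "VM.Audit": 1}}
ADMIN_TOKEN = {"/": {"Sys.Audit": 1, "VM.Audit": 1, "VM.PowerMgmt": 1, "VM.Console": 1}}
EMPTY_PRIVSEP_TOKEN = {}  # privsep=1 token that was never given an ACL of its own

if __name__ == "__main__":
    samples = [("audit-only", AUDIT_ONLY_TOKEN), ("admin", ADMIN_TOKEN),
               ("empty privsep", EMPTY_PRIVSEP_TOKEN)]
    for name, perms in samples:
        print(f"{name}: blocked = {blocked_actions(perms, '/vms/100')}")
```

Running the check when a connection is added surfaces a token that can list VMs but not power-manage them, which allows granting only the missing privileges rather than falling back to an unseparated root token.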


@tep1997 commented on GitHub (Feb 19, 2026):

Went with Option A, but still seeing the same error message. Output from the command:

Image