Sys.modify authorization

[vitofasano]

Checklist

• I have updated to the latest available Proxmox VE Custom Integration version, see the latest version here.

Describe the issue you are experiencing

When I restart Home Assistant I find this error message:

---

L'utente hass@pve non ha le autorizzazioni sufficienti per accedere alla risorsa {resource}.

Suggerimento sui permessi necessari:

['perm','/nodes/Update proxmox',['Sys.Modify']]

Si prega di consultare la documentazione e verificare le autorizzazioni dell'utente..

---

I close the error and it seems to work fine until the next restart of Home Assistant

to configure proxmox within Home Assistant I followed the official guide, and until some time ago the error did not exist.

In which version of Home Assistant Core do you have the problem?

2024.7.1

What version of Proxmox VE Custom Integration has the issue?

3.4.4

What version of Proxmox VE do you have the problem?

8.2.2

Diagnostics information

No response

Additional information

No response

[MassiPi]

i can confirm.
honestly this is not the first update to the integration that toggles this kind of error, it would be nice to understand how to find out the specific access right that is rising the error. I definitely did not change anything and i'm not using HA to control proxmox, so i'm also quite curious :)

[oerix]

This has been a reoccurring issue for over 3 months now. At this point, feel like removing the integration all together.

[liakjim]

Reverting back to 3.4.2 and this issue is gone.

[Sab44]

I'm having the same issue. The documentation is lacking in that area, as it only says the permission is required to

Get information about available package updates to display on sensors

As far as I can see there is no sensor that would correlate to this in my entities list, so we can't disable it if we don't need it.

[xekil]

same error

[se4n01]

+1 but I did the workaround of adding the permission for my user in the roles section in proxmox UI

This may just be a documentation issue on the readme page, but would be good to know why this is needed in first place.

[xekil]

In my case I gave all the rights and I get this message each time I launch home assistant...

[scottcopus]

Is Sys.Modify a valid Proxmox VE permission anymore?

[MassiPi]

I did the workaround of adding the permission for my user in the roles section in proxmox UI

sorry, but this is not a workaround. This is giving not needed permissions to a user. Simply wrong.

[oerix]

Anyone found a fix yet? surprised this hasn't been resolved yet.

[uneart]

I haven't found a fix, but have the same issue. I find it quite strange that the integration needs Sys.Modify rights. The Proxmox documentation clearly states:

Both Permissions.Modify and Sys.Modify should be handled with care, as they allow modifying aspects of the system and its configuration that are dangerous or sensitive.

From a security perspective I find it to be a high risk to give the home assistant integration rights to modify Proxmox node network settings and such.

[dougiteixeira]

The Proxmox API requires this level of permission to access update information. We, as users, must accept or decline to use the feature that requires this permission.

There is nothing that can be done on the integration side.

[Sab44]

Hey @dougiteixeira thanks for coming back to this issue.
I wonder whether there has been a misunderstanding here.

To recap: we observe a HA repair issue telling us User xxx@pve does not have sufficient permissions to access resource Update Update proxmox.

• we, intentionally, did not grant this permission
• we, intentionally, choose not to fetch the update information from Proxmox

So all this is really about, is to get rid of that HA repair issue. It cannot be ignored permanently, it will keep popping up.
Please consider re-opening this and give us the possibility to opt-out of this functionality and make this repair issue disappear.

[MassiPi]

i second @Sab44
we are not trying to get the integration to walk around proxmox security (lol), we are just saying we do not want to be forced to give modify permission to a user that, for our use, does not need it.
I do not need the modify permission. And also this was working in a previous version of the integration.

[MadWalnut]

@dougiteixeira Also supporting the point @Sab44 made. I do not need the permission and therefore have not granted it for security reasons. Everything works fine as is, it is just the repair popping up after every restart of Home Assistant that is annoying. Any chance to suppress it?

[uneart]

As there are multiple wishes to get some opt-out for this: @dougiteixeira Would it be fine for you if I take a shot at forking the repo to open a PR with a possible solution? This would lift a bit of effort from your shoulders and you'd only need to check/author my PR.

=> Created a pull request #357 with a proposal

[uneart]

@MassiPi @Sab44 @MadWalnut as written earlier I forked the repo to build a proposal. If you have any testing instances of Home assistant running, I'd appreciate if you test the proposed solution by (temporarily) installing my fork through HACS:
https://github.com/uneart/ha-proxmoxve

⚠️ Please be aware that this is only a proposal for now and I have no intention of running a forked variant of this integration permanently. The goal is a PR to this main integration of @dougiteixeira with the maintainers approval. See #357 pull request.