vatesfr / terraform-provider-xenorchestra

Xen Orchestra provider for Terraform
MIT License

Can not update VMs with Self-Service User #171

Closed princess-glimmr closed 2 years ago

princess-glimmr commented 3 years ago

Hi there,

I recently started using your Terraform provider for my homelab, but seem to have encountered a problem there. I already messaged about it on the Discord server and created this issue accordingly.

What I wanted to realize

My primary goal was to provision my VMs through Terraform without giving XO-admin rights to my Terraform user at the same time, as the XCP-ng host also contains other VMs which shouldn't be managed by Terraform yet (simply because I originally was doing a tutorial).

I tried to realize this by using the Self Service in XO and constraining my Terraform user to only a resourceSet.

Description / Problem

While doing so, I discovered a problem with the parameters that the UpdateVm(..) function gives to the vm.set call. It seems that whenever the XO API receives a parameter for the resourceSet, it checks whether the user is also an XO admin and throws an exception otherwise. [Source]

const resourceSetId = extract(params, 'resourceSet')
if (resourceSetId !== undefined) {
  if (this.user.permission !== 'admin') {
    throw unauthorized()
  }

  await this.setVmResourceSet(vmId, resourceSetId, true)
}

This made me play around with the XO CLI a bit and, at least I think, the intended usage of the vm.set endpoint is to only add the parameters that need to be changed, which should probably also be the only ones (besides the id) that were listed by Terraform in the apply/plan.

Possible Solution

Filter the parameters before adding them to the vm.set call

Reproduction

XO

Preparation

Terraform / CLI

Result

You are most likely to receive a permission problem in your CLI now:

╷
│ Error: jsonrpc2: code 2 message: not enough permissions: {"object":{}}
│ 
│   with xenorchestra_vm.vm,
│   on vm.tf line 29, in resource "xenorchestra_vm" "vm":
│   29: resource "xenorchestra_vm" "vm" {
│ 
╵

Also, in Xen Orchestra, you should see an entry in your Settings->Logs saying "not enough permission" with the following information:

vm.set
{
  "CPUs": 1,
  "affinityHost": "",
  "auto_poweron": false,
  "high_availability": "",
  "id": "<some-id>",
  "memoryMax": 2147467264,
  "name_description": "",
  "name_label": "XO terraform tutorial",
  "resourceSet": "<some-resourceset-id>"
}
{
  "code": 2,
  "data": {
    "object": {}
  },
  "message": "not enough permissions",
  "name": "XoError",
  "stack": "XoError: not enough permissions
    at unauthorized (/home/node/xen-orchestra/packages/xo-common/src/api-errors.js:21:32)
    at Object.apply (file:///home/node/xen-orchestra/packages/xo-server/src/api/vm.mjs:532:13)
    at Object.call (/home/node/xen-orchestra/node_modules/golike-defer/src/index.js:85:19)
    at Api.callApiMethod (file:///home/node/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:304:33)"
}

EDIT: typos & fixed XO source link
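The "Possible Solution" in the post above, as an added Go example (not the provider's code, and not necessarily how v0.23.1 fixed it): the vm.set params are built from only the attributes that changed, so an unchanged resourceSet is never sent and the admin-only branch in xo-server is not reached. The names changedVMSetParams, needsAdmin and sampleStates are hypothetical, and the sample states are constructed.

```go
package main

import (
	"fmt"
	"reflect"
)

// changedVMSetParams (hypothetical helper) keeps only the planned values that
// differ from the prior state. "id" is always sent because it addresses the VM.
func changedVMSetParams(prior, planned map[string]interface{}) map[string]interface{} {
	params := map[string]interface{}{"id": planned["id"]}
	for key, want := range planned {
		have, existed := prior[key]
		if key != "id" && (!existed || !reflect.DeepEqual(have, want)) {
			params[key] = want
		}
	}
	return params
}

// needsAdmin mirrors the xo-server check quoted in the issue: a vm.set call
// carrying resourceSet is rejected unless the caller is an admin.
func needsAdmin(params map[string]interface{}) bool {
	_, present := params["resourceSet"]
	return present
}

// sampleStates returns constructed prior/planned states shaped like the
// vm.set payload in the issue; the id values are placeholders.
func sampleStates() (prior, planned map[string]interface{}) {
	prior = map[string]interface{}{
		"id": "vm-id-placeholder", "CPUs": 1, "memoryMax": int64(2147467264),
		"auto_poweron": false, "name_label": "XO terraform tutorial",
		"resourceSet": "resourceset-id-placeholder",
	}
	planned = map[string]interface{}{}
	for k, v := range prior {
		planned[k] = v
	}
	planned["CPUs"] = 2 // the only attribute changed in this plan
	return prior, planned
}

func main() {
	prior, planned := sampleStates()
	params := changedVMSetParams(prior, planned)
	fmt.Println(params, "needs admin:", needsAdmin(params))
}
```

A plan that really does move the VM to another resourceSet still sends the key and still requires an admin, which matches the server-side check.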

ddelnano commented 2 years ago

Apologies that this has taken so long to get addressed, but this is fixed in v0.23.1!