mirror of https://github.com/bpg/terraform-provider-proxmox.git synced 2025-07-11 16:25:02 +00:00

fix(provider): Better handling of root@pam token (#386)

Token logins using root@pam!sometoken=uuid are not considered
by PVE as 'root' logins, and fail to change VM's arch.
Make sure the provider does not try to set/change VM's arch.

Co-authored-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com>
Oto Petřík 2023-07-01 15:31:02 +02:00 committed by GitHub
parent 4da2b682de
commit 03eaf72767
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 4 deletions


@ -18,6 +18,10 @@ type Authenticator interface {
// IsRoot returns true if the authenticator is configured to use the root
IsRoot() bool
// IsRootTicket returns true if the authenticator is configured to use the root directly using a login ticket.
// (root using token is weaker, cannot change VM arch)
IsRootTicket() bool
// AuthenticateRequest adds authentication data to a new request.
AuthenticateRequest(ctx context.Context, req *http.Request) error
}
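Review bot: The doc comment added for `IsRootTicket` is hard to parse ("use the root directly using a login ticket") and does not say why a caller needs this in addition to `IsRoot`. Something like `// IsRootTicket reports whether the session is authenticated as root with a login ticket rather than an API token; PVE does not treat token logins as root, so they cannot change a VM's arch.` would carry the reason given in the commit message. If `Authenticator` is implemented anywhere outside this package, adding a method to the interface breaks those implementations; the visible lines do not show whether that is the case.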


@ -52,6 +52,10 @@ type Client interface {
// IsRoot returns true if the client is configured with the root user.
IsRoot() bool
// IsRootTicket returns true if the authenticator is configured to use the root directly using a login ticket.
// (root using token is weaker, cannot change VM arch)
IsRootTicket() bool
}
// Connection represents a connection to the Proxmox Virtual Environment API.
@ -285,6 +289,10 @@ func (c *client) IsRoot() bool {
return c.auth.IsRoot()
}
func (c *client) IsRootTicket() bool {
return c.auth.IsRootTicket()
}
// validateResponseCode ensures that a response is valid.
func validateResponseCode(res *http.Response) error {
if res.StatusCode < 200 || res.StatusCode >= 300 {
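Review bot: The comment added to the `Client` interface was copied from `Authenticator` and still says "the authenticator", where the neighbouring `IsRoot` comment says "the client"; the new method `(*client).IsRootTicket` has no doc comment at all. Suggest `// IsRootTicket returns true if the client is logged in as root with a ticket, not an API token.` on the interface and `// IsRootTicket reports whether the underlying authenticator holds a root login ticket.` above the method. `validateResponseCode` at the end of this section continues outside the hunk.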


@ -113,6 +113,10 @@ func (t *ticketAuthenticator) IsRoot() bool {
return t.authData != nil && t.authData.Username == rootUsername
}
func (t *ticketAuthenticator) IsRootTicket() bool {
return t.IsRoot()
}
// AuthenticateRequest adds authentication data to a new request.
func (t *ticketAuthenticator) AuthenticateRequest(ctx context.Context, req *http.Request) error {
a, err := t.authenticate(ctx)
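Review bot: `ticketAuthenticator.IsRootTicket` delegates to `IsRoot`, which returns false while `t.authData` is nil, so the answer depends on whether a ticket has already been obtained. `authenticate` appears to be called from `AuthenticateRequest`, so if authentication is lazy, a caller that checks `IsRootTicket` before the first request would get false for a root ticket login; that ordering is not visible in this hunk and is worth confirming. A comment such as `// IsRootTicket reports whether a ticket has been issued for the root user; it is false until authentication has completed.` would make the precondition explicit. `AuthenticateRequest` continues outside the hunk.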


@ -30,6 +30,11 @@ func (t *tokenAuthenticator) IsRoot() bool {
return t.username == rootUsername
}
func (t *tokenAuthenticator) IsRootTicket() bool {
// Logged using a token, therefore not a ticket login
return false
}
func (t *tokenAuthenticator) AuthenticateRequest(_ context.Context, req *http.Request) error {
req.Header.Set("Authorization", "PVEAPIToken="+t.token)
return nil
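Review bot: `tokenAuthenticator.IsRoot` on the unchanged line above still returns true for a root@pam token, although the commit message states that PVE does not treat such logins as root. Any remaining `IsRoot` caller that gates a root-only operation would have the same problem this commit fixes for the VM arch; those call sites are outside the visible hunks and should be checked. The new method would also read better with a Go-style doc comment, e.g. `// IsRootTicket always returns false: a token login never holds a root ticket, even for a root@pam token.` `AuthenticateRequest` continues outside the hunk.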


@ -1629,7 +1629,7 @@ func vmCreateClone(ctx context.Context, d *schema.ResourceData, m interface{}) d
}
// Only the root account is allowed to change the CPU architecture, which makes this check necessary.
if api.API().IsRoot() ||
if api.API().IsRootTicket() ||
cpuArchitecture != dvResourceVirtualEnvironmentVMCPUArchitecture {
updateBody.CPUArchitecture = &cpuArchitecture
}
@ -2245,7 +2245,7 @@ func vmCreateCustom(ctx context.Context, d *schema.ResourceData, m interface{})
}
// Only the root account is allowed to change the CPU architecture, which makes this check necessary.
if api.API().IsRoot() ||
if api.API().IsRootTicket() ||
cpuArchitecture != dvResourceVirtualEnvironmentVMCPUArchitecture {
createBody.CPUArchitecture = &cpuArchitecture
}
@ -3241,7 +3241,7 @@ func vmReadCustom(
} else {
// Default value of "arch" is "" according to the API documentation.
// However, assume the provider's default value as a workaround when the root account is not being used.
if !api.API().IsRoot() {
if !api.API().IsRootTicket() {
cpu[mkResourceVirtualEnvironmentVMCPUArchitecture] = dvResourceVirtualEnvironmentVMCPUArchitecture
} else {
cpu[mkResourceVirtualEnvironmentVMCPUArchitecture] = ""
@ -4507,7 +4507,7 @@ func vmUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.D
cpuUnits := cpuBlock[mkResourceVirtualEnvironmentVMCPUUnits].(int)
// Only the root account is allowed to change the CPU architecture, which makes this check necessary.
if api.API().IsRoot() ||
if api.API().IsRootTicket() ||
cpuArchitecture != dvResourceVirtualEnvironmentVMCPUArchitecture {
updateBody.CPUArchitecture = &cpuArchitecture
}
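Review bot: The comments kept above each changed condition still say "Only the root account is allowed to change the CPU architecture" (and "when the root account is not being used" in `vmReadCustom`), which no longer matches the `IsRootTicket()` check. Suggest `// Only root authenticated with a login ticket (not an API token) may change the CPU architecture.` in `vmCreateClone`, `vmCreateCustom` and `vmUpdate`, with matching wording in `vmReadCustom`. With a root@pam token and a non-default `cpuArchitecture`, the second half of the condition still sets `CPUArchitecture`, so the request is sent and presumably rejected by PVE; a diagnostic raised before the call would tell the user why. All four functions continue outside their hunks.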