proxmox/docs/04-configuration/UDM_PRO_API_LIMITATIONS.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro API Limitations and Configuration
**Last Updated:** 2025-01-20
**Status:** API write access limitations documented
---
## Summary
Configuring the UDM Pro through its APIs has significant limitations:
1. **Official API (API Key):** Read access to many endpoints, write access limited to ACL Rules, Firewall Zones, Traffic Matching Lists
2. **Private API (Username/Password):** Requires local admin account without 2FA/SSO
3. **Network/VLAN Creation:** Not available via Official API (read-only for networks)
4. **DHCP Reservations/Port Profiles:** Not available via Official API (requires web UI)
---
## API Mode Comparison
### Official API Mode
**Authentication:** API Key only (no username/password)
**Base URL:** `https://192.168.0.1/proxy/network/integration/v1/`
**Location:** Local UDM Pro (192.168.0.1)
**Endpoints Available (Read Access):**
- `/sites` - List sites
- `/sites/{siteId}/networks` - List networks/VLANs
- `/sites/{siteId}/networks/{networkId}` - Get network details
- `/sites/{siteId}/devices` - List devices
- `/sites/{siteId}/clients` - List clients
- `/sites/{siteId}/acl-rules` - List ACL/firewall rules
- `/sites/{siteId}/firewall/zones` - List firewall zones
- `/sites/{siteId}/traffic-matching-lists` - List traffic matching lists
- `/sites/{siteId}/wans` - List WAN interfaces
- `/info` - Application information
**Endpoints Available (Write Access):**
- `/sites/{siteId}/acl-rules` - Create/update/delete ACL rules (with limitations)
- `/sites/{siteId}/firewall/zones` - Create/update/delete firewall zones
- `/sites/{siteId}/traffic-matching-lists` - Create/update/delete traffic matching lists
**Endpoints NOT Available:**
- ❌ Network/VLAN creation (read-only for networks)
- ❌ Network/VLAN modification (read-only for networks)
- ❌ DHCP reservations (`/dhcp-reservations` - 404 NOT_FOUND)
- ❌ Port profiles (`/port-profiles` - 404 NOT_FOUND)
- ❌ System configuration (hostname, timezone, NTP, backups)
- ❌ Individual WAN details (`/wans/{wanId}` - 404 NOT_FOUND)
**Current API Key:** `_6WXEiH2tMDkrO3jKc54SKa53fHZE-Wg`
**Status:** ✅ Working (read access confirmed, write access for ACL Rules/Firewall Zones/Traffic Matching Lists)
**Known Limitations:**
- Cannot create ACL rules blocking overlapping source/destination networks
- Network creation/modification not supported
- DHCP reservations require web UI
- Port profiles require web UI
### Private API Mode
**Authentication:** Username/Password (cookie-based session)
**Endpoints Available:**
- ✅ Read networks/VLANs
- ✅ Read devices
- ✅ Read clients
- ✅ Read system info
- ❌ Create/modify networks (403 Forbidden - permission issue)
**Account Status:**
- `unifi_api`: ✅ Read access working, ❌ Write access blocked (403)
- `nsatoshi2007`: ❌ Authentication failed
**Requirements:**
- Local admin account (not SSO/cloud account)
- No 2FA enabled
- Full network management permissions
---
## Current Configuration
### Environment Variables (`~/.env`)
```bash
UNIFI_UDM_URL=https://192.168.0.1
UNIFI_API_MODE=official
UNIFI_API_KEY=_6WXEiH2tMDkrO3jKc54SKa53fHZE-Wg
UNIFI_USERNAME=nsatoshi2007
UNIFI_PASSWORD="L@kers2010$$"
UNIFI_SITE_ID=default
UNIFI_VERIFY_SSL=false
```
### Current Status
- **Official API:** ✅ Working (read access to 10+ endpoints, write access for ACL Rules/Firewall Zones/Traffic Matching Lists)
- **Private API (unifi_api):** ✅ Read access, ❌ Write access blocked (403)
- **Private API (nsatoshi2007):** ❌ Authentication failed (2FA/SSO incompatible)
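An added example, not code from the proxmox repo: it parses a `~/.env` in the format shown above and checks it against the mode rules this page documents before anything is sent, masking secrets for logging. The `X-API-KEY` header name is assumed from Ubiquiti's integration API, and the sample uses a placeholder key rather than the value from this page.

```javascript
// Added example, not code from the proxmox repo: parse the ~/.env format shown above and
// check it against the mode rules this page documents before any request is sent.
// Minimal dotenv parser: KEY=VALUE, optional surrounding double quotes, # comments.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("="); if (eq < 0) continue;
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}
function buildAuthPlan(env) {
  const warnings = [], errors = [];
  const url = env.UNIFI_UDM_URL || "";
  if (!url.startsWith("https://")) errors.push("UNIFI_UDM_URL must be an https URL");
  if ((env.UNIFI_VERIFY_SSL || "").toLowerCase() === "false") warnings.push("UNIFI_VERIFY_SSL=false disables TLS verification; trust the UDM's certificate instead");
  if (env.UNIFI_API_MODE === "official") {
    if (!env.UNIFI_API_KEY) errors.push("official mode requires UNIFI_API_KEY");
    if (env.UNIFI_USERNAME || env.UNIFI_PASSWORD) warnings.push("username/password are unused in official mode; keep them out of ~/.env");
    // Official API: API-key header only ("X-API-KEY" is an assumed header name); networks are read-only.
    return { mode: "official", baseUrl: url + "/proxy/network/integration/v1",
             headers: { "X-API-KEY": env.UNIFI_API_KEY }, networkWrites: false, warnings, errors };
  }
  if (env.UNIFI_API_MODE === "private") {
    if (!env.UNIFI_USERNAME || !env.UNIFI_PASSWORD) errors.push("private mode requires UNIFI_USERNAME and UNIFI_PASSWORD");
    // Private API: cookie session from a login; network writes need a local Full/Network Admin without 2FA.
    return { mode: "private", baseUrl: url, login: { username: env.UNIFI_USERNAME, password: env.UNIFI_PASSWORD },
             networkWrites: true, warnings, errors };
  }
  errors.push("UNIFI_API_MODE must be 'official' or 'private'");
  return { mode: null, warnings, errors };
}
// Mask secrets before a plan is logged or pasted into documentation (does not mutate the input).
function redact(plan) {
  const copy = JSON.parse(JSON.stringify(plan));
  if (copy.headers && copy.headers["X-API-KEY"]) copy.headers["X-API-KEY"] = "***";
  if (copy.login) copy.login.password = "***";
  return copy;
}
// Constructed sample with a placeholder key (not the value from this page).
const SAMPLE_ENV = "UNIFI_UDM_URL=https://192.168.0.1\nUNIFI_API_MODE=official\n" +
                   "UNIFI_API_KEY=<api-key-placeholder>\nUNIFI_SITE_ID=default\nUNIFI_VERIFY_SSL=false\n";
```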
---
## Solutions for Network Configuration
### Option 1: Manual Configuration (Recommended)
Use the UniFi Network web interface to configure VLANs:
1. Access: `https://192.168.0.1`
2. Follow: [UDM_PRO_COMPLETE_MANUAL_GUIDE.md](./UDM_PRO_COMPLETE_MANUAL_GUIDE.md)
**Pros:**
- Full access to all features
- No permission issues
- Visual interface
**Cons:**
- Manual process
- Time-consuming for many VLANs
### Option 2: Create Local Admin with Write Permissions
1. Access UniFi Network web UI
2. Navigate to **Settings** → **System Settings** → **Users**
3. Create a new local admin account:
   - Username: (choose a name)
   - Password: (choose a strong password)
   - Role: Full Admin / Network Admin
   - **Important:** Ensure it's a local account (not SSO)
   - **Important:** Do NOT enable 2FA
4. Update `~/.env`:
   ```bash
   UNIFI_API_MODE=private
   UNIFI_USERNAME=<new-username>
   UNIFI_PASSWORD="<new-password>"
   ```
5. Test network creation via API
**Pros:**
- Automated configuration possible
- Scriptable
**Cons:**
- Requires account creation
- Must ensure proper permissions
### Option 3: Grant Write Permissions to Existing Account
If you have an existing local admin account:
1. Access UniFi Network web UI
2. Navigate to **Settings** → **System Settings** → **Users**
3. Edit the account (e.g., `unifi_api`)
4. Verify/update role to include network management permissions
5. Ensure account is local (not SSO)
6. Ensure 2FA is disabled
7. Test network creation
**Pros:**
- Uses existing account
- Automated configuration possible
**Cons:**
- May require permission changes
- Must verify account type
---
## Troubleshooting Authentication
### Private API Authentication Fails
**Symptoms:**
- `403 Forbidden` or `401 Unauthorized`
- "Invalid username or password"
- "2fa token required"
**Possible Causes:**
1. Account doesn't exist locally
2. Wrong password
3. Account is SSO/cloud-only (not local)
4. 2FA is enabled (Private API doesn't support 2FA)
5. Account is disabled
**Solutions:**
1. Verify account exists and is local
2. Reset password
3. Create new local admin account
4. Disable 2FA if enabled
5. Check account status in web UI
### Write Access Blocked (403 Forbidden)
**Symptoms:**
- Read access works (can list networks, devices)
- Write access fails (cannot create/modify)
**Possible Causes:**
1. Insufficient permissions/role
2. Account role doesn't include network management
3. API endpoint requires different permissions
**Solutions:**
1. Check user role in **Settings** → **System Settings** → **Users**
2. Update role to include network management permissions
3. Verify account has "Full Admin" or "Network Admin" role
4. Try creating networks via web UI to verify account permissions
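The two troubleshooting cases above, as an added example that is not part of the repo: a classifier that maps one probe result (mode, step, HTTP status, body, request path) to the cause and fix this page lists, so a failed verification run can be triaged without re-reading the tables. The probe record shape and the sample probe results are constructed assumptions.

```javascript
// Added example, not code from the proxmox repo: map one probe result to the
// causes and fixes listed in the troubleshooting section. Probe shape (assumed):
// { mode: "official"|"private", step: "login"|"read"|"write", status, body, path }
function diagnoseUnifi(probe) {
  const text = (probe.body || "").toLowerCase();
  const path = probe.path || "";
  const ok = probe.status >= 200 && probe.status < 300;
  if (ok) return { cause: null, fix: null };
  if (probe.mode === "private" && probe.step === "login") {
    // The Private API has no 2FA flow: the login never completes on a 2FA-enabled account.
    if (text.includes("2fa")) return { cause: "2FA enabled on the account", fix: "Use a local admin account without 2FA (Option 2)" };
    if (probe.status === 401 || probe.status === 403 || text.includes("invalid username")) {
      return { cause: "Account is not a local admin, password is wrong, or account is disabled",
               fix: "Verify the account exists locally in Settings → System Settings → Users, then reset the password" };
    }
  }
  if (probe.mode === "official") {
    // 404 on these paths means the Official API does not expose them, not a typo in the URL.
    if (probe.status === 404 && /dhcp-reservations|port-profiles|\/wans\/[^/]+$/.test(path)) {
      return { cause: "Endpoint not exposed by the Official API", fix: "Configure this in the web UI (Option 1)" };
    }
    if (probe.step === "write" && /\/networks(\/|$)/.test(path)) {
      return { cause: "Networks are read-only in the Official API", fix: "Use the Private API with a local admin, or the web UI" };
    }
  }
  if (probe.step === "write" && probe.status === 403) {
    return { cause: "Role lacks network management permission", fix: "Grant Full Admin / Network Admin and confirm a network can be created in the web UI" };
  }
  return { cause: "Unclassified", fix: "Inspect the response body and re-run the verification commands" };
}

// Run a whole probe sequence through the classifier and keep only the findings.
function diagnoseAll(probes) {
  return probes.map((p) => ({ step: p.step, path: p.path, ...diagnoseUnifi(p) })).filter((r) => r.cause);
}

// Constructed sample: a 2FA-rejected private login, an official read of an unexposed endpoint, a blocked write.
const SAMPLE_PROBES = [
  { mode: "private", step: "login", status: 401, body: "2fa token required", path: "" },
  { mode: "official", step: "read", status: 200, body: "[]", path: "/sites/default/networks" },
  { mode: "official", step: "read", status: 404, body: "NOT_FOUND", path: "/sites/default/dhcp-reservations" },
  { mode: "private", step: "write", status: 403, body: "", path: "" },
];
```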
---
## Verification
### Test Official API (Read-Only)
```bash
cd /home/intlc/projects/proxmox
export UNIFI_API_MODE=official
pnpm --filter unifi-api exec node dist/cli/index.js sites
```
### Test Private API (Read Access)
```bash
cd /home/intlc/projects/proxmox
export UNIFI_API_MODE=private
pnpm --filter unifi-api exec node dist/cli/index.js networks
```
### Test Private API (Write Access)
```bash
cd /home/intlc/projects/proxmox
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/configure-vlans-node.js
```
---
## Related Documentation
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status
- [UDM_PRO_CONFIGURATION_CHECKLIST.md](./UDM_PRO_CONFIGURATION_CHECKLIST.md) - Complete configuration checklist
- [UNIFI_API_SETUP.md](./UNIFI_API_SETUP.md) - API setup guide
- [UNIFI_CONFIGURATION_STATUS.md](./UNIFI_CONFIGURATION_STATUS.md) - Current configuration status
---
**Last Updated:** 2025-01-20