IPset and SecGroups accessible from Users

Sakis

We are checking the firewall options in Proxmox VE 4.x in order to give clients control over rules. We create a PVEVMUser user for our clients and give them rights to their KVM, mainly for Console and Start-Stop.

At Datacenter level we use plenty of IPSet lists and Security Groups.

In order for the firewall to work we may use the default PVEVMAdministrators or a new custom level with VM.Config.Network access.

Why are datacenter options for IPset and SecGroups exposed to PVEVMAdministrators?

Testing with even lower privileges, we see that a PVEVMUser cannot save rules (ok) but can see the firewall button in the GUI and also browse IPsets.
Firewall > Add Rule > Source and gets the list of IPsets in a dropdown
Firewall > Insert: Security Group > Security group and gets the list of Groups in a dropdown

Is this the expected behavior?
Am I missing something in the firewall concept? I hoped that users have total isolation to xxx.fw rules only at KVM level.
 
We have names like:
Ceph_network
Local_network
Admin_network
Office_network
VPN_network
etc

Why should a PVEVMUser be able to browse this information in the first place? Since the user cannot edit the firewall, why is it shown in the GUI?
I thought it's obvious that users shouldn't be able to see configurations at a lower level than theirs, for security reasons.

PS: This "issue" is also relevant to users being able to see other node names in the cluster where their server is not hosted. In general I believe users see a lot more than needed.
 
> Why should a PVEVMUser be able to browse this information in the first place? Since the user cannot edit the firewall, why is it shown in the GUI?
> I thought it's obvious that users shouldn't be able to see configurations at a lower level than theirs, for security reasons.

Please can you file a bug report at bugzilla.proxmox.com. Maybe we can hide some information in that case...