What Permissions are needed on the PVE/PBS-Remotes for a Datacenter Manager User?

It depends on what you want PDM to do.

In essence, the PDM token for the PVE cluster needs the same permissions for its actions as when you do them on PVE directly.

E.g. if you want to start/stop VMs, the token needs the VM.PowerMgmt permission (or higher) for those VMs.

If you just want a unified dashboard with fast access to the PVE pages, audit permissions would be enough.

Note that currently PDM does not know beforehand which actions it can do or not (this could be improved later, of course), so it just fails if you try to do something the token is not allowed to do.
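As an added example (not from the post above and not the Proxmox project's own tooling), here is how the two profiles the post describes, audit-only "dashboard" and "dashboard plus VM.PowerMgmt", can be set up on a PVE node with the pveum CLI. The user name pdm@pve, the token id, the role names and the exact privilege sets are assumptions for illustration; the pveum subcommands are the standard ones. Setting PVEUM=echo turns the script into a dry run that only prints the commands.

```sh
#!/bin/sh
# Added example, not from the forum post or the Proxmox project: create a
# least-privilege API token on a PVE node for PDM with the pveum CLI.
# Assumptions (illustrative): user pdm@pve, token id datacenter-manager,
# role names PDM-dashboard / PDM-powermgmt, and that the privileges listed
# below are what PDM calls for in the two profiles the post describes.
# Run on a PVE node as root; set PVEUM=echo for a dry run that only prints
# the commands.
set -eu

PVEUM="${PVEUM:-pveum}"
PDM_USER="${PDM_USER:-pdm@pve}"
PDM_TOKEN="${PDM_TOKEN:-datacenter-manager}"

# Privileges per profile. "dashboard" is the audit-only set the post says is
# enough for a unified overview; "powermgmt" adds VM.PowerMgmt so PDM can
# start/stop/reset guests. Anything beyond this simply fails inside PDM,
# because PVE checks the token exactly as it would check a direct login.
pdm_privs_for() {
    case "$1" in
        dashboard) echo "VM.Audit Datastore.Audit Sys.Audit Pool.Audit" ;;
        powermgmt) echo "VM.Audit Datastore.Audit Sys.Audit Pool.Audit VM.PowerMgmt" ;;
        *) echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# grant_pdm_access <profile> [acl-path]
# acl-path scopes the grant: / (default) covers the whole cluster, /vms/100
# only that guest. Node and storage audit privileges live under /nodes and
# /storage, so a guest-scoped grant covers nothing but that guest.
grant_pdm_access() {
    profile="$1"
    acl_path="${2:-/}"
    role="PDM-$profile"
    privs="$(pdm_privs_for "$profile")"

    # 1. A custom role carrying exactly the privileges for this profile.
    "$PVEUM" role add "$role" --privs "$privs"

    # 2. A service user and a privilege-separated token. pveum prints the
    #    token secret once on creation; that value goes into PDM's remote config.
    "$PVEUM" user add "$PDM_USER" --comment "Proxmox Datacenter Manager"
    "$PVEUM" user token add "$PDM_USER" "$PDM_TOKEN" --privsep 1 --comment "PDM $profile"

    # 3. With privilege separation the token's effective permissions are the
    #    intersection of the user's ACLs and the token's own ACLs, so the
    #    role is granted to both on the same path.
    "$PVEUM" acl modify "$acl_path" --users "$PDM_USER" --roles "$role"
    "$PVEUM" acl modify "$acl_path" --tokens "${PDM_USER}!${PDM_TOKEN}" --roles "$role"

    # 4. Verify on the PVE side; PDM itself only learns of a missing
    #    privilege when the action fails.
    "$PVEUM" user token permissions "$PDM_USER" "$PDM_TOKEN"
}

# Usage (left commented so the file can be sourced without side effects):
#   grant_pdm_access dashboard           # read-only overview, whole cluster
#   grant_pdm_access powermgmt /vms/100  # start/stop, but only for VM 100
```

The script is not idempotent: pveum refuses to add a role, user or token that already exists, so on a second run drop the corresponding lines or remove the objects first. The "user token permissions" call at the end is the practical answer to the post's last point: since PDM cannot tell in advance what the token may do, check it on the PVE side before wiring the token into PDM.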
Please add the permission levels needed on target hosts for PDM to the PDM documentation:
a) for maximum PDM functionality = PDM-max
b) for minimum functionality = PDM-min
Or even better: add PDM roles directly to PVE and PBS so users won't need to work out what exactly is needed. And as development of PDM naturally progresses, users won't need to work out an additional set of permissions after a PDM update; it will be updated in PVE and PBS too.

Thx!
 
Hi,

I think there is something wrong with the PDM security model. Instead of using a generic token with full permissions on the PVE side, PDM should forward the user authentication to PVE (retrieve some kind of temporary token with the user's permissions). Each user would need access at PVE level (well, at PVE cluster level), but I think this is a good price to pay for better security.
 
> Hi,
>
> I think there is something wrong with the PDM security model. Instead of using a generic token with full permissions on the PVE side, PDM should forward the user authentication to PVE (retrieve some kind of temporary token with the user's permissions). Each user would need access at PVE level (well, at PVE cluster level), but I think this is a good price to pay for better security.

I think the better approach for large deployments would be that more features like Console Proxy etc. are implemented in the PDM. That way you could implement AAA on the PDM level and the users don't need to interact with the PVEs themselves. As for https://bugzilla.proxmox.com/show_bug.cgi?id=7131, this is already planned.
 
> Hi,
>
> I think there is something wrong with the PDM security model. Instead of using a generic token with full permissions on the PVE side, PDM should forward the user authentication to PVE (retrieve some kind of temporary token with the user's permissions). Each user would need access at PVE level (well, at PVE cluster level), but I think this is a good price to pay for better security.

That would just be more complicated, but still require PDM to have all that access to PVE. It would also make certain optimizations impossible, like collecting metrics/tasks/status/... once and exposing it to different PDM users (with filtering).
 
> That would just be more complicated, but still require PDM to have all that access to PVE. It would also make certain optimizations impossible, like collecting metrics/tasks/status/... once and exposing it to different PDM users (with filtering).

Best would be the use of both, I guess.

A low-privilege service account for PDM; I understand it would just need read-only access. Plus the privileged token of the administrator that allows the admin to do everything he needs.

I'm currently evaluating PDM and this security model makes me uncomfortable. This makes PDM a great big target for hackers. If this server is compromised, the attacker gains access to the complete infrastructure. Ouch.
 
> Best would be the use of both, I guess.
>
> A low-privilege service account for PDM; I understand it would just need read-only access. Plus the privileged token of the administrator that allows the admin to do everything he needs.
>
> I'm currently evaluating PDM and this security model makes me uncomfortable. This makes PDM a great big target for hackers. If this server is compromised, the attacker gains access to the complete infrastructure. Ouch.

If your PDM is compromised and you log in using your PVE admin credentials (under your proposed scheme), the same is true. If you are worried about this risk, don't use your PDM for administration at all, just use it as a dashboard.
 
> If your PDM is compromised and you log in using your PVE admin credentials (under your proposed scheme), the same is true. If you are worried about this risk, don't use your PDM for administration at all, just use it as a dashboard.

Not necessarily. You are right: if the administrator credentials are stolen, you are done. 2FA can help here, while not perfect.

But the PDM server could be hacked without the use of an administrator credential. The high-privilege token could be stolen and used against all Proxmox resources without any form of 2FA. Without any accountability. The attacker would also have access to backups. Just by writing this, it's so scary that I think I'm just done with PDM until the security model is reviewed. A very powerful tool like PDM needs high security. Yes, security is complicated, I hate that too, but this is required.
 