Access a pool without being able to modify its permissions?

[number5]

I am trying to set up a pool so that its users have certain control over select VMs (snapshotting, mounting CDs, etc), and to provide some degree of logical organization. To do this, I am granting the users the "pool allocate" permission. The issue is that with this permission, it seems, one can go to the pool and modify the permissions in the pool, thus granting themselves additional permissions to the VMs within. I am assuming this is by design. Is there a way to only grant access to a pool, without allowing users to change permissions?

 

[dcsapak]

certain control over select VMs (snapshotting, mounting CDs, etc),

no need for pool allocate permissions here, only VM.*

and to provide some degree of logical organization.

what do you actually need?

I am assuming this is by design.

yes, pool allocate means allocating (incl destroy/edit) pools

Is there a way to only grant access to a pool, without allowing users to change permissions?

sure, the question is, which permissions do the users really need on objects in pools?

in general a permission on a pool is like you gave that permission for each item in the pool, e.g. giving VM.Audit to a pool means the user has VM.Audit on each guest that is in the pool

 

[number5]

no need for pool allocate permissions here, only VM.*

Right, but without pool allocate, users do not see the pools. I might be wrong about this, and if I am, please correct me.

what do you actually need?

I would like users to use pools rather than have to browse the individual servers to find their VMs.

What I am trying to figure out is whether there's a way to provide users access to pools without granting them also the permissions to modify the permissions of the pools they are assigned to.

So, for instance, here is a role I have:

┌──────────────────────┬───────┐
│ key                  │ value │
╞══════════════════════╪═══════╡
│ Pool.Allocate        │ 1     │
├──────────────────────┼───────┤
│ VM.Audit             │ 1     │
├──────────────────────┼───────┤
│ VM.Config.CDROM      │ 1     │
├──────────────────────┼───────┤
│ VM.Config.Cloudinit  │ 1     │
├──────────────────────┼───────┤
│ VM.Config.HWType     │ 1     │
├──────────────────────┼───────┤
│ VM.Config.Options    │ 1     │
├──────────────────────┼───────┤
│ VM.Console           │ 1     │
├──────────────────────┼───────┤
│ VM.Monitor           │ 1     │
├──────────────────────┼───────┤
│ VM.PowerMgmt         │ 1     │
├──────────────────────┼───────┤
│ VM.Snapshot          │ 1     │
├──────────────────────┼───────┤
│ VM.Snapshot.Rollback │ 1     │
└──────────────────────┴───────┘

The VM permissions are the only permissions I would like a user assigned to a pool to have. However, with pool allocate (which, if I understand correctly, is the only way a user can even see a pool), a user can re-add themselves to the pool as administrator (or whatever other role they choose), modifying the permissions they were initially granted by their role.

With the risk of repeating myself, I am assuming this is by design. If it is by design, my question then is, is there a way to make it so that a user can only access pools, without being able to modify their permissions or those of the objects contained therein, unless they have explicit permissions to do so (e.g., they have permissions modify)?

 

[dcsapak]

ah ok , yes now i understand. yes, to see the actual pools and not only the content, one needs Pool.Allocate atm. Maybe this is a bit too much, and we need a 'Pool.Audit' also?
would you mind opening an enhancement request here: https://bugzilla.proxmox.com ?

just one question, why is it a problem when the users only see the content instead of the pools in the server view? they still can use the 'pool' view in the gui to ignore the nodes for the resources they can use, there they see the pools anyway

 

[number5]

ah ok , yes now i understand. yes, to see the actual pools and not only the content, one needs Pool.Allocate atm. Maybe this is a bit too much, and we need a 'Pool.Audit' also?
would you mind opening an enhancement request here: https://bugzilla.proxmox.com ?

Yes, I will definitely open an enhancement request. Thank you.

just one question, why is it a problem when the users only see the content instead of the pools in the server view? they still can use the 'pool' view in the gui to ignore the nodes for the resources they can use, there they see the pools anyway

It is not so much that it's a problem as much as it is and inconvenience. Although currently in testing, the solution I am working on might end up becoming part of an educational environment, and providing a clear organization helps these users and their instructors.

Thanks again for all the help!
------------------
Editing to add the enhancement request: https://bugzilla.proxmox.com/show_bug.cgi?id=3402