[SOLVED] Administrator User cannot create VM - Permission check failed (403)

Razva

Renowned Member
Dec 3, 2013
252
10
83
Romania
cncted.com
Hello,

I want to create a new user that is able to create VMs by itself, but without seeing other VMs on the node. I've been playing with permissions in the last hours but unfortunately I can't find out what the issue is.

As a last solution, for testing purposes, I've added Administrator privileges to the user. Even so, the user gets this error every time he tries to click Finish.

Code:
Permission check failed (403)

At this point the user has:
  • Administrator @ Pool -> Permissions
  • Administrator @ local-lvm
  • Administrator @ storage (CIFS mount for ISO and backups)
  • The Pool has local-lvm and storage @ Members

Any hints why this is not working? Any way to see the logs?

Thank you!
 
My guess: You only gave access to storage, not to /vms (also check out path /nodes)
 
Hi,
as @chotaire already said, you need to add two more permissions for your user. One with path /vms and role PVEVMAdmin and one with path /nodes and role PVEVMAdmin should be sufficient.
 
Hi,
as @chotaire already said, you need to add two more permissions for your user. One with path /vms and role PVEVMAdmin and one with path /nodes and role PVEVMAdmin should be sufficient.
Can you please let me know how I should do that? I can't find any way of adding custom paths to the Pool. Thank you very much!
 
If they get the role PVEVMAdmin they can see all existing and future VMs if you give them access to /vms.
Is that what you intend? Also please read about the role PVEVMUser.
 
If they get the role PVEVMAdmin they can see all existing and future VMs if you give them access to /vms.
Is that what you intend?
Nope, my target is to allow a specific user/group to create VMs that only he can manage, without seeing VMs created by other users/groups. Any way to achieve this?
 
If you've already played with Privileges, you could just test it with a user that you have created? Then report back if it works or if something is not working as intended. It's always a good idea to try abusing your own server as an ordinary user, so you know what you're doing instead of relying on advice from a random forum user ;) Try configuring GROUP permissions the way you want them, and then add two users to this group and see if they can fiddle with each other's VMs (or even see them).
 
If you've already played with Privileges, you could just test it with a user that you have created? Then report back if it works or if something is not working as intended. It's always a good idea to try abusing your own server as an ordinary user, so you know what you're doing instead of relying on advice from a random forum user ;) Try configuring GROUP permissions the way you want them, and then add two users to this group and see if they can fiddle with each other's VMs (or even see them).
I'm doing exactly that. :P I'm currently creating a custom Role and playing with it. I'll get back in a couple of minutes. Thanks again!
 
Hint: I think this kind of configuration needs a "pool" to be created under Permissions. One pool for each user (or one for multiple users if they want to administrate each other's VMs). Someone please step in if this is not required, I am not going to test this now.
 
If you've already played with Privileges, you could just test it with a user that you have created? Then report back if it works or if something is not working as intended. It's always a good idea to try abusing your own server as an ordinary user, so you know what you're doing instead of relying on advice from a random forum user ;) Try configuring GROUP permissions the way you want them, and then add two users to this group and see if they can fiddle with each other's VMs (or even see them).
Ooook, so it seems that I'm stuck at /vms. As long as I'm assigning VM.Audit permission to the Group, all the VMs on the node appear on the user's WebUI. Without VM.Audit permission the user can't see its own VMs. Sooo...is there any way to work around this, without manually specifying each VM?
 
Then you have given global permissions. You need to give specific permissions to the specific pool for a group or a user. There is even an example in the documentation of how to make a group PVEAdmin of a pool.

pveum aclmod /pool/dev-pool/ -group developers -role PVEAdmin

It can't be that hard ;)
 
And don't forget: A pool is simply a set of virtual machines and data stores. You can create pools on the GUI. After that you can add resources to the pool (VMs, Storage). And then you give a user or group access to that pool with specific roles. Which means that a user or group can have access to multiple pools with different roles.
 
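The permission model the replies above describe, as an added example that is not part of this thread or of Proxmox's own code: a small Python model of path-based ACL resolution with pool membership, showing why VM.Audit at /vms exposes every VM while a role on /pool/dev-pool scopes visibility to the pool's members. Role and privilege names are Proxmox VE's (privilege lists shortened); the ACL entries, VM IDs, pools and the "developers" group are constructed, and it is an assumption of this model that creating a VM into a pool is checked against the pool path.

```python
from typing import Dict, List, Optional, Set, Tuple
# Subset of Proxmox VE's built-in roles (privilege lists shortened for the example).
ROLES: Dict[str, Set[str]] = {
    "PVEVMAdmin": {"VM.Audit", "VM.Allocate", "VM.Config.Disk", "VM.PowerMgmt"},
    "PVEVMUser": {"VM.Audit", "VM.PowerMgmt", "VM.Console"},
}
Acl = Tuple[str, str, str, bool]  # (object path, group, role, propagate)

def privileges(acl: List[Acl], group: str, path: str) -> Set[str]:
    """Effective privileges of `group` at `path`: walk from "/" down to `path`;
    an ancestor entry counts only if propagate is set, and entries on a more
    specific path replace those inherited from above (simplified PVE model)."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    privs: Set[str] = set()
    for prefix in prefixes:
        roles = {r for p, g, r, prop in acl
                 if p == prefix and g == group and (prop or prefix == path)}
        if roles:
            privs = set().union(*(ROLES[r] for r in roles))
    return privs

def vm_privileges(acl, group, vmid, vm_pool) -> Set[str]:
    """A VM is reachable via /vms/<vmid> and, when it is a pool member, also via
    /pool/<pool>: pool ACLs apply to every object in the pool."""
    privs = privileges(acl, group, f"/vms/{vmid}")
    if vm_pool.get(vmid):
        privs |= privileges(acl, group, f"/pool/{vm_pool[vmid]}")
    return privs

def visible_vms(acl, group, vm_pool) -> List[int]:
    """VMs the GUI would list for the group: those where it holds VM.Audit."""
    return sorted(v for v in vm_pool if "VM.Audit" in vm_privileges(acl, group, v, vm_pool))

def can_create_vm(acl, group, vmid, pool=None) -> bool:
    """VM.Allocate is checked on /pool/<pool> when creating into a pool (an
    assumption of this model), otherwise on the not-yet-existing /vms/<vmid>."""
    path = f"/pool/{pool}" if pool else f"/vms/{vmid}"
    return "VM.Allocate" in privileges(acl, group, path)

# Constructed cluster: two pools plus one VM outside any pool.
VM_POOL: Dict[int, Optional[str]] = {100: "dev-pool", 101: "dev-pool", 200: "ops-pool", 300: None}
# What the poster tried: VM.Audit at /vms makes every VM on the node visible.
GLOBAL_ACL: List[Acl] = [("/vms", "developers", "PVEVMUser", True)]
# The accepted answer: a role on the pool only (pveum aclmod /pool/dev-pool ...).
POOL_ACL: List[Acl] = [("/pool/dev-pool", "developers", "PVEVMAdmin", True)]

if __name__ == "__main__":
    print(visible_vms(GLOBAL_ACL, "developers", VM_POOL), visible_vms(POOL_ACL, "developers", VM_POOL))  # [100, 101, 200, 300] [100, 101]
    print(can_create_vm(POOL_ACL, "developers", 102), can_create_vm(POOL_ACL, "developers", 102, "dev-pool"))  # False True
```

The first result mirrors the "all the VMs on the node appear" problem from the thread; the False case corresponds to the 403 when the pool role is not used for the create.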