[SOLVED] Administrator User cannot create VM - Permission check failed (403)

[fiona]

EDIT: Please ignore this and see my next post.

Then you have given global permissions. You need to give specific permissions to the specific pool for a group or a user. There is even an example in documentation how to make a group become PVEAdmin of a pool.

pveum aclmod /pool/dev-pool/ -group developers -role PVEAdmin

It can't be that hard

Sadly, it is that hard.

Yup, I've already read the documentation, but it doesn't specifies any way of isolating users from eachother without disabling their permission to create VMs. Most specifically VM.Allocate. When allow this, will it allow it by default to see/manage all the VMs?

AFAICT, there is currently no simple way to acheive such a separation. To allow a user to allocate a VM (with a specific ID), you have to add it to the pool first using

pvesh set pools/<POOLNAME1> -vms 1000,1001,1002,1003
pvesh set pools/<POOLNAME2> -vms 2000,2001,2002,2003

Then users with the right permissions on the pool can allocate VMs with those IDs and they will be invisible to users of the other pool.
Another pitfall is: when a VM is deleted, the ID is not "bound" to the pool anymore.

So maybe you can achieve what you want to do, using a script that monitors the file /etc/pve/user.cfg and re-adds VM IDs in a specific range whenever it goes missing. But please don't modify the file directly and use the appropriate pvesh set pools/<POOLNAME> -vms <ID,ID,...> command instead.

In a future version PVE might support using fixed VM ranges for pools or users. If you like, you can create a feature request on the bugzilla, so we can keep track of the issue more easily.

 

[fiona]

Forget what I said in my last post. Once you have the resource pools and if the user has the VM.Allocate permission for that resource pool, it should work. All you have to do is select the resource pool in the "General" tab when you create the VM.