Advice/Assistance with permissions

Jan 12, 2024
Hi Team,

I have a new PVE cluster that I am trying to configure with access permissions for systems admin staff. I’m really struggling with this so I would appreciate some guidance if possible.

The staff will need to be able to action the following tasks:
  • Full control of VMs (create, remove, edit config, etc.)
  • Add VMs to HA groups
  • Migrate VMs between hosts
  • View host CPU/Memory utilisation
  • Access only to Ceph storage pools
  • Upload media to CephFS
  • View Ceph storage utilisation
  • Access only to SDN VNets
Potentially more but that’s what comes to mind as I type this post.

The goal is to essentially allow full VM administration and monitoring of the environment without giving the ability to accidentally change system, cluster, Ceph settings, etc.

In an attempt to achieve the above, I have created a user group “SuperAdmin” containing a user “sys.admin”. I have also created a custom role named “SuperAdmin” with the following privileges:

Datastore.Allocate, Datastore.AllocateSpace, Datastore.AllocateTemplate, Datastore.Audit, SDN.Allocate, SDN.Audit, SDN.Use, Sys.Audit, Sys.Console, VM.Allocate, VM.Audit, VM.Clone, VM.Config.CDROM, VM.Config.CPU, VM.Config.Cloudinit, VM.Config.Disk, VM.Config.HWType, VM.Config.Memory, VM.Config.Network, VM.Config.Options, VM.Console, VM.Migrate, VM.Monitor, VM.PowerMgmt, VM.Snapshot.Rollback, VM.Snapshot

I have added the following under permissions for group “SuperAdmin” with the “SuperAdmin” role:

/nodes
/sdn/zones/xxxx
/storage/ceph-iso-store
/storage/ceph-vm-store
/vms

When I log in with user “sys.admin”:

Can create VMs, power on, open view console, stop, edit, remove.
Can migrate VMs between hosts
View host CPU/Memory utilisation
Have access only to Ceph storage pools
Can upload media to CephFS
Can view Ceph usage

What I am missing right now though is the ability to add VMs to HA:

[Attachment: NoHAAdd.png]

I'd appreciate any input and assistance with this.

Thank you
 
Hi,
in order to audit and modify HA settings, you need to give the Sys.Audit and Sys.Console permissions on /.
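To make the reply above concrete, here is an added example (not from this thread and not Proxmox's own code) that models how Proxmox VE resolves ACLs down a resource path: an entry on an ancestor applies to descendants only if it propagates, and a more specific entry replaces the roles collected so far. Run against the five paths from the original post, it shows that Sys.Audit propagates fine to a node under /nodes but that nothing grants Sys.Audit or Sys.Console on "/" itself, which is what the HA check needs. The realm suffix "@pve", the node name "pve1", the VM id "100" and the role "HAAdmin" are constructed for illustration.

```python
# Added example (not from the thread or from Proxmox's own code): a simplified
# model of Proxmox VE ACL resolution along a resource path.
# Assumptions: the "@pve" realm, node "pve1" and the role "HAAdmin" are
# constructed for illustration and are not taken from the original post.

# Privileges copied from the custom "SuperAdmin" role in the original post.
SUPERADMIN_PRIVS = {
    "Datastore.Allocate", "Datastore.AllocateSpace", "Datastore.AllocateTemplate",
    "Datastore.Audit", "SDN.Allocate", "SDN.Audit", "SDN.Use", "Sys.Audit",
    "Sys.Console", "VM.Allocate", "VM.Audit", "VM.Clone", "VM.Config.CDROM",
    "VM.Config.CPU", "VM.Config.Cloudinit", "VM.Config.Disk", "VM.Config.HWType",
    "VM.Config.Memory", "VM.Config.Network", "VM.Config.Options", "VM.Console",
    "VM.Migrate", "VM.Monitor", "VM.PowerMgmt", "VM.Snapshot.Rollback", "VM.Snapshot",
}

ROLES = {
    "SuperAdmin": SUPERADMIN_PRIVS,
    # Hypothetical minimal role carrying only what the reply says HA needs on "/".
    "HAAdmin": {"Sys.Audit", "Sys.Console"},
}

# Group membership: user -> set of groups (realm suffix is an assumption).
GROUPS = {"sys.admin@pve": {"SuperAdmin"}}

# ACL entries as (path, principal, role, propagate); "@name" denotes a group.
# These five paths are the ones listed in the original post.
OP_ACLS = [
    ("/nodes", "@SuperAdmin", "SuperAdmin", True),
    ("/sdn/zones/xxxx", "@SuperAdmin", "SuperAdmin", True),
    ("/storage/ceph-iso-store", "@SuperAdmin", "SuperAdmin", True),
    ("/storage/ceph-vm-store", "@SuperAdmin", "SuperAdmin", True),
    ("/vms", "@SuperAdmin", "SuperAdmin", True),
]


def prefixes(path):
    """Return every ancestor of path from "/" down to path itself."""
    if path == "/":
        return ["/"]
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def roles_for_path(acls, user, path):
    """Resolve the roles a user holds on a path.

    Walks from "/" towards the target; whenever an ACL on a prefix names the
    user or one of their groups, that entry's roles replace the set collected
    so far. An ancestor entry contributes its roles only if it propagates, so a
    non-propagating ancestor entry yields an empty set further down the tree.
    """
    principals = {user} | {"@" + g for g in GROUPS.get(user, set())}
    roles = set()
    for prefix in prefixes(path):
        matched, found = set(), False
        for apath, principal, role, propagate in acls:
            if apath != prefix or principal not in principals:
                continue
            found = True
            if propagate or prefix == path:
                matched.add(role)
        if found:
            roles = matched
    return roles


def privileges(acls, user, path):
    """Union of the privileges of every role resolved on the path."""
    privs = set()
    for role in roles_for_path(acls, user, path):
        privs |= ROLES[role]
    return privs


def has_priv(acls, user, path, priv):
    return priv in privileges(acls, user, path)


def ha_add_allowed(acls, user):
    """The reply's requirement for HA management: Sys.Audit and Sys.Console on "/"."""
    return all(has_priv(acls, user, "/", p) for p in ("Sys.Audit", "Sys.Console"))


if __name__ == "__main__":
    user = "sys.admin@pve"
    print("Sys.Audit on /nodes/pve1:", has_priv(OP_ACLS, user, "/nodes/pve1", "Sys.Audit"))
    print("HA add with the original ACLs:", ha_add_allowed(OP_ACLS, user))
    fixed = OP_ACLS + [("/", "@SuperAdmin", "HAAdmin", True)]
    print("HA add after granting HAAdmin on /:", ha_add_allowed(fixed, user))
```

The model also captures a caveat worth checking when tightening permissions: an ACL created with propagation turned off on /nodes grants the role on /nodes only, and a node path such as /nodes/pve1 resolves to no roles at all, because the non-propagating entry still replaces whatever was inherited from above.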
 
Thanks Chris!

I assigned the PVESysAdmin role to / to save creating a custom role.

Should I have been able to find that information in the docs?

Thanks
Shane
For finding the correct permissions it is always good to look at the API viewer, as that is also what the WebUI uses to access the contents. This is generated directly from the API schema, so directly from the code.

E.g. for the HA management, you can have a look at the following API endpoint and its children https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/ha
 
Thanks Chris! That's excellent!

I've been trying to add permissions to allow my "SuperAdmin" users to create new users and add them to existing groups. When I assigned the PVEUserAdmin role to /access, this seemed to allow the "SuperAdmin" users to remove permissions. Using the resource you just provided it looks as though this is expected: "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access."

I'll test to see if it is in fact just their own permissions they can remove. It's not nice, but it's probably not a big deal if it's just their own and not others'.

Thanks again mate!

Shane
 
