Hi Folks,
I've recently tried in Proxmox Backup Server to create a new account for a new admin with full admin permissions, but there are some existing shortcomings that are noteworthy that I want the general public to be aware of. (I'm currently using v2.4-3 and these issues appear to exist even in the latest v3.2 versions too).
This user was created in the @PBS realm, and granted the "Admin" role with full permissions to full scope.
- Sys.Console being granted doesn't work and in the webGUI produces an HTTP 400 error. Even in incognito and with all cookies/cache cleared/refreshed.
- The user has no capability to log into the Shell/CLI at all, and in turn cannot do sudo/elevated functions in a similar vein to the root@pam account
- Only the root@pam account really is capable of doing actual Shell/CLI functions without completely undocumented and extreme steps taken.
I have opened a bug report on the matter for Proxmox Backup Server: https://bugzilla.proxmox.com/show_bug.cgi?id=6052
And I also have already opened one for Proxmox VE as it has generally an identical/similar matter: https://bugzilla.proxmox.com/show_bug.cgi?id=5791
To date I'm not really seeing traction from the Proxmox devs on addressing this problem, and I really hope we can get traction here.
The core of the problem here is when there is more than one (>1) admin in the environment that _requires_ full access, including elevated Shell/CLI access, to be able to do their job. The reason you do NOT want to use root@pam accounts for this is because you _cannot prove who did what and when_. So in environments where you need to audit operations, or review previous malicious actions (intentional or not) you _literally cannot prove who did what when the root@pam account is used_.
This issue is important in Proxmox Backup Server, yes, and even more important for the Proxmox VE environment when dealing with clusters, as in that case you can be dealing with possibly a whole team of admins that need this.
So if you are someone that cares about this stuff, please step into the above bug reports and lend your thoughts. I really want the Proxmox devs to get these added to some roadmap so they can get corrected soon-ish.
If there's anything more I can do to help on this greater topic, please let me know and I'll do my best to help!
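As an added example (not code from the post above, and not Proxmox's own tooling), here is the CLI equivalent of the setup the post describes: a dedicated user in the @pbs realm granted the Admin role on the root path "/", so that actions are attributed to that auth-id instead of the shared root@pam. The auth-id admin2@pbs, the password placeholder and the DRY_RUN guard are assumptions of this example; the `proxmox-backup-manager user create`, `user update`, `acl update` and `acl list` subcommands are the stock PBS ones.

```shell
#!/bin/sh
# Added example: create a second, individually attributable full admin in the
# @pbs realm. Not from the forum post. admin2@pbs and the password are
# placeholders; DRY_RUN=1 (the default) only prints the commands.

# Echo each command, and only execute it when DRY_RUN is explicitly 0.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

# Refuse anything outside the @pbs realm: the whole point is to stop
# sharing root@pam (or any @pam login) between several people.
pbs_check_realm() {
    case "$1" in
        *@pbs) return 0 ;;
        *)     echo "refusing: '$1' is not a @pbs realm auth-id" >&2; return 1 ;;
    esac
}

# Create the user, set its password, grant Admin on "/" and show the
# resulting ACL so the grant can be verified.
pbs_create_admin() {
    user="$1"
    pass="${2:-change-me-placeholder}"   # assumed placeholder, set a real one
    pbs_check_realm "$user" || return 1
    run proxmox-backup-manager user create "$user" --comment "second full admin"
    run proxmox-backup-manager user update "$user" --password "$pass"
    run proxmox-backup-manager acl update / Admin --auth-id "$user"
    run proxmox-backup-manager acl list
}

# Stand-alone usage: dry run by default; DRY_RUN=0 applies it on a PBS host.
pbs_create_admin "${PBS_ADMIN:-admin2@pbs}"
```

Run it as `DRY_RUN=0 PBS_ADMIN=someone@pbs sh create-admin.sh` on the PBS host itself (as root, since only root@pam can reach the CLI, which is exactly the limitation the post is about). The ACL grant on "/" with role Admin mirrors the "full permissions to full scope" setting in the webGUI; `acl list` afterwards is the check that the grant landed.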