clone vm but rights problem

Discussion in 'Proxmox VE: Installation and configuration' started by immo, Apr 16, 2019.

  1. immo

    immo Member

    Joined:
    Nov 20, 2014
    Messages:
    60
    Likes Received:
    0
    I do have a problem with the clone VM. My specific API user is PVEAdmin but he always gets forbidden if he tries to clone a VM (template).
    I really miss something which tells me which specific right is missing.
    My own user has the Administrator role and he can for sure clone the VM.
    But the only difference is just something not important. Or did I miss something?

    Administrator has additional:
    Realm.AllocateUser
    Sys.Modify
    Sys.PowerMgmt

    That's nothing which is listed in the API explanation. Or?
     
  2. dcsapak

    dcsapak Proxmox Staff Member
    Staff Member

    Joined:
    Feb 1, 2016
    Messages:
    3,634
    Likes Received:
    331
    On which paths does the user have this permission?
    In order to clone a VM the user also has to have permission on the target path.

    e.g.
    existing vmid 100: /vms/100
    new vmid: 200: /vms/200

    to clone from 100 to 200 the user needs the permission on both paths (or on /vms with propagate on, or on a pool which contains that paths)
     
  3. immo

    immo Member

    That's clear for me. The user has
    1> 'path': '/vms/1001', 'roleid': 'PVEVMAdmin',
    2> 'path': '/', 'roleid': 'PVEAuditor',
    3> 'path': '/', 'roleid': 'PVEAdmin'

    The task is to clone 1001
    I guess the problem is that the first role overrules the third one because of the more detailed path.

    My expectation is that it is an OR not an AND if roles are merged on the target VM.

    A /vms/1001 PVEVMAdmin should add rights to the rights you have on the whole cluster, not remove the more general ones.
     
  4. immo

    immo Member

    Even more irritated. Just took all the rights the user has:

    so on the source, VM.Clone is allowed

    [{'path': '/vms/1001', 'roleid': 'PVEVMAdmin', 'rights': ['VM.Backup', 'VM.Config.Disk', 'VM.Console', 'VM.Migrate', 'VM.Config.CPU', 'VM.Snapshot', 'VM.PowerMgmt', 'VM.Config.CDROM', 'VM.Config.Options', 'VM.Config.Memory', 'VM.Config.Network', 'VM.Clone', 'VM.Snapshot.Rollback', 'VM.Monitor', 'VM.Audit', 'VM.Config.HWType', 'VM.Allocate']},
    {'path': '/', 'roleid': 'PVEAuditor', 'rights': ['Datastore.Audit', 'VM.Audit', 'Sys.Audit']},
    {'path': '/', 'roleid': 'PVEAdmin', 'rights': ['VM.Backup', 'VM.Config.Disk', 'VM.Console', 'Sys.Console', 'VM.Migrate', 'Permissions.Modify', 'VM.Config.CPU', 'VM.Snapshot', 'Datastore.Audit', 'VM.PowerMgmt', 'VM.Config.CDROM', 'VM.Config.Memory', 'VM.Config.Options', 'Group.Allocate', 'Sys.Audit', 'VM.Config.Network', 'VM.Clone', 'VM.Monitor', 'Pool.Allocate', 'VM.Audit', 'VM.Snapshot.Rollback', 'Realm.AllocateUser', 'VM.Config.HWType', 'Datastore.Allocate', 'Datastore.AllocateTemplate', 'User.Modify', 'Datastore.AllocateSpace', 'VM.Allocate', 'Sys.Syslog']}]

    API docu says:
    You need 'VM.Clone' permissions on /vms/{vmid}, and 'VM.Allocate' permissions on /vms/{newid} (or on the VM pool /pool/{pool}). You also need 'Datastore.AllocateSpace' on any used storage.
    Check: ["and",["perm","/vms/{vmid}",["VM.Clone"]], ["or",["perm","/vms/{newid}",["VM.Allocate"]], ["perm","/pool/{pool}",["VM.Allocate"],"require_param","pool"]]]

    All of these should be given by the above roles.
     
  5. dcsapak

    dcsapak Proxmox Staff Member

    Do you have 'propagate' enabled? If not, then the ACL for '/' is really only for '/' and not for '/vms/YYYY'.

    can you post your '/etc/pve/user.cfg' ?
     
  6. immo

    immo Member

    I shortened the file a lot.
    Code:
    user:iwetzel@maria:1:0:Immo:Wetzel:immo.***@***.com:::
    user:pyprox@pve:1:0::::for RegtestLibraryFunctions::
    
    group:Admin:iwetzel@maria,jschneider@maria
    group:regtestlib:pyprox@pve:RegtestLibrary:
    group:Regtest:mkrause@maria:TeamLibrary:
    group:Team:iwetzel@maria:NoText
    
    acl:1:/@Admin:Administrator:
    acl:1:/@regtestlib/PVEAdmin:
    acl:1:/vms/1001/@regtestlib:
    
    
    I guess the 1 is propagate and that's the default for all.
     
    #6 immo, Apr 17, 2019
    Last edited: Apr 17, 2019
  7. dcsapak

    dcsapak Proxmox Staff Member

    Those lines look weird, are they like this in the file? (There seem to be ':' missing.)
     
  8. immo

    immo Member

    Let me see ... At the beginning it always showed smileys instead of @p: ...

    and yes there was something lost.

    Code:
    user:iwetzel@maria:1:0:Immo:Wetzel:immo.***@***.com:::
    user:pyprox@pve:1:0::::for RegtestLibraryFunctions::
    
    group:Admin:iwetzel@maria,jschneider@maria::
    group:regtestlib:pyprox@pve:RegtestLibrary:
    group:Regtest:mkrause@maria:TeamLibrary:
    group:Team:iwetzel@maria:NoText:
    
    acl:1:/:@Admin:Administrator:
    acl:1:/:@regtestlib:PVEAdmin:
    acl:1:/vms/1001:@regtestlib:PVEVMAdmin:
    
    

    Yes, we do have a community subscription and have read the documentation too.
     
  9. immo

    immo Member

    And in the end the question is: why not tell the missing right in the API response?
     
  10. immo

    immo Member

    OK, issue cleared.
    • Permissions for individual users always replace group permissions.
    "replace" is the nasty one.
    If the user is a member of the Admin group
    and has the role PVEAuditor

    -> he is just PVEAuditor

    The shortened user.cfg was too short :-(

    But this is worse. At least on the same level, group and user rights should be an extension, not a contradiction.
    Even on a more specific level a high-grade role should not be overwritten by a low-grade rule. I know there is no weighting between roles, but in fact this makes things worse, especially with unclear fault messages (forbidden).
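The rule the thread ran into (a per-user ACL replacing the group's ACL on the same path, and a more specific path replacing, not extending, the parent's roles) together with the clone permission check quoted from the API docs can be replayed offline. The following is an added example, not Proxmox's own code: it implements the documented PVE ACL rules against the shortened user.cfg posted above, evaluates the and/or/perm check tree for a clone, and, in place of a bare "forbidden", names the perm leaf that fails. The PVEAuditor entry for pyprox@pve and the propagate=0 variant are constructed here to reproduce the two failure modes discussed in the thread; the privilege sets are the ones printed in post 4.

```python
"""Added example, not Proxmox's own code: replay the documented PVE ACL rules over
a user.cfg fragment and name the failing 'perm' leaf of an API permission check
instead of a bare 403. Rules modelled: roles on a more specific path replace the
roles inherited from a parent path; on one path a user ACL replaces group ACLs;
propagate=0 limits an ACL to its exact path; NoAccess wins. Privilege sets are
the ones printed earlier in this thread; roles not listed here (Administrator)
resolve to no privileges, which is enough for the pyprox@pve cases below.
"""
import re

PVEAUDITOR = {"Datastore.Audit", "VM.Audit", "Sys.Audit"}
PVEVMADMIN = {"VM.Allocate", "VM.Clone", "VM.Audit", "VM.Backup", "VM.Console", "VM.Migrate",
    "VM.Monitor", "VM.PowerMgmt", "VM.Snapshot", "VM.Snapshot.Rollback", "VM.Config.CDROM",
    "VM.Config.CPU", "VM.Config.Disk", "VM.Config.HWType", "VM.Config.Memory",
    "VM.Config.Network", "VM.Config.Options"}
PVEADMIN = PVEVMADMIN | PVEAUDITOR | {"Sys.Console", "Sys.Syslog", "Permissions.Modify",
    "Group.Allocate", "Pool.Allocate", "Realm.AllocateUser", "User.Modify",
    "Datastore.Allocate", "Datastore.AllocateTemplate", "Datastore.AllocateSpace"}
ROLES = {"PVEAuditor": PVEAUDITOR, "PVEVMAdmin": PVEVMADMIN, "PVEAdmin": PVEADMIN}

# the check tree quoted from the API docs for the clone call, kept as data
CLONE_CHECK = ["and", ["perm", "/vms/{vmid}", ["VM.Clone"]],
               ["or", ["perm", "/vms/{newid}", ["VM.Allocate"]],
                      ["perm", "/pool/{pool}", ["VM.Allocate"], "require_param", "pool"]]]

# group: and acl: lines of the (shortened) user.cfg as posted in this thread
THREAD_USER_CFG = """\
group:Admin:iwetzel@maria,jschneider@maria::
group:regtestlib:pyprox@pve:RegtestLibrary:
acl:1:/:@Admin:Administrator:
acl:1:/:@regtestlib:PVEAdmin:
acl:1:/vms/1001:@regtestlib:PVEVMAdmin:
"""
# constructed variants: the per-user PVEAuditor entry the full file turned out to
# contain (post 10), and the same file with propagate switched off on '/'
USER_ACL_CFG = THREAD_USER_CFG + "acl:1:/:pyprox@pve:PVEAuditor:\n"
NO_PROPAGATE_CFG = THREAD_USER_CFG.replace("acl:1:/:@regtestlib:", "acl:0:/:@regtestlib:")


def parse_user_cfg(text):
    """Read group: and acl: lines of /etc/pve/user.cfg (colon separated fields)."""
    cfg = {"groups": {}, "acl": {}}
    for line in text.splitlines():
        f = line.strip().split(":")
        if f[0] == "group":            # group:<name>:<user,user,...>:<comment>:
            cfg["groups"][f[1]] = set(filter(None, f[2].split(",")))
        elif f[0] == "acl":            # acl:<propagate>:<path>:<user|@group,...>:<role,...>:
            propagate, path = f[1] == "1", f[2]
            entry = cfg["acl"].setdefault(path, {"users": {}, "groups": {}})
            for subject in filter(None, f[3].split(",")):
                kind = "groups" if subject.startswith("@") else "users"
                for role in filter(None, f[4].split(",")):
                    entry[kind].setdefault(subject.lstrip("@"), {})[role] = propagate
    return cfg


def roles(cfg, user, path):
    """Effective roles of `user` on `path`, walking the ACL from '/' down to `path`."""
    current = {}
    for p in sorted(cfg["acl"]):       # '/' and every prefix sort before their children
        final = p == path
        if not (p == "/" or final or path.startswith(p + "/")):
            continue
        entry = cfg["acl"][p]
        # a user ACL on this path takes precedence over group ACLs on the same path
        new = {r: pr for r, pr in entry["users"].get(user, {}).items() if final or pr}
        if not new:
            for g, rmap in entry["groups"].items():
                if user in cfg["groups"].get(g, ()):
                    new.update({r: pr for r, pr in rmap.items() if final or pr})
        if new:
            current = new               # the more specific path replaces, it does not extend
    return {"NoAccess"} if "NoAccess" in current else set(current)


def check(cfg, user, expr, params, missing):
    """Evaluate an and/or/perm tree; append one reason per failing perm leaf to `missing`."""
    op = expr[0]
    if op == "and":                    # lists, not generators: evaluate every branch
        return all([check(cfg, user, e, params, missing) for e in expr[1:]])
    if op == "or":
        local = []
        ok = any([check(cfg, user, e, params, local) for e in expr[1:]])
        if not ok:
            missing.extend(local)      # only report the alternatives if all of them failed
        return ok
    tmpl, privs, opts = expr[1], expr[2], expr[3:]
    if "require_param" in opts and not params.get(opts[opts.index("require_param") + 1]):
        missing.append(f"{tmpl}: required parameter not given, branch skipped")
        return False
    path = re.sub(r"\{(\w+)\}", lambda m: str(params[m.group(1)]), tmpl)
    have = roles(cfg, user, path)
    lacking = sorted(set(privs) - set().union(*(ROLES.get(r, set()) for r in have)))
    if lacking:
        missing.append(f"{user} lacks {','.join(lacking)} on {path} "
                       f"(effective roles: {sorted(have) or 'none'})")
    return not lacking


def clone_allowed(cfg_text, user, vmid, newid, pool=None):
    """(allowed, reasons) for cloning vmid -> newid, i.e. what the 403 should have said."""
    reasons = []
    ok = check(parse_user_cfg(cfg_text), user, CLONE_CHECK,
               {"vmid": vmid, "newid": newid, "pool": pool}, reasons)
    return ok, reasons
```

Calling `clone_allowed(THREAD_USER_CFG, "pyprox@pve", 1001, 200)` passes, exactly as the poster expected from the shortened file. With the extra per-user line the same call fails and the reason reads "pyprox@pve lacks VM.Allocate on /vms/200 (effective roles: ['PVEAuditor'])": PVEVMAdmin still applies on /vms/1001 because the group ACL on that path is more specific, but on /vms/200 only the '/' entries apply, and there the user's own PVEAuditor entry has replaced the group's PVEAdmin. Switching propagate off on '/' fails the same leaf with no effective roles at all, and granting VM.Allocate on a pool and passing `pool=` satisfies the "or" branch instead.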
     
  11. dcsapak

    dcsapak Proxmox Staff Member

    This is intended and documented:

     
  12. immo

    immo Member

    Even if intended it must not be good... Seems to make the common rights handling vice versa. But yeah... It's written somewhere in the deep. No, the request could at least be to have more informative error messages.
     