Create CT - Permission check failed (403)

Mr.BlueBear

Member
A user is trying to create a CT using the PVE WebUI in a specific Pool (in this case, the pool is called "Dev"). The first error message he got was:
"Permission check failed (/pool/Dev, Permissions.Modify|Pool.Allocate) (403)"

I then added the "PVEPoolAdmin" role to the user on "/pool/Dev", however, now I get a "Permission check failed (403)" with no other hints.

What roles are required for a user to be able to create a CT in a pool?


PVE version:
proxmox-ve: 6.4-1 (running kernel: 5.4.128-1-pve)
pve-manager: 6.4-13 (running version: 6.4-13/9f411e79)
 

dcsapak

Proxmox Staff Member
You require at least 'VM.Allocate' rights on the pool (or /vms/VMID) and Datastore.AllocateSpace (on the pool, if the storage is in the pool, or on the storage).
 

Mr.BlueBear

If that is the case, then there is a bug with the LXC Container create. The user is part of a group which has permissions on the Pool with the built-in role PVEVMAdmin and on the storage with the built-in role PVEDatastoreUser. Both these built-in roles have VM.Allocate and Datastore.AllocateSpace respectively.

So I am at a loss as to why the Container creation gets a "Permission check failed (403)"...
 

dcsapak

Are there any VMIDs pre-assigned to the pool? A user creating a CT must have VM.Allocate on '/vms/VMID' (e.g. /vms/100) OR on the pool, but only if the VMID the user selects is pre-assigned to the pool.
 

Mr.BlueBear

No, there are no pre-assigned VMIDs on the pool.

Even after pre-assigning a VMID (e.g. /vms/200) with the proper vm.allocate, I still get a "Permission check failed (/pool/Dev, Permissions.Modify|Pool.Allocate) (403)" because the CT creation process also requires Pool.Allocate, not just vm.allocate.
Once Pool.Allocate is added to the user, it works.

However, giving a user Pool.Allocate on a pool allows him to change permissions for other users/VMs on this pool and escalate privileges for any user to a higher level. This is a security risk if you just want to allow a user basic access and the possibility to create a CT only.
Also, pre-assigning VMIDs for each user to remember is messy. This will definitely lead to user errors and VMs using auto-generated IDs stealing CT pre-assigned IDs.
 

dcsapak

I meant pre-assigning a non-existing VMID to a pool. In your scenario, the user tries to modify the pool, which needs 'Pool.Allocate'.
Also, you need Permissions.Modify on the VM, because adding it to a pool changes its permissions.
 

Mr.BlueBear

Yes, pre-assigning non-existing VMIDs to a pool is what I understood too.

So yes, pre-assigning non-existing VMIDs to a pool and giving the user Permissions.Modify or Pool.Allocate works.
However, if the user deletes the CT, it also deletes the associated permissions. This is a good workflow to delete permissions when the VM or CT is deleted, but it also basically means that once the user runs out of pre-assigned VMIDs to use or deletes the CT, they will need to ask an Admin for more. This doesn't really make the user autonomous.

To me this makes using CTs in Proxmox more clunky than VMs, as with VMs in a pool, users only need the built-in role PVEVMAdmin (no need for Permissions.Modify or Pool.Allocate) to create a VM.
 

dcsapak

Mr.BlueBear said: "To me this makes using CTs in Proxmox more clunky than VMs, as with VMs in a pool, users only need the built-in role PVEVMAdmin (no need for Permissions.Modify or Pool.Allocate) to create a VM."

OK, I just reproduced that and it seems like a bug. We removed the permissions modify check for pools on VMs ages ago, but did not for containers...
Would you mind opening a bug? https://bugzilla.proxmox.com
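
An added example (not part of the thread and not Proxmox code): the workaround discussed above leaves accounts holding Pool.Allocate or Permissions.Modify on a pool, so this script lists which principals have those privileges on a given pool path. The input layout is an assumption modelled on the role: and acl: lines of /etc/pve/user.cfg; the sample lines and the CTCreateWorkaround role are constructed, and path overrides and NoAccess are not modelled.

```python
# Added example: list principals holding pool-delegation privileges on a pool.
# Input layout is an assumption modelled on the role:/acl: lines of
# /etc/pve/user.cfg; path overrides and NoAccess are not modelled.
RISKY = {"Pool.Allocate", "Permissions.Modify"}
# Built-in roles: only privileges relevant to this thread (assumption).
BUILTIN_ROLES = {
    "PVEPoolAdmin": {"Pool.Allocate"},
    "PVEVMAdmin": {"VM.Allocate"},
    "PVEDatastoreUser": {"Datastore.AllocateSpace"},
}
# Constructed sample; CTCreateWorkaround is a hypothetical custom role.
SAMPLE = """\
role:CTCreateWorkaround:VM.Allocate,Pool.Allocate:
acl:1:/pool/Dev:@developers:PVEVMAdmin:
acl:1:/storage/local-lvm:@developers:PVEDatastoreUser:
acl:1:/pool/Dev:alice@pve:CTCreateWorkaround:
acl:0:/pool:bob@pve:PVEPoolAdmin:
acl:1:/pool:carol@pve:PVEPoolAdmin:
"""

def parse(cfg_text):
    """Return (role -> privilege set, list of (path, propagate, who, role))."""
    roles = {name: set(privs) for name, privs in BUILTIN_ROLES.items()}
    acls = []
    for raw in cfg_text.splitlines():
        f = raw.strip().split(":")
        if f[0] == "role" and len(f) >= 3:
            roles[f[1]] = {p for p in f[2].split(",") if p}
        elif f[0] == "acl" and len(f) >= 5:
            for who in f[3].split(","):
                for role in f[4].split(","):
                    acls.append((f[2], f[1] == "1", who, role))
    return roles, acls

def covers(acl_path, propagate, target):
    """True if an ACL on acl_path applies to target (exact or propagated)."""
    prefix = acl_path.rstrip("/") + "/"
    return acl_path == target or (propagate and target.startswith(prefix))

def pool_delegation_findings(cfg_text, pool):
    """Grants that give Pool.Allocate or Permissions.Modify on /pool/<pool>."""
    roles, acls = parse(cfg_text)
    target = "/pool/" + pool
    return sorted(
        (who, role, path, sorted(roles.get(role, set()) & RISKY))
        for path, propagate, who, role in acls
        if roles.get(role, set()) & RISKY and covers(path, propagate, target)
    )

if __name__ == "__main__":
    print(*pool_delegation_findings(SAMPLE, "Dev"), sep="\n")
```

Because overrides are not modelled, the result can over-report; treat each finding as a grant to review rather than a confirmed effective permission.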
 
