Created user permissions not reflected in API

justjosh

Nov 4, 2019
Hi all,

Still completely new to this ecosystem. I'm trying to create a PVE authenticated user with permissions to create other users with PVEVMUser permissions.

Steps I've taken:

1. Datacenter > Permissions > Users > Add (Realm: PVE)
2. Datacenter > Pools > Create
3. Pool_Name > Permissions > Add > User Permission (Role: PVEAdmin)

I am failing at permission Realm.AllocateUser.

Permissions under PVEAdmin are:

Code:
VM.Migrate, VM.Config.CDROM, VM.Config.Network, Datastore.AllocateTemplate, VM.Config.Memory, VM.Config.CPU, Datastore.Audit, VM.Backup, Pool.Allocate, VM.Config.Options, Sys.Console, Sys.Syslog, VM.Monitor, VM.Config.HWType, Sys.Audit, VM.Clone, Permissions.Modify, VM.Allocate, User.Modify, Group.Allocate, Datastore.Allocate, VM.Audit, VM.Snapshot, VM.Config.Disk, VM.PowerMgmt, Datastore.AllocateSpace, VM.Console, VM.Snapshot.Rollback, Realm.AllocateUser

But ticket permissions from /access/ticket seem to indicate that certain features are not exposed:

Code:
        "cap": {
            "storage": {
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Datastore.Audit": 1,
                "Datastore.AllocateTemplate": 1,
                "Permissions.Modify": 1
            },
            "access": {},
            "dc": {},
            "nodes": {},
            "vms": {
                "VM.Audit": 1,
                "Permissions.Modify": 1,
                "VM.Config.Disk": 1,
                "VM.Migrate": 1,
                "VM.Config.Memory": 1,
                "VM.Config.Network": 1,
                "VM.Config.HWType": 1,
                "VM.Backup": 1,
                "VM.Config.CDROM": 1,
                "VM.Snapshot": 1,
                "VM.Monitor": 1,
                "VM.Console": 1,
                "VM.PowerMgmt": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Options": 1,
                "VM.Allocate": 1,
                "VM.Config.CPU": 1,
                "VM.Clone": 1
            }
        },

I've tried creating a new role and assigning all permissions to the user but am still getting the same response for the ticket, even as the permissions match the root user entirely:

Code:
VM.Audit, VM.Config.Disk, VM.PowerMgmt, VM.Allocate, Group.Allocate, Datastore.Audit, Realm.AllocateUser, VM.Monitor, VM.Config.Network, Pool.Allocate, VM.Config.Options, Datastore.AllocateTemplate, VM.Config.CDROM, Sys.Syslog, VM.Console, Sys.Modify, VM.Snapshot.Rollback, VM.Migrate, User.Modify, VM.Clone, Sys.Audit, VM.Backup, Permissions.Modify, VM.Config.HWType, Sys.PowerMgmt, VM.Snapshot, VM.Config.Memory, VM.Config.CPU, Sys.Console, Realm.Allocate, Datastore.AllocateSpace, Datastore.Allocate

Ticket permissions are still the same:

Code:
        "cap": {
            "storage": {
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Datastore.Audit": 1,
                "Datastore.AllocateTemplate": 1,
                "Permissions.Modify": 1
            },
            "access": {},
            "dc": {},
            "nodes": {},
            "vms": {
                "VM.Audit": 1,
                "Permissions.Modify": 1,
                "VM.Config.Disk": 1,
                "VM.Migrate": 1,
                "VM.Config.Memory": 1,
                "VM.Config.Network": 1,
                "VM.Config.HWType": 1,
                "VM.Backup": 1,
                "VM.Config.CDROM": 1,
                "VM.Snapshot": 1,
                "VM.Monitor": 1,
                "VM.Console": 1,
                "VM.PowerMgmt": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Options": 1,
                "VM.Allocate": 1,
                "VM.Config.CPU": 1,
                "VM.Clone": 1
            }
        },

The root user generates a different ticket with everything:

Code:
        "cap": {
            "storage": {
                "Datastore.Audit": 1,
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Permissions.Modify": 1,
                "Datastore.AllocateTemplate": 1
            },
            "nodes": {
                "Sys.Audit": 1,
                "Sys.PowerMgmt": 1,
                "Sys.Syslog": 1,
                "Sys.Modify": 1,
                "Sys.Console": 1,
                "Permissions.Modify": 1
            },
            "vms": {
                "VM.PowerMgmt": 1,
                "VM.Config.Disk": 1,
                "VM.Allocate": 1,
                "VM.Config.CDROM": 1,
                "VM.Console": 1,
                "VM.Snapshot": 1,
                "VM.Config.Options": 1,
                "Permissions.Modify": 1,
                "VM.Config.Memory": 1,
                "VM.Config.HWType": 1,
                "VM.Audit": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Network": 1,
                "VM.Monitor": 1,
                "VM.Clone": 1,
                "VM.Config.CPU": 1,
                "VM.Backup": 1,
                "VM.Migrate": 1
            },
            "access": {
                "User.Modify": 1,
                "Group.Allocate": 1,
                "Permissions.Modify": 1
            },
            "dc": {
                "Sys.Audit": 1
            }
        },

Also, it seems like the Realm permissions are not showing up for root user either?

Logging into the GUI directly with the created user, I only see the options Storage and Users under Datacenter, in addition to the option to create VMs/CTs. However, the Datacenter > Users section is read-only: I only see one user, which is the same user I'm logged in as, and the only options available are Password/TFA. The Add/Edit/Remove options are greyed out. This is even though I have given the user the exact same permissions as the root user.

What am I doing wrong?

Thanks!
The ticket API call only returns a "broadened" capability overview (mainly for the GUI to know which parts to even display, or not ;))

I recommend reading https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_user_management

I think what you probably want is a user that has ACLs
- to allocate and modify users on your custom realm (PVEUserAdmin limited to your custom realm)
- modify a group (add/remove members) (PVEUserAdmin on that group path)

with that group having an ACL which has role PVEVMUser on /vms (or a pool, or some pre-defined list of VM paths).
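As an added illustration (not code from the thread or from Proxmox), here is a deliberately simplified model of PVE's path-based ACL evaluation. It shows why the PVEAdmin ACL on a pool from the original post grants nothing on /access/realm/..., while the layout suggested above gives a realm-limited user admin plus a group with PVEVMUser on /vms. Assumptions: roles are unioned along the path prefix chain where propagate is set, the NoAccess override rule is ignored, and the PVEUserAdmin/PVEVMUser privilege sets are from memory (check them with `pveum role list`); all user, realm, group and pool names are constructed.

```python
# Added example, not from the thread: simplified model of Proxmox VE's
# path-based ACL evaluation. Assumed simplifications: roles are unioned
# along the prefix chain where "propagate" is set; NoAccess override ignored.

# Role -> privileges. PVEAdmin is the list quoted in the post; PVEUserAdmin
# and PVEVMUser are assumed from memory (verify with `pveum role list`).
ROLES = {
    "PVEAdmin": {"VM.Migrate", "VM.Config.CDROM", "VM.Config.Network",
        "Datastore.AllocateTemplate", "VM.Config.Memory", "VM.Config.CPU",
        "Datastore.Audit", "VM.Backup", "Pool.Allocate", "VM.Config.Options",
        "Sys.Console", "Sys.Syslog", "VM.Monitor", "VM.Config.HWType",
        "Sys.Audit", "VM.Clone", "Permissions.Modify", "VM.Allocate",
        "User.Modify", "Group.Allocate", "Datastore.Allocate", "VM.Audit",
        "VM.Snapshot", "VM.Config.Disk", "VM.PowerMgmt", "Realm.AllocateUser",
        "Datastore.AllocateSpace", "VM.Console", "VM.Snapshot.Rollback"},
    "PVEUserAdmin": {"User.Modify", "Group.Allocate", "Realm.AllocateUser"},
    "PVEVMUser": {"VM.Audit", "VM.Config.CDROM", "VM.Console", "VM.PowerMgmt",
                  "VM.Backup", "VM.Snapshot", "VM.Snapshot.Rollback"},
}

def path_prefixes(path):
    """Yield "/", each ancestor of path, then path itself."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])

def effective_privs(acls, groups, user, path):
    """Privileges user (directly or via its groups) holds at path.
    acls: (path, subject, role, propagate); subject is 'user@realm' or '@group'."""
    subjects = {user} | {"@" + g for g in groups.get(user, ())}
    privs = set()
    for prefix in path_prefixes(path):
        for acl_path, subject, role, propagate in acls:
            if acl_path == prefix and subject in subjects and (propagate or prefix == path):
                privs |= ROLES[role]
    return privs

def can(acls, groups, user, path, priv):
    return priv in effective_privs(acls, groups, user, path)

# Scenario from the post: PVEAdmin only on a pool (names constructed).
POST_ACLS = [("/pool/mypool", "newuser@pve", "PVEAdmin", True)]
# Scenario from the reply: realm-limited user admin + group with PVEVMUser.
REPLY_ACLS = [
    ("/access/realm/custom", "useradmin@pve", "PVEUserAdmin", True),
    ("/access/groups/vmusers", "useradmin@pve", "PVEUserAdmin", True),
    ("/vms", "@vmusers", "PVEVMUser", True),
]
GROUPS = {"alice@custom": ["vmusers"]}  # constructed membership
```

Running `can(...)` against the two scenarios shows the pool-scoped PVEAdmin never reaches the /access/realm path, whereas the reply's layout grants Realm.AllocateUser on the custom realm only and leaves the VM users with PVEVMUser rather than VM.Allocate.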