Created user permissions not reflected in API

justjosh

Well-Known Member
Nov 4, 2019
Hi all,

Still completely new to this ecosystem. I'm trying to create a PVE authenticated user with permissions to create other users with PVEVMUser permissions.

Steps I've taken:

1. Datacenter > Permissions > Users > Add (Realm: PVE)
2. Datacenter > Pools > Create
3. Pool_Name > Permissions > Add > User Permission (Role: PVEAdmin)

I am failing at permission Realm.AllocateUser.

Permissions under PVEAdmin are:

Code:
VM.Migrate, VM.Config.CDROM, VM.Config.Network, Datastore.AllocateTemplate, VM.Config.Memory, VM.Config.CPU, Datastore.Audit, VM.Backup, Pool.Allocate, VM.Config.Options, Sys.Console, Sys.Syslog, VM.Monitor, VM.Config.HWType, Sys.Audit, VM.Clone, Permissions.Modify, VM.Allocate, User.Modify, Group.Allocate, Datastore.Allocate, VM.Audit, VM.Snapshot, VM.Config.Disk, VM.PowerMgmt, Datastore.AllocateSpace, VM.Console, VM.Snapshot.Rollback, Realm.AllocateUser

But ticket permissions from /access/ticket seem to indicate that certain features are not exposed:

Code:
        "cap": {
            "storage": {
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Datastore.Audit": 1,
                "Datastore.AllocateTemplate": 1,
                "Permissions.Modify": 1
            },
            "access": {},
            "dc": {},
            "nodes": {},
            "vms": {
                "VM.Audit": 1,
                "Permissions.Modify": 1,
                "VM.Config.Disk": 1,
                "VM.Migrate": 1,
                "VM.Config.Memory": 1,
                "VM.Config.Network": 1,
                "VM.Config.HWType": 1,
                "VM.Backup": 1,
                "VM.Config.CDROM": 1,
                "VM.Snapshot": 1,
                "VM.Monitor": 1,
                "VM.Console": 1,
                "VM.PowerMgmt": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Options": 1,
                "VM.Allocate": 1,
                "VM.Config.CPU": 1,
                "VM.Clone": 1
            }
        },

I've tried creating a new role and assigning all permissions to the user but am still getting the same response for the ticket, even as the permissions match the root user entirely:

Code:
VM.Audit, VM.Config.Disk, VM.PowerMgmt, VM.Allocate, Group.Allocate, Datastore.Audit, Realm.AllocateUser, VM.Monitor, VM.Config.Network, Pool.Allocate, VM.Config.Options, Datastore.AllocateTemplate, VM.Config.CDROM, Sys.Syslog, VM.Console, Sys.Modify, VM.Snapshot.Rollback, VM.Migrate, User.Modify, VM.Clone, Sys.Audit, VM.Backup, Permissions.Modify, VM.Config.HWType, Sys.PowerMgmt, VM.Snapshot, VM.Config.Memory, VM.Config.CPU, Sys.Console, Realm.Allocate, Datastore.AllocateSpace, Datastore.Allocate

Ticket permissions are still the same:

Code:
        "cap": {
            "storage": {
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Datastore.Audit": 1,
                "Datastore.AllocateTemplate": 1,
                "Permissions.Modify": 1
            },
            "access": {},
            "dc": {},
            "nodes": {},
            "vms": {
                "VM.Audit": 1,
                "Permissions.Modify": 1,
                "VM.Config.Disk": 1,
                "VM.Migrate": 1,
                "VM.Config.Memory": 1,
                "VM.Config.Network": 1,
                "VM.Config.HWType": 1,
                "VM.Backup": 1,
                "VM.Config.CDROM": 1,
                "VM.Snapshot": 1,
                "VM.Monitor": 1,
                "VM.Console": 1,
                "VM.PowerMgmt": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Options": 1,
                "VM.Allocate": 1,
                "VM.Config.CPU": 1,
                "VM.Clone": 1
            }
        },

The root user generates a different ticket with everything:

Code:
        "cap": {
            "storage": {
                "Datastore.Audit": 1,
                "Datastore.AllocateSpace": 1,
                "Datastore.Allocate": 1,
                "Permissions.Modify": 1,
                "Datastore.AllocateTemplate": 1
            },
            "nodes": {
                "Sys.Audit": 1,
                "Sys.PowerMgmt": 1,
                "Sys.Syslog": 1,
                "Sys.Modify": 1,
                "Sys.Console": 1,
                "Permissions.Modify": 1
            },
            "vms": {
                "VM.PowerMgmt": 1,
                "VM.Config.Disk": 1,
                "VM.Allocate": 1,
                "VM.Config.CDROM": 1,
                "VM.Console": 1,
                "VM.Snapshot": 1,
                "VM.Config.Options": 1,
                "Permissions.Modify": 1,
                "VM.Config.Memory": 1,
                "VM.Config.HWType": 1,
                "VM.Audit": 1,
                "VM.Snapshot.Rollback": 1,
                "VM.Config.Network": 1,
                "VM.Monitor": 1,
                "VM.Clone": 1,
                "VM.Config.CPU": 1,
                "VM.Backup": 1,
                "VM.Migrate": 1
            },
            "access": {
                "User.Modify": 1,
                "Group.Allocate": 1,
                "Permissions.Modify": 1
            },
            "dc": {
                "Sys.Audit": 1
            }
        },

Also, it seems like the Realm permissions are not showing up for the root user either?

Logging into the GUI directly with the created user, I only see the options Storage and Users under Datacenter, in addition to the option to create VMs/CTs. However, the Datacenter > Users section is read-only: I only see one user, the same user I'm logged in as, and the only options available are Password/TFA. The Add/Edit/Remove options are greyed out. This is even though I have given the user the exact same permissions as the root user.

What am I doing wrong?

Thanks!
the ticket API call only returns a "broadened" capability overview (mainly for the GUI to know which parts to even display, or not ;))

I recommend reading https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_user_management

I think what you probably want is a user that has ACLs
- to allocate and modify users on your custom realm (PVEUserAdmin limited to your custom realm)
- modify a group (add/remove members) (PVEUserAdmin on that group path)

with that group having an ACL which has role PVEVMUser on /vms (or a pool, or some pre-defined list of VM paths).
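A simplified model of the path-scoped ACL evaluation the reply relies on, added here as an illustration; it is not Proxmox's own code and not from either poster. It assumes placeholder names (user joe@pve, group vmusers, pool mypool, VM 100); PVEAdmin's privilege list is copied from the first post, while PVEUserAdmin and PVEVMUser are quoted from memory of the admin guide and should be checked with `pveum role list`. It shows why PVEAdmin on a pool satisfies nothing at /access/realm/pve (where user creation is checked), while the layout the reply recommends does.

```python
"""Toy model of Proxmox VE path-scoped ACLs (constructed illustration).

Model, as the admin guide describes it: a role is a set of privileges, an ACL
binds a user or group to a role on an object path, entries reach sub-paths
only when propagate is set, the most specific matching level wins, and
NoAccess on that level removes everything. The ticket's "cap" summary is
deliberately not modelled; it is only a coarse overview for the GUI.
"""
from dataclasses import dataclass

ROLES = {
    # Privilege list exactly as printed in the first post.
    "PVEAdmin": {
        "VM.Migrate", "VM.Config.CDROM", "VM.Config.Network",
        "Datastore.AllocateTemplate", "VM.Config.Memory", "VM.Config.CPU",
        "Datastore.Audit", "VM.Backup", "Pool.Allocate", "VM.Config.Options",
        "Sys.Console", "Sys.Syslog", "VM.Monitor", "VM.Config.HWType",
        "Sys.Audit", "VM.Clone", "Permissions.Modify", "VM.Allocate",
        "User.Modify", "Group.Allocate", "Datastore.Allocate", "VM.Audit",
        "VM.Snapshot", "VM.Config.Disk", "VM.PowerMgmt",
        "Datastore.AllocateSpace", "VM.Console", "VM.Snapshot.Rollback",
        "Realm.AllocateUser",
    },
    # Built-in roles from the admin guide, quoted from memory (approximate).
    "PVEUserAdmin": {"User.Modify", "Group.Allocate", "Realm.AllocateUser"},
    "PVEVMUser": {"VM.Audit", "VM.Backup", "VM.Config.CDROM", "VM.Console",
                  "VM.PowerMgmt"},
    "NoAccess": set(),
}


@dataclass(frozen=True)
class Acl:
    path: str        # object path, e.g. /pool/mypool or /access/realm/pve
    subject: str     # "user:<userid>" or "group:<groupid>"
    role: str
    propagate: bool = True


def _prefixes(path):
    """Yield '/', '/a', '/a/b' for '/a/b' (root first)."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def effective_roles(acls, memberships, user, path):
    """Roles `user` holds on `path`; the most specific matching level wins."""
    subjects = {f"user:{user}"} | {f"group:{g}" for g in memberships.get(user, ())}
    roles = set()
    for prefix in _prefixes(path):
        here = {a.role for a in acls
                if a.path == prefix and a.subject in subjects
                and (prefix == path or a.propagate)}
        if here:
            roles = here          # a deeper level replaces inherited roles
    return set() if "NoAccess" in roles else roles


def effective_privs(acls, memberships, user, path):
    privs = set()
    for role in effective_roles(acls, memberships, user, path):
        privs |= ROLES[role]
    return privs


def can(acls, memberships, user, path, priv):
    return priv in effective_privs(acls, memberships, user, path)


# Constructed sample ACLs. First post: PVE-realm user, PVEAdmin on a pool only.
POST_ACLS = [Acl("/pool/mypool", "user:joe@pve", "PVEAdmin")]

# Layout the reply recommends: PVEUserAdmin on the realm and on one group,
# and that group holds PVEVMUser on /vms.
REPLY_ACLS = [
    Acl("/access/realm/pve", "user:joe@pve", "PVEUserAdmin"),
    Acl("/access/groups/vmusers", "user:joe@pve", "PVEUserAdmin"),
    Acl("/vms", "group:vmusers", "PVEVMUser"),
]
REPLY_MEMBERS = {"alice@pve": ["vmusers"]}   # users created by joe land here


def check_scenarios():
    """The checks that matter for the thread, keyed by a short label."""
    return {
        # PVEAdmin does contain Realm.AllocateUser on the pool path ...
        "post: priv on pool": can(POST_ACLS, {}, "joe@pve", "/pool/mypool", "Realm.AllocateUser"),
        # ... but user creation is checked on /access/realm/<realm>, out of reach.
        "post: priv on realm": can(POST_ACLS, {}, "joe@pve", "/access/realm/pve", "Realm.AllocateUser"),
        "reply: create user in realm": can(REPLY_ACLS, REPLY_MEMBERS, "joe@pve", "/access/realm/pve", "Realm.AllocateUser"),
        "reply: edit group members": can(REPLY_ACLS, REPLY_MEMBERS, "joe@pve", "/access/groups/vmusers", "User.Modify"),
        "reply: member gets console": can(REPLY_ACLS, REPLY_MEMBERS, "alice@pve", "/vms/100", "VM.Console"),
        "reply: user-admin has no VM privs": can(REPLY_ACLS, REPLY_MEMBERS, "joe@pve", "/vms/100", "VM.Console"),
        "reply: member cannot create users": can(REPLY_ACLS, REPLY_MEMBERS, "alice@pve", "/access/realm/pve", "Realm.AllocateUser"),
    }


if __name__ == "__main__":
    for label, ok in check_scenarios().items():
        print(f"{label:36} {ok}")
```

On a real node the recommended layout corresponds roughly to `pveum acl modify /access/realm/pve --users joe@pve --roles PVEUserAdmin`, `pveum acl modify /access/groups/vmusers --users joe@pve --roles PVEUserAdmin` and `pveum acl modify /vms --groups vmusers --roles PVEVMUser` (syntax as in the admin guide's pveum chapter; older releases spell the subcommand `pveum aclmod`). Check the outcome from the restricted user's point of view with `pveum user permissions joe@pve` on recent releases, not from the ticket's cap summary, and note that the user-admin in this layout holds no VM privileges at all, which is the least-privilege split the reply is after.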