Different privileges for root and user with Administrator role?

[gabbegubben]

I have setup a "normal" user with the Aministrator role and have been using this to manage my cluster without problem for quite a while. For some reason, I wanted to check what ACME account I had set up, and I could not find it. I thought I was going crazy until I realized that the ACME menu item really WAS missing.


I logged out and logged in as "root" instead, and there it was!

Is this a bug, or is there a difference between the root user and a user with the Administrator role?

Another place where there might be a difference between root and the Administrator is when I tried to destroy a Ceph monitor node. With the administrator I got this message:


I am running PVE 7.3-3 with the pve-enterprise repositories.

 

[Matthias.]

https://pve.proxmox.com/pve-docs/api-viewer/#/cluster/acme/account/{name}
If you check the API documentation, that endpoint is indeed root only.

The ceph thing is a bug, I sent a fix to the list. https://lists.proxmox.com/pipermail/pve-devel/2023-January/055421.html

 

[gabbegubben]

OK, thanks for the info! (and the fix)

 

[fabian]

https://pve.proxmox.com/pve-docs/api-viewer/#/cluster/acme/account/{name}
If you check the API documentation, that endpoint is indeed root only.

although we have discussed in the past that this restriction could be lifted (ordering certificates via ACME does work with Adminsitrator accounts, it's just the ACME account management part that is root only).

 

[gabbegubben]

although we have discussed in the past that this restriction could be lifted (ordering certificates via ACME does work with Adminsitrator accounts, it's just the ACME account management part that is root only).

My main issue with this was just the fact that I could not find the ACME account managent as non-root. If there was a place holder informing me that I need to be root to perform ACME account management it would not be as confusing.

On a side note, if you look at the documentation for PVE GUI:
https://pve.proxmox.com/pve-docs/chapter-pve-gui.html#_content_panels
the text references the ACME-entry but in the screenshot it is missing (since the logged in user is not root).

 

[guerbywork]

although we have discussed in the past that this restriction could be lifted (ordering certificates via ACME does work with Adminsitrator accounts, it's just the ACME account management part that is root only).

Same here: it took me a while to see that ACME account management was root only.

We migrated to per administrator @pve account instead of root@pam to follow best security practices but we had to go back to root@pam for so far for certificates and if we want to host/updates/upgrade (greyed out for non root@pam)

I don't know if there are other parts of the API that are root@pam only?

 

[gabbegubben]

I don't know if there are other parts of the API that are root@pam only?

The only other thing I have found is the ability to delete (destroy) Ceph OSD:s.

 

[scyto]

this restriction could be lifted

This seems an odd restriction with little to no security benefit?

 

[scyto]

Also i found i can't not use the _Shell feature - is that expected?

"Connection failed (Error 403: Permission check failed (realm mydomain.com !~ pam))

and two seconds later i find my own answer, sorry https://forum.proxmox.com/threads/c...l-with-activedirectory-user.69370/post-565980