Fine-Grained Access Control (aka restrict access to a specific VM group)

dec

Hello,

I would like to give read-only access to a VM backup group (VM with ID 100), but I'm unable to see any documentation about that.
I tried multiple path combinations but I'm pretty sure that it is not implemented; can you confirm that?

Code:
acl:1:/datastore/vhd1/vm/100:public-reader@pbs:DatastoreReader
acl:1:/datastore/vhd1/qemu/100:public-reader@pbs:DatastoreReader

A workaround would be to back up each VM under a specific namespace, but that will require creating a duplicated PBS storage in PVE for each namespace?
 
You could also set up a sync job into a new namespace (if done within the same datastore, it's almost free, since it will only need to copy the metadata part, not the chunks), to avoid the need for duplicate PBS storages. One sync job and namespace per VM/group, for example.
 
@ggoller, for the record, I made a feature request: https://bugzilla.proxmox.com/show_bug.cgi?id=5046

@fabian, I tried to use namespaces but I didn't think it was necessary to declare the namespace at the PVE storage level (in fact I thought it was set at the backup job level). I was hoping that by giving namespace rights to the user, he would have direct access to the hierarchy in PVE:

pbs-storage:
-- Root:
--- vm/100
--- vm/101
--- [-] Namespace1
------ vm/102
------ vm/103
--- [-] Namespace2
------ vm/105
------ vm/106

But that's not the case, and the current implementation requires creating 3 PBS storages in PVE for the same PBS server:

pbs-storage-root:
--- vm/100
--- vm/101

pbs-storage-namespace1:
--- vm/102
--- vm/103

pbs-storage-namespace2:
--- vm/105
--- vm/106
 
Yes, if you need access to the "limited" namespace in PVE, then you need to configure it as storage as well. I am not sure what your intended use case is - to allow users to restore backups, but not make them? Maybe you could describe it a bit more?
 
I'm planning a course for my students on 5/6 VMs, and obviously I don't want them to be able to make any backups, but I also want to give them access to existing backups progressively.
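
As an added example (not code from the thread or from Proxmox), the Python sketch below parses ACL entries in the format shown in the first post and reports which namespace each path addresses. It assumes the PBS ACL path scheme `/datastore/{store}/{namespace}`, where every component after the datastore name is a namespace level; the namespace `vm100-restore` and all helper names are hypothetical.

```python
# Added example: audit helper, not part of Proxmox Backup Server.
from dataclasses import dataclass

# Constructed sample: the two entries from the first post plus a namespace
# entry for the sync-job workaround ("vm100-restore" is an assumed name).
SAMPLE_ACL = """\
acl:1:/datastore/vhd1/vm/100:public-reader@pbs:DatastoreReader
acl:1:/datastore/vhd1/qemu/100:public-reader@pbs:DatastoreReader
acl:1:/datastore/vhd1/vm100-restore:public-reader@pbs:DatastoreReader
"""

GROUP_TYPES = {"vm", "ct", "host"}  # PBS backup group types


@dataclass
class AclEntry:
    propagate: bool
    store: str
    namespace: str          # "" means the datastore root
    auth_ids: list
    roles: list
    looks_like_group: bool


def parse_acl_line(line):
    """Parse 'acl:<propagate>:<path>:<auth-ids>:<roles>' for datastore paths."""
    fields = line.strip().split(":")
    if len(fields) != 5 or fields[0] != "acl" or fields[1] not in ("0", "1"):
        raise ValueError(f"not an ACL entry: {line!r}")
    parts = [p for p in fields[2].split("/") if p]
    if len(parts) < 2 or parts[0] != "datastore":
        raise ValueError(f"not a datastore path: {fields[2]!r}")
    ns = parts[2:]
    # A trailing <type>/<id> pair is how a backup group is written, but in an
    # ACL path it is only read as two nested namespace names.
    group_like = len(ns) >= 2 and ns[-2] in GROUP_TYPES
    # Assumption: multiple auth ids or roles are comma-separated.
    return AclEntry(fields[1] == "1", parts[1], "/".join(ns),
                    fields[3].split(","), fields[4].split(","), group_like)


def audit(text):
    """Return (namespace, warning-or-None) for each entry in an acl.cfg text."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        e = parse_acl_line(line)
        warn = "group-style path, read as a namespace" if e.looks_like_group else None
        out.append((e.namespace, warn))
    return out
```

Run over the sample, the first entry is flagged because `vm/100` is interpreted as namespace `vm` containing namespace `100`, which is why it does not restrict access to the backup group of VM 100.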
 
