Fine-Grained Access Control (aka restrict access to a specific VM group)

[dec]

Hello,

I would like to give a read-only access to a VM backup group (VM with ID 100), but I'm unable to see any documentation about that.
I tried multiple path combinations but I'm pretty sure that it is not implemented, can you confirm that ?

acl:1:/datastore/vhd1/vm/100:public-reader@pbs:DatastoreReader
acl:1:/datastore/vhd1/qemu/100:public-reader@pbs:DatastoreReader

A workaround would be to backup each VM under a specific namespace but that will require to create a duplicated PBS storage in PVE for each namespace ?

 

[ggoller]

Hi!
this is not currently possible, you will have to put them into namespace, and then declare the permissions on them.
If you think this would be a great addition, you could create a feature request here: https://bugzilla.proxmox.com/
More info on the ACLs here: https://pbs.proxmox.com/docs/user-management.html#access-control

 

[fabian]

you could also setup a sync job into a new namespace (if done within the same datastore, it's almost free, since it will only need to copy the metadata part, not the chunks), to avoid the need for duplicate PBS storages. one sync job and namespace per VM/group, for example.

 

[dec]

@ggoller , for the record, I made a feature request: https://bugzilla.proxmox.com/show_bug.cgi?id=5046

@fabian , I tried to use namespaces but I didn't think it was necessary to declare the namespace at the PVE storage level (in fact I thought it was set at the backup job level). I was hoping that by giving namespace rights to the user, he would have direct access to the hierarchy in PVE:

pbs-storage:
-- Root:
--- vm/100
--- vm/101
--- [-] Namespace1
------ vm/102
------ vm/103
--- [-] Namespace2
------ vm/105
------ vm/106

But that's not the case and current implementation require to create 3 PBS storage in PVE for the same PBS server:

pbs-storage-root:
--- vm/100
--- vm/101

pbs-storage-namespace1:
--- vm/102
--- vm/103

pbs-storage-namespace2:
--- vm/105
--- vm/106

 

[fabian]

yes, if you need access to the "limited" namespace in PVE, then you need to configure it as storage as well. I am not sure what your intended use case is - to allow users to restore backups, but not make them? maybe you could describe it a bit more?

 

[dec]

I'm planning a course for my students on 5/6 VM and obviously I don't want them to be able to make any backups but I also want to give them access to existing backup progressively.