Groups & Roles management not working as expected

WvdW

Hi,

I read through the User Management KB article to get some background info and applied that below.
I am currently running version 5.4.13.

I created a new group -> users.
I created a new user account -> user1, and assigned it the new group.
I then added a new permission for the @users group to access /vms/101 and assigned it the role PVEVMAdmin.

When logging in as this new user I cannot see any resources in the web UI at all.
When I change the permission to the path /vms instead of /vms/101 then all the VMs are displayed when logging in as the new user.

Questions:
1. How do I restrict the console access to only VM101 and not show all the VMs? I would have assumed that assigning it the path /vms/101 would do it?
2. What are the absolute minimum privileges I have to assign to a new role to only allow a user to access the console and stop and start a VM? I assigned VM.Console, VM.PowerMgmt and VM.Audit?

Comments:
- It looks like propagation does not correctly update successive changes made to permissions. While testing I assigned various different roles, privileges and permissions. After cleaning them all out on the Permissions page some of the assigned privileges are still applied and active even though there is nothing displayed in Permissions. Do you manually have to restart any services to ensure changes and propagation are applied correctly?

Werner
 
> I created a new group -> users.
> I created a new user account -> user1, and assigned it the new group.
> I then added a new permission for the @users group to access /vms/101 and assigned it the role PVEVMAdmin.

I just followed the steps that you described in the GUI and could see the VM with the new user as expected. Did you do this on the CLI? If yes, then please retry it with a completely new user and group as a test setup in the web GUI.

There is a list of PVE's service daemons and their responsibilities on the wiki.
 
I completed all my steps the first time just in the GUI so no actions were taken through CLI.
 
> What are the absolute minimum privileges I have to assign to a new role to only allow a user to access the console and stop and start a VM? I assigned VM.Console, VM.PowerMgmt and VM.Audit?

This is correct.

> Do you manually have to restart any services to ensure changes and propagation are applied correctly?

Restarting something should not be necessary.

> While testing I assigned various different roles, privileges and permissions

Do you have a reproducible setup? I tried around a bit but did not encounter any problems so far. Are you running a cluster?
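
As an added illustration (not part of the thread and not Proxmox VE code), here is a simplified model of path-based ACL resolution with propagation, showing what the setup from the first post would be expected to yield. The role name `ConsoleOperator`, the VM inventory, and the rule that `VM.Audit` decides visibility are assumptions of the model.

```python
# Simplified model of path-based ACL resolution (an assumption, not Proxmox VE code).
from typing import NamedTuple

class Acl(NamedTuple):
    path: str               # e.g. "/vms/101"
    subject: str            # "user1" or "@users" (group, as written in the thread)
    role: str
    propagate: bool = True

# Hypothetical custom role holding the three privileges named in the thread.
ROLES = {"ConsoleOperator": {"VM.Audit", "VM.Console", "VM.PowerMgmt"}}

def levels(path):
    """'/vms/101' -> ['/', '/vms', '/vms/101']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective_roles(acl, user, groups, path):
    """Walk from the root to `path`: a more specific entry replaces inherited
    roles, and a user entry replaces group entries at the same level."""
    roles, chain = set(), levels(path)
    for level in chain:
        # Non-propagating entries only count on the exact path being checked.
        here = [e for e in acl if e.path == level
                and (e.propagate or level == chain[-1])]
        by_user = {e.role for e in here if e.subject == user}
        by_group = {e.role for e in here if e.subject in groups}
        if by_user or by_group:
            roles = by_user or by_group
    return roles

def privileges(acl, user, groups, path):
    roles = effective_roles(acl, user, groups, path)
    return set().union(*(ROLES.get(r, set()) for r in roles))

def visible_vms(acl, user, groups, vmids):
    """Model assumption: a VM is listed when VM.Audit is effective on it."""
    return [v for v in vmids
            if "VM.Audit" in privileges(acl, user, groups, f"/vms/{v}")]

if __name__ == "__main__":
    vmids = [100, 101, 102]  # constructed inventory
    one_vm = [Acl("/vms/101", "@users", "ConsoleOperator")]
    all_vms = [Acl("/vms", "@users", "ConsoleOperator")]
    for acl in (one_vm, all_vms, []):
        print(visible_vms(acl, "user1", {"@users"}, vmids))
```

If a real system behaves differently from this model after permissions have been changed repeatedly, comparing the two gives a concrete, reproducible case to report.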
 
