Hello everyone,
I am currently in the final stages of configuring my server and having it in production.
In general I always use a couple of accounts from most privileged to least privileged.
I have created 2 users extra users (not the real usernames):
User1
User2
root is used as "super admin" and is (in general) only used for system updates or changing user permissions.
User1 is used as "system admin" and is used to do admin tasks.
It has has path / and role PVEAdmin.
User2 is used as "user" and is the account I want to login with as default. (Since it is the least privileged user.)
And here is where my lack of knowledge starts to show of the PVE permission system.
I added the following permissions:
Path /pool/user2 with role PVEDatastoreUser
Path /pool/user2 with role PVEVMUser
Path /pool/user2 with role PVEPoolUser
Path /pool/user2 with role PVETemplateUser
Path /sdn/zones with role PVESDNUser
And every permission as Propagate set to true.
Pool user2 is configured with vm-disk-zfs as storage and VM 900 & 901 as these are my templates to create new VMs from.
I have not added local-zfs as storage since I do not want User2 to be able to use/access local-zfs. (It should only be used to store template disks/data to clone from.)
Whenever I clone a template I select:
Mode: Full clone
Target Storage: vm-disk-zfs
Resource Pool: user2
But when I click on clone i get a 403 permission error. (Message: Permission check failed (403))
I have also tried to give it access to the local-zfs storage via the pool to see if it needs permission to the local-zfs storage to clone from but I still get the 403 error. (And I prefere to keep local-zfs hidden from User2 as I only want user2 to use vm-disk-zfs)
I want User2 to be able to clone 900 and 901 to the vm-disk-zfs storage and configure cloud-init and the network bridge. (SInce I have both a SNAT and a WAN network)
I do not want User2 to be able to modify the system resources like cores and RAM. (If I need to change that I can do that via User1)
Does anyone know what permission I missed that is causing the 403 error?
Thanks in advance.
I am currently in the final stages of configuring my server and having it in production.
In general I always use a couple of accounts from most privileged to least privileged.
I have created 2 users extra users (not the real usernames):
User1
User2
root is used as "super admin" and is (in general) only used for system updates or changing user permissions.
User1 is used as "system admin" and is used to do admin tasks.
It has has path / and role PVEAdmin.
User2 is used as "user" and is the account I want to login with as default. (Since it is the least privileged user.)
And here is where my lack of knowledge starts to show of the PVE permission system.
I added the following permissions:
Path /pool/user2 with role PVEDatastoreUser
Path /pool/user2 with role PVEVMUser
Path /pool/user2 with role PVEPoolUser
Path /pool/user2 with role PVETemplateUser
Path /sdn/zones with role PVESDNUser
And every permission as Propagate set to true.
Pool user2 is configured with vm-disk-zfs as storage and VM 900 & 901 as these are my templates to create new VMs from.
I have not added local-zfs as storage since I do not want User2 to be able to use/access local-zfs. (It should only be used to store template disks/data to clone from.)
Whenever I clone a template I select:
Mode: Full clone
Target Storage: vm-disk-zfs
Resource Pool: user2
But when I click on clone i get a 403 permission error. (Message: Permission check failed (403))
I have also tried to give it access to the local-zfs storage via the pool to see if it needs permission to the local-zfs storage to clone from but I still get the 403 error. (And I prefere to keep local-zfs hidden from User2 as I only want user2 to use vm-disk-zfs)
I want User2 to be able to clone 900 and 901 to the vm-disk-zfs storage and configure cloud-init and the network bridge. (SInce I have both a SNAT and a WAN network)
I do not want User2 to be able to modify the system resources like cores and RAM. (If I need to change that I can do that via User1)
Does anyone know what permission I missed that is causing the 403 error?
Thanks in advance.