How to create new user account similar to root

bond347

Oct 21, 2022
Hi All,

I have a 3-host cluster setup. I wanted to create a new user account "pveuser1" and give it permissions similar or almost similar to the root user account.

1. Do I need to create pveuser1 on all 3 hosts?
2. How do I give root permission to the user?

Hope you get some replies.
 
no, user configuration is shared across the cluster. if you want to create it in the PAM realm, you do need to first create the actual system user on each node though.

you can then give that user roles (Administrator is the one with all privileges) on paths. note that some parts/features are restricted to the actual root@pam user with no way to delegate - see https://bugzilla.proxmox.com/show_bug.cgi?id=2582
 
Hi Leesteken and Fabian,

Thanks for the replies.

I'm a bit confused about Linux PAM and PVE authentication.

What I wanted was to create a group "admin" with the Administrator role and assign user1 to group "admin". This way, I just grant/revoke permissions on the group rather than the user itself. user1 must be able to:
1. Log in to the Proxmox GUI as administrator
2. Navigate/access the 3-host cluster
3. Create VMs, storage, etc.
4. SSH to the hosts

Note: Like user root, it can log in to the GUI and do all the work, and can also SSH to the hosts.

So, which user authentication method should I use, and what should I do to create the user?
 
if you want SSH, then you need a PAM user. create the user on the system (e.g., with "adduser"), then make PVE aware of it (by adding it to the PAM realm in PVE), then give it the ACLs you desire.
 
In addition to that you can also create custom roles. Then assign the privileges you like to that role and give these users that role. This way you don't have to assign all those single privileges to each of those admin users.
This is then similar to assigning users to a group, if you think of the roles as some kind of group.
 
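The steps from the replies above (system user on each node, PAM-realm user in PVE, group with the Administrator role on `/`), put together as an added example that is not part of the original posts. The user and group names come from the thread; the helper functions `run`, `valid_name`, `create_system_user` and `grant_admin_via_group` are hypothetical, and the group comment text is made up.

```shell
#!/bin/sh
# Added example (not from the thread). DRY_RUN=1 (default) only prints the
# commands; run with DRY_RUN=0 as root to execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Hypothetical helper: accept only simple names, so input cannot be read
# as an option ("-x") or carry a realm suffix ("user@pam").
valid_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Node-local step: repeat on EVERY node, system accounts are not replicated.
create_system_user() {
    valid_name "$1" || { echo "invalid user name: $1" >&2; return 1; }
    run adduser "$1"
}

# Cluster-wide steps: run ONCE on any node, PVE user config is shared.
grant_admin_via_group() {
    user="$1"; group="$2"
    { valid_name "$user" && valid_name "$group"; } ||
        { echo "invalid user or group name" >&2; return 1; }
    run pveum group add "$group" --comment "Cluster administrators"
    run pveum acl modify / --groups "$group" --roles Administrator
    run pveum user add "${user}@pam"
    run pveum user modify "${user}@pam" --groups "$group"
}

# Names taken from the thread.
create_system_user pveuser1
grant_admin_via_group pveuser1 admin
```

Because the ACL is attached to the group, access is revoked later by removing the user from the group rather than by editing ACL entries per user.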
Hi Fabian,

Thanks for the guidance. I managed to create a PAM user on each system and created the PAM user account in PVE too.

My user1 is part of an Administrator group. I was able to SSH in. However, when I execute commands I see the error "#cat: /etc/pve/user.cfg: Permission denied"

What was wrong? Which steps did I miss?
 
that file is not readable by regular PAM users, only by www-data and root.
 
What if I want to create an account "Admin2" that can access the cluster node and also has permission to create new VMs but cannot delete VMs?
 
There is no privilege that allows creation but prohibits deletion. If you want a single measure against accidental deletion, you can protect VMs so that they cannot be deleted until the protection flag is manually removed. From a security standpoint, this is not the same as what you want, but maybe it solves the actual problem you want to tackle.
 
Well, thanks for your application. And based on this question, I would like to ask one more question: does Proxmox VE support newly created accounts viewing and managing only their own virtual machines?
 
guests don't have ownership in PVE, but you can define ACLs that are limited to specific guests or pools and their contained guests.
 
