[SOLVED] LDAP Users can't access storages

Noirvent
Jan 30, 2018
Hello,

I'm a little in despair with this.

We currently use PVE 4.4-22 (without sub), which works like a charm, as long as I use the root account.

I've connected Proxmox to our OpenLDAP server so my users can authenticate against it, and I've defined some pools to separate my "in production" VMs from VMs my users could create for testing/incubating purposes.
(Ideally I'd like a system where people can create their own VMs but can't access VMs created by others, but I'll keep that for later, one problem at a time.)

The LDAP realm works, and my users can authenticate and see the pools I've defined for them based on their group membership (in Proxmox, not LDAP).

So I've defined permissions like
Code:
/pool/testpool @atelier PVEVMAdmin true(propagate)
/storage/gluster-vms @users PVEDatastoreUser true(propagate)

/storage/gluster-vms is a GlusterFS storage (but the problem is the same with local and NFS storages).

The problem is when I log in with an LDAP user (who is a member of @atelier and @users): they can correctly access the pools I've defined (and only those), but they cannot access the storage (either to select ISOs or to create a hard disk). Only the initial root account can.
The problem arises even with users with the PVEAdmin privilege.

What could I have done wrong?
 
Hi,

(either to select ISOs or create hard disk).
For creating a hard disk you need more privileges.
PVEDatastoreUser only allows "allocate backup space and view storage".

Can you please post the user config.
Code:
cat /etc/pve/user.cfg
 
Hello,
Thanks for your reply.

Here's my /etc/pve/user.cfg
Code:
user:user1@company.tld:1:0:User1:User1:user1@company.tld:::
user:user2@company.tld:1:0:User2:User2:user2@company.tld:::
user:user3@company.tld:1:0:User3:User3:user3@company.tld:::
user:root@pam:1:0:::it@company.tld:::

group:admins:user2@company.tld::
group:itopie:user3@company.tld,user2@company.tld::
group:atelier:::
group:apprentis:user1@company.tld::
group:users:user1@company.tld,user3@company.tld,user2@company.tld::

pool:testpool:Test Area:110,114:gluster-vms:
pool:inubo:inubo production servers:107,106,105,103,109,104,101,108:gluster-vms,local-lvm:
pool:itopie:itopie internal servers:112,111,116,113,115,102:local-lvm,gluster-vms:
pool:atelier:atelier test servers:::


acl:1:/pool/atelier:@admins:PVEAdmin:
acl:1:/pool/atelier:@itopie:PVEAuditor:
acl:1:/pool/atelier:@atelier:PVEDatastoreUser,PVEVMAdmin:
acl:1:/pool/inubo:@users,@apprentis,@atelier:NoAccess:
acl:1:/pool/inubo:@admins:PVEAdmin:
acl:1:/pool/inubo:@itopie:PVEAuditor:
acl:1:/pool/itopie:user2@company.tld:Administrator:
acl:1:/pool/itopie:@admins:PVEAdmin:
acl:1:/pool/itopie:@apprentis:PVEAuditor:
acl:1:/pool/itopie:@itopie:PVEDatastoreUser,PVEVMAdmin,PVEVMUser:
acl:1:/pool/testpool:@admins:PVEAdmin:
acl:1:/pool/testpool:@itopie:PVEAdmin,PVEDatastoreUser,PVEVMAdmin:
acl:1:/pool/testpool:@apprentis,@atelier:PVEDatastoreUser,PVEVMAdmin:
acl:1:/storage/gluster-vms:@itopie:PVEDatastoreAdmin:
acl:1:/storage/gluster-vms:@users:PVEDatastoreUser:
acl:1:/storage/local-lvm:@users:PVEDatastoreUser:

But

For creating a hard Disk you need more privilege.
PVEDatastoreUser only allows "allocate backup space and view storage".

None of my "user1", "user2" and "user3" can access any storage (and by "cannot access" I mean the input field has a red border and the dropdown menu is totally empty). Even though user2 has the PVEAdmin and PVEVMAdmin roles...
 
The problem is this line:

acl:1:/pool/inubo:@users,@apprentis,@atelier:NoAccess:

In our permission system, if a resource is forbidden, you can't access it.
You forbid local-storage and gluster-fs over pool inubo, so you are no longer allowed to access them over any other path.
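To make the rule in this reply concrete, here is a small audit script for /etc/pve/user.cfg. It is an added example, not Proxmox's own permission code: it models only what the reply states (a storage is reachable through its /storage/<id> path and through every /pool/<name> it is a member of, and a NoAccess on any of those paths wins over roles granted on the others), ignores propagation and path inheritance, and runs on an abbreviated copy of the config posted in the thread. It reports each (user, storage) pair where a granted role is shadowed by a NoAccess, then shows that dropping the NoAccess line (the fix the thread lands on) clears the findings.

```python
"""Audit a Proxmox user.cfg for NoAccess ACLs that shadow storage roles
granted on another permission path.

Added example, not Proxmox code. It models the rule from the thread only:
the paths consulted for a storage are /storage/<id> plus every /pool/<name>
the storage belongs to, and NoAccess on any of them hides all other roles.
Propagation, path inheritance and API tokens are deliberately not modelled."""
from collections import defaultdict

# Constructed sample: an abbreviated copy of the user.cfg posted in the thread.
SAMPLE_CFG = """\
user:user1@company.tld:1:0:User1:User1:user1@company.tld:::
user:user2@company.tld:1:0:User2:User2:user2@company.tld:::
user:root@pam:1:0:::it@company.tld:::
group:admins:user2@company.tld::
group:atelier:::
group:apprentis:user1@company.tld::
group:users:user1@company.tld,user2@company.tld::
pool:testpool:Test Area:110,114:gluster-vms:
pool:inubo:inubo production servers:107,106:gluster-vms,local-lvm:
acl:1:/pool/inubo:@users,@apprentis,@atelier:NoAccess:
acl:1:/pool/inubo:@admins:PVEAdmin:
acl:1:/storage/gluster-vms:@users:PVEDatastoreUser:
acl:1:/storage/local-lvm:@users:PVEDatastoreUser:
"""


def parse_user_cfg(text):
    """Parse the colon-separated records we need: user, group, pool and acl lines."""
    cfg = {"users": set(), "groups": defaultdict(set), "pools": {}, "acls": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "user":
            cfg["users"].add(f[1])
        elif f[0] == "group":  # group:<name>:<user,user,...>:<comment>:
            for member in filter(None, f[2].split(",")):
                cfg["groups"][member].add("@" + f[1])  # user -> {@group, ...}
        elif f[0] == "pool":   # pool:<name>:<comment>:<vmids>:<storages>:
            cfg["pools"][f[1]] = set(filter(None, f[4].split(",")))
        elif f[0] == "acl":    # acl:<propagate>:<path>:<ugids>:<roles>:
            cfg["acls"].append({"path": f[2],
                                "subjects": set(f[3].split(",")),
                                "roles": set(f[4].split(","))})
    return cfg


def paths_covering_storage(cfg, storeid):
    """/storage/<id> plus every /pool/<name> that lists the storage."""
    paths = {"/storage/" + storeid}
    paths |= {"/pool/" + p for p, stores in cfg["pools"].items() if storeid in stores}
    return paths


def roles_on_storage(cfg, user, storeid):
    """Return (granted_roles, paths_with_NoAccess) for user over all covering paths."""
    subjects = {user} | cfg["groups"].get(user, set())
    paths = paths_covering_storage(cfg, storeid)
    granted, denied = set(), set()
    for acl in cfg["acls"]:
        if acl["path"] in paths and acl["subjects"] & subjects:
            if "NoAccess" in acl["roles"]:
                denied.add(acl["path"])
            else:
                granted |= acl["roles"]
    return granted, denied


def effective_storage_roles(cfg, user, storeid):
    """The thread's rule: any NoAccess on a covering path hides every granted role."""
    granted, denied = roles_on_storage(cfg, user, storeid)
    return set() if denied else granted


def audit(cfg):
    """List (user, storage, shadowing paths) where granted roles are hidden by NoAccess."""
    storages = set().union(*cfg["pools"].values())
    storages |= {a["path"][len("/storage/"):] for a in cfg["acls"]
                 if a["path"].startswith("/storage/")}
    findings = []
    for user in sorted(cfg["users"]):
        for storeid in sorted(storages):
            granted, denied = roles_on_storage(cfg, user, storeid)
            if granted and denied:
                findings.append((user, storeid, sorted(denied)))
    return findings


def drop_noaccess(text, path):
    """The fix from the thread: remove NoAccess ACLs on `path` and rely on the
    absence of any grant instead (a subject with no role on a path gets nothing)."""
    keep = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "acl" and f[2] == path and "NoAccess" in f[4].split(","):
            continue
        keep.append(line)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    cfg = parse_user_cfg(SAMPLE_CFG)
    for user, storeid, paths in audit(cfg):
        print(f"{user}: roles on /storage/{storeid} shadowed by NoAccess on {', '.join(paths)}")
    fixed = parse_user_cfg(drop_noaccess(SAMPLE_CFG, "/pool/inubo"))
    print("after removing NoAccess:", audit(fixed))
```

Run it against a real file with `parse_user_cfg(open("/etc/pve/user.cfg").read())`; note that root@pam is exempt from ACL checks in Proxmox, so an empty result for root is expected and not a finding.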
 
Okay, I just tested and it seems to work.
I didn't understand that NoAccess was meant to override other access. So I deleted the NoAccess and just left the unwanted groups out of my prod pool, and I got the same effect, except they can indeed access storage now.

Thousands of thanks.

I'm already satisfied with this, but while I'm at it I may just ask: is there a way to permit basic users to create their own VMs but have them non-editable by other non-admin users?