Nested pools

jfguillaume

New Member
May 30, 2023
Hello,

This is going to be a mix of two problems that are sort of linked.

We use pools to both provide an easy way to manage access and to sort our virtual machines.

Let's say we have the following tree:
Code:
INFRA
  |- DNS
  |- LDAP
  |    |- PROD
  |    |- PREPROD
  |    |- TEST
And the groups "General Admins", "Ldaps Admins", "Ldaps Prod Admins", "Ldaps Prod Admins", "DNS Admins", etc.
We would like, for example, the group "Ldaps Admins" to have access to the pool LDAP and its children (current ones and those that might be added afterwards), "Ldaps Prod Admins" to have access only to the pool Prod (and pools added as its children afterwards) inside LDAP, and so on.

Right now, the resource pool tree is a flat tree, which can get quite awkward to navigate and requires adding permissions on each node.

Is there a way to have nested resource pools in PVE?

Secondly, is there a way to organize virtual machines in folders / a tree just for visual purposes?

Cheers,
Jeff
 
> Is there a way to have nested resource pools in PVE?
>
> Secondly, is there a way to organize virtual machines in folders / a tree just for visual purposes?
That is currently a no for both questions.

If you are using a somewhat recent version, you should be able to assign tags to guests though. With tags and/or a naming scheme and the search (very top of the GUI or Summary panels) you should get a quick view of the guests belonging to a "group".

Don't forget that you can enable additional columns in the Summary panels. Hover over a column heading and a small arrow-down button should show up that gives you access to enable/disable columns.

A guest can only be part of one resource pool. So you will end up with quite a few resource pools, depending on how fine-grained you need your permissions to be.

If the initial assignment of permissions for groups to the resource pools is that much work, consider scripting it. The pveum man page should give you some idea on what you can do. The file /etc/pve/user.cfg contains the user, group and permission settings.
 
Hello,

Thank you for your fast reply.
> That is currently a no for both questions.
Is this a hard no or is this in your roadmap?
> If you are using a somewhat recent version, you should be able to assign tags to guests though. With tags and/or a naming scheme and the search (very top of the GUI or Summary panels) you should get a quick view of the guests belonging to a "group".
>
> Don't forget that you can enable additional columns in the Summary panels. Hover over a column heading and a small arrow-down button should show up that gives you access to enable/disable columns.
That's kind of how we do it, I was wondering if there was another way.
> A guest can only be part of one resource pool. So you will end up with quite a few resource pools, depending on how fine-grained you need your permissions to be.
Yep, that's currently our issue.
> If the initial assignment of permissions for groups to the resource pools is that much work, consider scripting it. The pveum man page should give you some idea on what you can do. The file /etc/pve/user.cfg contains the user, group and permission settings.
We will try to see how we can script our way out of this.

Thanks again for your time.

Cheers,
Jeff
 
> Is this a hard no or is this in your roadmap?
I found an older feature request in our bugtracker that seems to request what you want.

Looks like it didn't get a lot of interest, as no one else chimed in since then.
 
@aaron I see the feature request was marked as "fixed in pve-manager >= 8.1.0". Is there any documentation on this feature yet?
 
> @aaron I see the feature request was marked as "fixed in pve-manager >= 8.1.0". Is there any documentation on this feature yet?

Maybe this helps already?:
Access control
Support nested pools up to a nesting depth of 3 levels for greater flexibility in structuring VMs and containers (issue 1148).
Pool names can now contain at most two slashes (allowing to structure them as parent/child/grandchild).
Permissions are inherited along the path according to the usual inheritance rules.
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.1
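
The scripting suggested earlier in the thread, applied to the nested pools from the roadmap entry above, as an added example that is not part of any post in this thread. The group ids and the choice of the built-in role PVEVMAdmin are assumptions (the groups are assumed to exist already); the pool tree is the one from the first post, and the script only prints the `pveum` commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default; APPLY=1 executes.
# Assumptions: the group ids and the role are placeholders for your own.
ROLE="PVEVMAdmin"

# Constructed mapping, one "<pool path> <group id>" pair per line.
MAPPING='INFRA general-admins
INFRA/DNS dns-admins
INFRA/LDAP ldap-admins
INFRA/LDAP/PROD ldap-prod-admins'

# Pool names may contain at most two slashes (parent/child/grandchild).
pool_depth_ok() {
    case "$1" in ""|/*|*/|*//*|*/*/*/*) return 1 ;; esac
    return 0
}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create pool $1 and any ancestors not yet handled, parents first.
ensure_pool() {
    case "$CREATED" in *"|$1|"*) return 0 ;; esac
    case "$1" in */*) ensure_pool "${1%/*}" ;; esac
    run pveum pool add "$1" || echo "warn: pool add failed for $1 (already exists?)" >&2
    CREATED="$CREATED|$1|"
}

# One ACL entry per pool; child pools inherit it along the path.
apply_mapping() {
    CREATED=""
    while read -r pool group; do
        [ -n "$pool" ] || continue
        if ! pool_depth_ok "$pool" || [ -z "$group" ]; then
            echo "error: bad entry '$pool $group'" >&2
            return 1
        fi
        ensure_pool "$pool"
        run pveum acl modify "/pool/$pool" --groups "$group" \
            --roles "$ROLE" --propagate 1
    done <<EOF
$1
EOF
}

apply_mapping "$MAPPING"
```

Review the printed commands and the resulting entries in /etc/pve/user.cfg before relying on them, so that a broad role granted on a parent pool does not reach child pools it was not meant for.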
 