PDM - how to manage user permissions on different clusters?

carnyx.io

Active Member
Dec 5, 2020
Hello Community,

We have 4 Proxmox clusters grouped into a single PDM.

We want to manage access rights globally from the PDM for 8 users.

These 8 users would be assigned to 5 standard user "profiles":

  • Full Admin on all clusters
  • Full Admin of cluster 1 and VM admin only (PVEVMAdmin role) on clusters 2, 3 and 4
  • VM admin only on all clusters
  • VM admin only on a specific pool of clusters 2, 3 and 4
  • VM admin only on a specific pool of cluster 1


On the clusters themselves, I can create pools and groups, and assign permissions to them.

But I don't see how to link them to the user accounts created in PDM.

Any idea?
 
Hi,

currently the users/privileges/groups/etc. are completely separate between PVE and PDM,

so if you want to manage the PVE roles you have to do it there.

On PDM, there are separate users/privileges for PDM, and PDM itself has access with the user/token you gave when you set up the remotes.

I can see how a global overview/management for users could make sense (similar to how we show the global updates/firewall/etc. at the moment). If you want, you can open an enhancement request on our bugtracker: https://bugzilla.proxmox.com
 
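Since the reply above says PVE roles have to be managed on each cluster, here is an added example (not code from the thread or from Proxmox) of provisioning the five profiles from the first post on one PVE cluster with `pveum`, plus a dedicated, privilege-separated API token for the PDM remote instead of reusing `root@pam`. Run it once per cluster with `CLUSTER` set to 1..4. The group names, the pool name `vm-pool`, the realm `pve`, the connector user `pdm@pve` and the token id `pdm-remote` are assumptions for illustration; `pveum pool add` needs a PVE release that ships the pool subcommands.

```shell
#!/usr/bin/env bash
# Added example: provision the five user profiles on ONE PVE cluster with pveum.
# Run on every cluster with CLUSTER=1..4. Names below are assumptions.
set -eu

CLUSTER="${CLUSTER:-1}"        # assumption: clusters are numbered 1..4
VM_POOL="${VM_POOL:-vm-pool}"  # assumption: the delegated pool on this cluster
REALM="${REALM:-pve}"          # assumption: realm of the 8 human users
DRY_RUN="${DRY_RUN:-0}"        # 1 = print the pveum commands instead of running them

# Run pveum, or print the command so the plan can be reviewed before applying it.
pve() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "pveum $*"
    else
        pveum "$@"
    fi
}

# Built-in PVE roles: Administrator (full), PVEVMAdmin (VM admin), PVEAuditor (read-only).
# ACL path "/" is the whole cluster, "/pool/<id>" is only that pool.
# Each profile maps to zero or one "path role" pair on this cluster.
profile_acls() {
    case "$1" in
        full-admin)       echo "/ Administrator" ;;
        c1admin-vmadmin)
            if [ "$CLUSTER" = "1" ]; then echo "/ Administrator"; else echo "/ PVEVMAdmin"; fi ;;
        vmadmin-all)      echo "/ PVEVMAdmin" ;;
        vmadmin-pool-234)
            if [ "$CLUSTER" != "1" ]; then echo "/pool/$VM_POOL PVEVMAdmin"; fi ;;
        vmadmin-pool-1)
            if [ "$CLUSTER" = "1" ]; then echo "/pool/$VM_POOL PVEVMAdmin"; fi ;;
        *) echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

PROFILES="full-admin c1admin-vmadmin vmadmin-all vmadmin-pool-234 vmadmin-pool-1"

# Create the pool, one group per profile, and the ACLs this cluster needs.
# A group with no ACL on this cluster is still created so user membership
# can be the same everywhere; it simply grants nothing here.
provision_cluster() {
    pve pool add "$VM_POOL" --comment "delegated-vms"
    for p in $PROFILES; do
        pve group add "$p" --comment "profile-$p"
        profile_acls "$p" | while read -r path role; do
            [ -n "$path" ] || continue
            pve acl modify "$path" --groups "$p" --roles "$role"
        done
    done
}

# Put an existing user (e.g. alice@pve) into a profile group.
assign_user() {  # assign_user <userid@realm> <profile>
    pve user modify "$1" --groups "$2"
}

# Dedicated identity for the PDM remote: a privilege-separated token whose
# rights are set explicitly. With --privsep 1 the token's rights are the
# intersection of its own ACL and the user's, so both get the role.
# Assumption: pass PVEAuditor for a read-only remote, Administrator if PDM
# must perform privileged actions on the cluster.
create_pdm_token() {  # create_pdm_token <role>
    pve user add "pdm@$REALM" --comment "pdm-connector"
    pve user token add "pdm@$REALM" "pdm-remote" --privsep 1 --comment "used-by-pdm"
    pve acl modify / --users "pdm@$REALM" --roles "$1"
    pve acl modify / --tokens "pdm@$REALM!pdm-remote" --roles "$1"
}

# "plan" prints the commands for this cluster without touching it.
if [ "${1:-}" = "plan" ]; then
    DRY_RUN=1
    provision_cluster
    create_pdm_token PVEAuditor
fi
```

Run `CLUSTER=3 ./profiles.sh plan` first and check that the only pool-scoped ACL it prints is for `vmadmin-pool-234`; on cluster 1 the same group gets nothing and `vmadmin-pool-1` gets the pool. The token created here is what you paste into the PDM remote, so its role is the ceiling of what PDM can do on that cluster, whatever the PDM-side user is given.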
thanks for your answer Dominic :-)

I'll open an enhancement request on the bugtracker.

At a minimum, it would be desirable to be able to associate each PDM user with a specific token on each remote.
If we have only one token to connect a remote, I think we won't be able to have different rights.
 
If we have only one token to connect a remote, I think we won't be able to have different rights.
Well, you can give a PDM user privileges to specific things on the PVE remotes so he'll only see (and can interact with) those. It does not give automatic privileges to the PVE cluster itself, since the PDM user is not automatically logged in to PVE.
 
Thank you very much for your answer.

From my understanding, the maximum rights that can be granted to a PDM user are those of the connection token between PDM and the remote.

So, if a connection token with "root" privileges is set on the remote, the PDM user will have root privileges on the PVE cluster after manually connecting to it, or read-only access (if the "auditor" role is set in the PDM Access Control permissions).

Therefore, PDM actually can only be used by general administrators (full access) or for read-only access.

In my opinion, read-only access isn't very useful. Our VMs are monitored by Grafana, our physical Dell servers by OME, and backups are monitored by email alerts in case of problems.

PDM is a very interesting project, but if you want to compete with VMware's vCenter, you need to be able to manage user rights directly within PDM and manage PVE remotes directly from PDM, without an additional connection to the PVE cluster.

Personally, I don't plan to deploy PDM to our IT team in the immediate future.
Perhaps in version 1.1 or 2... it depends on the evolution of the project, especially "rights management".