Permission management at pool-level

floh

Hello!

I have a question regarding the permission of certain users to manage one pool (which I want to let them manage).

I want to give a certain user the rights to manage a pool. For example: The Controlling-Guy which is familiar with the proxmox-gui should be able to resize the disk of one controlling-vm. But he should not be able to switch the network.

Or: The team should be allowed to switch the network (disconnect and connect, or switch the vmbr assigned to the interface) but not to change the memory or CPU cores.

I know this use-case is very fine granular - the question is: Is this kind of permission management already implemented or is it like: "you can manage all hardware or no hardware (of the VM) at all."?


Best wishes
Flo
 
Hi,

I know this use-case is very fine granular - the question is: Is this kind of permission management already implemented or is it like: "you can manage all hardware or no hardware (of the VM) at all."?

It is implemented to a certain degree. For your case you may want to create a custom role; for the HD resize thing it could have the Datastore.AllocateSpace and VM.Config.Disk privileges, e.g.:
[Screenshot: Screenshot_2020-06-26 prod1 - Proxmox Virtual Environment.png]

Then add this as a permission to the respective pool, for example if you have a group for the controlling-guys:
[Screenshot: Screenshot_2020-06-26 prod1 - Proxmox Virtual Environment(1).png]

Then all members of that team have the privileges from that role on all pool resources.
https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_permission_management
 
Ohh that's nice!

Thanks for that - haven't thought that way.

One additional question - which I guess isn't implemented (yet):
Is there a way to define like: the pool "controlling" is allowed to have 50 CPU cores.
So I can give a controlling-team-member the right to change the cpu but to limit it so he cannot give their vms in the pool in total 50 CPUs but he cannot use more than that?

I know it's a very specific request - but do you know if there is a way to build something like that? Is there a work-around?^^


My thought would be to tell them that they are only allowed to use (f.ex) 50 Cores and I'll monitor their total assigned CPUs via some simple API-requests and once they assign more than (f.ex) 50 Cores I can manually scold them.
But it would be nice if you have already implemented that ;-)

best regards
Flo
 
Is there a way to define like: the pool "controlling" is allowed to have 50 CPU cores.
So I can give a controlling-team-member the right to change the cpu but to limit it so he cannot give their vms in the pool in total 50 CPUs but he cannot use more than that?

No, currently that's not implemented from our side. To have something like this is on the long-term roadmap though.

there is a way to build something like that? Is there a work-around?^^

One could move this logic out into its own VM start hook script, where the user and the used CPU counts are checked, and if more than allowed the script aborts the start of that VM. More hands-on, but a workaround. https://pve.proxmox.com/pve-docs/chapter-qm.html#_hookscripts

My thought would be to tell them that they are only allowed to use (f.ex) 50 Cores and I'll monitor their total assigned CPUs via some simple API-requests and once they assign more than (f.ex) 50 Cores I can manually scold them.

That would certainly work too :)
 
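The hookscript workaround suggested in the reply above could look like the following sketch. This is an added example, not code from the thread or from Proxmox. It assumes the script runs on the PVE node, that `pvesh get /pools/<pool>` returns a `members` list whose guest entries carry `vmid`, `type`, `status` and `maxcpu`, and that the budget counts running guests plus the one being started; `may_start`, `cores_in_use` and the sample data are hypothetical names and constructed values.

```python
#!/usr/bin/env python3
# Pre-start hookscript sketch (added example): enforce a per-pool core budget.
import json
import subprocess
import sys

POOL = "controlling"  # pool name used in the thread
CORE_LIMIT = 50       # budget used in the thread

# Constructed sample of a pool's "members" list; field names are an assumption.
SAMPLE_MEMBERS = [
    {"vmid": 101, "type": "qemu", "status": "running", "maxcpu": 32},
    {"vmid": 102, "type": "qemu", "status": "running", "maxcpu": 16},
    {"vmid": 103, "type": "qemu", "status": "stopped", "maxcpu": 4},
    {"vmid": 104, "type": "qemu", "status": "stopped", "maxcpu": 2},
    {"type": "storage", "storage": "local", "status": "available"},
]

def cores_in_use(members, exclude_vmid=None):
    """Sum maxcpu over running guests in the pool, optionally skipping one VMID."""
    return sum(int(m.get("maxcpu", 0)) for m in members
               if m.get("type") in ("qemu", "lxc")
               and m.get("status") == "running"
               and m.get("vmid") != exclude_vmid)

def may_start(members, vmid, limit=CORE_LIMIT):
    """Return (allowed, total_cores_after_start) for starting `vmid`."""
    guest = next((m for m in members if m.get("vmid") == vmid), None)
    if guest is None:  # VM is not in this pool, so the budget does not apply
        return True, cores_in_use(members)
    total = cores_in_use(members, exclude_vmid=vmid) + int(guest.get("maxcpu", 0))
    return total <= limit, total

def fetch_members(pool):
    """Read pool membership on the PVE node via pvesh."""
    cmd = ["pvesh", "get", f"/pools/{pool}", "--output-format", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)["members"]

def main(argv):
    vmid, phase = int(argv[1]), argv[2]  # hookscripts are called as: <vmid> <phase>
    if phase != "pre-start":
        return 0
    allowed, total = may_start(fetch_members(POOL), vmid)
    if not allowed:
        print(f"pool {POOL}: {total} cores would exceed {CORE_LIMIT}", file=sys.stderr)
        return 1  # non-zero exit in pre-start aborts the VM start
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check runs only when a VM starts, so the API-based monitoring floh describes is still useful for spotting core counts that were raised on guests that have not been restarted.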
