Permissions and roles

kcalliauw

Hi all,

I've upgraded to the RC1 release today and I'm trying out the new permissions model. I've created a group and a user belonging to that group using the Proxmox VE authentication method. After that, I've added a resource pool with a few VMs in it and the storage that these VMs use (KVM with NFS shares). Added permissions "PVEVMAdmin" to this resource pool.

Now, when logging in as this user I can manage the VMs correctly, but since this user doesn't have access to any of the physical nodes, wouldn't it make more sense to not show these in the interface?
Ideally I would be able to limit the user's view to a view where the user sees only what he/she has access to. Since I've appointed only VM administration rights, the user has no business knowing on which physical server his VM is running on or how many physical nodes there are in the datacenter. Is it possible to do this in configuration files or through the CLI? Am I missing something?

Edit: also, PVEDatastoreUser -> I want my users to be able to upload ISO files to their datastores, is that Datastore.AllocateTemplate they need? How would I add that permission to the PVEDatastoreUser role? Is there anything they would be able to do besides upload ISO files that they shouldn't be able to do?

In any case, awesome job on the new release!

Best regards,
Koen
 
Ideally I would be able to limit the user's view to a view where the user sees only what he/she has access to. Since I've appointed only VM administration rights, the user has no business knowing on which physical server his VM is running on or how many physical nodes there are in the datacenter. Is it possible to do this in configuration files or through the CLI? Am I missing something?

Role "PVEVMAdmin" has VM.Migrate privilege, so I guess it is quite useful to see the nodes.

Anyways, the plan is to create some kind of user portal, only showing a limited GUI.


Edit: also, PVEDatastoreUser -> I want my users to be able to upload ISO files to their datastores, is that Datastore.AllocateTemplate they need? How would I add that permission to the PVEDatastoreUser role?

The plan was that the 'PVEDatastoreAdmin' uploads the templates.

Or you create a new role (but we do not have a GUI currently).

Is there anything they would be able to do besides upload ISO files that they shouldn't be able to do?

No.
 
Hi,

I understand that the nodes are visible for migration purposes. I'm looking forward to the locked-down GUI. Is there any way I could hide the tabs and GUI elements that the user doesn't have permission to? Right now it just gives them an error message, which isn't exactly user-friendly.

As for the ISO uploading, I did something like this:

Code:
pveum roleadd PVEDatastorePowerUser -privs "Datastore.AllocateSpace Datastore.Audit Datastore.AllocateTemplate"

Then I removed the PVEDatastoreUser permission from the resource pool and added PVEDatastorePowerUser instead. However, I can't upload ISO files to the datastores (not even with PVEDatastoreAdmin). At the end of the upload progress it displays this error: "Error 403: Permission check failed". I noticed that when selecting the ISO file in the upload dialog as my user, ExtJS fills in something like C:\fakepath\myiso.iso as the filename. It doesn't do that when uploading as Administrator (root).

Best regards,
Koen
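
An audit sketch for the custom-role setup described in the post above, added here as an example and not part of the original thread or of Proxmox's own code: it lists which users end up holding a given privilege, such as Datastore.AllocateTemplate, through which role and on which path. The user.cfg-style line layout, the sample users, group and pool, and the predefined-role privilege sets are assumptions.

```python
# Added example. Constructed sample in the layout of /etc/pve/user.cfg
# (layout is an assumption; users, group and pool names are made up).
SAMPLE_CFG = """\
user:koen@pve:1:0::::
user:ops@pve:1:0::::
group:customers:koen@pve::
role:PVEDatastorePowerUser:Datastore.AllocateSpace,Datastore.Audit,Datastore.AllocateTemplate:
acl:1:/pool/customer-a:@customers:PVEVMAdmin,PVEDatastorePowerUser:
acl:1:/storage:ops@pve:PVEDatastoreAdmin:
"""

# Predefined roles are not stored in the file. The privilege sets below are an
# assumption based on current Proxmox VE documentation, not on the RC1 in the thread.
BUILTIN_ROLES = {
    "PVEDatastoreUser": {"Datastore.AllocateSpace", "Datastore.Audit"},
    "PVEDatastoreAdmin": {"Datastore.Allocate", "Datastore.AllocateSpace",
                          "Datastore.AllocateTemplate", "Datastore.Audit"},
}

def _items(field):
    """Split a comma-separated config field, dropping empty entries."""
    return [x.strip() for x in field.split(",") if x.strip()]

def parse_user_cfg(text):
    """Return (groups, roles, acls) parsed from user.cfg-style lines."""
    groups, roles, acls = {}, dict(BUILTIN_ROLES), []
    for line in text.splitlines():
        f = line.strip().split(":")
        if f[0] == "group" and len(f) >= 3:
            groups[f[1]] = set(_items(f[2]))
        elif f[0] == "role" and len(f) >= 3:
            roles[f[1]] = set(_items(f[2]))
        elif f[0] == "acl" and len(f) >= 5:
            acls += [(p, w, r) for p in _items(f[2])
                     for w in _items(f[3]) for r in _items(f[4])]
    return groups, roles, acls

def who_holds(text, privilege):
    """List (user, path, role) for every ACL entry whose role grants `privilege`."""
    groups, roles, acls = parse_user_cfg(text)
    hits = set()
    for path, who, role in acls:
        if privilege not in roles.get(role, set()):  # role not defined here: skipped
            continue
        members = groups.get(who[1:], set()) if who.startswith("@") else {who}
        hits.update((user, path, role) for user in members)
    return sorted(hits)

if __name__ == "__main__":
    for user, path, role in who_holds(SAMPLE_CFG, "Datastore.AllocateTemplate"):
        print(f"{user} holds Datastore.AllocateTemplate on {path} via {role}")
```

Roles that are neither defined in the input nor listed in BUILTIN_ROLES (PVEVMAdmin in the sample) are skipped, so extend the table before relying on the result for other privileges.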
 
You can't modify predefined roles - create a new one instead.

I assume that's what I did? If not with "pveum roleadd", what is the correct command for adding roles?

edit: please note the "Power" in PVEDatastorePowerUser, which is a non-existing and thus new role.

Cheers,
K!
 
I assume that's what I did? If not with "pveum roleadd", what is the correct command for adding roles?
edit: please note the "Power" in PVEDatastorePowerUser, which is a non-existing and thus new role.

Oh, I can see it now. You have done everything correctly, but there was a bug in the file upload permission check.

I just uploaded a fix for that. Please can you update and test?
 
