Permissions are the wrong way around

May 21, 2020
What I want to achieve is that I have a user that can only view data in the Web UI and power on / off only certain nodes, to save power and avoid an accidental power-off of nodes that I can't power on remotely with etherwake.

I have a cluster with node A,B,C,D

I have a PVE Authentication Server User called "web"

Created group "Remote-Maintenance" and only user "web@pve" is in that group

Created role

Remote-MaintenanceUser
Privileges: Datastore.Audit Pool.Audit Sys.Audit Sys.Syslog VM.Audit VM.Backup VM.Clone VM.Config.CPU VM.Config.Memory VM.Migrate VM.Monitor VM.PowerMgmt VM.Snapshot

Created role
Allow-BackupNodePowerMgmt
Privileges: Sys.PowerMgmt

Created permission:
Path: /
User/Group/API Token: @Remote-Maintenance
Role: PVEAuditor
Propagate: true

Created permission:
Path: /
User/Group/API Token: @Remote-Maintenance
Role: Remote-MaintenanceUser
Propagate: true

Created permission:
Path: /nodes/B
User/Group/API Token: @Remote-Maintenance
Role: Remote-Allow-BackupNodePowerMgmt
Propagate: true

Now when logging in with the user I can shut down nodes A, C, D.
What I wanted is that I can shut down B but not A, C, D.
 
works here without problems
I tested a more simplified setup:
1 role with only Sys.PowerMgmt
testuser has PVEAuditor on / and sys.powermgmt role on /nodes/somenode
could not shut off another node, with the error:

Permission check failed (/nodes/pve7, Sys.PowerMgmt) (403)

edit: can you post your /etc/pve/user.cfg?
 
Here is my /etc/pve/user.cfg

Code:
user:root@pam:1:0:::mail@example.com:::
user:web@pve:1:0::::COMMENT.::

group:Remote-Maintenance:web@pve::


role:Allow-BackupNodePowerMgmt:Sys.PowerMgmt:
role:Remote-MaintenanceUser:Datastore.Audit,Pool.Audit,Sys.Audit,Sys.Syslog,VM.Audit,VM.Backup,VM.Clone,VM.Config.CPU,VM.Config.Memory,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:0:/:@Remote-Maintenance:PVEAuditor,Remote-MaintenanceUser:
acl:1:/nodes/legolas:@Remote-Maintenance:Allow-BackupNodePowerMgmt:
 
sorry for the late answer:

did you actually try to shut down the nodes? as I said, it works here as expected (the button is still enabled, but the backend will not let you power off)
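To make the inheritance rule behind that reply concrete, here is an added example (not code from the thread or from Proxmox) that parses a constructed user.cfg modelled on the simplified test above, with the group indirection from the first post, and answers "does this user hold this privilege on this path?". It is a simplified model: a privilege applies when an ACL entry for the user or one of their groups sits on the exact path or on an ancestor with propagate=1; the PVEAuditor contents and the `testuser@pve` / `somenode` names are assumptions, and the authoritative evaluation is done by pve-access-control.

```python
"""Simplified checker for the /etc/pve/user.cfg ACL model shown in this thread.
Assumption: a privilege applies on a path when an ACL entry for the user or one
of their groups sits on that path, or on an ancestor with propagate=1, and one
of its roles carries it. The authoritative logic is in pve-access-control."""
from collections import defaultdict

# Constructed config: the staff reply's simplified test plus the OP's group indirection.
USER_CFG = """\
user:testuser@pve:1:0::::::
group:Remote-Maintenance:testuser@pve::
role:Allow-BackupNodePowerMgmt:Sys.PowerMgmt:
acl:1:/:@Remote-Maintenance:PVEAuditor:
acl:1:/nodes/somenode:@Remote-Maintenance:Allow-BackupNodePowerMgmt:
"""
# Assumed subset of the built-in PVEAuditor role; it carries no Sys.PowerMgmt.
BUILTIN_ROLES = {"PVEAuditor": {"Datastore.Audit", "Pool.Audit", "Sys.Audit", "Sys.Syslog", "VM.Audit"}}

def parse_user_cfg(text):
    """Return (groups, roles, acls); user lines and anything else are ignored."""
    groups, roles, acls = defaultdict(set), dict(BUILTIN_ROLES), []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "group":      # group:NAME:member,member::
            groups[f[1]].update(m for m in f[2].split(",") if m)
        elif f[0] == "role":     # role:NAME:Priv,Priv:
            roles[f[1]] = {p for p in f[2].split(",") if p}
        elif f[0] == "acl":      # acl:PROPAGATE:PATH:USER|@GROUP:ROLE,ROLE:
            acls.append((f[2], f[1] == "1", set(f[3].split(",")), set(f[4].split(","))))
    return groups, roles, acls

def ancestors(path):
    """'/nodes/pve7' -> ['/', '/nodes', '/nodes/pve7'] (the path itself included)."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_privs(cfg, user, path):
    groups, roles, acls = cfg
    subjects = {user} | {"@" + g for g, members in groups.items() if user in members}
    privs = set()
    for acl_path, propagate, who, rolenames in acls:
        if who & subjects and (acl_path == path or (propagate and acl_path in ancestors(path))):
            privs |= set().union(*(roles.get(r, set()) for r in rolenames))
    return privs

def check_permission(cfg, user, path, priv):
    """True when allowed; otherwise raise the same 403 text the backend returns."""
    if priv in effective_privs(cfg, user, path):
        return True
    raise PermissionError(f"Permission check failed ({path}, {priv}) (403)")
```

With this config the node-scoped role grants Sys.PowerMgmt on /nodes/somenode only, while the root-level PVEAuditor still propagates to every node, which is exactly the split the thread is after.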
 