Permissions are the wrong way around

May 21, 2020
What I want to achieve is that I have a user that can only view data in the Web UI and power on / off only certain nodes, to save power and avoid accidental power-off of nodes that I can't power on remotely with etherwake.

I have a cluster with node A,B,C,D

I have a PVE Authentication Server User called "web"

Created group "Remote-Maintenance" and only user "web@pve" is in that group

Created role

Remote-MaintenanceUser
Privileges: Datastore.Audit Pool.Audit Sys.Audit Sys.Syslog VM.Audit VM.Backup VM.Clone VM.Config.CPU VM.Config.Memory VM.Migrate VM.Monitor VM.PowerMgmt VM.Snapshot

Created role
Allow-BackupNodePowerMgmt
Privileges: Sys.PowerMgmt

Created permission:
Path: /
User/Group/API Token: @Remote-Maintenance
Role: PVEAuditor
Propagate: true

Created permission:
Path: /
User/Group/API Token: @Remote-Maintenance
Role: Remote-MaintenanceUser
Propagate: true

Created permission:
Path: /nodes/B
User/Group/API Token: @Remote-Maintenance
Role: Remote-Allow-BackupNodePowerMgmt
Propagate: true

Now when logging in with the user I can shutdown Nodes A,C,D
What I wanted is that I can shutdown B but not A,C,D
 
Works here without problems.
I tested a more simplified setup:
1 role with only Sys.PowerMgmt
testuser has PVEAuditor on / and the Sys.PowerMgmt role on /nodes/somenode
Could not shut off another node; got the error:

Permission check failed (/nodes/pve7, Sys.PowerMgmt) (403)

edit: can you post your /etc/pve/user.cfg ?
 
Here is my /etc/pve/user.cfg

Code:
user:root@pam:1:0:::mail@example.com:::
user:web@pve:1:0::::COMMENT.::

group:Remote-Maintenance:web@pve::


role:Allow-BackupNodePowerMgmt:Sys.PowerMgmt:
role:Remote-MaintenanceUser:Datastore.Audit,Pool.Audit,Sys.Audit,Sys.Syslog,VM.Audit,VM.Backup,VM.Clone,VM.Config.CPU,VM.Config.Memory,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:0:/:@Remote-Maintenance:PVEAuditor,Remote-MaintenanceUser:
acl:1:/nodes/legolas:@Remote-Maintenance:Allow-BackupNodePowerMgmt:
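An added example (not part of this thread and not pve-access-control's own code) for auditing what a user.cfg like the one above actually grants, instead of guessing from the GUI. It is a simplified model of the documented ACL evaluation rules as I understand them: walk the object path from `/` downwards, apply an ACL entry to a non-final prefix only if it propagates, let direct user entries beat group entries at the same path, let an entry at a deeper path replace what the parent granted, treat NoAccess as overriding, and take the union of privileges over the resulting roles. The built-in role table is a constructed subset (only NoAccess and a trimmed PVEAuditor; root@pam is special-cased as Administrator), and the node names `legolas` and `pve7` come from the posted config and error message. The parser reads the field after `acl:` as the propagate flag, as the file format defines it. Paste your own user.cfg into `USER_CFG` and compare the output with what `pveum user permissions <userid> --path <path>` reports on versions that have that subcommand.

```python
"""Offline evaluation of Proxmox VE ACLs from a user.cfg.

Simplified model of the documented rules (assumed here, not pve-access-control's
code): walk the path from "/" down, apply ACL entries matching each prefix
(non-final prefixes only if they propagate), direct user entries beat group
entries at the same path, a deeper path replaces what the parent granted,
NoAccess wins, and privileges are the union over the resulting roles.
"""

# Constructed subset of the built-in roles; the real table is much larger.
BUILTIN_ROLES = {
    "NoAccess": set(),
    "PVEAuditor": {"Datastore.Audit", "Sys.Audit", "VM.Audit"},
}
ALL_PRIVS = "*"  # marker for Administrator / root@pam

# The user.cfg posted above, embedded as sample input.
USER_CFG = """\
user:root@pam:1:0:::mail@example.com:::
user:web@pve:1:0::::COMMENT.::
group:Remote-Maintenance:web@pve::
role:Allow-BackupNodePowerMgmt:Sys.PowerMgmt:
role:Remote-MaintenanceUser:Datastore.Audit,Pool.Audit,Sys.Audit,Sys.Syslog,VM.Audit,VM.Backup,VM.Clone,VM.Config.CPU,VM.Config.Memory,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot:
acl:0:/:@Remote-Maintenance:PVEAuditor,Remote-MaintenanceUser:
acl:1:/nodes/legolas:@Remote-Maintenance:Allow-BackupNodePowerMgmt:
"""


def parse_user_cfg(text):
    """Parse the colon-separated user.cfg records we need: group, role and acl."""
    cfg = {"groups": {}, "roles": dict(BUILTIN_ROLES), "acl": []}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        kind = fields[0]
        if kind == "group":            # group:name:member,member:comment:
            cfg["groups"][fields[1]] = {m for m in fields[2].split(",") if m}
        elif kind == "role":           # role:name:priv,priv:
            cfg["roles"][fields[1]] = {p for p in fields[2].split(",") if p}
        elif kind == "acl":            # acl:propagate:path:subjects:roles:
            cfg["acl"].append((fields[1] == "1", fields[2],
                               fields[3].split(","), fields[4].split(",")))
    return cfg


def path_prefixes(path):
    """'/nodes/legolas' -> ['/', '/nodes', '/nodes/legolas']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def effective_roles(cfg, user, path):
    """Roles that apply to `user` at exactly `path` under the model above."""
    if user == "root@pam":
        return {"Administrator"}
    groups = {g for g, members in cfg["groups"].items() if user in members}
    roles = set()
    for prefix in path_prefixes(path):
        final = prefix == path
        user_roles, group_roles = set(), set()
        for propagate, acl_path, subjects, acl_roles in cfg["acl"]:
            if acl_path != prefix or not (final or propagate):
                continue
            for subject in subjects:
                if subject == user:
                    user_roles.update(acl_roles)
                elif subject.startswith("@") and subject[1:] in groups:
                    group_roles.update(acl_roles)
        # Deeper match replaces the parent's roles; user entries beat group entries.
        if user_roles:
            roles = user_roles
        elif group_roles:
            roles = group_roles
    return {"NoAccess"} if "NoAccess" in roles else roles


def effective_privileges(cfg, user, path):
    roles = effective_roles(cfg, user, path)
    if "Administrator" in roles:
        return {ALL_PRIVS}
    privs = set()
    for role in roles:
        privs |= cfg["roles"].get(role, set())
    return privs


def check_permission(cfg, user, path, priv):
    privs = effective_privileges(cfg, user, path)
    return ALL_PRIVS in privs or priv in privs


def audit(cfg, user, paths, priv):
    """Which of `paths` grant `priv` to `user`: the table you want before handing out a login."""
    return {p: check_permission(cfg, user, p, priv) for p in paths}


if __name__ == "__main__":
    nodes = ["/nodes/legolas", "/nodes/pve7"]
    variants = [("as posted", USER_CFG),
                ("with '/' propagating", USER_CFG.replace("acl:0:/:", "acl:1:/:"))]
    for label, text in variants:
        cfg = parse_user_cfg(text)
        print(f"== {label} ==")
        for node in nodes:
            print(f"{node}: {sorted(effective_privileges(cfg, 'web@pve', node))}")
```

Two things the run makes visible: with the config exactly as posted, the `/` entry has propagate `0`, so `web@pve` gets Sys.PowerMgmt on `/nodes/legolas` and nothing at all on any other node path; and once `/` does propagate, the more specific entry on `/nodes/legolas` replaces the auditor roles there rather than adding to them, so the user keeps Sys.PowerMgmt on that node but loses Sys.Audit on it. Either way, Sys.PowerMgmt is not granted on `/nodes/pve7`, which matches the 403 quoted in the thread.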
 
Sorry for the late answer:

Did you actually try to shut down the nodes? As I said, it works here as expected (the button is still enabled, but the backend will not let you power off).