permissions required

Zappy

Mar 30, 2022
I am starting a thread since the question was buried in the announcement thread....

What is the minimal token permission, and the optimal permission?
I prefer to use a token instead of username/password.

Thanks
hi, sorry for the late answer:

First, we already use only tokens for communication. When you set up the remote with a user/password, we automatically create a token on the cluster that is used instead.

The answer to the actual question is: whatever permissions you give to the token ;) Of course, if some action on the PDM side requires more permissions than the token has, it's not possible. But e.g. a pure 'Audit' token should still see all of the information, but will not be able to start/stop/migrate/etc. guests.

Our plan is to flesh out the ACL system a bit more so that one can maybe also give some permissions on the PDM side for PDM users.
 
Thanks for the answer,

No worries about the delay...
First, we already use only tokens for communication. When you set up the remote with a user/password, we automatically create a token on the cluster that is used instead.
Ok, good to know. So if I use a token instead of username/password, is it all good?
The answer to the actual question is: whatever permissions you give to the token ;) Of course, if some action on the PDM side requires more permissions than the token has, it's not possible. But e.g. a pure 'Audit' token should still see all of the information, but will not be able to start/stop/migrate/etc. guests.
You did not quite pinpoint the question.
I do know it is whatever permission I give the token :)
But in security, there is a rule that says "don't give more than needed"...
So I will reformulate.
What minimum permission is required for PDM to be fully operational?

And if it is not too much, can we have a sort of table:
with this permission PDM will not be able to do X, Y, Z
with this permission PDM will not be able to do A, B, C
etc...

like in PBS

(screenshot attached: pbs_token_perm.PNG)
Our plan is to flesh out the ACL system a bit more so that one can maybe also give some permissions on the PDM side for PDM users.
Great.
thanks
 
What minimum permission is required for PDM to be fully operational?
Currently, you'd need *.Audit for most things (e.g. the status/metrics/etc.), and for start/stop/shutdown/migrate you need the same privs as on PVE itself, so e.g. VM.Migrate, VM.PowerMgmt, Datastore.Allocate for e.g. a remote migration (so we can allocate disks), etc.

And if it is not too much, can we have a sort of table:
This may make sense as we're nearing the first stable release, but for now this will be very much in flux, so it would be a moving target and outdated most of the time.

Basically, if there is an action to be done on the PVE side, the token needs the permission that is needed on PVE for that action (which is obvious IMO), but since we don't have a table there for such things, we currently don't have it for PDM either (yet).
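As an added example (not code from the thread or from the Proxmox projects), this is how the two tiers described above could be provisioned on a PVE node: a read-only token carrying the built-in PVEAuditor role (the *.Audit privileges), and an operator token that additionally gets VM.Migrate, VM.PowerMgmt and Datastore.Allocate through a custom role. The user id pdm@pve, the token ids and the role name PDMOperator are hypothetical names chosen for the example.

```shell
# Added example: least-privilege PVE API tokens for PDM, run from a PVE node.
# Assumed names: user "pdm@pve", token ids "ro"/"ops", custom role "PDMOperator".
# Privilege names are the ones the thread cites; PVEAuditor is PVE's built-in
# read-only role. Set PDM_DRY_RUN=1 to only print the commands for review.

# run: print each command, then execute it unless PDM_DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "${PDM_DRY_RUN:-}" ] || "$@"
}

# Read-only token: enough for status/metrics, cannot start/stop/migrate guests.
pdm_audit_token() {
    user="$1"; token="$2"
    run pveum user add "$user" --comment "Proxmox Datacenter Manager"
    # --privsep 1: the token gets only the ACLs granted to the token itself,
    # not everything the owning user has.
    run pveum user token add "$user" "$token" --privsep 1
    run pveum acl modify / --tokens "${user}!${token}" --roles PVEAuditor
}

# Operator token (user must already exist): audit plus the PVE privileges
# the thread names for power management and remote migration, kept in a
# separate custom role so they can be revoked without touching the audit grant.
pdm_operator_token() {
    user="$1"; token="$2"
    run pveum role add PDMOperator \
        --privs "VM.Migrate VM.PowerMgmt Datastore.Allocate"
    run pveum user token add "$user" "$token" --privsep 1
    run pveum acl modify / --tokens "${user}!${token}" \
        --roles PVEAuditor,PDMOperator
}

# Check: list a token's effective permissions and compare them with what PDM
# actually needs before the secret is handed over.
pdm_token_check() {
    run pveum user token permissions "$1" "$2"
}
```

The token secret printed by `pveum user token add` is shown only once, so capture it when running for real.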
 
Thanks for all the details.
Amazing, I am really excited by PDM.... I think you already know that it was well received.
Keep up the great work.

Thanks
 