Hi everyone,
I'm experimenting with ProxmoxVE and I must say that it's an amazing product!
I've been testing permissions and I've noticed something unexpected.
There's a group called GR1 with one user USR1.
The goal I want to achieve is for everyone from GR1 to be able to view all VMs (PVEVMUser), but give admin rights (PVEVMAdmin) for single users for single VMs.
I added those permissions:
- group GR1 PVEVMUser, with path /vms
- user USR1 PVEVMAdmin with path /vms/101
Instead of desired behavior I encountered this:
If the user USR1 is NOT a part of group GR1, but has the PVEVMAdmin role for VM 101, then he can only see VM 101 and has full control over this one VM. (That's OK)
If the user USR1 IS a part of group GR1 and does NOT have the PVEVMAdmin role for VM 101, then he can view and perform basic tasks on all VMs. (Also OK)
If the user USR1 IS a part of group GR1, and has the PVEVMAdmin role for VM 101, then he can manage all VMs as admin, just as if he had admin permissions for all VMs. (That's the issue)
This seems pretty weird. I'm not sure if this is a bug, desired behavior, or if I'm just missing something here.
Output of pveversion -v
Code:
root@pve:~# pveversion -v
proxmox-ve: 6.1-2 (running kernel: 5.3.18-3-pve)
pve-manager: 6.1-8 (running version: 6.1-8/806edfe1)
pve-kernel-helper: 6.1-8
pve-kernel-5.3: 6.1-6
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.3.18-2-pve: 5.3.18-2
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.3-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: residual config
ifupdown2: 2.0.1-1+pve8
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.15-pve1
libpve-access-control: 6.0-6
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.0-17
libpve-guest-common-perl: 3.0-5
libpve-http-server-perl: 3.0-5
libpve-storage-perl: 6.1-5
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 3.2.1-1
lxcfs: 4.0.1-pve1
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.1-3
pve-cluster: 6.1-4
pve-container: 3.0-23
pve-docs: 6.1-6
pve-edk2-firmware: 2.20200229-1
pve-firewall: 4.0-10
pve-firmware: 3.0-7
pve-ha-manager: 3.0-9
pve-i18n: 2.0-4
pve-qemu-kvm: 4.1.1-4
pve-xtermjs: 4.3.0-1
qemu-server: 6.1-7
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.3-pve1