Privilege "Permissions.Modify" on pool will not propagade to contained VMs anymore

C

castes

Member
Sep 2, 2021
16
4
8
When giving the "Permissions.Modify" privilege to a user on a pool, I'd expect the user to be able to set permissions on contained members like VMs of that pool.

After upgrading from Proxmox 7 to 8 last week, the following error gets thrown:

"ACL update failed: 400 Parameter verification failed. role: Cannot add role 'PVETemplateUser' with propagation - requires 'Permissions.Modify' or propagated superset of privileges. (500)"

Example:

Pool: /pool/somepool1
User: someuser1
Permissions: User "someuser1" has role "Administrator" on path "/pool/somepool1" with propagation=true.

Trying to add permissions to a VM as member of "somepool1" results in the error given above. Removing already present permissions is possible though.

Package versions: (bookworm pve-enterprise repository)
proxmox-ve: 8.2.0 (running kernel: 6.8.8-2-pve)
pve-manager: 8.2.2
 
please provide more details:
- "pveum user permissions" on the pool for the given user
- "pveum user permissions" on the VM for the given user

also note the release notes for 8.0 about breaking changes in the ACL system:
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.0
 
The user "someruser1" has 3 roles on "/pool/somepool1": "10-VMAdmin", "PVEPoolAdmin" and "75-PermissionAdmin".

Bash: 
root@node12:~# pveum role list --output-format yaml
---
- privs: VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback
  roleid: 10-VMAdmin
  special: 0
- privs: Pool.Allocate,Pool.Audit
  roleid: PVEPoolAdmin
  special: 1
- privs: Permissions.Modify
  roleid: 75-PermissionAdmin
  special: 0

This results in the following permissions:
Bash: 
root@node12:~# pveum user permissions someuser1@ldap --path /pool/somepool1 --output-format yaml
---
/pool/somepool1:
  Permissions.Modify: 1
  Pool.Allocate: 1
  Pool.Audit: 1
  VM.Allocate: 1
  VM.Audit: 1
  VM.Backup: 1
  VM.Clone: 1
  VM.Config.CDROM: 1
  VM.Config.CPU: 1
  VM.Config.Cloudinit: 1
  VM.Config.Disk: 1
  VM.Config.HWType: 1
  VM.Config.Memory: 1
  VM.Config.Network: 1
  VM.Config.Options: 1
  VM.Console: 1
  VM.Migrate: 1
  VM.Monitor: 1
  VM.PowerMgmt: 1
  VM.Snapshot: 1
  VM.Snapshot.Rollback: 1

No further permissions are set on the VM (ID 1040) itself:
Bash: 
root@node12:~# pveum user permissions someuser1@ldap --path /vm/1040 --output-format yaml
---
/vm/1040: {}

VMID 1040 is member of pool "somepool1":
Bash: 
root@node12:~# pveum pool list --poolid somepool1 --output-format yaml
---
- comment: some comment
  members:
  - cpu: 0
    disk: 0
    diskread: 0
    diskwrite: 0
    id: qemu/1040
    maxcpu: 8
    maxdisk: 107374182400
    maxmem: 17179869184
    mem: 0
    name: testDesktop
    netin: 0
    netout: 0
    node: node12
    status: stopped
    template: 0
    type: qemu
    uptime: 0
    vmid: 1040
  poolid: somepool1

User "someruser1" is able to do everything with member VMID 1040 granted on the level of the pool "somepool1", except adding new permissions. If some permissions are already present on the path of the VM, it is possible to remove them.

Previously when running Proxmox 7, it was possible to add permissions for members of a pool as long as the user has "Permissions.Modify" privilege on the pool. As far as I understood the ACL changes in Proxmox 8, this should still be possible. Currently "Permissions.Modify" privilege will not be inherited to pool members. At least regarding adding new permissions. Removing permissions is still possible.
When granting "Permissions.Modify" directly on the VM, permission management works as expected.
 
it's /vms/XXX , not /vm/XXX
 
Last edited:
Oops.

Bash: 
root@node12:~# pveum user permissions someuser1@ldap --path /vms/1040 --output-format yaml
---
/vms/1040:
  Permissions.Modify: 0
  Pool.Allocate: 0
  Pool.Audit: 0
  VM.Allocate: 0
  VM.Audit: 0
  VM.Backup: 0
  VM.Clone: 0
  VM.Config.CDROM: 0
  VM.Config.CPU: 0
  VM.Config.Cloudinit: 0
  VM.Config.Disk: 0
  VM.Config.HWType: 0
  VM.Config.Memory: 0
  VM.Config.Network: 0
  VM.Config.Options: 0
  VM.Console: 0
  VM.Migrate: 0
  VM.Monitor: 0
  VM.PowerMgmt: 0
  VM.Snapshot: 0
  VM.Snapshot.Rollback: 0
 
Yes, "Permissions.Modify" is listed in the output for user permissions on the path of the VM.

Thanks for finding the bug so quickly!
 
I've applied and tested the given patch. "Permissions.Modify" on a pool works as expected again. Many thanks!
 
  • Like
Reactions: fabian
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back