Privileges propagation question

Nov 10, 2020
15
21
8
41
Sweden
Hi :)
I have a noobish question about the propagation of privileges. I'm curious as to how it's currently implemented and if i'm doing something fundamentally wrong.

I use LDAP and let's say i have three groups in LDAP, lets call them Admin , SemiAdmin and Developer for the sake of clarity.
These groups are mapped to roles:

Admin -> builtin Administrator
Developer -> custom role: powermngt, console, snapshots, audit vms
SemiAdmin -> custom role: like developer but can change hardware config on VMs aswell

Now let's say my permissions in the permissions tab are:

/ @admin Administrator true
/ @SemiAdmin SemiAdmin-CustomRole true
/pool/DEV @Developer Developer-CustomRole true
/pool/MQ @Developer Developer-CustomRole true

I know the documentation says that permissions down the tree replaces those above, but it doesn't say on what level. Is it per role? per object? etc. What i basically want to achieve here is to let Admin be just that for the whole cluster and give the developers access to certain pools. The same goes for the SemiAdmin but with less privileges than Admin.

Now what happens to my user (and this is key) that's a member of both Admin and Developer is that i'm unable to administrate for instance the pools mentioned above. If i try to add a VM to the pools i get a permission denied. But if i login with a user that's a member of only the Admin group it's all good. I can still be an Administrator everywhere except where the Developer role is granted some access.

So it seems to me as if the permissions inheritance is on a role basis which is super nice but it also seems as there's something fishy with how it deduce what roles i actually have when you have multiple roles.

A remedy to this is to add the Admin group for each and every pool, but this is to me not the way it's intended and leads to an adminsitrative hell that doesnt scale very well with lots of pools and subsequently added roles (in which aforementioned admin is also a member of :)). Example:

/ @admin Administrator true
/ @SemiAdmin SemiAdmin-CustomRole true
/pool/DEV @admin Administrator true
/pool/DEV @Developer Developer-CustomRole true
....100 more pools with different privileges but where I as admin should still be admin
/pool/MQ @admin Administrator true
/pool/MQ @Developer Developer-CustomRole true

Given this i'm either not grasping the inheritance model or there's something wrong with it when a user has multiple roles "assigned".

Oh and I'm on PVE 8.0.4.

Thoughts anyone?

Best regards
Marcus
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!