Proxmox and the Resource-Pool Permissions.

OverwhelmedDev

Jan 19, 2023
Hello everyone!

My question is about the permissions within a Proxmox cluster. We have 8 nodes in our cluster and want to make some of them available for other users via the resource pools. So I created users, added these users to a group and allowed this group to access the pool.
Within the pool I have shared the local storages for example and also a test VM.
So far so good, but now I would like to remove a few cluster nodes from the pool. These should not be available for the pool as node. So I went through the group permissions and selected the node with "NoAccess" but either this doesn't seem to work or there must be another way?

A few details so you can work with it:
Users:
user1@pve - Group1
user2@pve - Group1

Group:
Group1

Pools:
Pool1

Rights:
/nodes/terra - @Group1 - NoAccess - Propagate = True
/pool/Pool1 - @Group1 - PVEAdmin - Propagate = True

Pool Members:
A template and some storages. Shouldn't be that important?

How do I get the node "Terra" to not be available to the pool?
Maybe someone can also answer me directly if it is possible not to offer single VMBRs in the pool.

Addendum: There is no LDAP / Active Directory or any other kind of user organization. I would like to realize this only with the "board means".
Proxmox Version: 7.3.6
 
the nodes are not really entities that you can give access to (or take access away) in that fashion - while there are ACL checks for /nodes/{node}, those are only used when doing actually node-specific stuff:
- changing network settings
- installing/.. certificates
- querying/managing services which are running
- querying/installing updates
- ..

they are not used to limit access to the fact that the node exists, or to disallow moving/managing/.. guests to/on any particular node.
 
Thank you for the quick reply.
Is there any other way to tell the pool or the group that no new VMs can be created on a node? Or that migration to this node is prohibited?

The point is that I would like to give different pools to different groups, which can be assigned to different nodes by me and can also expand by nodes in the pool if necessary.
 
no, that is not possible at the moment. you can restrict allocation/migration entirely for your pool users, and handle that somewhere else (e.g., by having your own higher-privileged layer that does the migration/allocation and ensures that the node restrictions are honored, or doing those actions manually upon requests by the users).
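
A sketch of the check such a "higher-privileged layer" could run before it creates or migrates a guest on behalf of a pool user. This is an added example, not code from this thread or from Proxmox: the node names gaia and luna, the policy tables, the guest IDs and the `authorize` function are assumptions, and the layer would carry out the action with its own credentials only when the check passes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy tables (assumptions), maintained by the cluster admin.
# "terra" is left out of Pool1, which is the restriction asked for above.
POOL_NODES = {"Pool1": {"gaia", "luna"}}      # pool -> nodes it may use
GROUP_POOLS = {"Group1": {"Pool1"}}           # group -> pools it manages
USER_GROUPS = {"user1@pve": {"Group1"}, "user2@pve": {"Group1"}}
GUEST_POOL = {100: "Pool1", 200: "Pool2"}     # vmid -> pool membership
ACTIONS = {"create", "migrate"}


@dataclass(frozen=True)
class Request:
    user: str
    action: str                 # "create" or "migrate"
    pool: str                   # pool the guest is, or will be, a member of
    target_node: str
    vmid: Optional[int] = None  # required for "migrate"


def authorize(req: Request) -> Tuple[bool, str]:
    """Default-deny decision; returns (allowed, reason) for the audit log."""
    if req.action not in ACTIONS:
        return False, "unknown action"
    # Collect every pool the user can reach through group membership.
    pools = set()
    for group in USER_GROUPS.get(req.user, ()):
        pools |= GROUP_POOLS.get(group, set())
    if req.pool not in pools:
        return False, "user has no rights on pool"
    # A migration must name a guest that already belongs to that pool,
    # otherwise a user could move a guest owned by someone else.
    if req.action == "migrate" and GUEST_POOL.get(req.vmid) != req.pool:
        return False, "guest is not a member of pool"
    # The node restriction itself: unknown pools and nodes are denied.
    if req.target_node not in POOL_NODES.get(req.pool, set()):
        return False, "node not assigned to pool"
    return True, "ok"


if __name__ == "__main__":
    for node in ("gaia", "terra"):
        print(node, authorize(Request("user1@pve", "create", "Pool1", node)))
```
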
 
Thank you very much for your help, 48 hours of despair have dissolved into "just can't do it". That's ok for me, after all, it simply wasn't up to me.

"...at the moment..." sounds a little bit like "it is on our roadmap"?
If this is really on your roadmap, I think it's great. It would make controlling multi-user instances much easier.
Thanks for all your work!
 
there are no concrete plans at the moment, but it might be something that could be included if we ever do a bigger "revamp" of the ACL architecture.
 
