Resource pool users unable to clone a VM

J

jgalvin

New Member
Aug 29, 2023
2
0
1
Hello,

I have a use case that I am unable to get working as I had hoped. I have a user account 'student1' in the group 'student'. I also have a resource pool called 'student1'. The pool ACL is configured to use the '@student' group.

I have several VMs in the 'student1' resource pool. The problem I am having is that the 'student1' user cannot clone any VMs. I get an Error 'Permission check failed (403)'. I think the source of the problem, or at least my observation, is that the Resource Pool cannot be selected in the Clone VM input box (due to role permissions).

Should a user constrained by a resource pool be able to clone a VM? I wanted to give these users the abilities to use and manage VMs, but do so without seeing other students.

Here is the listing from my /etc/pve/user.cfg file:

Code: 
user:root@pam:1:0::::::
user:student1@pve:1:0::::::
user:student2@pve:1:0::::::

group:student:student1@pve,student2@pve::

pool:student1::100,101:local:

role:student:Datastore.AllocateSpace,Datastore.Audit,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:

acl:1:/pool/student1:student1@pve:student:

To test, I added a new resource pool ACL where the 'student1' user was a 'PVEAdmin' role and it worked. But this wasn't desirable cause the account could see the actual 'student1' resource pool, and also all the other capabilities of this role. I believe the 'Pool.Audit' permission makes this possible.

Thank you for any assistance you can provide. I greatly appreciate your time.

Jim
 
Last edited:
I tried to set this up myself on PVE 8.0.4 with user@pam

The Pool.Audit permission is required to select the resource pool.
For the user, to view its own permissions, the Sys.Audit permission would be required. In my tests, I was unable to see it.

To clone a VM i also needed the SDN.Use permissions.

Here (part) of my /etc/pve/user.cfg

Code: 
pool:test-pool::108,109::

role:Student:Datastore.AllocateSpace,Datastore.Audit,Pool.Audit,SDN.Use,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:

acl:1:/pool/test-pool:user@pam:Student:
 
  • Like
Reactions: lectrician1
Hello stfl,

Thank you for testing this! I really appreciated that! I am still on Proxmox 7.4-16, but I was able to add the Pool.Audit and SDN.Use permissions to the 'student' role. This did allow me to successfully clone a VM, yes! As a test I removed the SDN.Use permission and the cloning still worked. I'll need to perform more testing, but at least things are working.

My hope was to be able to clone a VM but not have the user see their Pool in the left-side navigation area. Is that possible?

Again, thank you for your help!

Jim

 
SDN.Use permission is needed from PVE 8.0 onwards.

You can limit the user/group permissions to specific VMs. Otherwise, what you're trying to achieve is unfortunately not possible.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom