Resource pool users unable to clone a VM

jgalvin (New Member)
Aug 29, 2023
Hello,

I have a use case that I am unable to get working as I had hoped. I have a user account 'student1' in the group 'student'. I also have a resource pool called 'student1'. The pool ACL is configured to use the '@student' group.

I have several VMs in the 'student1' resource pool. The problem I am having is that the 'student1' user cannot clone any VMs. I get an Error 'Permission check failed (403)'. I think the source of the problem, or at least my observation, is that the Resource Pool cannot be selected in the Clone VM input box (due to role permissions).

Should a user constrained by a resource pool be able to clone a VM? I wanted to give these users the abilities to use and manage VMs, but do so without seeing other students.

Here is the listing from my /etc/pve/user.cfg file:

Code:
user:root@pam:1:0::::::
user:student1@pve:1:0::::::
user:student2@pve:1:0::::::

group:student:student1@pve,student2@pve::

pool:student1::100,101:local:

role:student:Datastore.AllocateSpace,Datastore.Audit,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:

acl:1:/pool/student1:student1@pve:student:

To test, I added a new resource pool ACL where the 'student1' user was a 'PVEAdmin' role and it worked. But this wasn't desirable because the account could see the actual 'student1' resource pool, and also all the other capabilities of this role. I believe the 'Pool.Audit' permission makes this possible.

Thank you for any assistance you can provide. I greatly appreciate your time.

Jim
I tried to set this up myself on PVE 8.0.4 with user@pam

The Pool.Audit permission is required to select the resource pool.
For the user, to view its own permissions, the Sys.Audit permission would be required. In my tests, I was unable to see it.

To clone a VM I also needed the SDN.Use permission.

Here is (part of) my /etc/pve/user.cfg:

Code:
pool:test-pool::108,109::

role:Student:Datastore.AllocateSpace,Datastore.Audit,Pool.Audit,SDN.Use,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:

acl:1:/pool/test-pool:user@pam:Student:
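To make the two posts above concrete, here is an added example (not code from Proxmox or from anyone in this thread) that parses the colon-separated user.cfg lines quoted in the thread and answers "does this user hold privilege P on path X?" under a deliberately simplified model of PVE's ACL resolution: an ACL applies to its exact path, with propagate=1 to every sub-path, a VM inherits ACLs granted on the /pool/<name> it belongs to, and subjects may be user ids or @groups. The two embedded configs are constructed: the first mirrors the original 'student' role without Pool.Audit, the second adds Pool.Audit and SDN.Use and grants the ACL to the @student group as the opening post described. Real PVE checks more than the two privileges modelled in clone_dialog_checks; the function only reproduces the pair the thread identified.

```python
"""Simplified model of how Proxmox VE resolves /etc/pve/user.cfg ACLs.

Constructed example for this thread, not code from Proxmox itself.  Assumed
(simplified) semantics: an ACL applies to its exact path, and with
propagate=1 to every sub-path; a VM that is a member of a pool also inherits
ACLs granted on /pool/<name>; ACL subjects may be user ids or @groups.
"""
from dataclasses import dataclass, field

# Constructed from the first post: the role lacks Pool.Audit, so the pool
# cannot be selected in the clone dialog even though VM.Clone is granted.
ORIGINAL_CFG = """\
user:student1@pve:1:0::::::
user:student2@pve:1:0::::::
group:student:student1@pve,student2@pve::
pool:student1::100,101:local:
role:student:Datastore.AllocateSpace,Datastore.Audit,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:
acl:1:/pool/student1:student1@pve:student:
"""

# Constructed: same layout with Pool.Audit and SDN.Use added to the role and
# the ACL granted to the @student group instead of a single user.
FIXED_CFG = """\
user:student1@pve:1:0::::::
user:student2@pve:1:0::::::
group:student:student1@pve,student2@pve::
pool:student1::100,101:local:
role:student:Datastore.AllocateSpace,Datastore.Audit,Pool.Audit,SDN.Use,VM.Allocate,VM.Audit,VM.Clone,VM.Config.CDROM,VM.Console,VM.PowerMgmt:
acl:1:/pool/student1:@student:student:
"""


def _csv(field_text):
    """Split a comma-separated user.cfg field, dropping empty entries."""
    return set(filter(None, field_text.split(",")))


@dataclass
class UserCfg:
    groups: dict = field(default_factory=dict)  # group name -> member user ids
    pools: dict = field(default_factory=dict)   # pool name -> member vmids
    roles: dict = field(default_factory=dict)   # role name -> privileges
    acls: list = field(default_factory=list)    # (propagate, path, subjects, roles)


def parse_user_cfg(text):
    """Parse the colon-separated user.cfg format; 'user' lines are skipped."""
    cfg = UserCfg()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, *f = line.split(":")
        if kind == "group":        # group:<name>:<members>:<comment>:
            cfg.groups[f[0]] = _csv(f[1])
        elif kind == "pool":       # pool:<name>:<comment>:<vmids>:<storages>:
            cfg.pools[f[0]] = _csv(f[2])
        elif kind == "role":       # role:<name>:<privileges>:
            cfg.roles[f[0]] = _csv(f[1])
        elif kind == "acl":        # acl:<propagate>:<path>:<subjects>:<roles>:
            cfg.acls.append((f[0] == "1", f[1], _csv(f[2]), _csv(f[3])))
    return cfg


def _subjects_for(cfg, user):
    """The user id plus every @group the user belongs to."""
    return {user} | {"@" + g for g, members in cfg.groups.items() if user in members}


def _effective_paths(cfg, path):
    """A VM path also counts as the path of the pool that contains it."""
    paths = [path]
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "vms":
        paths += ["/pool/" + p for p, vmids in cfg.pools.items() if parts[1] in vmids]
    return paths


def _acl_applies(propagate, acl_path, path):
    """Exact match always applies; propagating ACLs also cover sub-paths."""
    if acl_path == path:
        return True
    if not propagate:
        return False
    return path.startswith("/" if acl_path == "/" else acl_path + "/")


def privileges(cfg, user, path):
    """All privileges `user` holds on `path` under the simplified model."""
    subjects = _subjects_for(cfg, user)
    privs = set()
    for propagate, acl_path, acl_subjects, acl_roles in cfg.acls:
        if subjects.isdisjoint(acl_subjects):
            continue
        if any(_acl_applies(propagate, acl_path, p) for p in _effective_paths(cfg, path)):
            for role in acl_roles:
                privs |= cfg.roles.get(role, set())
    return privs


def has_privilege(cfg, user, path, priv):
    return priv in privileges(cfg, user, path)


def clone_dialog_checks(cfg, user, vmid, pool):
    """The two checks the thread ran into: VM.Clone on the source VM and
    Pool.Audit on the target pool (without it the pool is not selectable)."""
    return {
        "VM.Clone": has_privilege(cfg, user, f"/vms/{vmid}", "VM.Clone"),
        "Pool.Audit": has_privilege(cfg, user, f"/pool/{pool}", "Pool.Audit"),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        cfg = parse_user_cfg(text)
        print(name, clone_dialog_checks(cfg, "student1@pve", 100, "student1"))
```

Running it shows the original role granting VM.Clone on /vms/100 but not Pool.Audit on /pool/student1, which is the combination behind the 403, while the fixed config passes both; it also shows that a VM outside the pool (for example /vms/102) stays invisible to the student accounts, which is the isolation the opening post was after.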
Hello stfl,

Thank you for testing this! I really appreciated that! I am still on Proxmox 7.4-16, but I was able to add the Pool.Audit and SDN.Use permissions to the 'student' role. This did allow me to successfully clone a VM, yes! As a test I removed the SDN.Use permission and the cloning still worked. I'll need to perform more testing, but at least things are working.

My hope was to be able to clone a VM but not have the user see their Pool in the left-side navigation area. Is that possible?

Again, thank you for your help!

Jim

 
SDN.Use permission is needed from PVE 8.0 onwards.

You can limit the user/group permissions to specific VMs. Otherwise, what you're trying to achieve is unfortunately not possible.