restrict access to a pool of vm to some users only

pascalc

Member
Apr 28, 2021
I want to put some VMs in a group such that:
only one group of users can operate the VMs
all other users not in this group cannot start the VMs

Is this possible?

I started by defining a restricted pool for the restricted VMs,
then set up a restricted group and put authorized users in this group,
then set a permission of administrator on the restricted pool for the restricted group.

Now how can I configure that any user not in the restricted group cannot access the restricted pool? There is no @all user group.
 
hi,

now how can I configure that any user not in the restricted group cannot access the restricted pool ?
that should already be the case. one exception to note would be the root@pam user which has access to everything by default.
users with "Administrator" privilege on the path "/" can also see it.

but other non-admin users shouldn't be able to view/start/stop the VM if you've made the permissions correctly.
 
I managed to do it like this, since all my users are in an "Admin" group.

Create a group pastouche: can manage the VMs of the pastouche pool

pveum group add pastouche --comment "peut gerer les vms du pool pastouche"

Create a pool pastouche: marks the VMs protected from the other groups

pveum pool add pastouche --comment "vms protegees"

Create a user adminpastouche: in the group pastouche

pveum user add adminpastouche -group pastouche --comment "admin pool pastouche" -password

Permission on /pool/pastouche for group @pastouche = PVEAdmin

pveum acl modify /pool/pastouche -group pastouche -role PVEAdmin

Permission on /pool/pastouche for group @admin = NoAccess

pveum acl modify /pool/pastouche -group Admin -role NoAccess


Now only root@pam and pastouche@pve can access VMs in pool pastouche :)

thanks
 
seems fine, be aware that if you add a new user outside of your NoAccess group they might still have privileges to view/edit the VM (if they still have Admin privilege on /)
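
The caveat in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Proxmox code: a simplified Python model of the documented ACL rules (deeper paths replace upper ones, a user entry replaces group entries on the same path, NoAccess cancels other roles) that lists users who still hold a role on the pool. The users alice, bob, carol and dave and every ACL entry are constructed; pool-to-VM propagation and API tokens are not modeled.

```python
# Added example: simplified model of Proxmox VE ACL resolution (not Proxmox code).
# All users, groups and ACL entries below are constructed sample data.

GROUPS = {
    "Admin": {"alice@pve", "bob@pve"},
    "PveUser": {"carol@pve"},
    "pastouche": {"adminpastouche@pve"},
}
# (path, subject, role, propagate); a subject starting with "@" is a group
ACLS = [
    ("/", "@Admin", "Administrator", True),
    ("/", "dave@pve", "Administrator", True),   # new user, member of no group
    ("/pool/pastouche", "@pastouche", "PVEAdmin", True),
    ("/pool/pastouche", "@Admin", "NoAccess", True),
]

def ancestors(path):
    """'/pool/pastouche' -> ['/', '/pool', '/pool/pastouche']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective_roles(user, path, acls=ACLS, groups=GROUPS):
    if user == "root@pam":                      # always has full access
        return {"Administrator"}
    roles = set()
    for level in ancestors(path):               # walk down: deeper levels replace upper ones
        final = level == path
        here = [(s, r) for p, s, r, prop in acls if p == level and (final or prop)]
        own = {r for s, r in here if s == user}
        grp = {r for s, r in here
               if s.startswith("@") and user in groups.get(s[1:], set())}
        if own or grp:
            roles = own or grp                  # user entry replaces group entries here
    return set() if "NoAccess" in roles else roles   # NoAccess cancels all other roles

def unexpected_access(path, allowed_group, acls=ACLS, groups=GROUPS):
    """Users outside allowed_group (other than root@pam) who still hold a role on path."""
    users = set().union(*groups.values())
    users |= {s for _, s, _, _ in acls if not s.startswith("@")}
    allowed = groups[allowed_group] | {"root@pam"}
    return sorted(u for u in users - allowed if effective_roles(u, path, acls, groups))

if __name__ == "__main__":
    print(unexpected_access("/pool/pastouche", "pastouche"))
```

In this sample the Admin members are blocked by NoAccess, while dave@pve, who holds Administrator on "/" without being in the Admin group, is reported.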
 
yes but all our users are either in group "Admin" or in group "PveUser" which have no access to pool pastouche

 
yes but all our users are either in group "Admin" or in group "PveUser" which have no access to pool pastouche
To recap, you add x number of VMs to each of the groups you want, like doing it 1 by 1: pveum acl modify /vms/101 -user pveUser -role noAccess ..?
Thanks
 
