restrict access to a pool of vm to some users only

pascalc

Apr 28, 2021
I want to put some VMs in a group such that:
only one group of users can operate the VMs
all other users not in this group cannot start the VMs

Is this possible?

I started by defining a restricted pool for the restricted VMs,
then set up a restricted group and put the authorized users in this group,
then set a permission of administrator on the restricted pool for the restricted group.

Now how can I configure that any user not in the restricted group cannot access the restricted pool? There is no @all user group.
 
hi,

now how can I configure that any user not in the restricted group cannot access the restricted pool ?
that should already be the case. one exception to note would be the root@pam user which has access to everything by default.
users with "Administrator" privilege on the path "/" can also see it.

but other non-admin users shouldn't be able to view/start/stop the VM if you've made the permissions correctly.
 
I managed to do it like this, since all my users are in an "Admin" group.

create a group pastouche: can manage the VMs of the pool pastouche

pveum group add pastouche --comment "peut gerer les vms du pool pastouche"

create a pool pastouche: marks the VMs protected from the other groups

pveum pool add pastouche --comment "vms protegees"

create a user adminpastouche: in the group pastouche

pveum user add adminpastouche@pve -group pastouche --comment "admin pool pastouche" -password

permission on /pool/pastouche for group @pastouche = PVEAdmin

pveum acl modify /pool/pastouche -group pastouche -role PVEAdmin

permission on /pool/pastouche for group @admin = NoAccess

pveum acl modify /pool/pastouche -group Admin -role NoAccess


Now only root@pam and pastouche@pve can access VMs in pool pastouche :)

thanks
 
seems fine, be aware that if you add a new user outside of your NoAccess group they might still have privileges to view/edit the VM (if they still have Admin privilege on /)
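
The caveat above, worked through as an added example (not part of the thread and not Proxmox code): a simplified Python model of how roles resolve on the pool path, where a more specific path replaces inherited roles, user entries override group entries, and NoAccess cancels everything else. The users alice@pve, bob@pve and newadmin@pve, the group memberships and the Administrator entries on "/" are constructed assumptions; only the two /pool/pastouche entries come from the commands in the thread.

```python
# Constructed sample data: group membership and ACL rows (assumptions, see lead-in).
GROUPS = {
    "Admin": {"alice@pve", "bob@pve"},
    "pastouche": {"adminpastouche@pve"},
}
# (path, subject, role, propagate); a subject starting with "@" is a group.
ACLS = [
    ("/", "@Admin", "Administrator", True),               # assumed existing setup
    ("/pool/pastouche", "@pastouche", "PVEAdmin", True),  # from the thread
    ("/pool/pastouche", "@Admin", "NoAccess", True),      # from the thread
    ("/", "newadmin@pve", "Administrator", True),         # new user, NOT in group Admin
]

def roles(user, path, acls=ACLS, groups=GROUPS):
    """Return the set of roles `user` ends up with on `path` (simplified model)."""
    if user == "root@pam":
        return {"Administrator"}          # root@pam always has full access
    perm = set()
    # Sorted order visits parent paths before the more specific ones.
    for p in sorted({a[0] for a in acls}):
        final = p == path
        if not (p == "/" or final or path.startswith(p + "/")):
            continue                      # ACL path is not an ancestor of `path`

        def pick(match):
            # Roles at this level; non-propagating rows only count on the path itself.
            return {role for ap, subj, role, prop in acls
                    if ap == p and match(subj) and (final or prop)}

        new = pick(lambda s: s == user)   # user entries override group entries
        if not new:
            new = pick(lambda s: s.startswith("@")
                       and user in groups.get(s[1:], ()))
        if new:
            perm = new                    # more specific level replaces inherited roles
    return {"NoAccess"} if "NoAccess" in perm else perm

def audit(path, users):
    """List users who still hold some role other than NoAccess on `path`."""
    return sorted(u for u in users if roles(u, path) - {"NoAccess"})

if __name__ == "__main__":
    everyone = ["alice@pve", "bob@pve", "adminpastouche@pve", "newadmin@pve"]
    for u in everyone:
        print(u, sorted(roles(u, "/pool/pastouche")))
    print("can access pool:", audit("/pool/pastouche", everyone))
```

In this model newadmin@pve keeps Administrator on the pool because no NoAccess entry matches that user, which is the gap a deny-by-group setup leaves open.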
 
yes but all our users are either in group "Admin" or in group "PveUser" which have no access to pool pastouche

 
yes but all our users are either in group "Admin" or in group "PveUser" which have no access to pool pastouche
To recap, you add x number of VMs to each of the groups you want, like doing it 1 by 1: pveum acl modify /vms/101 -user pveUser -role NoAccess ...?
thanks