SDN create VNet permission

Let's say I create an SDN zone called "ExampleZone" with one VNet called "ExampleVNet". My goal is for a User "ExampleUser" to be able to create additional VNets in that zone.

Going through the API hierarchy in the docs here, he seems to need SDN.Audit and SDN.Allocate for the /sdn/zones/ExampleZone endpoint. However, even though I gave ExampleUser the SDN.Audit, SDN.Allocate and SDN.Use permissions on that endpoint, he still doesn't see the SDN item under the Datacenter view to add additional VNets.

The user is able to use ExampleVNet for a vm, just not create additional VNets.

I'm wondering what else I need to add on PVE 8.2.4 to enable the user to add VNets in their zone.
 
I just tried that to no avail, with or without propagation. Thank you for the suggestion though!
 
I managed to get the SDN management widgets to appear under "Datacenter" by giving my user the role PVEAdmin on / (non-propagating) and the role PVESDNAdmin on /sdn (non-propagating). I am trying to narrow the PVEAdmin privilege on / now. Also, although I do see the SDN management widgets, the user cannot create any new zone because it cannot "see" any IPAM. Did you find any solution since your last post?
 
I tinkered with permissions for a few hours, and I found the following:

* For the SDN menu, give privileges to your user/group:
- Sys.Audit on /, no propagation
- SDN.Audit on /sdn, no propagation
* For the IPAMs, including pve:
- SDN.Audit on /sdn/ipams, propagation
* Connect to VM bridge:
- SDN.Use on /sdn/zones/localnetwork, propagate (all bridges)
- SDN.Use on /sdn/zones/localnetwork/<bridge>, propagate (specific bridge)
- SDN.Use on /sdn/zones/<zone>/<net>, propagate (specific SDN zone/net)
* Create net in zone:
- SDN.Allocate on /sdn/zones/<zone>, propagate
- SDN.Allocate on /sdn, no propagation

I did not try whether the user-created SDN networks work as intended.
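The ACL list in the post above, written out as the `pveum` commands you would type on a PVE node. This is an added example, not the poster's own commands or anything from the Proxmox project: it assumes the user is `ExampleUser@pve`, the zone and VNet are `ExampleZone`/`ExampleVNet` from the opening post, and the bridge zone is `localnetwork`. The custom role names (`SDNMenuSys`, `SDNAudit`, `SDNUse`, `SDNAlloc`) are ours; they exist only to carry exactly one privilege each so the ACLs map one-to-one onto the list. By default the script only prints each command; set `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): grant the SDN ACLs from the post via pveum.
# Assumed names: user ExampleUser@pve, zone ExampleZone, VNet ExampleVNet,
# bridge zone "localnetwork". Custom role names below are hypothetical.
# Privilege names are case-sensitive in PVE: Sys.Audit, SDN.Audit, SDN.Use, SDN.Allocate.

USER_ID="${USER_ID:-ExampleUser@pve}"
ZONE="${ZONE:-ExampleZone}"
VNET="${VNET:-ExampleVNet}"
APPLY="${APPLY:-0}"   # 0 = print commands only, 1 = execute them

run() {
    # Print the command line; execute it only when APPLY=1.
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

# One custom role per privilege, so each ACL line in the post becomes one ACL here.
# (pveum role add fails if the role already exists; use "pveum role modify" then.)
define_roles() {
    run pveum role add SDNMenuSys --privs "Sys.Audit"
    run pveum role add SDNAudit   --privs "SDN.Audit"
    run pveum role add SDNUse     --privs "SDN.Use"
    run pveum role add SDNAlloc   --privs "SDN.Allocate"
}

# acl PATH ROLE PROPAGATE(0|1): one ACL entry for USER_ID.
acl() {
    run pveum acl modify "$1" --users "$USER_ID" --roles "$2" --propagate "$3"
}

# "For the SDN menu": Sys.Audit on /, SDN.Audit on /sdn, neither propagating.
grant_sdn_menu() {
    acl / SDNMenuSys 0
    acl /sdn SDNAudit 0
}

# "For the IPAMs, including pve": SDN.Audit on /sdn/ipams, propagating.
grant_ipam_visibility() {
    acl /sdn/ipams SDNAudit 1
}

# "Connect to VM bridge": SDN.Use on all local bridges and on the zone's VNet.
grant_vnet_use() {
    acl /sdn/zones/localnetwork SDNUse 1
    acl "/sdn/zones/$ZONE/$VNET" SDNUse 1
}

# "Create net in zone": SDN.Allocate on the zone (propagating) and on /sdn (not).
grant_vnet_create() {
    acl "/sdn/zones/$ZONE" SDNAlloc 1
    acl /sdn SDNAlloc 0
}

# Check what the user effectively holds on the zone path afterwards.
verify() {
    run pveum user permissions "$USER_ID" --path "/sdn/zones/$ZONE"
}

main() {
    define_roles
    grant_sdn_menu
    grant_ipam_visibility
    grant_vnet_use
    grant_vnet_create
    verify
}

main "$@"
```

Run it once without `APPLY` to review the generated commands, then `APPLY=1 sh grant-sdn.sh` as root on a node; `pveum user permissions` at the end shows the privileges the user ends up with on the zone path, which is the quickest way to confirm that SDN.Allocate actually landed where the post says it must.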