Second User for Proxmox (not root)

  • Thread starter: mikhmv

Hi,
I have started to like Proxmox. It is working pretty well. Of course, there is the possibility to improve it.

Now, questions about users:
1. How do I create a second user for Proxmox who can only start virtual machines and use them?
2. How do I create another user with full control of VMs, but who is not root?

Could you tell me which groups this user should be a member of?

Thanks in advance,
Max
 
Not possible yet, see roadmap.
 
2. How do I create another user with full control of VMs, but who is not root?
I've done it like this... Add a user with the 'adduser' command. Manually edit /etc/passwd and change the UID and GID for that user to 0. When you are authenticated, you'll be like the 'root' user for the system. This is not exactly what you want, because when you log in via ssh, you'll be superuser. And maybe there is a more convenient way to do it.
 
Well, we already have such a thing for our mail-gateway product. So it is maybe possible to reuse that. I guess just for password verification?

- Dietmar

Yes indeed, one passwd DB to rule 'em all!
 
Or create a user with adduser and start playing with sudo and vzctl.

It's not possible within the interface anyway; the 2nd user can only do stuff from the command line.
 
Yes, but our colleague user wanted a "stop-start VM" user only.

Yes, it would be great if per-user VM configuration was possible - i.e.:
- root can view/create/stop everything, as now
- other users can view and stop only VMs assigned to them and make some, but not all configuration changes (i.e. they should not be able to add/change disks, MAC addresses, increase RAM/CPUs, view server logs etc.)


I understand it's on the Roadmap already, but I wonder what it will look like when it's done. Let's wait ;)
 
I've done it like this... Add a user with the 'adduser' command. Manually edit /etc/passwd and change the UID and GID for that user to 0.

It's even enough to change the GID only. Also, I found an 'audit' read-only user role in some Perl file, but I can't understand how to use it.
 
I know it is an old thread, but maybe my solution will be helpful.

I've changed Utils.pm to use the pveadmins group instead of root.
Add the system group "pveadmins". Add users to the new group.
Then patch /usr/share/perl5/PVE/Utils.pm to use the pveadmins group instead of root.
After that, restart the daemon: /etc/init.d/pvedaemon restart
It should work fine :)

Patch:
Code:
--- orig/Utils.pm	2011-01-26 14:51:51.000000000 +0100
+++ Utils.pm	2011-01-26 14:54:06.000000000 +0100
@@ -182,11 +182,17 @@
     my ($name, $passwd, $uid, $gid) = getpwnam ($username);
     my $groupname = getgrgid($gid) || 'nogroup';
 
-    # fixme: what groups are allowed?
-    if ($groupname ne 'root') {
-	syslog ('info', "auth failed: group '$groupname' is not in the list of allowed groups");
-	return undef;
-    }
+    # PROXMOX GROUP AUTH group auth 
+    my $group_ref = PVE::Utils::get_group_members("pveadmins");
+    my $ismember  = PVE::Utils::check_group_member($username,$group_ref);
+    if($ismember){  
+       syslog('info',"PROXMOX GROUP AUTH: $username is member of pveadmins");
+       $groupname="root";
+    }
+    else{
+       syslog('info',"PROXMOX GROUP AUTH: $username isn't member of pveadmins");
+       return undef;
+    };
 
     return $groupname;
 }
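Review bot: In the if($ismember) branch, $groupname="root" turns every pveadmins member into a root-group account as far as the caller can tell, so the patch widens who gets full privileges rather than adding a restricted role; returning the real group name and having the caller accept "pveadmins" explicitly would keep the two apart. The decision also no longer uses $gid, so an account whose primary group is root or pveadmins but which is not listed in the pveadmins member field is now rejected, which is a behaviour change for existing root-group users. The new failure message drops the "auth failed" wording of the removed syslog line, which anything matching on that string will miss.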
@@ -984,5 +990,24 @@
     }
 }
 
+# PROXMOX GROUP AUTH group auth
+sub get_group_members {
+   my $access_group_name;
+   ($access_group_name) = @_;
+   my ($name, $passwd, $gid, $members) = getgrnam($access_group_name);
+   my @group_arr = split " ",$members;
+   return \@group_arr;
+};
+
+# PROXMOX GROUP AUTH group auth
+sub check_group_member {
+   my ($login,$group_ref) = @_;
+   return 1 if $login eq "root"; # access for root else check group
+   my @group_arr = @$group_ref;
+   my $res = grep {$login eq $_} @group_arr;
+   return $res;
+};
+
+
 1;
 
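Review bot: In get_group_members, the getgrnam result is used unchecked: when the pveadmins group does not exist, $members is undefined and split runs on it, so return an empty list (and log it) before the split. check_group_member grants access on the login string "root" rather than on UID 0, and get_group_members only sees names in the group's member field, not accounts that have the group as their primary GID; both are worth a comment or a fix. The trailing semicolons after the closing braces of both subs are unnecessary.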
Without modification it is possible to add more users, but only with all / root privileges.
You have to add a new system user belonging to the system group root.
In this case the user doesn't need a home directory or a shell (e.g. for no ssh):

Code:
$ adduser NEW_USER_NAME --no-create-home --ingroup root --shell /bin/false
 
I know, but you create a user with GID 0 (gm2x wrote about this). My solution works with any system group (for example, you may integrate Proxmox with an identity system like FreeIPA, without creating a system user, etc.).
 
I only wanted to give a detailed, secure and functioning option for more inexperienced users and those who don't want to change the proxmox-webgui-sources.

best regards
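
An audit for the side effect of the approaches in this thread, as an added example that is not part of any post: it lists every account that is root-equivalent by UID 0, by primary GID 0, or by being listed in the root group, and optionally in an extra group such as the patch's pveadmins. The function names, reason labels and sample accounts are constructed for illustration; on a real host the two files would be /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the thread); the sample accounts are constructed.
#
# root_equivalents PASSWD_FILE GROUP_FILE [EXTRA_GROUP]
# Prints "user reason" for each account other than root itself that has UID 0
# or belongs, as primary group or listed member, to the GID 0 group or to
# EXTRA_GROUP (e.g. the pveadmins group used by the patch in this thread).
root_equivalents() {
    awk -F: -v extra="${3:-}" '
        FILENAME == ARGV[1] {                # first operand: group database
            if ($3 == 0 || (extra != "" && $1 == extra)) {
                priv[$3] = $1                # privileged gid -> group name
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") member[m[i]] = $1
            }
            next
        }
        /^#/ || NF < 7 { next }              # skip comments, malformed lines
        $1 == "root" && $3 == 0 { next }     # the real root account
        $3 == 0        { print $1, "uid=0"; next }
        ($4 in priv)   { print $1, "primary-group=" priv[$4]; next }
        ($1 in member) { print $1, "listed-in=" member[$1] }
    ' "$2" "$1" | sort
}

# demo [EXTRA_GROUP]: run the check over constructed passwd/group files.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:0:0::/home/alice:/bin/bash
bob:x:1001:0::/nonexistent:/bin/false
carol:x:1002:100::/home/carol:/bin/bash
dave:x:1003:100::/home/dave:/bin/bash
erin:x:1004:2000::/home/erin:/bin/bash
frank:x:1005:100::/home/frank:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:carol
users:x:100:
pveadmins:x:2000:dave
EOF
    root_equivalents "$dir/passwd" "$dir/group" "${1:-}"
    rm -rf "$dir"
}

demo pveadmins
```

In the sample, erin has pveadmins only as her primary group, so she is reported here even though a check that reads just the group's member field would not see her.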