User access to see Data Center/Node Summary

[Jayz]

Hello,

I created new audit user in Proxmox VE(5, 6).
This user can`t see Summary in Datacenter and Node menu.

How I can add access to see those Summary`s?

 

[Dominic]

What settings did you choose exactly?

It would be great if you could temporarily create a user testuser and post only the config of that user, that means something like

grep testuser /etc/pve/user.cfg

and then delete testuser again.

For example, with something like PVEAuditor on Path /

acl:1:/:testuser@pve:PVEAuditor:

you should see the Summary entry (and multiple others). You might have to log out and log in again to be sure to have all changes applied.

 

[Jayz]

cat /etc/pve/user.cfg

group:Auditors:test-user@pve::

pool:Auditors::1402,255003,255004,3001,3108,3109,3620,6930,6931,6932,6933,6934,7004,7005,7006,7050,7060,75001,77101,89100:backup,local,lvm1:

role:Auditoratastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:1:/pool/AuditorsAuditors:Auditor:

 

[Dominic]

Some letters seem to be missing in the last code snippet? Nevertheless, I think you should try to change the path of your premission, for example to /.

The last line could then look like this:

acl:1:/:@Auditors:Auditors:

 

[Jayz]

I created own Pool - Auditors, own Group - Auditors and own Role - Auditor

 

[Jayz]

If i add

acl:1:/:@Auditors:Auditors:

I can`t see Storages, VM`s and Summary too.

 

[Jayz]

I checked some Roles and only root user can see Summary.

 

[Dominic]

I created own Pool - Auditors, own Group - Auditors and own Role - Auditor

This can be seen in the code snippet and I recreated it.

If i add

acl:1:/:@Auditors:Auditors:

I can`t see Storages, VM`s and Summary too.

Have you reloaded your browser window? Because this

I checked some Roles and only root user can see Summary.

should certainly not be the true on an up to date Proxmox VE installation (proxmox-ve: 6.2-2 (running kernel: 5.4.65-1-pve)).

For reference, this is the relevant part of my test configuration:

➜  ~ cat /etc/pve/user.cfg | grep Auditors
group:Auditors:testuser@pve::
pool:Auditors::109:iso:
role:Auditors:Datastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:
acl:1:/:@Auditors:Auditors:

It has exactly the same permissions for the role and the group, pool & user are equivalent.

With

acl:1:/:@Auditors:Auditors:

it is possible to see the node summary, as well as all other VM summaries. This kind makes your pool kind of useless. However, it is certainly not only the root user that can see the node summary.

Changing that line to

acl:1:/pool/Auditors:@Auditors:Auditors:

and reloading your browser window restricts the view to the VMs and storages (in my configuration VM 109 and storage "iso", in your case VM 1402, 255003, ...) of the pool "Auditors". In this case, and with the rest of your user configuration, you see the summaries of the VMs in the pool "Auditors", but not the node summary.

 

[Jayz]

I reload and logoff/logon everytime, when I change permissions.
I already have this line

acl:1:/pool/Auditors:@Auditors:Auditors:

But I still don't see Node and Data Center Summary, like this Summary:

 

[Jayz]

cat /etc/pve/user.cfg

user:test-user@pve:1:0::::test user::
user:root@pam:1:0:::root@localhost.localdomain:::

group:Auditors:test-user@pve::

pool:Auditors::1402,255003,255004,3001,3108,3109,3620,6930,6931,6932,6933,6934,7004,7005,7006,7050,7060,75001,77101,89100:backup,local,lvm1:

role:Auditor:Datastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:1:/pool/Auditors:@Auditors:Auditor:

 

[Dominic]

I already have this line

acl:1:/pool/Auditors:@Auditors:Auditors:

But I still don't see Node and Data Center Summary (...)

This is exactly what I tried to explain before:

Changing that line to

acl:1:/pool/Auditors:@Auditors:Auditors:

and reloading your browser window restricts the view to the VMs and storages (in my configuration VM 109 and storage "iso", in your case VM 1402, 255003, ...) of the pool "Auditors". In this case, and with the rest of your user configuration, you see the summaries of the VMs in the pool "Auditors", but not the node summary.

All the permissions that your role "Auditors" have are only applied to elements of your pool "Auditors". Neither the datacenter nor the node summary are part of those elementts. What is required is that the Sys.Audit privilege is assigned to your "Auditors" group for the paths "/" and "/nodes/<your_node>". You can do this by appending something like the following to your configuration:

role:summaryViewer:Sys.Audit
acl:0:/nodes/dev:@Auditors:summaryViewer # Node summary
acl:0:/:@Auditors:summaryViewer # Datacenter summary

In this code snippet, "dev" is the name of my node. You have to change this to the name of your node. This code snippet creates a new role summaryViewer that has as only privilege Sys.Audit. It gives the "Auditors" group this role / the privilege exactly for the two required paths.

You should remove the "comments" with the #. They didn't change the behavior in the GUI but are actually not allowed.

 

[Jayz]

Thanks. Now it's working.
One more question. Is there any variable, like $hostname, instead the name of my node?

Berfore
acl:0:/nodes/dev:@Auditors:summaryViewer # Node summary

After
acl:0:/nodes/$hostname:@Auditors:summaryViewer # Node summary

 

[Dominic]

Is there any variable, like $hostname, instead the name of my node?

I don't think so.

 

[Jayz]

I don't think so.

Ok. Thank you.