User access to see Data Center/Node Summary

Jayz

Hello,

I created a new audit user in Proxmox VE (5, 6).
This user can't see Summary in the Datacenter and Node menu.
How can I add access to see those Summaries?
 

What settings did you choose exactly?

It would be great if you could temporarily create a user testuser and post only the config of that user, that means something like
Code:
grep testuser /etc/pve/user.cfg
and then delete testuser again.

For example, with something like PVEAuditor on Path /
Code:
acl:1:/:testuser@pve:PVEAuditor:
you should see the Summary entry (and multiple others). You might have to log out and log in again to be sure to have all changes applied.
 
cat /etc/pve/user.cfg

Code:
group:Auditors:test-user@pve::

pool:Auditors::1402,255003,255004,3001,3108,3109,3620,6930,6931,6932,6933,6934,7004,7005,7006,7050,7060,75001,77101,89100:backup,local,lvm1:

role:Auditoratastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:1:/pool/AuditorsAuditors:Auditor:
 
Some letters seem to be missing in the last code snippet? Nevertheless, I think you should try to change the path of your permission, for example to /.

The last line could then look like this:
Code:
acl:1:/:@Auditors:Auditors:
 
I created my own Pool - Auditors, my own Group - Auditors and my own Role - Auditor
 
If I add
Code:
acl:1:/:@Auditors:Auditors:
I can't see Storages, VMs and Summary either.
 
I checked some Roles and only root user can see Summary.
 
> I created my own Pool - Auditors, my own Group - Auditors and my own Role - Auditor

This can be seen in the code snippet and I recreated it.

> If I add
> Code:
> acl:1:/:@Auditors:Auditors:
> I can't see Storages, VMs and Summary either.

Have you reloaded your browser window? Because this

> I checked some Roles and only root user can see Summary.

should certainly not be true on an up-to-date Proxmox VE installation (proxmox-ve: 6.2-2 (running kernel: 5.4.65-1-pve)).

For reference, this is the relevant part of my test configuration:

Code:
➜  ~ cat /etc/pve/user.cfg | grep Auditors
group:Auditors:testuser@pve::
pool:Auditors::109:iso:
role:Auditors:Datastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:
acl:1:/:@Auditors:Auditors:

It has exactly the same permissions for the role and the group, pool & user are equivalent.

With
Code:
acl:1:/:@Auditors:Auditors:
it is possible to see the node summary, as well as all other VM summaries. This makes your pool kind of useless. However, it is certainly not only the root user that can see the node summary.

Changing that line to
Code:
acl:1:/pool/Auditors:@Auditors:Auditors:
and reloading your browser window restricts the view to the VMs and storages (in my configuration VM 109 and storage "iso", in your case VM 1402, 255003, ...) of the pool "Auditors". In this case, and with the rest of your user configuration, you see the summaries of the VMs in the pool "Auditors", but not the node summary.
 
I reload and log off/log on every time I change permissions.
I already have this line
Code:
acl:1:/pool/Auditors:@Auditors:Auditors:
But I still don't see Node and Data Center Summary, like this Summary:
 

[Attached screenshots: summary1_2020-10-08 11-19-47.png, Summary2_020-10-08 11-20-31.png]

cat /etc/pve/user.cfg
Code:
user:test-user@pve:1:0::::test user::
user:root@pam:1:0:::root@localhost.localdomain:::

group:Auditors:test-user@pve::

pool:Auditors::1402,255003,255004,3001,3108,3109,3620,6930,6931,6932,6933,6934,7004,7005,7006,7050,7060,75001,77101,89100:backup,local,lvm1:

role:Auditor:Datastore.Audit,SDN.Audit,Sys.Audit,Sys.Console,Sys.Syslog,VM.Audit,VM.Backup,VM.Console,VM.Monitor,VM.PowerMgmt,VM.Snapshot:

acl:1:/pool/Auditors:@Auditors:Auditor:
 
> I already have this line
> Code:
> acl:1:/pool/Auditors:@Auditors:Auditors:
> But I still don't see Node and Data Center Summary (...)

This is exactly what I tried to explain before:

> Changing that line to
> Code:
> acl:1:/pool/Auditors:@Auditors:Auditors:
> and reloading your browser window restricts the view to the VMs and storages (in my configuration VM 109 and storage "iso", in your case VM 1402, 255003, ...) of the pool "Auditors". In this case, and with the rest of your user configuration, you see the summaries of the VMs in the pool "Auditors", but not the node summary.

All the permissions that your role "Auditors" has are only applied to elements of your pool "Auditors". Neither the datacenter nor the node summary is part of those elements. What is required is that the Sys.Audit privilege is assigned to your "Auditors" group for the paths "/" and "/nodes/<your_node>". You can do this by appending something like the following to your configuration:
Code:
role:summaryViewer:Sys.Audit
acl:0:/nodes/dev:@Auditors:summaryViewer # Node summary
acl:0:/:@Auditors:summaryViewer # Datacenter summary
In this code snippet, "dev" is the name of my node. You have to change this to the name of your node. This code snippet creates a new role summaryViewer that has Sys.Audit as its only privilege. It gives the "Auditors" group this role / the privilege for exactly the two required paths.

You should remove the "comments" with the #. They didn't change the behavior in the GUI but are actually not allowed.
 
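The path scoping explained in the answer above, as an added Python example (not written by any poster in this thread and not Proxmox code): it evaluates the thread's user.cfg under a simplified ACL model and shows that the pool-scoped ACL never reaches "/" or "/nodes/dev", while the two non-propagating lines grant Sys.Audit on exactly those paths. Assumptions: only roles defined in the file are resolved, pool members are not expanded, Proxmox's override rules (such as NoAccess) are not modelled, and the function names are hypothetical.

```python
# Constructed sample: the user.cfg from the thread, pool and role lists shortened.
BASE_CFG = """\
user:test-user@pve:1:0::::test user::
group:Auditors:test-user@pve::
pool:Auditors::1402,3001:backup,local,lvm1:
role:Auditor:Datastore.Audit,Sys.Audit,Sys.Syslog,VM.Audit,VM.Console:
acl:1:/pool/Auditors:@Auditors:Auditor:
"""
# The lines suggested in the thread, "#" comments removed; "dev" is the node name.
FIX_CFG = BASE_CFG + """\
role:summaryViewer:Sys.Audit
acl:0:/nodes/dev:@Auditors:summaryViewer
acl:0:/:@Auditors:summaryViewer
"""

def parse(cfg):
    """Return (groups, roles, acls) from user.cfg text."""
    groups, roles, acls = {}, {}, []
    for line in cfg.splitlines():
        f = line.strip().split(":")
        if f[0] == "group":
            groups[f[1]] = set(filter(None, f[2].split(",")))
        elif f[0] == "role":
            roles[f[1]] = set(filter(None, f[2].split(",")))
        elif f[0] == "acl":  # acl:<propagate>:<path>:<users,@groups>:<roles>
            acls.append((f[1] == "1", f[2], f[3].split(","), f[4].split(",")))
    return groups, roles, acls

def privileges(cfg, user, path):
    """Simplified model: union of privileges from ACLs on the exact path
    or on an ancestor path whose propagate flag is 1."""
    groups, roles, acls = parse(cfg)
    privs = set()
    for propagate, acl_path, subjects, role_names in acls:
        exact = acl_path == path
        ancestor = path.startswith(acl_path.rstrip("/") + "/")
        if not (exact or (propagate and ancestor)):
            continue
        for s in subjects:
            if s == user or (s.startswith("@") and user in groups.get(s[1:], ())):
                for r in role_names:
                    privs |= roles.get(r, set())
    return privs

def summary_access(cfg, user, node):
    """Sys.Audit on "/" and "/nodes/<node>", as the thread says is required."""
    return {"datacenter": "Sys.Audit" in privileges(cfg, user, "/"),
            "node": "Sys.Audit" in privileges(cfg, user, f"/nodes/{node}")}
```

Because both added ACL lines use propagate 0, `privileges(FIX_CFG, "test-user@pve", "/nodes/other")` stays empty, so the group gains nothing on other nodes or on objects below "/".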
Thanks. Now it's working.
One more question. Is there any variable, like $hostname, instead of the name of my node?
Rich (BB code):
Before
acl:0:/nodes/dev:@Auditors:summaryViewer # Node summary

After
acl:0:/nodes/$hostname:@Auditors:summaryViewer # Node summary
 
> Is there any variable, like $hostname, instead of the name of my node?

I don't think so.