Is there a reason why the VM.Audit permission allows a user to see the Subscription that applies to a node, including the subscription key, and various other things that a non-admin user should not see?
All I want to do is to create a Role that is suitable for a user who is a customer who has a VM running on one of our Nodes. Specifically, I want them to be able to backup/restore, manage power and access the console for their VM, but nothing else.
There is a predefined Role of PVEVMUser, with permissions of VM.Audit VM.Console VMPowerMgmt VM.Backup and VM.Config.CDROM. Or I can create one that is similar, but excludes VM.Config.CDROM which I don't want. Either option works fine. I can create an @pve user, and in the Permissions section in the GUI for their VM, I can add that user with Role PVEVMUser. No problem. Simple and fast.
But both the pre-defined role or the role I create allows the user to see Node Subscription details in full, including the Subscription key itself. Not only that, but because pve users are Cluster-wide, they can see the Subscription details and key for all nodes, not just the one their VM is running on.
This appears to be because of the VM.Audit permission as far as I can tell. I am not actually clear why VM.Audit is required in order to allow Console/Backup/Power Management, but it seems to be the case. Without that permission, the user can see and do nothing at all other than the existence of nodes in the cluster.
Is showing subscription details like this intended, or it is a bug?
Either way, is there a way to prevent it? I am aware of aclmod but have failed to understand how could be used to block access to the Subscription details for all nodes.
All I want to do is to create a Role that is suitable for a user who is a customer who has a VM running on one of our Nodes. Specifically, I want them to be able to backup/restore, manage power and access the console for their VM, but nothing else.
There is a predefined Role of PVEVMUser, with permissions of VM.Audit VM.Console VMPowerMgmt VM.Backup and VM.Config.CDROM. Or I can create one that is similar, but excludes VM.Config.CDROM which I don't want. Either option works fine. I can create an @pve user, and in the Permissions section in the GUI for their VM, I can add that user with Role PVEVMUser. No problem. Simple and fast.
But both the pre-defined role or the role I create allows the user to see Node Subscription details in full, including the Subscription key itself. Not only that, but because pve users are Cluster-wide, they can see the Subscription details and key for all nodes, not just the one their VM is running on.
This appears to be because of the VM.Audit permission as far as I can tell. I am not actually clear why VM.Audit is required in order to allow Console/Backup/Power Management, but it seems to be the case. Without that permission, the user can see and do nothing at all other than the existence of nodes in the cluster.
Is showing subscription details like this intended, or it is a bug?
Either way, is there a way to prevent it? I am aware of aclmod but have failed to understand how could be used to block access to the Subscription details for all nodes.
