I have a question about HA permissions during VM creation when using the WebUI 'Create VM' wizard.
A bit of background.
1. openid realm - OPR
2. groups associated with the realm
- OpenIDRealmAdmins
- OpenIDRealmOperators
root@pve01:~# pveversion
pve-manager/9.1.6/71482d1833ded40a (running kernel: 6.17.13-2-pve)
If I log in to the WebUI as a user that is a member of the OpenIDRealmOperators, and click 'DataCenter' under the 'Server View', I don't see the HA menu. This is expected, as the user doesn't have permissions.
When I create a VM as that user, I can check the 'Add to HA' checkbox. Once the wizard has completed, the VM will show as enabled under HA.
In the permissions section of the WebUI I see the following permissions for the OpenIDRealmOperators group
| Path | User/Group/API Token | Role | Propagate |
|---|---|---|---|
| / | @OpenIDRealmOperators-OPR | PVEPoolUser | true |
| / | @OpenIDRealmOperators-OPR | PVEVMAdmin | true |
| /pool/operators | @OpenIDRealmOperators-OPR | PVETemplateUser | true |
| /pool/operators | @OpenIDRealmOperators-OPR | PVEPoolAdmin | true |
| /pool/operators | @OpenIDRealmOperators-OPR | PVEVMAdmin | true |
| /sdn/zones/operators | @OpenIDRealmOperators-OPR | PVESDNUser | true |
| /storage/operators-high | @OpenIDRealmOperators-OPR | PVEDatastoreUser | true |
| /storage/operators-medium | @OpenIDRealmOperators-OPR | PVEDatastoreUser | true |
| /storage/esximport | @OpenIDRealmOperators-OPR | PVEDatastoreAdmin | true |
| /storage/nfsdata | @OpenIDRealmOperators-OPR | PVEDatastoreAdmin | true |
My understanding is that you need the 'Sys.Console' permission at the root of the tree to manipulate HA?
If I check the user permissions via the CLI
root@pve01:~# pveum user permissions test-account@domain.com@OPR --output-format json-pretty | grep -i 'sys\.'
root@pve01:~#
1. Is this a bug?
2. Am I not understanding the permissions structure correctly?
3. Is this by design? i.e. a VM can be added to HA at creation by a user without permission, but not further manipulated if they don't have the permissions?
Thanks,
Mike
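The CLI check in the post, reworked as an added example (this is not code from the post or from Proxmox): it models how ACL rows, roles and the propagate flag combine on a path, feeds in the ACL table shown above, and answers the same question the `grep -i 'sys\.'` did, whether the operators group ever ends up with `Sys.Console` on `/`. Everything below is constructed: the role-to-privilege map is a trimmed copy of the built-in roles (the authoritative list is `pveum role list`), the resolution rule is a simplification (rows at a more specific path replace the roles inherited from a parent; `NoAccess` clears everything), and the group is used directly as the subject instead of expanding the user's group membership.

```python
"""Resolve the privileges a Proxmox VE ACL grants a subject on a path.

Added example (not code from the post or from Proxmox): a minimal model of
how ACL rows, roles and the propagate flag combine, fed with the ACL table
from the post, to check whether the operators group ever holds Sys.Console
on '/'.
"""
import json
import posixpath

# Constructed input: the rows from the post's permissions table,
# as (path, subject, role, propagate).
ACL = [
    ("/", "@OpenIDRealmOperators-OPR", "PVEPoolUser", True),
    ("/", "@OpenIDRealmOperators-OPR", "PVEVMAdmin", True),
    ("/pool/operators", "@OpenIDRealmOperators-OPR", "PVETemplateUser", True),
    ("/pool/operators", "@OpenIDRealmOperators-OPR", "PVEPoolAdmin", True),
    ("/pool/operators", "@OpenIDRealmOperators-OPR", "PVEVMAdmin", True),
    ("/sdn/zones/operators", "@OpenIDRealmOperators-OPR", "PVESDNUser", True),
    ("/storage/operators-high", "@OpenIDRealmOperators-OPR", "PVEDatastoreUser", True),
    ("/storage/operators-medium", "@OpenIDRealmOperators-OPR", "PVEDatastoreUser", True),
    ("/storage/esximport", "@OpenIDRealmOperators-OPR", "PVEDatastoreAdmin", True),
    ("/storage/nfsdata", "@OpenIDRealmOperators-OPR", "PVEDatastoreAdmin", True),
]

# Constructed, abbreviated role -> privilege map. Assumption: a trimmed copy
# of the built-in roles; the authoritative list on a cluster is
# `pveum role list --output-format json`.
ROLES = {
    "PVEPoolUser": {"Pool.Audit"},
    "PVEPoolAdmin": {"Pool.Allocate", "Pool.Audit"},
    "PVETemplateUser": {"VM.Audit", "VM.Clone"},
    "PVEVMAdmin": {"VM.Allocate", "VM.Audit", "VM.Clone", "VM.Config.Disk",
                   "VM.Console", "VM.PowerMgmt", "VM.Snapshot"},
    "PVESDNUser": {"SDN.Audit", "SDN.Use"},
    "PVEDatastoreUser": {"Datastore.AllocateSpace", "Datastore.Audit"},
    "PVEDatastoreAdmin": {"Datastore.Allocate", "Datastore.AllocateSpace",
                          "Datastore.AllocateTemplate", "Datastore.Audit"},
    "PVESysAdmin": {"Sys.Audit", "Sys.Console", "Sys.Syslog"},
}


def ancestors(path):
    """Yield '/' and every path prefix down to and including `path`."""
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    yield "/"
    cur = ""
    for p in parts:
        cur += "/" + p
        yield cur


def effective_privs(acl, roles, subject, path):
    """Privileges `subject` holds on `path`.

    Walk from '/' down to `path`; a row applies at a node when it is set on
    that exact node, or on an ancestor with propagate=True. Assumption (a
    simplification of PVE's resolution): rows at a more specific path replace
    the roles inherited from a parent, and NoAccess clears everything.
    """
    active = set()
    for node in ancestors(path):
        here = {r for (p, s, r, prop) in acl
                if p == node and s == subject and (prop or node == path)}
        if here:
            active = here
    if "NoAccess" in active:
        return set()
    privs = set()
    for role in active:
        privs |= roles.get(role, set())
    return privs


def sys_privs_at(acl, roles, subject, path):
    """Structured equivalent of `pveum user permissions ... | grep -i sys`."""
    return sorted(p for p in effective_privs(acl, roles, subject, path)
                  if p.startswith("Sys."))


def permission_report(acl, roles, subject, paths):
    """Shape of `pveum user permissions --output-format json`: path -> {priv: 1}."""
    return {path: {p: 1 for p in sorted(effective_privs(acl, roles, subject, path))}
            for path in paths}


def can_manage_ha(acl, roles, subject):
    """The check the post describes: Sys.Console on the root path."""
    return "Sys.Console" in effective_privs(acl, roles, subject, "/")


if __name__ == "__main__":
    subject = "@OpenIDRealmOperators-OPR"
    paths = ["/", "/pool/operators", "/storage/nfsdata", "/vms/100"]
    print(json.dumps(permission_report(ACL, ROLES, subject, paths), indent=2))
    print("Sys.* on /:", sys_privs_at(ACL, ROLES, subject, "/"))
    print("can manage HA:", can_manage_ha(ACL, ROLES, subject))
```

Run as-is, the report for `/` contains only the `Pool.*` and `VM.*` privileges of the two roles granted at the root, `sys_privs_at` returns an empty list for every path, and `can_manage_ha` is `False`; swapping in a row that grants `PVESysAdmin` on `/` flips it to `True`. That matches what the `grep` in the post showed, so if the wizard still lands the VM in HA, the gap is in what the wizard's HA step checks, not in the ACL tree.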