Which priviledge is needed for disconnect a network interface?

[ednt]

Hi,

I want to give a user the right to disconnect a network interface for simulation purposes.

I tried: VM.Config.Network, Sys.Modify, SDN.Use
without success.
Also the role PVEVMAdmin is not allowed to do this.

With VM.Config.Network I can edit the network card, but I can not choose a bridge and so, the Apply Button is 'greyed out'
No chance to disconnect.

Any hint, which priviledge is required?

This should be able with 'lower' rights.

Btw,: PVE 9.1.5 and up to date.

 

[mkoeppl]

Hi!

You should be able to connect/disconnect with VM.Config.Network and the SDN.Use permission (on any used bridge or vnet). Have you tried these together? PVEVMAdmin is not allowed to do this because it lacks the necessary SDN permissions.

 

[ednt]

I combined all 3 mentioned flags in one additional role.
The button in the edit Network-card is not clickable.

The user can still not disconnect the network.

And If I don't use SDN?

 

[mkoeppl]

Could you please post the output of cat /etc/pve/user.cfg and the config of the VM you're trying to edit?

And If I don't use SDN?

When you edit the network config, you're basically updating the VM's config. The update function for the VM config also always checks for bridge access. If you don't use SDN, 'localnetwork' is used for this permission check (as in, do you have permission SDN.Use for e.g. /sdn/zones/localnetwork/vmbr0). So you need to have the permission SDN.Use on the used bridge or VNet.

 

[ednt]

user.cfg:

userve_backup_snapshot@pve:1:0::::::
tokenve_backup_snapshot@pve!SnapShots:0:1::
user:root@pam:1:0:::xxx@xxxx.xxx:::
user:student_101@pve:1:0::::::
user:student_102@pve:1:0::::::
user:student_103@pve:1:0::::::
user:student_104@pve:1:0::::::
user:student_105@pve:1:0::::::

group:students:student_101@pve,student_102@pve,student_103@pve,student_104@pve,student_105@pve::

pool:Verwaltung::100,101,102,110,111,130,200::
pool:student_101roxMox:101001,101002,101003,101011,101012::
pool:student_102roxMox:102001,102002,102003,102011,102012::
pool:student_103roxMox:103001,103002,103003,103011,103012::
pool:student_104roxMox:104001,104002,104003,104011,104012::
pool:student_105roxMox:105001,105002,105003,105011,105012::

role:Network:SDN.Use,Sys.Modify,VM.Config.Network:

acl:1:/ve_backup_snapshot@pve,pve_backup_snapshot@pve!SnapShots:Administrator:
acl:1:/pool/student_101:student_101@pveVEVMUser:
acl:1:/pool/student_102:student_102@pveVEVMUser:
acl:1:/pool/student_103:student_103@pveVEVMUser:
acl:1:/pool/student_104:student_104@pve:Network,PVEVMUser:
acl:1:/pool/student_105:student_105@pveVEVMUser:
acl:1:/storage/localstudentsVEDatastoreUser:

I used student_104 for the tests


Config:

agent: 1
boot: order=virtio0;ide2;net0
cores: 4
cpu: host
ide2: none,media=cdrom
memory: 8192
meta: creation-qemu=10.1.2,ctime=1770276921
name: s104-pve-1
net0: virtio=BC:24:110:95:9E,bridge=vmbr4,firewall=1,tag=1004
net1: virtio=BC:24:11:90:CF:3D,bridge=vmbr2,firewall=1,tag=1040
net2: virtio=BC:24:11:BF:F7:1B,bridge=vmbr2,firewall=1,tag=1041
net3: virtio=BC:24:11:3D:F3:08,bridge=vmbr2,firewall=1,tag=1042
net4: virtio=BC:24:11:19:23:05,bridge=vmbr2,firewall=1,tag=1043
numa: 0
ostype: l26
scsihw: virtio-scsi-single
smbios1: uuid=e448d1f0-452a-4610-8a3a-6f5ce7250563
sockets: 1
virtio0: local-lvm:vm-104001-disk-0,cache=writeback,iothread=1,size=32G
virtio1: local-lvm:vm-104001-disk-1,cache=writeback,iothread=1,size=64G
virtio2: local-lvm:vm-104001-disk-2,cache=writeback,iothread=1,size=64G
vmgenid: 073ea7b8-29bd-4cd9-a618-160d28fda653

 

[ednt]

Is it a bug or do I something wrong?