Update and extend permission documentation

adapt to recent changes:
- PVESDNUser role, SDN.Use privilege
- Permissions.Modify no longer part of PVESysAdmin and PVEAdmin
- PVE reserved prefix for builtin roles

and add some notes and warnings about dangerous aspects of permission
management, and missing parts.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2023-06-14 13:08:30 +02:00 committed by Thomas Lamprecht
parent 85d0c3bf62
commit 3c67d55903


@ -766,16 +766,20 @@ of predefined roles, which satisfy most requirements.
* `Administrator`: has full privileges * `Administrator`: has full privileges
* `NoAccess`: has no privileges (used to forbid access) * `NoAccess`: has no privileges (used to forbid access)
* `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) * `PVEAdmin`: can do most tasks, but has no rights to modify system settings
(`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) or permissions
(`Permissions.Modify`)
* `PVEAuditor`: has read only access * `PVEAuditor`: has read only access
* `PVEDatastoreAdmin`: create and allocate backup space and templates * `PVEDatastoreAdmin`: create and allocate backup space and templates
* `PVEDatastoreUser`: allocate backup space and view storage * `PVEDatastoreUser`: allocate backup space and view storage
* `PVEPoolAdmin`: allocate pools * `PVEPoolAdmin`: allocate pools
* `PVESysAdmin`: User ACLs, audit, system console and system logs * `PVESysAdmin`: audit, system console and system logs
* `PVETemplateUser`: view and clone templates * `PVETemplateUser`: view and clone templates
* `PVEUserAdmin`: manage users * `PVEUserAdmin`: manage users
* `PVEVMAdmin`: fully administer VMs * `PVEVMAdmin`: fully administer VMs
* `PVEVMUser`: view, backup, configure CD-ROM, VM console, VM power management * `PVEVMUser`: view, backup, configure CD-ROM, VM console, VM power management
* `PVESDNAdmin`: manage SDN configuration
* `PVESDNUser`: access to bridges/vnets
You can see the whole set of predefined roles in the GUI. You can see the whole set of predefined roles in the GUI.
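Review bot: the two new role entries `PVESDNAdmin` and `PVESDNUser` are appended after `PVEVMUser`, which breaks the alphabetical order the rest of this list keeps; they belong between `PVEPoolAdmin` and `PVESysAdmin`. Consider also naming the privilege behind `PVESDNUser`, as the updated `PVEAdmin` entry does for its exclusions, e.g. `* PVESDNUser: access to bridges/vnets (SDN.Use)`, so the reader can map the role to the `SDN.Use` privilege introduced later in this patch.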
@ -790,10 +794,12 @@ To add a role through the command line, you can use the 'pveum' CLI tool, for
example: example:
[source,bash] [source,bash]
---- ----
pveum role add PVE_Power-only --privs "VM.PowerMgmt VM.Console" pveum role add VM_Power-only --privs "VM.PowerMgmt VM.Console"
pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console" pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console"
---- ----
NOTE: Roles starting with `PVE` are always builtin, custom roles are not
allowed use this reserved prefix.
Privileges Privileges
~~~~~~~~~~ ~~~~~~~~~~
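Review bot: the new NOTE is missing a word: "custom roles are not allowed use this reserved prefix" should read "custom roles are not allowed to use this reserved prefix" (and "builtin" is more commonly written "built-in"). It would also help to tie the NOTE to the example above it: the rename from `PVE_Power-only` to `VM_Power-only` is exactly a consequence of the rule the NOTE states, and saying so makes it clear the old example name was not valid for a custom role.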
@ -820,6 +826,8 @@ Node / System related privileges::
* `Realm.Allocate`: create/modify/remove authentication realms * `Realm.Allocate`: create/modify/remove authentication realms
* `Realm.AllocateUser`: assign user to a realm * `Realm.AllocateUser`: assign user to a realm
* `User.Modify`: create/modify/remove user access and details. * `User.Modify`: create/modify/remove user access and details.
* `SDN.Allocate`: manage SDN configuration
* `SDN.Audit`: view SDN configuration
Virtual machine related privileges:: Virtual machine related privileges::
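Review bot: `SDN.Allocate`: manage SDN configuration uses looser wording than the neighbouring `*.Allocate` entries, which spell out the operations (`Realm.Allocate`: create/modify/remove authentication realms). Suggest `* SDN.Allocate: create/modify/remove SDN configuration` so the verbs line up and it is explicit that the privilege covers deletion, which is the part an auditor cares about.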
@ -840,6 +848,7 @@ Virtual machine related privileges::
* `VM.Config.Options`: modify any other VM configuration * `VM.Config.Options`: modify any other VM configuration
* `VM.Config.Cloudinit`: modify Cloud-init parameters * `VM.Config.Cloudinit`: modify Cloud-init parameters
* `VM.Snapshot`: create/delete VM snapshots * `VM.Snapshot`: create/delete VM snapshots
* `SDN.Use`: access SDN vnets and local network bridges
Storage related privileges:: Storage related privileges::
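Review bot: `SDN.Use` is the only SDN privilege listed under "Virtual machine related privileges" while `SDN.Allocate` and `SDN.Audit` sit in the node/system list, so a reader scanning for SDN privileges will miss it. Either add a one-line cross-reference from the node/system list, or make the description say why it lives here, for example that it is the privilege checked when a guest network device is attached to a vnet or bridge, if that is the intended meaning of "access".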
@ -848,6 +857,12 @@ Storage related privileges::
* `Datastore.AllocateTemplate`: allocate/upload templates and ISO images * `Datastore.AllocateTemplate`: allocate/upload templates and ISO images
* `Datastore.Audit`: view/browse a datastore * `Datastore.Audit`: view/browse a datastore
WARNING: Both `Permissions.Modify` and `Sys.Modify` should be handled with
care, as they allow modifying aspects of the system and its configuration that
are dangerous or sensitive.
WARNING: Carefully read the section about inheritance below to understand how
assigned roles (and their privileges) are propagated along the ACL tree.
Objects and Paths Objects and Paths
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
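Review bot: both WARNING blocks are appended to the end of the storage privilege list, so they render as if they were storage-specific, yet neither `Permissions.Modify` nor `Sys.Modify` is a storage privilege. Move the first warning next to the node/system list where those two privileges are defined, and the inheritance warning to the top of the Privileges section or into the Roles section, where the reader is deciding what to assign. The inheritance warning also says "below" with no anchor; an xref to the inheritance section would survive later reordering of the document.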
@ -888,6 +903,7 @@ set by default). We use the following inheritance rules:
* Permissions for individual users always replace group permissions. * Permissions for individual users always replace group permissions.
* Permissions for groups apply when the user is member of that group. * Permissions for groups apply when the user is member of that group.
* Permissions on deeper levels replace those inherited from an upper level. * Permissions on deeper levels replace those inherited from an upper level.
* `NoAccess` cancels all other roles on a given path.
Additionally, privilege separated tokens can never have permissions on any Additionally, privilege separated tokens can never have permissions on any
given path that their associated user does not have. given path that their associated user does not have.
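Review bot: the new rule "`NoAccess` cancels all other roles on a given path" does not say how it composes with the three rules above it: whether a `NoAccess` assigned via a group is still replaced by a role assigned directly to the user (rule one), and whether a role assigned on a deeper path re-grants privileges below a `NoAccess` set on an upper level (rule three). Since `NoAccess` is what administrators use to carve exceptions out of broad grants, spell both cases out explicitly, ideally with a two-line path-and-role example.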
@ -956,7 +972,11 @@ depending on the path, the following privileges as a possible substitute:
* `/vms/...`: requires 'VM.Allocate` * `/vms/...`: requires 'VM.Allocate`
* `/pool/...`: requires 'Pool.Allocate` * `/pool/...`: requires 'Pool.Allocate`
+ +
If the path is empty, `Permission.Modify` on `/access` is required. If the path is empty, `Permissions.Modify` on `/access` is required.
+
If the user does not have the `Permissions.Modify` privilege, they can only
delegate subsets of their own privileges on the given path (e.g., a user with
`PVEVMAdmin` could assign `PVEVMUser`, but not `PVEAdmin`).
Command Line Tool Command Line Tool
----------------- -----------------
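Review bot: the unchanged context lines `/vms/...`: requires 'VM.Allocate` and `/pool/...`: requires 'Pool.Allocate` still mix an opening single quote with a closing backtick, right beside the `Permission.Modify` to `Permissions.Modify` typo this hunk fixes; fix the quoting in the same pass. The new delegation paragraph should also state whether "their own privileges on the given path" means the user's effective privileges there (including ones inherited from upper levels), since that decides what a `PVEVMAdmin` holder may hand out further down the tree.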