From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] Update and extend permission documentation
Date: Wed, 14 Jun 2023 13:08:30 +0200	[thread overview]
Message-ID: <20230614110830.424518-1-f.gruenbichler@proxmox.com> (raw)

adapt to recent changes:
- PVESDNUser role, SDN.Use privilege
- Permissions.Modify no longer part of PVESysAdmin and PVEAdmin
- PVE reserved prefix for builtin roles

and add some notes and warnings about dangerous aspects of permission
management, and missing parts.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 pveum.adoc | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/pveum.adoc b/pveum.adoc
index 342fc06..3f6c997 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -766,16 +766,20 @@ of predefined roles, which satisfy most requirements.
 
 * `Administrator`: has full privileges
 * `NoAccess`: has no privileges (used to forbid access)
-* `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`)
+* `PVEAdmin`: can do most tasks, but has no rights to modify system settings
+  (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) or permissions
+  (`Permissions.Modify`)
 * `PVEAuditor`: has read only access
 * `PVEDatastoreAdmin`: create and allocate backup space and templates
 * `PVEDatastoreUser`: allocate backup space and view storage
 * `PVEPoolAdmin`: allocate pools
-* `PVESysAdmin`: User ACLs, audit, system console and system logs
+* `PVESysAdmin`: audit, system console and system logs
 * `PVETemplateUser`: view and clone templates
 * `PVEUserAdmin`: manage users
 * `PVEVMAdmin`: fully administer VMs
 * `PVEVMUser`: view, backup, configure CD-ROM, VM console, VM power management
+* `PVESDNAdmin`: manage SDN configuration
+* `PVESDNUser`: access to bridges/vnets
 
 You can see the whole set of predefined roles in the GUI.
 
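Review bot: the two new `PVESDNAdmin`/`PVESDNUser` entries are appended after `PVEVMUser`, which breaks the alphabetical order the rest of this list follows (`PVEPoolAdmin`, `PVESysAdmin`, `PVETemplateUser`, ...); move them between `PVEPoolAdmin` and `PVESysAdmin` so a reader scanning for a role finds them where expected. The `PVESDNUser` description "access to bridges/vnets" would also be clearer if it matched the wording used for the new `SDN.Use` privilege later in this patch, e.g. "use SDN vnets and local network bridges".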
@@ -790,10 +794,12 @@ To add a role through the command line, you can use the 'pveum' CLI tool, for
 example:
 [source,bash]
 ----
-pveum role add PVE_Power-only --privs "VM.PowerMgmt VM.Console"
+pveum role add VM_Power-only --privs "VM.PowerMgmt VM.Console"
 pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console"
 ----
 
+NOTE: Roles starting with `PVE` are always builtin, custom roles are not
+allowed use this reserved prefix.
 
 Privileges
 ~~~~~~~~~~
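Review bot: the added NOTE has a grammar slip, "custom roles are not allowed use this reserved prefix" should read "custom roles are not allowed to use this reserved prefix"; the two clauses are also joined by a comma splice, so something like `NOTE: Roles starting with `PVE` are always built-in; custom roles are not allowed to use this reserved prefix.` reads better. Renaming the example from `PVE_Power-only` to `VM_Power-only` is the right companion change, since the old name would violate the rule the note states.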
@@ -820,6 +826,8 @@ Node / System related privileges::
 * `Realm.Allocate`: create/modify/remove authentication realms
 * `Realm.AllocateUser`: assign user to a realm
 * `User.Modify`: create/modify/remove user access and details.
+* `SDN.Allocate`: manage SDN configuration
+* `SDN.Audit`: view SDN configuration
 
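Review bot: `SDN.Allocate` and `SDN.Audit` are appended after `User.Modify`, while the surrounding entries are sorted by name (`Realm.Allocate`, `Realm.AllocateUser`, `User.Modify`); insert them before `User.Modify` to keep the list sorted. While touching these lines, the trailing period on `User.Modify` is the only one in the visible part of the list, so either drop it or add one to the new entries for consistency.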
 Virtual machine related privileges::
 
@@ -840,6 +848,7 @@ Virtual machine related privileges::
 * `VM.Config.Options`: modify any other VM configuration
 * `VM.Config.Cloudinit`: modify Cloud-init parameters
 * `VM.Snapshot`: create/delete VM snapshots
+* `SDN.Use`: access SDN vnets and local network bridges
 
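Review bot: `SDN.Use` lands under "Virtual machine related privileges" while its siblings `SDN.Allocate` and `SDN.Audit` are in the node/system group two hunks earlier, and the description "access SDN vnets and local network bridges" does not say on which ACL path the privilege is evaluated. A short clause stating the path it is checked against (and why it is grouped with the VM privileges) would save administrators from assigning it in the wrong place and wondering why it has no effect.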
 Storage related privileges::
 
@@ -848,6 +857,12 @@ Storage related privileges::
 * `Datastore.AllocateTemplate`: allocate/upload templates and ISO images
 * `Datastore.Audit`: view/browse a datastore
 
+WARNING: Both `Permissions.Modify` and `Sys.Modify` should be handled with
+care, as they allow modifying aspects of the system and its configuration that
+are dangerous or sensitive.
+
+WARNING: Carefully read the section about inheritance below to understand how
+assigned roles (and their privileges) are propagated along the ACL tree.
 
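Review bot: the first WARNING says `Permissions.Modify` and `Sys.Modify` are "dangerous or sensitive" without saying why, which gives an administrator no way to judge the actual risk; a later hunk in this patch explains that a user without `Permissions.Modify` can only delegate subsets of their own privileges, so stating here that `Permissions.Modify` lifts exactly that restriction (its holder can assign roles they do not hold themselves, such as `PVEAdmin`) would make the warning actionable, and a matching one-line reason for `Sys.Modify` would help. Both WARNING blocks also sit at the end of the storage privileges list, where a reader looking up `Permissions.Modify` in the node/system group will not see them; consider placing them next to the privilege definitions they concern or at the top of the privileges section.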
 Objects and Paths
 ~~~~~~~~~~~~~~~~~
@@ -888,6 +903,7 @@ set by default). We use the following inheritance rules:
 * Permissions for individual users always replace group permissions.
 * Permissions for groups apply when the user is member of that group.
 * Permissions on deeper levels replace those inherited from an upper level.
+* `NoAccess` cancels all other roles on a given path.
 
 Additionally, privilege separated tokens can never have permissions on any
 given path that their associated user does not have.
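Review bot: the new bullet "`NoAccess` cancels all other roles on a given path" does not say how it composes with the three rules above it: whether a `NoAccess` assigned at an upper level is itself replaced by a role assigned on a deeper path (rule 3), and whether a group's `NoAccess` is overridden by an individual user's role on the same path (rule 1). Since `NoAccess` is the documented way to forbid access, the precedence should be spelled out explicitly, e.g. "`NoAccess` on a path cancels all other roles assigned on that same path; the rules above still decide what applies on deeper paths", or whichever of these is the actual behaviour.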
@@ -956,7 +972,11 @@ depending on the path, the following privileges as a possible substitute:
 * `/vms/...`: requires 'VM.Allocate`
 * `/pool/...`: requires 'Pool.Allocate`
 +
-If the path is empty, `Permission.Modify` on `/access` is required.
+If the path is empty, `Permissions.Modify` on `/access` is required.
++
+If the user does not have the `Permissions.Modify` privilege, they can only
+delegate subsets of their own privileges on the given path (e.g., a user with
+`PVEVMAdmin` could assign `PVEVMUser`, but not `PVEAdmin`).
 
 Command Line Tool
 -----------------
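Review bot: the correction of `Permission.Modify` to `Permissions.Modify` is right, and the new paragraph is the key security statement of this patch; since this hunk already touches the list, also fix the mismatched quoting in the unchanged context lines `* `/vms/...`: requires 'VM.Allocate`` and `* `/pool/...`: requires 'Pool.Allocate``, where an opening `'` is closed with a backtick and will render as literal characters in AsciiDoc. In the added text, "delegate subsets of their own privileges on the given path" could state explicitly that the comparison is against the privileges the user effectively holds on that path after inheritance, since that is what decides whether an ACL assignment is accepted.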
-- 
2.39.2
Thread overview: 2+ messages
2023-06-14 11:08 Fabian Grünbichler [this message]
2023-06-14 11:43 ` [pve-devel] applied: " Thomas Lamprecht