From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id D8A06B17C for ; Wed, 6 Apr 2022 13:58:13 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8B3612A792 for ; Wed, 6 Apr 2022 13:58:13 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 187A62A5D3 for ; Wed, 6 Apr 2022 13:58:07 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D88F5458F0 for ; Wed, 6 Apr 2022 13:58:06 +0200 (CEST) From: Oguz Bektas To: pve-devel@lists.proxmox.com Date: Wed, 6 Apr 2022 13:57:34 +0200 Message-Id: <20220406115734.898714-18-o.bektas@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220406115734.898714-1-o.bektas@proxmox.com> References: <20220406115734.898714-1-o.bektas@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.527 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH v3 docs 17/17] pveum: add SU privilege and SA role X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Apr 2022 11:58:13 -0000 Signed-off-by: Oguz Bektas --- v2->v3: * separate SU and SA from the general privileges list (since they're not categorized easily) * put actual notes inside and warn about potential danger and limitations regarding the privilege/role pveum.adoc | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pveum.adoc b/pveum.adoc index a5c8906..60c357d 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -684,7 +684,11 @@ Roles A role is simply a list of privileges. Proxmox VE comes with a number of predefined roles, which satisfy most requirements. -* `Administrator`: has full privileges +* `SuperAdministrator`: has full privileges including `SuperUser` + +NOTE: `SuperAdministrator` role is equivalent to 'root@pam', be careful when giving it to a user! + +* `Administrator`: has all privileges except `SuperUser` * `NoAccess`: has no privileges (used to forbid access) * `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) * `PVEAuditor`: has read only access @@ -725,6 +729,12 @@ assigned to users and paths without being part of a role. We currently support the following privileges: +* `SuperUser`: modify root-only configuration options (dangerous! don't give this privilege to untrusted users) + +NOTE: the `SuperUser` privilege alone is not enough to provide root-equivalent access to a user. + +NOTE: certain actions on users with this privilege are restricted, such as modifying password or 2FA settings. + Node / System related privileges:: * `Permissions.Modify`: modify access permissions -- 2.30.2