From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH docs] Update and extend permission documentation
Date: Wed, 14 Jun 2023 13:08:30 +0200 [thread overview]
Message-ID: <20230614110830.424518-1-f.gruenbichler@proxmox.com> (raw)
adapt to recent changes:
- PVESDNUser role, SDN.Use privilege
- Permissions.Modify no longer part of PVESysAdmin and PVEAdmin
- PVE reserved prefix for builtin roles
and add some notes and warnings about dangerous aspects of permission
management, and missing parts.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
pveum.adoc | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/pveum.adoc b/pveum.adoc
index 342fc06..3f6c997 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -766,16 +766,20 @@ of predefined roles, which satisfy most requirements.
* `Administrator`: has full privileges
* `NoAccess`: has no privileges (used to forbid access)
-* `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`)
+* `PVEAdmin`: can do most tasks, but has no rights to modify system settings
+ (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) or permissions
+ (`Permissions.Modify`)
* `PVEAuditor`: has read only access
* `PVEDatastoreAdmin`: create and allocate backup space and templates
* `PVEDatastoreUser`: allocate backup space and view storage
* `PVEPoolAdmin`: allocate pools
-* `PVESysAdmin`: User ACLs, audit, system console and system logs
+* `PVESysAdmin`: audit, system console and system logs
* `PVETemplateUser`: view and clone templates
* `PVEUserAdmin`: manage users
* `PVEVMAdmin`: fully administer VMs
* `PVEVMUser`: view, backup, configure CD-ROM, VM console, VM power management
+* `PVESDNAdmin`: manage SDN configuration
+* `PVESDNUser`: access to bridges/vnets
You can see the whole set of predefined roles in the GUI.
@@ -790,10 +794,12 @@ To add a role through the command line, you can use the 'pveum' CLI tool, for
example:
[source,bash]
----
-pveum role add PVE_Power-only --privs "VM.PowerMgmt VM.Console"
+pveum role add VM_Power-only --privs "VM.PowerMgmt VM.Console"
pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console"
----
+NOTE: Roles starting with `PVE` are always builtin, custom roles are not
+allowed use this reserved prefix.
Privileges
~~~~~~~~~~
@@ -820,6 +826,8 @@ Node / System related privileges::
* `Realm.Allocate`: create/modify/remove authentication realms
* `Realm.AllocateUser`: assign user to a realm
* `User.Modify`: create/modify/remove user access and details.
+* `SDN.Allocate`: manage SDN configuration
+* `SDN.Audit`: view SDN configuration
Virtual machine related privileges::
@@ -840,6 +848,7 @@ Virtual machine related privileges::
* `VM.Config.Options`: modify any other VM configuration
* `VM.Config.Cloudinit`: modify Cloud-init parameters
* `VM.Snapshot`: create/delete VM snapshots
+* `SDN.Use`: access SDN vnets and local network bridges
Storage related privileges::
@@ -848,6 +857,12 @@ Storage related privileges::
* `Datastore.AllocateTemplate`: allocate/upload templates and ISO images
* `Datastore.Audit`: view/browse a datastore
+WARNING: Both `Permissions.Modify` and `Sys.Modify` should be handled with
+care, as they allow modifying aspects of the system and its configuration that
+are dangerous or sensitive.
+
+WARNING: Carefully read the section about inheritance below to understand how
+assigned roles (and their privileges) are propagated along the ACL tree.
Objects and Paths
~~~~~~~~~~~~~~~~~
@@ -888,6 +903,7 @@ set by default). We use the following inheritance rules:
* Permissions for individual users always replace group permissions.
* Permissions for groups apply when the user is member of that group.
* Permissions on deeper levels replace those inherited from an upper level.
+* `NoAccess` cancels all other roles on a given path.
Additionally, privilege separated tokens can never have permissions on any
given path that their associated user does not have.
@@ -956,7 +972,11 @@ depending on the path, the following privileges as a possible substitute:
* `/vms/...`: requires 'VM.Allocate`
* `/pool/...`: requires 'Pool.Allocate`
+
-If the path is empty, `Permission.Modify` on `/access` is required.
+If the path is empty, `Permissions.Modify` on `/access` is required.
++
+If the user does not have the `Permissions.Modify` privilege, they can only
+delegate subsets of their own privileges on the given path (e.g., a user with
+`PVEVMAdmin` could assign `PVEVMUser`, but not `PVEAdmin`).
Command Line Tool
-----------------
--
2.39.2
next reply other threads:[~2023-06-14 11:08 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-14 11:08 Fabian Grünbichler [this message]
2023-06-14 11:43 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230614110830.424518-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox