From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 57EBBA1351 for ; Wed, 14 Jun 2023 13:08:37 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3BC901B126 for ; Wed, 14 Jun 2023 13:08:37 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 14 Jun 2023 13:08:36 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D558E45543 for ; Wed, 14 Jun 2023 13:08:35 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pve-devel@lists.proxmox.com Date: Wed, 14 Jun 2023 13:08:30 +0200 Message-Id: <20230614110830.424518-1-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.072 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH docs] Update and extend permission documentation X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jun 2023 11:08:37 -0000 adapt to recent changes: - PVESDNUser role, SDN.Use privilege - Permissions.Modify no longer part of PVESysAdmin and PVEAdmin - PVE reserved prefix for builtin roles and add some notes and warnings about dangerous aspects of permission management, and missing parts. Signed-off-by: Fabian Grünbichler --- pveum.adoc | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/pveum.adoc b/pveum.adoc index 342fc06..3f6c997 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -766,16 +766,20 @@ of predefined roles, which satisfy most requirements. * `Administrator`: has full privileges * `NoAccess`: has no privileges (used to forbid access) -* `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) +* `PVEAdmin`: can do most tasks, but has no rights to modify system settings + (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`) or permissions + (`Permissions.Modify`) * `PVEAuditor`: has read only access * `PVEDatastoreAdmin`: create and allocate backup space and templates * `PVEDatastoreUser`: allocate backup space and view storage * `PVEPoolAdmin`: allocate pools -* `PVESysAdmin`: User ACLs, audit, system console and system logs +* `PVESysAdmin`: audit, system console and system logs * `PVETemplateUser`: view and clone templates * `PVEUserAdmin`: manage users * `PVEVMAdmin`: fully administer VMs * `PVEVMUser`: view, backup, configure CD-ROM, VM console, VM power management +* `PVESDNAdmin`: manage SDN configuration +* `PVESDNUser`: access to bridges/vnets You can see the whole set of predefined roles in the GUI. @@ -790,10 +794,12 @@ To add a role through the command line, you can use the 'pveum' CLI tool, for example: [source,bash] ---- -pveum role add PVE_Power-only --privs "VM.PowerMgmt VM.Console" +pveum role add VM_Power-only --privs "VM.PowerMgmt VM.Console" pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console" ---- +NOTE: Roles starting with `PVE` are always builtin, custom roles are not +allowed use this reserved prefix. Privileges ~~~~~~~~~~ @@ -820,6 +826,8 @@ Node / System related privileges:: * `Realm.Allocate`: create/modify/remove authentication realms * `Realm.AllocateUser`: assign user to a realm * `User.Modify`: create/modify/remove user access and details. +* `SDN.Allocate`: manage SDN configuration +* `SDN.Audit`: view SDN configuration Virtual machine related privileges:: @@ -840,6 +848,7 @@ Virtual machine related privileges:: * `VM.Config.Options`: modify any other VM configuration * `VM.Config.Cloudinit`: modify Cloud-init parameters * `VM.Snapshot`: create/delete VM snapshots +* `SDN.Use`: access SDN vnets and local network bridges Storage related privileges:: @@ -848,6 +857,12 @@ Storage related privileges:: * `Datastore.AllocateTemplate`: allocate/upload templates and ISO images * `Datastore.Audit`: view/browse a datastore +WARNING: Both `Permissions.Modify` and `Sys.Modify` should be handled with +care, as they allow modifying aspects of the system and its configuration that +are dangerous or sensitive. + +WARNING: Carefully read the section about inheritance below to understand how +assigned roles (and their privileges) are propagated along the ACL tree. Objects and Paths ~~~~~~~~~~~~~~~~~ @@ -888,6 +903,7 @@ set by default). We use the following inheritance rules: * Permissions for individual users always replace group permissions. * Permissions for groups apply when the user is member of that group. * Permissions on deeper levels replace those inherited from an upper level. +* `NoAccess` cancels all other roles on a given path. Additionally, privilege separated tokens can never have permissions on any given path that their associated user does not have. @@ -956,7 +972,11 @@ depending on the path, the following privileges as a possible substitute: * `/vms/...`: requires 'VM.Allocate` * `/pool/...`: requires 'Pool.Allocate` + -If the path is empty, `Permission.Modify` on `/access` is required. +If the path is empty, `Permissions.Modify` on `/access` is required. ++ +If the user does not have the `Permissions.Modify` privilege, they can only +delegate subsets of their own privileges on the given path (e.g., a user with +`PVEVMAdmin` could assign `PVEVMUser`, but not `PVEAdmin`). Command Line Tool ----------------- -- 2.39.2