From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Pavel Tide <Pavel.TIde@veeam.com>,
	Fiona Ebner <f.ebner@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] Bug 2582 roadmap
Date: Fri, 25 Oct 2024 08:21:40 +0200
Message-ID: <49119c69-221c-4503-b9a2-09c2016be13b@proxmox.com>
In-Reply-To: <IA0PR14MB676740F40B90FBABA72410E3936C2@IA0PR14MB6767.namprd14.prod.outlook.com>

Hello,

On 20/09/2024 at 14:32, Pavel Tide wrote:
> 1) Connect via SSH to the PVE node and deploy a helper virtual machine (so that users don't have to do it manually)
> 2) Access the Proxmox VE API to perform other backup-related tasks (those that cannot be done via SSH)
> 
> In item #1 - the new VM deployment involved usage of root/sudo.
> 
> In item #2 - certain tasks that are performed via API also require root/sudo. We have managed to move those to the SSH part of the workflow, so now users can use one non-root account to perform all necessary operations (instead of using root or having to use two separate accounts).
> 
> We think that in future there might be a situation where we might need a superuser level of privileges while accessing the API, and there will be no workaround to move the operation to the SSH part of the workflow. This will result in forcing our joint users to use the 'root' account again, which they hate to do and also deem not a secure practice.

Which situations/API calls would that be? It would be definitely
helpful to get specifics here, as otherwise it's hard to help and also a
bit hard to tell for sure if the Sys.Root privilege feature request
would even help here.
As that privilege would only allow current root-only API calls to be
used by non-root admin accounts, but it would not allow the account to
gain root access on the system just by having that privilege.

In general, I think it would be better to do less, not more, stuff
manually in the long term and rather check out the in-development
external backup provider API [0], as that would allow easier and safer
access to VM and CT data while integrating better with the existing PVE
stack, ideally reducing the potential for fallout on either side.

[0]: https://lore.proxmox.com/pve-devel/20240813132829.117460-1-f.ebner@proxmox.com/

- Thomas


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

