There are 2 special authentication domains name 'pve' and 'pam':
- * pve: stores paswords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
+ * pve: stores passwords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
* pam: use unix 'pam'
VM.Console: console access to VM
VM.Monitor: access to VM monitor (kvm)
VM.Backup: backup/restore VMs
- VM.Copy: Copy/Clone VM or VM template
+ VM.Clone: Clone VM or VM template
VM.Audit: view VM config
VM.Config.XXX: modify VM config
VM.Config.Options: modify any other VM configuration
Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view a pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
role:
- defines a sets of priviledges
+ defines a sets of privileges
predefined roles:
Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, Storage, ...
-We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group priviledges.
+We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group privileges.
There is at most one object permission per user or group
projects / pve-access-control.git / blobdiff