There are 2 special authentication domains name 'pve' and 'pam':
- * pve: stores paswords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
+ * pve: stores passwords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
* pam: use unix 'pam'
VM.PowerMgmt: power management (start, stop, reset, shutdown, ...)
VM.Console: console access to VM
VM.Monitor: access to VM monitor (kvm)
+ VM.Backup: backup/restore VMs
+ VM.Clone: Clone VM or VM template
VM.Audit: view VM config
VM.Config.XXX: modify VM config
VM.Config.Options: modify any other VM configuration
Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view a pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
+ Datastore.AllocateTemplate: allocate/upload templates and iso images
Datastore.Audit: view/browse a datastore
Permissions.Modify: modify access permissions
role:
- defines a sets of priviledges
+ defines a sets of privileges
predefined roles:
ACL and Objects:
================
-An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
-
-Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, Storage, ...
-
-We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group priviledges.
+An access control list (ACL) is a list of permissions attached to an object.
+The list specifies who or what is allowed to access the object and what
+operations are allowed to be performed on the object.
+
+Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory,
+Storage, ...
+
+We can identify our objects by an unique (file system like) path, which also
+defines a tree like hierarchy relation. ACL can be inherited. Permissions are
+inherited if the propagate flag is set on the parent. Child permissions always
+overwrite inherited permissions. User permission takes precedence over all
+group permissions. If multiple group permission apply the resulting role is the
+union of all those group privileges.
There is at most one object permission per user or group
projects / pve-access-control.git / blobdiff