There are 2 special authentication domains name 'pve' and 'pam':
- * pve: stores paswords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
+ * pve: stores passwords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt);
* pam: use unix 'pam'
user_list: list of login names
comment: a more verbose description
+pool:
+
+ pool_name: the name of the pool
+ comment: a more verbose description
+ vm_list: list of VMs associated with the pool
+ storage_list: list of storage IDs associated with the pool
+
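Review bot: the new pool block introduces vm_list and storage_list but never says which privilege governs changing pool membership; with only Pool.Allocate and Pool.Audit defined further down, state whether adding a VM or storage to a pool needs Pool.Allocate on the pool alone or also a right on the object being added (for example VM.Config.Options or Datastore.Allocate), since that decides whether a pool administrator can pull arbitrary VMs into a pool they control. Minor style point: the pool block is wrapped in blank "+" lines while the user_list/comment entries above it are not, so pick one layout for these sections.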
privileges:
defines rights required to execute actions or read
VM.Migrate: migrate VM to alternate server on cluster
VM.PowerMgmt: power management (start, stop, reset, shutdown, ...)
VM.Console: console access to VM
+ VM.Monitor: access to VM monitor (kvm)
+ VM.Backup: backup/restore VMs
+ VM.Clone: Clone VM or VM template
VM.Audit: view VM config
- VM.Modify: modify VM config
+
+ VM.Config.XXX: modify VM config
+
+ VM.Config.Disk: add/modify/delete Disks
+ VM.Config.CDROM: eject/change CDROM
+ VM.Config.CPU: modify CPU settings
+ VM.Config.Memory: modify Memory settings
+ VM.Config.Network: add/modify/delete Network devices
+ VM.Config.HWType: modify emulated HW type
+ VM.Config.Options: modify any other VM configuration
+
+ Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view a pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
+ Datastore.AllocateTemplate: allocate/upload templates and iso images
Datastore.Audit: view/browse a datastore
Permissions.Modify: modify access permissions
VM.Create: create new VM to server inventory
VM.Remove: remove VM from inventory
- VM.MemoryModify: modify memory associated with VM
VM.AddNewDisk: add new disk to VM
VM.AddExistingDisk: add an existing disk to VM
VM.DiskModify: modify disk space for associated VM
VM.UseRawDevice: associate a raw device with VM
VM.PowerOn: power on VM
VM.PowerOff: power off VM
- VM.ConfigureCD: assign a device/image file to VM
VM.CpuModify: modify number of CPUs associated with VM
VM.CpuCyclesModify: modify CPU cycles for VM
VM.NetworkAdd: add network device to VM
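Review bot: the privileges block now carries two overlapping generations of VM rights: the new fine-grained VM.Config.Disk/CDROM/CPU/Memory/Network entries and VM.PowerMgmt sit next to the older VM.AddNewDisk, VM.AddExistingDisk, VM.DiskModify, VM.CpuModify, VM.CpuCyclesModify, VM.NetworkAdd, VM.PowerOn and VM.PowerOff, while only VM.MemoryModify and VM.ConfigureCD were removed. Either drop the remaining legacy entries or mark them as superseded by the VM.Config.* names, otherwise a reader cannot tell which name to grant and may treat the two lists as independent rights. Also, VM.Monitor is described only as "access to VM monitor (kvm)"; say what that access permits relative to the VM.Config.* rights so it is not handed out as if it were a read-only right like VM.Audit.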
role:
- defines a sets of priviledges
+ defines a sets of privileges
predefined roles:
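Review bot: the spelling fix on the role line leaves "defines a sets of privileges" ungrammatical; it should read "defines a set of privileges". The "predefined roles:" heading that follows still has no entries under it in this hunk, so either list the roles or drop the heading until they are documented.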
ACL and Objects:
================
-An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
-
-Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, Storage, ...
-
-We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group priviledges.
+An access control list (ACL) is a list of permissions attached to an object.
+The list specifies who or what is allowed to access the object and what
+operations are allowed to be performed on the object.
+
+Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory,
+Storage, ...
+
+We can identify our objects by an unique (file system like) path, which also
+defines a tree like hierarchy relation. ACL can be inherited. Permissions are
+inherited if the propagate flag is set on the parent. Child permissions always
+overwrite inherited permissions. User permission takes precedence over all
+group permissions. If multiple group permission apply the resulting role is the
+union of all those group privileges.
There is at most one object permission per user or group
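Review bot: the ACL paragraph rewrap also changes "priviledges" to "privileges" in its last line, which is fine but worth calling out in the commit message since the rewrap hides it; while touching the text, fix "an unique" to "a unique" and "If multiple group permission apply" to "If multiple group permissions apply". More importantly, the precedence rules are given as three separate sentences (child overwrites inherited, user beats group, groups are unioned) without saying how they combine: when a user permission is set on a parent with propagate and a group permission is set on the child, it is unclear whether the deeper child entry or the user entry wins. Spell out the evaluation order explicitly, for example "most specific path first; within one path, user before groups; within groups, union", or whichever order the code actually implements, since an administrator relying on the wrong reading may grant more than intended.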