X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pveum.adoc;h=14fff2563f0df0e9dd6b6a71e3b1a8708afec541;hp=9350be9c95900c7f1982f5ce6513ce8b60948a8f;hb=de0983cb5feb38143ada8d2f9fa99d4f7102d497;hpb=404a158e1b79f205df7f5cf1827dde32ef9a8ea2 diff --git a/pveum.adoc b/pveum.adoc index 9350be9..14fff25 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -1,6 +1,7 @@ +[[chapter_user_management]] ifdef::manvolnum[] -PVE(1) -====== +pveum(1) +======== include::attributes.txt[] :pve-toplevel: @@ -19,16 +20,12 @@ include::pveum.1-synopsis.adoc[] DESCRIPTION ----------- endif::manvolnum[] - ifndef::manvolnum[] User Management =============== include::attributes.txt[] -endif::manvolnum[] - -ifdef::wiki[] :pve-toplevel: -endif::wiki[] +endif::manvolnum[] // Copied from pve wiki: Revision as of 16:10, 27 October 2015 @@ -40,12 +37,13 @@ By using the role based user- and permission management for all objects (VMs, storages, nodes, etc.) granular access can be defined. +[[pveum_users]] Users ----- {pve} stores user attributes in `/etc/pve/user.cfg`. Passwords are not stored here, users are instead associated with -<> described below. +<> described below. Therefore a user is internally often identified by its name and realm in the form `@`. @@ -70,6 +68,7 @@ still be changed and system mails will be sent to the email address assigned to this user. +[[pveum_groups]] Groups ~~~~~~ @@ -79,7 +78,7 @@ to groups instead of using individual users. That way you will get a much shorter access control list which is easier to handle. -[[authentication-realms]] +[[pveum_authentication_realms]] Authentication Realms --------------------- @@ -188,6 +187,7 @@ https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation host your own verification server]. +[[pveum_permission_management]] Permission Management --------------------- @@ -203,6 +203,7 @@ role)', with the role containing a set of allowed actions, and the path representing the target of these actions. +[[pveum_roles]] Roles ~~~~~ @@ -294,7 +295,7 @@ We use file system like paths to address these objects. These paths form a natural tree, and permissions of higher levels (shorter path) can optionally be propagated down within this hierarchy. -[[templated-paths]] +[[pveum_templated_paths]] Paths can be templated. When an API call requires permissions on a templated path, the path may contain references to parameters of the API call. These references are specified in curly braces. Some parameters are @@ -309,7 +310,7 @@ Some examples are: * `/vms`: Covers all VMs * `/vms/{vmid}`: Access to specific VMs * `/storage/{storeid}`: Access to a storages -* `/pool/{poolname}`: Access to VMs part of a < +* `/pool/{poolname}`: Access to VMs part of a <> * `/access/groups`: Group administration * `/access/realms/{realmid}`: Administrative access to realms @@ -326,6 +327,7 @@ by default). We use the following inheritance rules: * Permissions replace the ones inherited from an upper level. +[[pveum_pools]] Pools ~~~~~ @@ -348,8 +350,9 @@ tree of logic and access-check functions: Each(`and`) or any(`or`) further element in the current list has to be true. `["perm", , [ ... ], ...]`:: -The `path` is a templated parameter (see <>). All (or , if the `any` option is used, any) of the listed +The `path` is a templated parameter (see +<>). All (or , if the `any` +option is used, any) of the listed privileges must be allowed on the specified path. If a `require-param` option is specified, then its specified parameter is required even if the API call's schema otherwise lists it as being optional. @@ -380,8 +383,9 @@ associated with a realm, since user IDs are passed in the form of `@`. `["perm-modify", ]`:: -The `path` is a templated parameter (see <>). The user needs either the `Permissions.Modify` privilege, or, +The `path` is a templated parameter (see +<>). The user needs either the +`Permissions.Modify` privilege, or, depending on the path, the following privileges as a possible substitute: + * `/storage/...`: additionally requires 'Datastore.Allocate`