mirror of
git://git.proxmox.com/git/pve-docs.git
synced 2025-01-26 10:03:45 +03:00
7d48940bf0
Because our parser is not smart enough to do it better.
546 lines
17 KiB
Plaintext
546 lines
17 KiB
Plaintext
[[chapter_user_management]]
|
|
ifdef::manvolnum[]
|
|
pveum(1)
|
|
========
|
|
include::attributes.txt[]
|
|
:pve-toplevel:
|
|
|
|
NAME
|
|
----
|
|
|
|
pveum - Proxmox VE User Manager
|
|
|
|
|
|
SYNOPSIS
|
|
--------
|
|
|
|
include::pveum.1-synopsis.adoc[]
|
|
|
|
|
|
DESCRIPTION
|
|
-----------
|
|
endif::manvolnum[]
|
|
ifndef::manvolnum[]
|
|
User Management
|
|
===============
|
|
include::attributes.txt[]
|
|
:pve-toplevel:
|
|
endif::manvolnum[]
|
|
|
|
// Copied from pve wiki: Revision as of 16:10, 27 October 2015
|
|
|
|
Proxmox VE supports multiple authentication sources, e.g. Linux PAM,
|
|
an integrated Proxmox VE authentication server, LDAP, Microsoft Active
|
|
Directory.
|
|
|
|
By using the role based user- and permission management for all
|
|
objects (VMs, storages, nodes, etc.) granular access can be defined.
|
|
|
|
|
|
[[pveum_users]]
|
|
Users
|
|
-----
|
|
|
|
{pve} stores user attributes in `/etc/pve/user.cfg`.
|
|
Passwords are not stored here, users are instead associated with
|
|
<<pveum_authentication_realms,authentication realms>> described below.
|
|
Therefore a user is internally often identified by its name and
|
|
realm in the form `<userid>@<realm>`.
|
|
|
|
Each user entry in this file contains the following information:
|
|
|
|
* First name
|
|
* Last name
|
|
* E-mail address
|
|
* Group memberships
|
|
* An optional Expiration date
|
|
* A comment or note about this user
|
|
* Whether this user is enabled or disabled
|
|
* Optional two factor authentication keys
|
|
|
|
|
|
System administrator
|
|
~~~~~~~~~~~~~~~~~~~~
|
|
|
|
The system's root user can always log in via the Linux PAM realm and is an
|
|
unconfined administrator. This user cannot be deleted, but attributes can
|
|
still be changed and system mails will be sent to the email address
|
|
assigned to this user.
|
|
|
|
|
|
[[pveum_groups]]
|
|
Groups
|
|
~~~~~~
|
|
|
|
Each user can be member of several groups. Groups are the preferred
|
|
way to organize access permissions. You should always grant permission
|
|
to groups instead of using individual users. That way you will get a
|
|
much shorter access control list which is easier to handle.
|
|
|
|
|
|
[[pveum_authentication_realms]]
|
|
Authentication Realms
|
|
---------------------
|
|
|
|
As {pve} users are just counterparts for users existing on some external
|
|
realm, the realms have to be configured in `/etc/pve/domains.cfg`.
|
|
The following realms (authentication methods) are available:
|
|
|
|
Linux PAM standard authentication::
|
|
In this case a system user has to exist (eg. created via the `adduser`
|
|
command) on all nodes the user is allowed to login, and the user
|
|
authenticates with their usual system password.
|
|
+
|
|
[source,bash]
|
|
----
|
|
useradd heinz
|
|
passwd heinz
|
|
groupadd watchman
|
|
usermod -a -G watchman heinz
|
|
----
|
|
|
|
Proxmox VE authentication server::
|
|
This is a unix like password store (`/etc/pve/priv/shadow.cfg`).
|
|
Password are encrypted using the SHA-256 hash method.
|
|
This is the most convenient method for for small (or even medium)
|
|
installations where users do not need access to anything outside of
|
|
{pve}. In this case users are fully managed by {pve} and are able to
|
|
change their own passwords via the GUI.
|
|
|
|
LDAP::
|
|
It is possible to authenticate users via an LDAP server (eq.
|
|
openldap). The server and an optional fallback server can be
|
|
configured and the connection can be encrypted via SSL.
|
|
+
|
|
Users are searched under a 'Base Domain Name' (`base_dn`), with the
|
|
user name found in the attribute specified in the 'User Attribute Name'
|
|
(`user_attr`) field.
|
|
+
|
|
For instance, if a user is represented via the
|
|
following ldif dataset:
|
|
+
|
|
----
|
|
# user1 of People at ldap-test.com
|
|
dn: uid=user1,ou=People,dc=ldap-test,dc=com
|
|
objectClass: top
|
|
objectClass: person
|
|
objectClass: organizationalPerson
|
|
objectClass: inetOrgPerson
|
|
uid: user1
|
|
cn: Test User 1
|
|
sn: Testers
|
|
description: This is the first test user.
|
|
----
|
|
+
|
|
The 'Base Domain Name' would be `ou=People,dc=ldap-test,dc=com` and the user
|
|
attribute would be `uid`.
|
|
+
|
|
If {pve} needs to authenticate (bind) to the ldap server before being
|
|
able to query and authenticate users, a bind domain name can be
|
|
configured via the `bind_dn` property in `/etc/pve/domains.cfg`. Its
|
|
password then has to be stored in `/etc/pve/priv/ldap/<realmname>.pw`
|
|
(eg. `/etc/pve/priv/ldap/my-ldap.pw`). This file should contain a
|
|
single line containing the raw password.
|
|
|
|
Microsoft Active Directory::
|
|
|
|
A server and authentication domain need to be specified. Like with
|
|
ldap an optional fallback server, optional port, and SSL
|
|
encryption can be configured.
|
|
|
|
|
|
Two factor authentication
|
|
-------------------------
|
|
|
|
Each realm can optionally be secured additionally by two factor
|
|
authentication. This can be done by selecting one of the available methods
|
|
via the 'TFA' dropdown box when adding or editing an Authentication Realm.
|
|
When a realm has TFA enabled it becomes a requirement and only users with
|
|
configured TFA will be able to login.
|
|
|
|
Currently there are two methods available:
|
|
|
|
Time based OATH (TOTP)::
|
|
This uses the standard HMAC-SHA1 algorithm where the current time is hashed
|
|
with the user's configured key. The time step and password length
|
|
parameters are configured.
|
|
+
|
|
A user can have multiple keys configured (separated by spaces), and the
|
|
keys can be specified in Base32 (RFC3548) or hexadecimal notation.
|
|
+
|
|
{pve} provides a key generation tool (`oathkeygen`) which prints out a
|
|
random key in Base32 notation which can be used directly with various OTP
|
|
tools, such as the `oathtool` command line tool, the Google authenticator
|
|
or FreeOTP Android apps.
|
|
|
|
YubiKey OTP::
|
|
For authenticating via a YubiKey a Yubico API ID, API KEY and validation
|
|
server URL must be configured, and users must have a YubiKey available. In
|
|
order to get the key ID from a YubiKey, you can trigger the YubiKey once
|
|
after connecting it to USB and copy the first 12 characters of the typed
|
|
password into the user's 'Key IDs' field.
|
|
+
|
|
Please refer to the
|
|
https://developers.yubico.com/OTP/[YubiKey OTP] documentation for how to use the
|
|
https://www.yubico.com/products/services-software/yubicloud/[YubiCloud] or
|
|
https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/[
|
|
host your own verification server].
|
|
|
|
|
|
[[pveum_permission_management]]
|
|
Permission Management
|
|
---------------------
|
|
|
|
In order for a user to perform an action (such as listing, modifying or
|
|
deleting a parts of a VM configuration), the user needs to have the
|
|
appropriate permissions.
|
|
|
|
{pve} uses a role and path based permission management system. An entry in
|
|
the permissions table allows a user or group to take on a specific role
|
|
when accessing an 'object' or 'path'. This means an such an access rule can
|
|
be represented as a triple of '(path, user, role)' or '(path, group,
|
|
role)', with the role containing a set of allowed actions, and the path
|
|
representing the target of these actions.
|
|
|
|
|
|
[[pveum_roles]]
|
|
Roles
|
|
~~~~~
|
|
|
|
A role is simply a list of privileges. Proxmox VE comes with a number
|
|
of predefined roles which satisfies most needs.
|
|
|
|
* `Administrator`: has all privileges
|
|
* `NoAccess`: has no privileges (used to forbid access)
|
|
* `PVEAdmin`: can do most things, but miss rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`).
|
|
* `PVEAuditor`: read only access
|
|
* `PVEDatastoreAdmin`: create and allocate backup space and templates
|
|
* `PVEDatastoreUser`: allocate backup space and view storage
|
|
* `PVEPoolAdmin`: allocate pools
|
|
* `PVESysAdmin`: User ACLs, audit, system console and system logs
|
|
* `PVETemplateUser`: view and clone templates
|
|
* `PVEUserAdmin`: user administration
|
|
* `PVEVMAdmin`: fully administer VMs
|
|
* `PVEVMUser`: view, backup, config CDROM, VM console, VM power management
|
|
|
|
You can see the whole set of predefined roles on the GUI.
|
|
|
|
Adding new roles can currently only be done from the command line, like
|
|
this:
|
|
|
|
[source,bash]
|
|
----
|
|
pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console"
|
|
pveum roleadd Sys_Power-only -privs "Sys.PowerMgmt Sys.Console"
|
|
----
|
|
|
|
|
|
Privileges
|
|
~~~~~~~~~~
|
|
|
|
A privilege is the right to perform a specific action. To simplify
|
|
management, lists of privileges are grouped into roles, which can then
|
|
be used in the permission table. Note that privileges cannot directly be
|
|
assigned to users and paths without being part of a role.
|
|
|
|
We currently use the following privileges:
|
|
|
|
Node / System related privileges::
|
|
|
|
* `Permissions.Modify`: modify access permissions
|
|
* `Sys.PowerMgmt`: Node power management (start, stop, reset, shutdown, ...)
|
|
* `Sys.Console`: console access to Node
|
|
* `Sys.Syslog`: view Syslog
|
|
* `Sys.Audit`: view node status/config
|
|
* `Sys.Modify`: create/remove/modify node network parameters
|
|
* `Group.Allocate`: create/remove/modify groups
|
|
* `Pool.Allocate`: create/remove/modify a pool
|
|
* `Realm.Allocate`: create/remove/modify authentication realms
|
|
* `Realm.AllocateUser`: assign user to a realm
|
|
* `User.Modify`: create/remove/modify user access and details.
|
|
|
|
Virtual machine related privileges::
|
|
|
|
* `VM.Allocate`: create/remove new VM to server inventory
|
|
* `VM.Migrate`: migrate VM to alternate server on cluster
|
|
* `VM.PowerMgmt`: power management (start, stop, reset, shutdown, ...)
|
|
* `VM.Console`: console access to VM
|
|
* `VM.Monitor`: access to VM monitor (kvm)
|
|
* `VM.Backup`: backup/restore VMs
|
|
* `VM.Audit`: view VM config
|
|
* `VM.Clone`: clone/copy a VM
|
|
* `VM.Config.Disk`: add/modify/delete Disks
|
|
* `VM.Config.CDROM`: eject/change CDROM
|
|
* `VM.Config.CPU`: modify CPU settings
|
|
* `VM.Config.Memory`: modify Memory settings
|
|
* `VM.Config.Network`: add/modify/delete Network devices
|
|
* `VM.Config.HWType`: modify emulated HW type
|
|
* `VM.Config.Options`: modify any other VM configuration
|
|
* `VM.Snapshot`: create/remove VM snapshots
|
|
|
|
Storage related privileges::
|
|
|
|
* `Datastore.Allocate`: create/remove/modify a data store, delete volumes
|
|
* `Datastore.AllocateSpace`: allocate space on a datastore
|
|
* `Datastore.AllocateTemplate`: allocate/upload templates and iso images
|
|
* `Datastore.Audit`: view/browse a datastore
|
|
|
|
|
|
Objects and Paths
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
Access permissions are assigned to objects, such as a virtual machines,
|
|
storages or pools of resources.
|
|
We use file system like paths to address these objects. These paths form a
|
|
natural tree, and permissions of higher levels (shorter path) can
|
|
optionally be propagated down within this hierarchy.
|
|
|
|
[[pveum_templated_paths]]
|
|
Paths can be templated. When an API call requires permissions on a
|
|
templated path, the path may contain references to parameters of the API
|
|
call. These references are specified in curly braces. Some parameters are
|
|
implicitly taken from the API call's URI. For instance the permission path
|
|
`/nodes/{node}` when calling '/nodes/mynode/status' requires permissions on
|
|
`/nodes/mynode`, while the path `{path}` in a PUT request to `/access/acl`
|
|
refers to the method's `path` parameter.
|
|
|
|
Some examples are:
|
|
|
|
* `/nodes/{node}`: Access to {pve} server machines
|
|
* `/vms`: Covers all VMs
|
|
* `/vms/{vmid}`: Access to specific VMs
|
|
* `/storage/{storeid}`: Access to a storages
|
|
* `/pool/{poolname}`: Access to VMs part of a <<pveum_pools,pool>>
|
|
* `/access/groups`: Group administration
|
|
* `/access/realms/{realmid}`: Administrative access to realms
|
|
|
|
|
|
Inheritance
|
|
^^^^^^^^^^^
|
|
|
|
As mentioned earlier, object paths form a file system like tree, and
|
|
permissions can be inherited down that tree (the propagate flag is set
|
|
by default). We use the following inheritance rules:
|
|
|
|
* Permissions for individual users always replace group permissions.
|
|
* Permissions for groups apply when the user is member of that group.
|
|
* Permissions replace the ones inherited from an upper level.
|
|
|
|
|
|
[[pveum_pools]]
|
|
Pools
|
|
~~~~~
|
|
|
|
Pools can be used to group a set of virtual machines and data
|
|
stores. You can then simply set permissions on pools (`/pool/{poolid}`),
|
|
which are inherited to all pool members. This is a great way simplify
|
|
access control.
|
|
|
|
|
|
What permission do I need?
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
The required API permissions are documented for each individual
|
|
method, and can be found at http://pve.proxmox.com/pve-docs/api-viewer/
|
|
|
|
The permissions are specified as a list which can be interpreted as a
|
|
tree of logic and access-check functions:
|
|
|
|
`["and", <subtests>...]` and `["or", <subtests>...]`::
|
|
Each(`and`) or any(`or`) further element in the current list has to be true.
|
|
|
|
`["perm", <path>, [ <privileges>... ], <options>...]`::
|
|
The `path` is a templated parameter (see
|
|
<<pveum_templated_paths,Objects and Paths>>). All (or , if the `any`
|
|
option is used, any) of the listed
|
|
privileges must be allowed on the specified path. If a `require-param`
|
|
option is specified, then its specified parameter is required even if the
|
|
API call's schema otherwise lists it as being optional.
|
|
|
|
`["userid-group", [ <privileges>... ], <options>...]`::
|
|
The callermust have any of the listed privileges on `/access/groups`. In
|
|
addition there are two possible checks depending on whether the
|
|
`groups_param` option is set:
|
|
+
|
|
* `groups_param` is set: The API call has a non-optional `groups` parameter
|
|
and the caller must have any of the listed privileges on all of the listed
|
|
groups.
|
|
* `groups_param` is not set: The user passed via the `userid` parameter
|
|
must exist and be part of a group on which the caller has any of the listed
|
|
privileges (via the `/access/groups/<group>` path).
|
|
|
|
`["userid-param", "self"]`::
|
|
The value provided for the API call's `userid` parameter must refer to the
|
|
user performing the action. (Usually in conjunction with `or`, to allow
|
|
users to perform an action on themselves even if they don't have elevated
|
|
privileges.)
|
|
|
|
`["userid-param", "Realm.AllocateUser"]`::
|
|
The user needs `Realm.AllocateUser` access to `/access/realm/<realm>`, with
|
|
`<realm>` refering to the realm of the user passed via the `userid`
|
|
parameter. Note that the user does not need to exist in order to be
|
|
associated with a realm, since user IDs are passed in the form of
|
|
`<username>@<realm>`.
|
|
|
|
`["perm-modify", <path>]`::
|
|
The `path` is a templated parameter (see
|
|
<<pveum_templated_paths,Objects and Paths>>). The user needs either the
|
|
`Permissions.Modify` privilege, or,
|
|
depending on the path, the following privileges as a possible substitute:
|
|
+
|
|
* `/storage/...`: additionally requires 'Datastore.Allocate`
|
|
* `/vms/...`: additionally requires 'VM.Allocate`
|
|
* `/pool/...`: additionally requires 'Pool.Allocate`
|
|
+
|
|
If the path is empty, `Permission.Modify` on `/access` is required.
|
|
|
|
Command Line Tool
|
|
-----------------
|
|
|
|
Most users will simply use the GUI to manage users. But there is also
|
|
a full featured command line tool called `pveum` (short for ``**P**roxmox
|
|
**VE** **U**ser **M**anager''). Please note that all Proxmox VE command
|
|
line tools are wrappers around the API, so you can also access those
|
|
function through the REST API.
|
|
|
|
Here are some simple usage examples. To show help type:
|
|
|
|
[source,bash]
|
|
pveum
|
|
|
|
or (to show detailed help about a specific command)
|
|
|
|
[source,bash]
|
|
pveum help useradd
|
|
|
|
Create a new user:
|
|
|
|
[source,bash]
|
|
pveum useradd testuser@pve -comment "Just a test"
|
|
|
|
Set or Change the password (not all realms support that):
|
|
|
|
[source,bash]
|
|
pveum passwd testuser@pve
|
|
|
|
Disable a user:
|
|
|
|
[source,bash]
|
|
pveum usermod testuser@pve -enable 0
|
|
|
|
Create a new group:
|
|
|
|
[source,bash]
|
|
pveum groupadd testgroup
|
|
|
|
Create a new role:
|
|
|
|
[source,bash]
|
|
pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console"
|
|
|
|
|
|
Real World Examples
|
|
-------------------
|
|
|
|
|
|
Administrator Group
|
|
~~~~~~~~~~~~~~~~~~~
|
|
|
|
One of the most wanted features was the ability to define a group of
|
|
users with full administrator rights (without using the root account).
|
|
|
|
Define the group:
|
|
|
|
[source,bash]
|
|
pveum groupadd admin -comment "System Administrators"
|
|
|
|
Then add the permission:
|
|
|
|
[source,bash]
|
|
pveum aclmod / -group admin -role Administrator
|
|
|
|
You can finally add users to the new 'admin' group:
|
|
|
|
[source,bash]
|
|
pveum usermod testuser@pve -group admin
|
|
|
|
|
|
Auditors
|
|
~~~~~~~~
|
|
|
|
You can give read only access to users by assigning the `PVEAuditor`
|
|
role to users or groups.
|
|
|
|
Example1: Allow user `joe@pve` to see everything
|
|
|
|
[source,bash]
|
|
pveum aclmod / -user joe@pve -role PVEAuditor
|
|
|
|
Example1: Allow user `joe@pve` to see all virtual machines
|
|
|
|
[source,bash]
|
|
pveum aclmod /vms -user joe@pve -role PVEAuditor
|
|
|
|
|
|
Delegate User Management
|
|
~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
If you want to delegate user managenent to user `joe@pve` you can do
|
|
that with:
|
|
|
|
[source,bash]
|
|
pveum aclmod /access -user joe@pve -role PVEUserAdmin
|
|
|
|
User `joe@pve` can now add and remove users, change passwords and
|
|
other user attributes. This is a very powerful role, and you most
|
|
likely want to limit that to selected realms and groups. The following
|
|
example allows `joe@pve` to modify users within realm `pve` if they
|
|
are members of group `customers`:
|
|
|
|
[source,bash]
|
|
pveum aclmod /access/realm/pve -user joe@pve -role PVEUserAdmin
|
|
pveum aclmod /access/groups/customers -user joe@pve -role PVEUserAdmin
|
|
|
|
NOTE: The user is able to add other users, but only if they are
|
|
members of group `customers` and within realm `pve`.
|
|
|
|
|
|
Pools
|
|
~~~~~
|
|
|
|
An enterprise is usually structured into several smaller departments,
|
|
and it is common that you want to assign resources to them and
|
|
delegate management tasks. A pool is simply a set of virtual machines
|
|
and data stores. You can create pools on the GUI. After that you can
|
|
add resources to the pool (VMs, Storage).
|
|
|
|
You can also assign permissions to the pool. Those permissions are
|
|
inherited to all pool members.
|
|
|
|
Lets assume you have a software development department, so we first
|
|
create a group
|
|
|
|
[source,bash]
|
|
pveum groupadd developers -comment "Our software developers"
|
|
|
|
Now we create a new user which is a member of that group
|
|
|
|
[source,bash]
|
|
pveum useradd developer1@pve -group developers -password
|
|
|
|
NOTE: The -password parameter will prompt you for a password
|
|
|
|
I assume we already created a pool called ``dev-pool'' on the GUI. So we can now assign permission to that pool:
|
|
|
|
[source,bash]
|
|
pveum aclmod /pool/dev-pool/ -group developers -role PVEAdmin
|
|
|
|
Our software developers can now administrate the resources assigned to
|
|
that pool.
|
|
|
|
|
|
ifdef::manvolnum[]
|
|
include::pve-copyright.adoc[]
|
|
endif::manvolnum[]
|
|
|