[pve-devel] [PATCHES] Add VM.Snapshot.Rollback privilege
Dietmar Maurer
dietmar at proxmox.com
Sat Sep 9 16:47:53 CEST 2017
First, thanks for that patch!
Further comments inline:
> there is only one privilege for controlling the access to snapshots,
> i.e. VM.Snapshot. This makes it impossible to separate administrative
> access (create, update, delete) from user access (rollback) to
> snapshots.
rollback destroys all current data, so this is more dangerous than
create, update or delete a snapshot. IMHO, nothing a user should be
allowed to do.
> Changing and deleting snapshots can be very sensible
> operations in certain environments, e.g. if snapshots are
> programmatically used for resetting unit test VMs in an automated test
> environment (our use-case). Separating the ability to setup snapshots
> from using them becomes crucial in such environments. This separation
> can be achieved with an additional privilege, i.e. VM.Snapshot.Rollback,
> allowing read and rollback access to snapshots only.
For such automated test environment, I would simply clone a template.
The admin can prepare the template, and the test user has full control over
the cloned test machine.
Would that work in your scenario?
Also, please read: https://pve.proxmox.com/wiki/Developer_Documentation
for details about patches and CLA ...
Regards,
Dietmar
More information about the pve-devel
mailing list