[pve-devel] [PATCHES] Add VM.Snapshot.Rollback privilege

Dietmar Maurer dietmar at proxmox.com
Sat Sep 9 16:47:53 CEST 2017


First, thanks for that patch! 

Further comments inline:

> there is only one privilege for controlling the access to snapshots, 
> i.e. VM.Snapshot. This makes it impossible to separate administrative 
> access (create, update, delete) from user access (rollback) to 
> snapshots.

rollback destroys all current data, so this is more dangerous than
create, update or delete a snapshot. IMHO, nothing a user should be
allowed to do.

> Changing and deleting snapshots can be very sensible 
> operations in certain environments, e.g. if snapshots are 
> programmatically used for resetting unit test VMs in an automated test 
> environment (our use-case). Separating the ability to setup snapshots 
> from using them becomes crucial in such environments. This separation 
> can be achieved with an additional privilege, i.e. VM.Snapshot.Rollback, 
> allowing read and rollback access to snapshots only. 

For such automated test environment, I would simply clone a template.
The admin can prepare the template, and the test user has full control over 
the cloned test machine.

Would that work in your scenario?

Also, please read: https://pve.proxmox.com/wiki/Developer_Documentation
for details about patches and CLA ...

Regards,

Dietmar




More information about the pve-devel mailing list