[pve-devel] [PATCH access-control] VM.Snapshot.Rollback privilege added

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Sep 19 10:30:00 CEST 2017


On 09/13/2017 12:30 PM, Matthias Urban wrote:
> VM.Snapshot.Rollback privilege added
> 
> Signed-off-by: Matthias Urban <matthias.urban at pure-systems.com>
> ---
>   PVE/AccessControl.pm | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 7d02cdf..2b610b7 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -406,6 +406,7 @@ my $privgroups = {
>   	    'VM.Migrate',
>   	    'VM.Monitor',
>   	    'VM.Snapshot',
> +	    'VM.Snapshot.Rollback',

Hmm, we could also add this to the user section below, this would
imply that the PVEVMUser auto-generated role would also get this
privilege.

As it already has the VM.Backup priv, which means it can already make
a (snapshot) backup *and* restore them - i.e. change over the data/state
of the VM.

So rollback could be allowed too for VMUsers, or?

That Snapshot creation is forbidden but Backup creation not for VMUsers
feels a bit strange, tbh. If said user has Allocate privs on a respective
storage he could create Snapshots too with the auto-generated PVEVMUser
role?

Anyways, this is not directly related to the rest of this series, just
noticed this when testing...

>   	],
>   	user => [
>   	    'VM.Config.CDROM', # change CDROM media
> 
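Review bot: The added 'VM.Snapshot.Rollback' line carries no trailing
comment, and the commit message only repeats the subject, so the intended
scope of the new privilege is not documented anywhere in this patch. The
entry lands in the group that precedes `user => [`, which means whatever
is built from the user group alone will not include it; if that
restriction is deliberate, say so in the commit message along with the
reason rollback is split out from 'VM.Snapshot'. A short comment in the
style of the neighbouring `'VM.Config.CDROM', # change CDROM media` would
also help. Since this is a 1-insertion change that only extends the list,
the commit message should point to the patch in the series that actually
checks the privilege.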




