[pve-devel] [PATCH access-control] VM.Snapshot.Rollback privilege added

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Sep 19 11:19:03 CEST 2017


On 09/19/2017 10:49 AM, Dietmar Maurer wrote:
>> As it has already the VM.Backup priv, which means it can already make
>> a (snapshot) backup *and* restore them - i.e. change over the data/state
>> of the VM.
> 
> I thought restore needs allocate permission on the storage?
> 

OK, yes, AllocateSpace is needed.

As Matthias stated in his first patch:

> [...] to separate administrative access (create, update, delete) from
> user access (rollback) to snapshots

so we could see this as a VMUser right.
But as this is still easily possible for the ones who want users to have
it, it's probably still better as you made it, and to keep it under admin.
So this is really an opt-in priv.

With this the whole series looks OK to me.



