Monitoring Proxmox via API
Create a monitoring group Add PVEAuditor role to monitoring group Create lpar2rrd user under monitoring group
The following is taken almost verbatim from the PVE User Management Documentation1
Permission Management #
In order for a user to perform an action (such as listing, modifying or deleting parts of a VM’s configuration), the user needs to have the appropriate permissions.
Proxmox VE uses a role and path based permission management system. An entry in the permissions table allows a user, group or token to take on a specific role when accessing an object or path. This means that such an access rule can be represented as a triple of (path, user, role), (path, group, role) or (path, token, role), with the role containing a set of allowed actions, and the path representing the target of these actions.
Roles #
A role is simply a list of privileges. Proxmox VE comes with a number of predefined roles, which satisfy most requirements.
Administrator:
: has full privileges
NoAccess:
: has no privileges (used to forbid access)
PVEAdmin:
: can do most tasks, but has no rights to modify system settings (Sys.PowerMgmt, Sys.Modify, Realm.Allocate)
PVEAuditor:
: has read only access
PVEDatastoreAdmin:
: create and allocate backup space and templates
PVEDatastoreUser:
: allocate backup space and view storage
PVEPoolAdmin:
: allocate pools
PVESysAdmin:
: User ACLs, audit, system console and system logs
PVETemplateUser:
: view and clone templates
PVEUserAdmin:
: manage users
PVEVMAdmin:
: fully administer VMs
PVEVMUser:
: view, backup, configure CD-ROM, VM console, VM power management
------
You can see the whole set of predefined roles in the GUI.
You can add new roles via the GUI or the command line.
#### From the GUI:
- navigate to the Permissions → Roles tab from Datacenter
- Click on the Create button.
- There you can set a role name and select any desired privileges from the Privileges drop-down menu.
#### To add a role through the command line
You can use the `pveum` CLI tool,
##### Examples:
`pveum role add PVE_Power-only --privs "VM.PowerMgmt VM.Console"`
`pveum role add Sys_Power-only --privs "Sys.PowerMgmt Sys.Console"`
Privileges #
A `privilege` is the right to perform a specific action.
To simplify management, lists of privileges are grouped into `roles`, which can then be used in the permission table.
Note that privileges cannot be directly assigned to users and paths without being part of a role.
##### We currently support the following privileges:
Permissions.Modify:
: modify access permissions
Sys.PowerMgmt:
: node power management (start, stop, reset, shutdown, …)
Sys.Console:
: console access to node
Sys.Syslog:
: view syslog
Sys.Audit:
: view node status/config, Corosync cluster config, and HA config
Sys.Modify:
: create/modify/remove node network parameters
Sys.Incoming:
: allow incoming data streams from other clusters (experimental)
Group.Allocate:
: create/modify/remove groups
Pool.Allocate:
: create/modify/remove a pool
Pool.Audit:
: view a pool
Realm.Allocate:
: create/modify/remove authentication realms
Realm.AllocateUser:
: assign user to a realm
User.Modify:
: create/modify/remove user access and details.
VM.Allocate:
: create/remove VM on a server
VM.Migrate:
: migrate VM to alternate server on cluster
VM.PowerMgmt:
: power management (start, stop, reset, shutdown, …)
VM.Console:
: console access to VM
VM.Monitor:
: access to VM monitor (kvm)
VM.Backup:
: backup/restore VMs
VM.Audit:
: view VM config
VM.Clone:
: clone/copy a VM
VM.Config.Disk:
: add/modify/remove disks
VM.Config.CDROM:
: eject/change CD-ROM
VM.Config.CPU:
: modify CPU settings
VM.Config.Memory:
: modify memory settings
VM.Config.Network:
: add/modify/remove network devices
VM.Config.HWType:
: modify emulated hardware types
VM.Config.Options:
: modify any other VM configuration
VM.Config.Cloudinit:
: modify Cloud-init parameters
VM.Snapshot:
: create/delete VM snapshots
Datastore.Allocate:
: create/modify/remove a datastore and delete volumes
Datastore.AllocateSpace:
: allocate space on a datastore
Datastore.AllocateTemplate:
: allocate/upload templates and ISO images
Datastore.Audit:
: view/browse a datastore
Objects and Paths #
Access permissions are assigned to objects, such as virtual machines, storages or resource pools.
We use file system like paths to address these objects.
These paths form a natural tree, and permissions of higher levels (shorter paths) can optionally be propagated down within this hierarchy.
Paths can be templated.
When an API call requires permissions on a templated path, the path may contain references to parameters of the API call.
These references are specified in curly braces: `{}`.
Some parameters are implicitly taken from the API call’s URI.
For instance, the permission path `/nodes/{node}` when calling `/nodes/mynode/status` requires permissions on `/nodes/mynode`,
while the path `{path}` in a `PUT` request to `/access/acl` refers to the method’s `path` parameter.
Some examples are:
`/nodes/{node}`:
: Access to Proxmox VE server machines
`/vms`:
: Covers all VMs
`/vms/{vmid}`:
: Access to specific VMs
`/storage/{storeid}`:
: Access to a specific storage
`/pool/{poolname}`:
: Access to resources contained in a specific pool
`/access/groups`:
: Group administration
`/access/realms/{realmid}`:
: Administrative access to realms
Inheritance #
As mentioned earlier, object paths form a file system like tree, and permissions can be inherited by objects down that tree
(the propagate flag is set by default).
We use the following inheritance rules:
- Permissions for individual users always replace group permissions.
- Permissions for groups apply when the user is member of that group.
- Permissions on deeper levels replace those inherited from an upper level.
Additionally, privilege separated tokens can never have permissions on any given path that their associated user does not have.
Pools #
Pools can be used to group a set of virtual machines and datastores.
You can then simply set permissions on pools (/pool/{poolid}), which are inherited by all pool members.
This is a great way to simplify access control.
Which Permissions Do I Need? #
The required API permissions are documented for each individual method, and can be explored interactively with the PVE-api-viewer2
The permissions are specified as a list, which can be interpreted as a tree of logic and access-check functions:
["and", ...] and ["or", ...]
Each(and) or any(or) further element in the current list has to be true.
["perm", , [ ... ], ...]
The path is a templated parameter (see Objects and Paths). All (or, if the any option is used, any) of the listed privileges must be allowed on the specified path. If a require-param option is specified, then its specified parameter is required even if the API call’s schema otherwise lists it as being optional.
["userid-group", [ ... ], ...]
The caller must have any of the listed privileges on /access/groups. In addition, there are two possible checks, depending on whether the groups_param option is set:
groups_param is set: The API call has a non-optional groups parameter and the caller must have any of the listed privileges on all of the listed groups.
groups_param is not set: The user passed via the userid parameter must exist and be part of a group on which the caller has any of the listed privileges (via the /access/groups/ path).
["userid-param", "self"]
The value provided for the API call’s userid parameter must refer to the user performing the action (usually in conjunction with or, to allow users to perform an action on themselves, even if they don’t have elevated privileges).
["userid-param", "Realm.AllocateUser"]
The user needs Realm.AllocateUser access to /access/realm/, with referring to the realm of the user passed via the userid parameter. Note that the user does not need to exist in order to be associated with a realm, since user IDs are passed in the form of @.
["perm-modify", ]
The path is a templated parameter (see Objects and Paths). The user needs either the Permissions.Modify privilege or, depending on the path, the following privileges as a possible substitute:
/storage/...: additionally requires 'Datastore.Allocate`
/vms/...: additionally requires 'VM.Allocate`
/pool/...: additionally requires 'Pool.Allocate`
If the path is empty, Permission.Modify on /access is required.
Command Line Tool #
Most users will simply use the GUI to manage users.
But there is also a fully featured command line tool called `pveum` (short for “Proxmox VE User Manager”).
Please note that all Proxmox VE command line tools are wrappers around the API, so you can also access those functions through the REST API.
Here are some simple usage examples.
To show help, type:
: `pveum`
To show detailed help about a specific command:
: `pveum help user add`
Create a new user:
: `pveum user add testuser@pve -comment "Just a test"`
Set or change the password (not all realms support this):
: `pveum passwd testuser@pve`
Disable a user:
: `pveum user modify testuser@pve -enable 0`
Create a new group:
: `pveum group add testgroup`
Create a new role:
: `pveum role add PVE_Power-only -privs "VM.PowerMgmt VM.Console"`
------
#### examples
It is possible that an administrator would want to create a group of users with full administrator rights (without using the root account).
1) Define the group:
`pveum group add admin -comment "System Administrators"`
2) Assign the role:
`pveum acl modify / -group admin -role Administrator`
3) Add users to the new admin group:
`pveum user modify testuser@pve -group admin`
You can give read only access to users by assigning the `PVEAuditor` role to users or groups.
Example 1:
: Allow user joe@pve to see everything:
`pveum acl modify / -user joe@pve -role PVEAuditor`
Example 2:
: Allow user joe@pve to see all virtual machines:
`pveum acl modify /vms -user joe@pve -role PVEAuditor`
###### If you want to delegate user management to user joe@pve, you can do that with:
`pveum acl modify /access -user joe@pve -role PVEUserAdmin`
User `joe@pve` can now:
- Add users.
- Remove users.
- Change user attributes; such as passwords.
This is a very powerful role, and you most likely want to limit it to selected realms and groups.
###### The following example allows joe@pve to modify users within the realm pve, if they are members of group customers:
`pveum acl modify /access/realm/pve -user joe@pve -role PVEUserAdmin`
`pveum acl modify /access/groups/customers -user joe@pve -role PVEUserAdmin`
**Note** The user is able to add other users, but only if they are members of the group `customers` and within the realm `pve`.
Permissions on API tokens are always a subset of those of their corresponding user, meaning that an API token can’t be used to carry out a task that the backing user has no permission to do.
This section will demonstrate how you can use an API token with separate privileges, to limit the token owner’s permissions further.
- Give the user joe@pve the role PVEVMAdmin on all VMs:
`pveum acl modify /vms -user joe@pve -role PVEVMAdmin`
- Add a new API token with separate privileges, which is only allowed to view VM information
*(for example, for monitoring purposes)*:
`pveum user token add joe@pve monitoring -privsep 1`
`pveum acl modify /vms -token 'joe@pve!monitoring' -role PVEAuditor`
- Verify the permissions of the user and token are different:
- Inspect user privileges:
`pveum user permissions joe@pve`
- Inspect token privileges:
`pveum user token permissions joe@pve monitoring`
Proxmox Default Roles #
An enterprise is usually structured into several smaller departments, and it is common that you want to assign resources and delegate management tasks to each of these.
Let’s assume that you want to set up a pool for a software development department.
1) First, create a group:
`pveum group add developers -comment "Our software developers"`
2) Create a new user which is a member of that group:
`pveum user add developer1@pve -group developers -password`
Note The "-password" parameter will prompt you for a password
3) Then we create a resource pool for our development department to use:
`pveum pool add dev-pool --comment "IT development pool"`
4) Finally, we can assign permissions to that pool:
`pveum acl modify /pool/dev-pool/ -group developers -role PVEAdmin`
5) Our software developers can now administer the resources assigned to that pool.