[PVE-User] Create user to manage his own VMs

Mikhail m at plus-plus.su
Tue Jul 8 11:59:43 CEST 2014 

Hello,

I'm using latest Proxmox version on a single-node setup right now.

We're migrating our old hardware servers to this proxmox node. One of
the old hardware servers is a VMware ESXi machine running various VMs.
The whole server is controlled by one of the departments. We would like
to get rid of this VMware ESXi machine and migrate it's VMs to existent
proxmox.

What I want is to have a separate user within Proxmox that will have
dedicated storage and will be able to create/delete/manage his own VMs
inside proxmox, and his access is only limited to these VMs.

I came across this document:

http://pve.proxmox.com/wiki/User_Management

and so far I've done the following:

(our storage model is LVM based setup on hardware RAID10):

1) created LV with size of 100G, formatted it and mounted on the proxmox
host node lets say as "/mnt/test"
2) added "/mnt/test" as a local directory storage
3) created pool "testpool"
4) created group "testgroup"
5) created user "testuser" and added that user into "testgroup" group
6) created permissions for "@testgroup" on /pool/testpool:
PVEDatastoreAdmin, PVEVMAdmin, PVEDatastoreUser
7) added storage "/mnt/test" into "testpool" pool

Now "testuser" can login into Proxmox, he sees that storage "/mnt/test",
he is limited to this storage. All other VMs within Proxmox are unseen
to this user. The user is unable to create new VMs because "/vms/"
permissions path is not added to that user's group - that would expose
all running and existent VMs. So overcome this I've created permissions
for "@testgroup" to "/vms/1111" and "/vms/2222" with "PVEVMAdmin"
privileges and this seem to solve the problem - testuser can now create
two VMs with ids 1111 and 2222, and then manage them from within Proxmox.

Is this the right approach? Is there any better solution to accomplish
the task - ie is it possible to specify VM id range in the permission
settings (like "/vms/100-200" to avoid creating 100 permission sets for
each vm id within 100-200 range)? Is it possible to limit resource usage
(CPU and RAM, I've found the way to limit storage) for group/user/pool?

Thanks,
Mikhail.

More information about the pve-user mailing list