First, thanks for that patch! Further comments inline:
> there is only one privilege for controlling the access to snapshots, > i.e. VM.Snapshot. This makes it impossible to separate administrative > access (create, update, delete) from user access (rollback) to > snapshots. rollback destroys all current data, so this is more dangerous than create, update or delete a snapshot. IMHO, nothing a user should be allowed to do. > Changing and deleting snapshots can be very sensible > operations in certain environments, e.g. if snapshots are > programmatically used for resetting unit test VMs in an automated test > environment (our use-case). Separating the ability to setup snapshots > from using them becomes crucial in such environments. This separation > can be achieved with an additional privilege, i.e. VM.Snapshot.Rollback, > allowing read and rollback access to snapshots only. For such automated test environment, I would simply clone a template. The admin can prepare the template, and the test user has full control over the cloned test machine. Would that work in your scenario? Also, please read: https://pve.proxmox.com/wiki/Developer_Documentation for details about patches and CLA ... Regards, Dietmar _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
