Proxmox User Management- Proxmox VE authentication server

Command Line Tool

Most users will simply use the GUI to manage users. But there is also a full-featured command line tool called pveum (short for “Proxmox VE User Manager”). Please note that all Proxmox VE command line tools are wrappers around the API, so you can also access those functions through the REST API.
Here are some simple usage examples. To show help type:

pveum

or (to show detailed help about a specific command)

pveum help useradd

Create a new user:

pveum useradd testuser@pve -comment "Just a test"

Set or change the password (not all realms support that):

pveum passwd testuser@pve

Disable a user:

pveum usermod testuser@pve -enable 0

Create a new group:

pveum groupadd testgroup

Create a new role:

pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console"

Real World Examples

Administrator Group
One of the most wanted features was the ability to define a group of users with full administrator rights (without using the root account).

Define the group:

pveum groupadd admin -comment "System Administrators"

Then add the permission:

pveum aclmod / -group admin -role Administrator

You can finally add users to the new admin group:

pveum usermod testuser@pve -group admin

Auditors

You can give read-only access to users by assigning the PVEAuditor role to users or groups.

Example 1: Allow user joe@pve to see everything

pveum aclmod / -user joe@pve -role PVEAuditor

Example 2: Allow user joe@pve to see all virtual machines

pveum aclmod /vms -user joe@pve -role PVEAuditor

Delegate User Management
If you want to delegate user management to user joe@pve you can do that with:

pveum aclmod /access -user joe@pve -role PVEUserAdmin

User joe@pve can now add and remove users, change passwords and other user attributes. This is a very powerful role, and you most likely want to limit that to selected realms and groups. The following example allows joe@pve to modify users within realm pve if they are members of group customers:

pveum aclmod /access/realm/pve -user joe@pve -role PVEUserAdmin
pveum aclmod /access/groups/customers -user joe@pve -role PVEUserAdmin
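
A review aid for the delegation advice above, added here as an example and not part of the original post or of Proxmox itself: it flags Administrator and PVEUserAdmin grants made at / or /access instead of at a single realm or group. The JSON input shape (fields path, type, ugid, roleid) and the function name audit_acl are assumptions, and the sample entries are constructed from the commands in this post.

```python
import json

# Roles the article singles out as powerful.
POWERFUL_ROLES = {"Administrator", "PVEUserAdmin"}
# Paths whose grants reach every realm and group.
BROAD_PATHS = {"/", "/access"}

# Constructed sample data (not real output). Assumed shape: one object per
# ACL entry with the fields path, type, ugid and roleid.
SAMPLE_ACL_JSON = """[
  {"path": "/", "type": "group", "ugid": "admin", "roleid": "Administrator"},
  {"path": "/", "type": "user", "ugid": "joe@pve", "roleid": "PVEAuditor"},
  {"path": "/access", "type": "user", "ugid": "joe@pve", "roleid": "PVEUserAdmin"},
  {"path": "/access/realm/pve", "type": "user", "ugid": "joe@pve", "roleid": "PVEUserAdmin"},
  {"path": "/access/groups/customers", "type": "user", "ugid": "joe@pve", "roleid": "PVEUserAdmin"},
  {"path": "/", "type": "user", "ugid": "testuser@pve", "roleid": "Administrator"}
]"""


def audit_acl(acl_json, approved_admin_groups=("admin",)):
    """Classify every grant of a powerful role.

    Returns (verdict, type, ugid, roleid, path) tuples where verdict is
    'approved' (Administrator on / for a known admin group),
    'review'   (any other powerful role on / or /access), or
    'scoped'   (powerful role limited to a sub-path, e.g. one realm or group).
    """
    findings = []
    for entry in json.loads(acl_json):
        role = entry["roleid"]
        if role not in POWERFUL_ROLES:
            continue  # read-only roles such as PVEAuditor are not reported
        path = "/" + entry["path"].strip("/")  # normalise "/access/" to "/access"
        if path not in BROAD_PATHS:
            verdict = "scoped"
        elif (path == "/" and role == "Administrator"
              and entry["type"] == "group"
              and entry["ugid"] in approved_admin_groups):
            verdict = "approved"
        else:
            verdict = "review"
        findings.append((verdict, entry["type"], entry["ugid"], role, path))
    return findings


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL_JSON):
        print("{:<9} {:<6} {:<14} {:<14} {}".format(*finding))
```

Entries marked review are the ones to narrow to /access/realm/... and /access/groups/... paths, or to move into an approved administrator group.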

6 thoughts on “Proxmox User Management- Proxmox VE authentication server”

  1. Please excuse my noob questions.
    I am still having a problem understanding the difference between testuser@pve and testuser@pam both created by pveum and any user created by root with adduser.
    Is there any way that a user created by root with adduser can be granted the administrator, or any role in Proxmox?
    What is the difference between pam users and pve users created with pveum and why would you use one over the other for any particular purpose?

    • pam is OS system users and pve belongs to Proxmox Virtual Environment’s own user schema. Proxmox supports both user databases. You can use either.

      • So “adduser testuser” from an SSH root session should create a testuser@pam account? It does not seem to do that. What am I missing?

        • You’re once again creating an SSH session user (PAM); the post is about creating a PVE user, not a PAM user. As I replied to you, PVE users have profile privileges for accessing and managing Proxmox users, such that a user can be an admin or a user can be just a user.

    • The commands exhibited in this post are based on PVE users.

      Proxmox has 2 different authentication systems through its web GUI. PAM is the native server OS authentication method (with lesser Proxmox role) and there’s another authentication mode through PVE (Proxmox Virtual Environment) itself. You can assign different role-based virtual machine control to users.

  2. As a follow-up to my previous question:
    I have created my 1st user account with
    adduser user
    from root but I am not able to add that user to the admin account with
    pveum usermod user@pam -group admin
    update user failed: error during cfs-locked ‘file-user_cfg’ operation: no such user (‘user@pam’)
    cat /etc/passwd reveals user does exist
    user:x:1000:1000:,,,:/home/user:/bin/bash
    It seems as though there is some difference between a user created with adduser and one created with pveum useradd.
