loc_az_hci/scripts/security/setup-proxmox-rbac.sh
defiQUG c39465c2bd
Initial commit: loc_az_hci (smom-dbis-138 excluded via .gitignore)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-08 09:04:46 -08:00


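#!/bin/bash
# Setup Proxmox RBAC (Role-Based Access Control): creates a set of custom
# roles on each Proxmox node over ssh. Reads SSH_KEY from the environment
# and KEY=VALUE settings from <project root>/.env.
#
# ~/.bashrc is read before strict mode is enabled, so a rc file written for
# interactive shells cannot abort the script with an unset variable. Note
# that everything it defines (functions, aliases, PATH changes) is in effect
# for every command below. Skip it when absent instead of printing an error.
if [ -r ~/.bashrc ]; then
  # shellcheck disable=SC1090
  source ~/.bashrc
fi
set -euo pipefail
# Absolute path of this script's directory and of the project root
# (two levels up: scripts/security/ -> project root).
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"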
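# Load environment variables from PROJECT_ROOT/.env (KEY=VALUE lines, an
# optional leading "export " is accepted). set -a exports every assignment
# so child processes (ssh, pveum) see them.
# The filtered lines are still executed by `source`: a value containing
# $(...) or backticks runs as a command, so the .env file must be as trusted
# as the script itself (owner-only permissions are advisable).
if [ -f "$PROJECT_ROOT/.env" ]; then
  set -a
  # Keep only lines that look like an assignment (this also drops full-line
  # comments and blank lines), then strip a trailing "  # comment". The
  # comment marker must be preceded by whitespace so that a '#' inside a
  # value such as a password or URL fragment is left intact.
  source <(grep -E '^(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=' "$PROJECT_ROOT/.env" \
    | sed -E 's/[[:space:]]+#.*$//')
  set +a
fi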
# ANSI colour escapes used by the log_* helpers. They are stored as literal
# backslash sequences and turned into real escapes by `echo -e` at print time.
declare RED='\033[0;31m'     # errors
declare GREEN='\033[0;32m'   # info
declare YELLOW='\033[1;33m'  # warnings
declare BLUE='\033[0;34m'    # unused here, kept for sourcing scripts
declare NC='\033[0m'         # reset
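#######################################
# Print an informational message with a green [INFO] prefix to stdout.
# Globals:   GREEN, NC (read)
# Arguments: message words (joined with spaces)
#######################################
log_info() {
  # %b expands the colour escapes; %s prints the message verbatim, whereas
  # `echo -e` would also interpret backslashes inside the message itself.
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"
}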
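#######################################
# Print a warning with a yellow [WARN] prefix to stderr, so that it is not
# mixed into captured stdout.
# Globals:   YELLOW, NC (read)
# Arguments: message words (joined with spaces)
#######################################
log_warn() {
  # %b expands the colour escapes; %s keeps the message literal.
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2
}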
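#######################################
# Print an error with a red [ERROR] prefix to stderr, so that it is not
# mixed into captured stdout.
# Globals:   RED, NC (read)
# Arguments: message words (joined with spaces)
#######################################
log_error() {
  # %b expands the colour escapes; %s keeps the message literal.
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2
}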
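# Private key used to reach the Proxmox nodes as root; overridable via the
# environment (or .env).
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519_proxmox}"
# Proxmox nodes to configure. Defaults to the ML110 and R630 nodes; can be
# overridden with a space-separated list in the PROXMOX_HOSTS environment
# variable (e.g. PROXMOX_HOSTS="10.0.0.5 10.0.0.6" — constructed example).
read -r -a PROXMOX_HOSTS <<<"${PROXMOX_HOSTS:-192.168.1.206 192.168.1.49}"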
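#######################################
# Create (or update) the custom RBAC roles on one Proxmox node over ssh.
# Arguments: $1 - host; remaining arguments - ssh options
# Outputs:   progress lines from the remote node on stdout
# Returns:   ssh's exit status (non-zero when any remote pveum command fails)
#######################################
create_roles() {
  local host=$1
  shift
  # The here-doc runs on the remote node under its own strict mode. A plain
  # `pveum role add` fails when the role already exists, which would abort a
  # re-run of this script; ensure_role falls back to `pveum role modify` so
  # the privilege set is (re)applied and the script is safe to run again.
  ssh "$@" "root@${host}" bash -s <<'EOF'
set -euo pipefail
ensure_role() {
  local role=$1 privs=$2
  if pveum role add "$role" --privs "$privs" 2>/dev/null; then
    echo "Created role ${role}"
  else
    pveum role modify "$role" --privs "$privs"
    echo "Updated role ${role}"
  fi
}
# VM Operator role (can manage VMs but not hosts)
ensure_role VMOperator "VM.Allocate VM.Audit VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.PowerMgmt Datastore.Allocate Datastore.Audit"
# VM Viewer role (read-only access to VMs)
ensure_role VMViewer "VM.Audit VM.Monitor Datastore.Audit"
# Storage Operator role (can manage storage)
ensure_role StorageOperator "Datastore.Allocate Datastore.Audit Datastore.AllocateSpace Datastore.AllocateTemplate"
# Network Operator role (can manage networks)
ensure_role NetworkOperator "SDN.Use SDN.Audit Network.Allocate Network.Audit"
echo "Roles created successfully"
EOF
}

#######################################
# Configure the custom RBAC roles on every host in PROXMOX_HOSTS, then print
# the manual follow-up steps.
# Globals:   SSH_KEY, PROXMOX_HOSTS (read); log_info/log_warn/log_error
# Arguments: none (extra arguments are ignored)
# Returns:   0 when every reachable host was configured; exits 1 when
#            SSH_KEY is unreadable; set -e aborts on a remote failure
#######################################
main() {
  local host
  # Shared ssh options. StrictHostKeyChecking=accept-new (OpenSSH 7.6+) pins
  # each node's host key on first contact and refuses a changed key later;
  # the previous `=no` accepted any key, including a changed one. BatchMode
  # keeps a missing/invalid key from turning into a password prompt, which
  # the &>/dev/null connectivity check below would otherwise hide.
  local -a ssh_opts=(
    -i "$SSH_KEY"
    -o StrictHostKeyChecking=accept-new
    -o BatchMode=yes
    -o ConnectTimeout=10
  )
  if [ ! -r "$SSH_KEY" ]; then
    log_error "SSH key not found or unreadable: $SSH_KEY"
    exit 1
  fi
  log_info "Setting up Proxmox RBAC"
  echo ""
  for host in "${PROXMOX_HOSTS[@]}"; do
    log_info "Configuring RBAC on $host..."
    # Check if we can connect (pveversion also confirms this is a Proxmox node)
    if ! ssh "${ssh_opts[@]}" "root@${host}" pveversion &>/dev/null; then
      log_warn "Cannot connect to $host. Skipping..."
      continue
    fi
    log_info "Creating custom roles..."
    create_roles "$host" "${ssh_opts[@]}"
    log_info "✓ RBAC roles created on $host"
    echo ""
  done
  log_info "RBAC setup complete!"
  echo ""
  log_warn "Manual steps required:"
  log_info "1. Create users via Web UI: Datacenter → Permissions → Users → Add"
  log_info "2. Assign roles to users: Datacenter → Permissions → User → Edit → Roles"
  log_info "3. Create API tokens for automation:"
  log_info " - Datacenter → Permissions → API Tokens → Add"
  log_info " - Store tokens securely in .env file"
  echo ""
  log_info "Available roles:"
  log_info " - VMOperator: Full VM management"
  log_info " - VMViewer: Read-only VM access"
  log_info " - StorageOperator: Storage management"
  log_info " - NetworkOperator: Network management"
}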
# Entry point: positional arguments are passed through but currently unused.
main "$@"