
November 21, 2009

Comments

Scott Lowe

Question, Vaughn: with this new configuration, are all connections to the controllers still proxied as this service account? How do you provide different levels of access to the controllers based on a user's role within vCenter Server?

Vaughn Stewart

Scott,

Thanks for asking this question. The role based access (RBAC) established in this post is configured on the storage side. I have reached out to the VSC engineering team to obtain the vCenter RBAC settings. Once I receive it I will share.

Just to clarify, connections are not 'proxied'. The VSC configures I/O settings outside of the I/O path.

Hope this helps.

Vaughn Stewart

I have just confirmed that the VSC version 1.0 does not have the capability for delegated user access in vCenter; however, version 2.0 will add this functionality.

Aaron Delp

Vaughn - Can you use the same account on the storage for SMVI during configuration or should you configure another account for SMVI as well according to SMVI best practice?

It would be nice to only create one account on the storage instead of two.

Thank you!

Aaron Delp

Just taking a look at the SMVI 2.0 manual and it looks like if you added the following to the role above you could maybe combine the roles and then only have to create one account:

useradmin role add api-access -a api-*,login-http-admin,cli-ifconfig

Vaughn, do you know if any other products will require access like this? I haven't played with most of the others yet so I haven't had a chance to check.

Thoughts?

Vaughn Stewart

I am planning to post the RBAC for SRM, RCU, and SMVI. Maybe I'll take your lead and create a single user acct for all. Thanks for the suggestion!

Aaron Delp

No problem at all! I would be VERY interested in such a post. My only concern is that by bleeding all the RBACs together it might lead to a security hole in one of the products.

I would love to see more documentation on how the NetApp virtualization products co-exist.

Thank you!

Aaron Delp

Hey Vaughn - Just installing this today and I have a suggestion for you. Can you change the "role-name" part to be actual roles like the SMVI manual? It is VERY helpful for cutting and pasting into a PuTTY session on the filer. I just did it and now I have a "role-name" role on my filer :)

The same goes for username.

Thanks!!

Vaughn Stewart

Aaron - I'll ping you offline as I have some questions for you.

sanman

Vaughn,
Is there a read only account for VSC?

Dejan Ilic

Hello.
There is actually an error in spelling in NetApp TR-3749 and your blog is correct :)

Here is the result if I follow the TR-3795 instruction on our NetApp.

netapp-i> useradmin role add "vcenter" -a login-http-admin,api-aggr-list-info,api-cf-get-partner,api-cfstatus,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-list-info,api-fcp-get-cfmode,apilicense-list-info,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-nfs-exportfslist-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,api-system-get-info,api-system-getversion,api-volume-autosize-get,api-volume-list-info,api-volume-options-list-info

Invalid capabilities: api-cfstatus,apilicense-list-info,api-nfs-exportfslist-rules,api-system-getversion
Could not add role . Error: Invalid capability

Dejan Ilic

I'm actually equally nervous about letting VSC loose on our production system. I would like to know that it is limited to just reading info and not changing anything (except when allowed).
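Two questions run through this thread: whether merging the VSC role with Aaron's SMVI additions (which include the `api-*` wildcard) quietly widens access, and whether a role like the one Dejan pasted is really read-only. The script below is an added example written for this thread, not code from the post or from NetApp; it parses `useradmin role add` lines, sorts each capability into a bucket with heuristic rules (ONTAP does not label capabilities read-only or mutating, so the verb lists and the bucket names are assumptions of this example), and shows how many explicit grants a wildcard swallows when roles are unioned. The inputs are the two commands quoted in the comments, copied as written, so the four names the filer rejected are among those it flags for review.

```python
"""Least-privilege review of Data ONTAP 7-Mode `useradmin role add` lines.

Added example for this thread, not part of the original post or of NetApp's
tooling. The bucket rules are heuristics assumed for the example: anything
they cannot place is reported for manual review rather than guessed at.
"""
import fnmatch
import shlex
from collections import Counter

# Constructed inputs: the VSC role as quoted in the comments above (capability
# names copied as written, including the four the filer rejected) and the
# SMVI line Aaron proposes merging into it.
VSC_ROLE = (
    'useradmin role add "vcenter" -a login-http-admin,api-aggr-list-info,'
    'api-cf-get-partner,api-cfstatus,api-disk-list-info,api-ems-autosupport-log,'
    'api-fcp-adapter-list-info,api-fcp-get-cfmode,apilicense-list-info,'
    'api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,'
    'api-nfs-exportfslist-rules,api-qtree-list,api-snmp-get,api-snmp-get-next,'
    'api-system-get-info,api-system-getversion,api-volume-autosize-get,'
    'api-volume-list-info,api-volume-options-list-info'
)
SMVI_ROLE = "useradmin role add api-access -a api-*,login-http-admin,cli-ifconfig"

# Capability families on 7-Mode: login-, cli-, api-, security-.
KNOWN_PREFIXES = ("login-", "cli-", "api-", "security-")
# Verb tokens that, by assumption, mark a capability as read-only or as
# changing state. Ambiguous tokens such as "map" or "log" are deliberately
# left out so that names carrying them land in the "review" bucket.
READ_VERBS = {"list", "get", "status"}
WRITE_VERBS = {"set", "create", "destroy", "add", "delete", "modify", "start",
               "stop", "rename", "move", "copy", "clone", "offline", "online",
               "restrict", "resize", "unmap"}


def parse_role_add(cmd):
    """Return (role_name, [capabilities]) from one `useradmin role add` line."""
    argv = shlex.split(cmd)
    if argv[:3] != ["useradmin", "role", "add"] or "-a" not in argv:
        raise ValueError("expected: useradmin role add <role> -a <cap,cap,...>")
    caps = argv[argv.index("-a") + 1].split(",")
    return argv[3], [c for c in caps if c]


def classify(cap):
    """Place one capability name in a bucket (heuristic, see module docstring)."""
    if "*" in cap:
        return "wildcard"          # api-* grants every API, read and write alike
    if not cap.startswith(KNOWN_PREFIXES):
        return "malformed"         # e.g. a typo fused the prefix: apilicense-...
    if cap.startswith("login-"):
        return "login"
    tokens = set(cap.split("-")[1:])   # drop the family prefix
    if tokens & WRITE_VERBS:
        return "mutating"
    if tokens & READ_VERBS:
        return "read-only"
    return "review"                # no recognisable verb: typo or unusual API


def review_role(cmd):
    """Summarise one role: bucket counts plus every capability needing attention."""
    role, caps = parse_role_add(cmd)
    buckets = {c: classify(c) for c in caps}
    flagged = sorted(c for c, b in buckets.items() if b not in ("read-only", "login"))
    return {"role": role, "counts": Counter(buckets.values()), "flagged": flagged}


def merged_review(*cmds):
    """Union several roles and report how many explicit grants a wildcard swallows."""
    explicit, wildcards = set(), set()
    for cmd in cmds:
        for c in parse_role_add(cmd)[1]:
            (wildcards if "*" in c else explicit).add(c)
    subsumed = {c for c in explicit if any(fnmatch.fnmatchcase(c, w) for w in wildcards)}
    return {"explicit": len(explicit), "wildcards": sorted(wildcards),
            "subsumed_by_wildcard": len(subsumed)}


if __name__ == "__main__":
    for cmd in (VSC_ROLE, SMVI_ROLE):
        r = review_role(cmd)
        print(f"{r['role']}: {dict(r['counts'])}")
        for c in r["flagged"]:
            print(f"  {classify(c):10s} {c}")
    print("merged:", merged_review(VSC_ROLE, SMVI_ROLE))
```

Run against the two commands, the `vcenter` role comes out as fifteen read-only capabilities, one login capability and five names to look at by hand (the four the filer rejected plus `api-ems-autosupport-log`, which carries no read verb), while the merged set shows `api-*` covering nineteen of the explicit grants, which is the "bleeding together" concern in concrete terms: once the wildcard is in, the carefully enumerated VSC list no longer limits anything.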

