Security
This is a brief section on VMware security. I am not going to cover every aspect of security within VMware, but will touch on the commonly used areas. Security on a standalone ESXi host and in vCenter works the same way; the only difference is where the users and groups come from. On a standalone ESXi host they are held locally on the host, whereas vCenter can use Active Directory (AD) accounts as well as local ones. Note that users and groups always come from the underlying O/S: on a standalone ESXi host they are local accounts on the host (/etc/passwd and /etc/group); on a vCenter Server running on Windows 2008 they are local Windows accounts, or domain accounts if the server is part of a domain. vCenter itself cannot administer user accounts or groups, only roles and the permissions that bind roles to users and groups (a standalone ESXi host does let you create local users from its own interface).
The VMware security model involves three components: roles, users and groups, a setup very similar to database privileges. First you create roles (named bundles of privileges), then you assign users or groups to those roles on an object so that they can perform tasks. Because vCenter organises its inventory into system folders, datacenter objects and subfolders, permissions are inherited: a role set on a folder propagates down the folder hierarchy to the objects beneath it, and vCenter does a good job of hiding objects that a user has no privilege to see. There are 11 predefined roles; the table below notes which are available on a standalone ESXi host and which only in vCenter.
Role | Availability | Description
No Access | ESXi and vCenter | Has no privileges and can be used to deny access to an object. Use it to deny a user access to an object when that user has been granted permissions on a parent object.
Read-Only | ESXi and vCenter | Can only view objects; no changes can be made.
Administrator | ESXi and vCenter | The highest level of privilege: can access all objects, including managing them.
Virtual Machine User | vCenter only | Privileges on VMs only: power on/off/reset a VM and open a remote console.
Virtual Machine Power User | vCenter only | Extends Virtual Machine User: can also edit some VM settings and create and revert snapshots.
Resource Pool Administrator | vCenter only | Can create resource pools of CPU and RAM and allocate groups of VMs to them.
Datacenter Administrator | vCenter only | Can create datacenter objects but has very limited access to VMs.
Virtual Machine Administrator | vCenter only | Full control over VMs, including deleting them.
VMware Consolidated Backup User | vCenter only | Just enough privileges for VMware Consolidated Backup to function.
Datastore Consumer | vCenter only | One privilege only: allocate space on a datastore.
Network Consumer | vCenter only | One privilege only: "Assign network" (to a virtual machine, host service console, VMkernel virtual NIC or physical adapter) under the Network privilege group.
Users and roles can be managed from the ESXi host directly: open the Manage screen and the Security & Users tab, which has two sections, Users and Roles.
When you install ESXi a number of accounts are created.
root | This account has full access. Its password is the one you entered during installation, and it is also the account used when you add the ESXi host to vCenter. |
dcui | This account's primary role is to configure hosts for lockdown mode from the direct console; it is used as the agent for the DCUI and should not be modified or used to log in to your ESXi server. |
vpxuser | This account is used by vCenter to issue commands to your ESXi host, regardless of which end user is connected to the vCenter server; it is granted the Administrator role. |
Users | To create a new user, select Add user on the Users screen. Notice that this screen does not list the vpxuser and dcui accounts, as they are used internally by ESXi. A popup window asks for the username, description and password of the new user, and that's it; the new user can do nothing on the host until you assign a role to them, which is what gives them permission to do things. |
So let's create a role and assign some privileges.
Roles | To create a role, select the Roles section on the Manage screen, then select the Add role button. Type in a meaningful name, then start selecting the privileges for this role. I am not going to cover all the privileges here; I have just selected "Virtual machine", which in itself expands into many privileges. The new role appears at the bottom of the list, and unlike the built-in roles a newly created role can be edited or removed. |
Using roles and privileges to restrict access to a particular VM can be a bit of a task, as you need to build things up in order: first create the user, then the role with its privileges, and finally assign the role to the user on the object (the permission).
Assign a privilege | Oddly, permissions are on a different screen: right-click Manage and select Permissions. The Permissions screen lists the users; highlight a user and select the Assign role button (you can also add users here). You can either select a predefined role, which selects the privileges for that role, or select individual privileges, as below using NewRole, which has very specific privileges. |
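The role, user and permission steps above, together with the inheritance rules from the start of this section, are small enough to model directly. The following Python script is an added example written for this page, not VMware code or its API: it resolves the effective privileges of a user on an inventory object by walking up the hierarchy, so you can see a propagated role apply to a child VM, a No Access permission on a child override a Virtual Machine User grant on its parent, a non-propagating permission stop at the object it was set on, and a custom role ("NewRole", built from a couple of Virtual machine privileges) applied to a single VM. The inventory tree, the user and group names, and the reduced privilege lists behind each role are constructed for the example; the privilege IDs mirror the vSphere naming style, but the real roles carry many more privileges. Two vSphere resolution rules are applied as well: an explicit user permission beats group permissions on the same object, and several group permissions on one object are unioned.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

NO_ACCESS = "No Access"
ADMIN = "Administrator"

# Assumed, reduced privilege sets for a few of the predefined roles in the text.
# The real roles carry many more privileges; the IDs mirror vSphere's naming.
READ = frozenset({"System.Anonymous", "System.View", "System.Read"})
ROLES: dict[str, frozenset[str]] = {
    NO_ACCESS: frozenset(),          # deny: no privileges at all
    "Read-Only": READ,
    "Virtual Machine User": READ | {
        "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.Reset", "VirtualMachine.Interact.ConsoleInteract",
    },
    "Datastore Consumer": READ | {"Datastore.AllocateSpace"},
    ADMIN: frozenset({"*"}),         # wildcard standing in for every privilege
}
ROLES["Virtual Machine Power User"] = ROLES["Virtual Machine User"] | {
    "VirtualMachine.Config.Memory", "VirtualMachine.State.CreateSnapshot",
    "VirtualMachine.State.RevertToSnapshot",
}

def define_role(name: str, privileges: set[str]) -> None:
    """The 'Add role' step: a custom role is just a named set of privileges."""
    ROLES[name] = frozenset(privileges)

@dataclass
class InvObject:
    """An inventory object (root, datacenter, folder, VM, datastore) and the
    permissions set directly on it: principal -> (role name, propagate)."""
    name: str
    parent: Optional[InvObject] = None
    permissions: dict[str, tuple[str, bool]] = field(default_factory=dict)

    def child(self, name: str) -> InvObject:
        return InvObject(name, parent=self)

    def assign(self, principal: str, role: str, propagate: bool = True) -> None:
        """The 'Assign role' step on the Permissions screen."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        self.permissions[principal] = (role, propagate)

def _roles_here(obj: InvObject, user: str, groups, inherited: bool):
    """Roles applying to `user` at `obj`, or None if nothing applies here.
    `inherited` means we reached `obj` from a descendant, so only
    permissions marked propagate count."""
    if user in obj.permissions:
        role, prop = obj.permissions[user]
        if not inherited or prop:
            return [role]                     # explicit user permission wins
    roles = [obj.permissions[g][0] for g in groups
             if g in obj.permissions and (not inherited or obj.permissions[g][1])]
    return roles or None                      # group permissions are unioned

def effective_privileges(obj: InvObject, user: str, groups=()) -> frozenset[str]:
    """Walk from `obj` up to the root; the nearest object carrying an
    applicable permission decides (child overrides parent)."""
    node, inherited = obj, False
    while node is not None:
        roles = _roles_here(node, user, groups, inherited)
        if roles is not None:
            privs: set[str] = set()
            for r in roles:
                privs |= ROLES[r]
            return frozenset(privs)
        node, inherited = node.parent, True
    return frozenset()                        # no permission anywhere: nothing

def has_privilege(obj: InvObject, user: str, privilege: str, groups=()) -> bool:
    privs = effective_privileges(obj, user, groups)
    return "*" in privs or privilege in privs

def build_demo() -> dict[str, InvObject]:
    """Constructed inventory for the example: vCenter -> Datacenter01 ->
    Production folder -> VMs, plus a datastore under the datacenter."""
    root = InvObject("vCenter")
    dc = root.child("Datacenter01")
    prod = dc.child("Production")
    web01, db01 = prod.child("web01"), prod.child("db01")
    ds = dc.child("datastore1")
    define_role("NewRole", set(READ) | {"VirtualMachine.Interact.PowerOn",
                                        "VirtualMachine.Interact.PowerOff"})
    root.assign("administrator", ADMIN)                   # propagates everywhere
    prod.assign("vmops", "Virtual Machine User")          # group, propagates to VMs
    db01.assign("vmops", NO_ACCESS)                       # child override: deny db01
    dc.assign("dbas", "Read-Only", propagate=False)       # stops at the datacenter
    ds.assign("vmops", "Datastore Consumer")              # per-datastore permission
    web01.assign("bob", "NewRole")                        # custom role on one VM
    return {"root": root, "dc": dc, "prod": prod, "web01": web01,
            "db01": db01, "datastore1": ds}

if __name__ == "__main__":
    d = build_demo()
    for obj, who in ((d["web01"], "vmops"), (d["db01"], "vmops"), (d["prod"], "dbas")):
        print(obj.name, who, sorted(effective_privileges(obj, who)))
```

In the demo the dbas permission on the datacenter is assigned with propagate=False, the equivalent of leaving the "Propagate to children" box unticked, so dbas can read the datacenter object but nothing below it; vmops gets Virtual Machine User on everything under Production except db01, where the No Access entry takes precedence over the inherited grant.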
Personally I just stick to the already created roles and generally do not need to create additional roles; most of the time I can get away with using the root account and the Virtual Machine User and Read-Only roles.
If you want to tighten security on the datastores, you can add permissions on those datastores directly: go to the main Datastores screen, highlight the datastore, right-click and select Permissions.
Here you can add the users and roles that are allowed to access the datastore.