PlateSpin Migrate includes unique user roles (and a tool for creating them in a VMware data center) that make it possible for non-administrative VMware users (or “enabled users”) to perform Migrate lifecycle operations in the VMware environment. These roles make it possible for you, as a service provider, to segment your VMware cluster to allow multitenancy, where multiple Migrate targets are instantiated in your data center to accommodate Migrate customers or “tenants” who want to keep their data and evidence of their existence separate from and inaccessible to other customers who also use your data center.
PlateSpin Migrate requires certain privileges to access and perform tasks in the VMware platforms for making the Migrate workflow and functionality possible in that environment. The PlateSpinRole.xml file included in the PlateSpin Migrate Server installation directory defines some VMware custom roles and minimum required privileges for these roles.
The following three roles are used when establishing a multi-tenant vCenter environment and are recreated by a PlateSpin VMware role tool (PlateSpin.VMwareRoleTool.exe) included with the PlateSpinRole.xml file in the Migrate-Install-folder\PlateSpin Migrate Server\bin\VMwareRolesTool directory:
PlateSpin Virtual Machine Manager
PlateSpin Virtual Infrastructure Manager
PlateSpin User
The following four roles are used to filter out resources for which the user does not have sufficient privileges to perform migrations. However, these roles are not recreated by the PlateSpin VMware role tool.
PlateSpin Datastore Manager
PlateSpin Network Manager
PlateSpin Cluster Manager
PlateSpin VM User
From the location where the role tool is installed, run the tool from the command line, using this basic syntax:
PlateSpin.VMwareRoleTool.exe /host=[hostname/IP] /user=[user name] /role=[the role definition file name and location] /create
Apply the following parameters as needed when you use PlateSpin.VMwareRoleTool.exe to create or update roles in vCenter:
Parameter | Description |
---|---|
/create | (mandatory) Creates the roles defined by the /role parameter |
/get_all_privileges | Display all server-defined privileges |
/get_compatible_roles | Display all roles that are compatible with the role defined by /role |
/check_role=[role name] | Check the given role for compatibility with the role defined by /role |
Optional Flags | |
/interactive | Run the tool with interactive options that allow you to choose to create individual roles, check role compatibility, or list all compatible roles. For information about using the tool in interactive mode, see VMware Role Tool to Verify Permissions to the Roles (KB 7018547). |
/password=[password] | Provide the VMware password (bypasses the password prompt) |
/verbose | Display detailed information |
Usage: PlateSpin.VMwareRoleTool.exe /host=houston_sales /user=pedrom /role=PlateSpinRole.xml /create
Resulting Actions:
The role definition tool runs on the houston_sales vCenter server, which has an administrator with the user name pedrom.
In the absence of the /password parameter, the tool prompts for the user password, which you enter.
The tool accesses the role definition file, PlateSpinRole.xml, which is located in the same directory as the tool executable (there was no need to further define its path).
The tool locates the definition file and is instructed (/create) to create the roles defined in the contents of that file in the vCenter environment.
The tool accesses the definition file and creates the new roles (including the appropriate minimum privileges for defined, limited access) inside vCenter.
The new custom roles are to be assigned to users later in vCenter.
For information about using the tool, see VMware Role Tool to Verify Permissions to the Roles (KB 7018547).
You use the vCenter client to manually create and assign the PlateSpin custom roles. This requires creating the roles with the enumerated privileges as defined in PlateSpinRole.xml. When you create the roles manually, there is no restriction on the name of the role. The only restriction is that the roles you create as equivalents to those in the definition file must have all of the appropriate minimum privileges from the definition file.
For more information about how to create custom roles in vCenter, see Managing VMware VirtualCenter Roles and Permissions in the VMware Technical Resource Center.
You use the vCenter client to view the minimal privileges set for the PlateSpin custom roles.
In vCenter, select a custom role:
PlateSpin Virtual Machine Manager
PlateSpin Virtual Infrastructure Manager
PlateSpin User
PlateSpin Datastore Manager
PlateSpin Network Manager
PlateSpin Cluster Manager
PlateSpin VM User
Click Edit to view the privileges settings in the Edit Role dialog.
For example, the following figure shows some of the privileges set for the PlateSpin Virtual Machine Manager role.
As you set up a multitenancy environment, you need to provision a single Migrate server per customer or “tenant.” You assign this Migrate server an enabled user with special Migrate VMware roles. This enabled user creates the Migrate target. As service provider, you maintain this user’s credentials and do not disclose them to your tenant customer.
The following table lists the roles you need to define for the enabled user. It also includes more information about the purpose of the role:
vCenter platform for Role Assignment | Role Assignment Specifics | Propagate Instructions | More Information |
---|---|---|---|
Root of vCenter inventory tree. | Assign the enabled user the PlateSpin Virtual Infrastructure Manager (or equivalent) role. | For security reasons, define the permission as non-propagating. | This role is needed to monitor tasks being performed by the Migrate software and to end any stale VMware sessions. |
All data center objects where the enabled user needs access | Assign the enabled user the PlateSpin Virtual Infrastructure Manager (or equivalent) role. | For security reasons, define the permission as non-propagating. | This role is needed to allow access to the data center’s datastores for file upload/download. Define the permission as non-propagating. |
Each cluster to be added to Migrate as a target, and each member host in the cluster | Assign the enabled user the PlateSpin Virtual Infrastructure Manager (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | To assign to a host, propagate the permission from the cluster object or create an additional permission on each cluster host. If the role is assigned on the cluster object and is propagated, no further changes are necessary when you add a new host to the cluster. However, propagating this permission has security implications. |
Each Resource Pool where the enabled user needs access. | Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | Although you can assign access to any number of Resource Pools in any location in the tree, you must assign the enabled user this role on at least one Resource Pool. |
Each VM folder where the enabled user needs access | Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | Although you can assign access to any number of VM Folders in any location in the tree, you must assign the enabled user this role on at least one folder. |
Each Network where the enabled user needs access. Distributed Virtual Networks with a dvSwitch and a dvPortgroup | Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | Although you can assign access to any number of networks in any location in the tree, you must assign the enabled user this role on at least one folder. |
Each Datastore and Datastore Cluster where the enabled user needs access | Assign the enabled user the PlateSpin Virtual Machine Manager (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | The enabled user must have been assigned this role on at least one Datastore or Datastore Cluster. For Datastore Clusters, the permission must be propagated to the contained datastores. Not providing access to an individual member of the cluster causes both prepare and full replications to fail. |
The following table shows the role you can assign to the customer or tenant user.
vCenter platform for Role Assignment | Role Assignment Specifics | Propagate Instructions | More Information |
---|---|---|---|
Each resource pool(s) and folder(s) where the customer's VMs will be created. | Assign the tenant user the PlateSpin User (or equivalent) role. | Propagation is at the discretion of the VMware administrator. | This tenant is a member of the PlateSpin Administrators group on the PlateSpin Migrate server and is also on the vCenter server. If the tenant will be granted the ability to change the resources used by the VM (that is, networks, ISO images, and so forth), grant this user the necessary permissions on those resources. For example, if you want to allow the customer to change the network where their VM is attached, this user should be assigned the Read-only role (or better) on all of the networks being made accessible to the customer. |
The figure below illustrates a Virtual Infrastructure in the vCenter console. The objects labeled in blue are assigned the Infrastructure Manager role. The objects labeled in green are assigned the Virtual Machine Manager role. The tree does not show VM folders, Networks and Datastores. Those objects are assigned the PlateSpin Virtual Machine Manager role.
Figure 13-3 Roles assigned in vCenter
PlateSpin software uses an enabled user only to perform protection lifecycle operations. From your perspective as a service provider, an end user never has access to the enabled user’s credentials and is unable to access the same set of VMware resources. In an environment where multiple Migrate servers are configured to use the same vCenter environment, Migrate prevents possibilities for cross-client access. The major security implications include:
With the PlateSpin Virtual Infrastructure Manager role assigned to the vCenter object, every enabled user can see (but not affect) the tasks performed by every other user.
Because there is no way to set permissions on datastore folders/subfolders, all enabled users with permissions on a datastore have access to all other enabled users’ disks stored on that datastore.
With the PlateSpin Virtual Infrastructure Manager role assigned to the cluster object, every enabled user is able to turn off/on HA or DRS on the entire cluster.
With the PlateSpin User role assigned at the storage cluster object, every enabled user is able to turn off/on SDRS for the entire cluster.
Setting the PlateSpin Virtual Infrastructure Manager Role on the DRS Cluster object and propagating this role allows the enabled user to see all VMs placed in the default resource pool and/or default VM folder. Also, propagation requires the administrator to explicitly set the enabled user to have a “no-access” role on every resource pool/VM folder that he or she should not have access to.
Setting the PlateSpin Virtual Infrastructure Manager Role on the vCenter object allows the enabled user to end sessions of any other user connected to the vCenter.
NOTE: Remember, in these scenarios, different enabled users are actually different instances of the PlateSpin software.
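The placement rules in the enabled-user table and the security implications listed above can be checked mechanically before a tenant goes live. The following is an added example, not part of the PlateSpin documentation or tooling: it audits a constructed list of permission assignments, and the record fields, `entity_type` labels and account names are assumptions. It matches the role names on this page literally, so equivalent custom roles would need to be mapped to them first.

```python
# Added example. Record fields and entity_type labels are assumptions, not a vCenter export format.
INFRA = "PlateSpin Virtual Infrastructure Manager"
VMM = "PlateSpin Virtual Machine Manager"
MUST_NOT_PROPAGATE = {"root", "datacenter"}  # table: "define the permission as non-propagating"
NEED_ONE_VMM = ("resource_pool", "vm_folder", "datastore")  # table: "at least one"

def audit(permissions, enabled_users):
    """Return sorted (finding, principal, entity) tuples for the enabled users."""
    findings = set()
    datastore_users = {}
    vmm_types = {u: set() for u in enabled_users}
    for p in permissions:
        user, etype, entity = p["principal"], p["entity_type"], p["entity"]
        if user not in enabled_users:
            continue
        if p["role"] == INFRA:
            if etype in MUST_NOT_PROPAGATE and p["propagate"]:
                findings.add(("infra-role-propagates", user, entity))
            if etype == "cluster" and p["propagate"]:
                # Propagation exposes default pool/folder VMs unless no-access roles are set.
                findings.add(("cluster-propagation-review", user, entity))
        if p["role"] == VMM:
            # A datastore cluster satisfies the "at least one datastore" rule.
            vmm_types[user].add("datastore" if etype == "datastore_cluster" else etype)
            if etype == "datastore_cluster" and not p["propagate"]:
                findings.add(("datastore-cluster-not-propagated", user, entity))
        if etype in ("datastore", "datastore_cluster"):
            datastore_users.setdefault(entity, set()).add(user)
    for entity, users in datastore_users.items():
        if len(users) > 1:  # no per-folder permissions on a datastore: disks are mutually visible
            findings.update(("datastore-shared", u, entity) for u in users)
    for user, seen in vmm_types.items():
        findings.update(("missing-vmm-assignment", user, t) for t in NEED_ONE_VMM if t not in seen)
    return sorted(findings)

# Constructed sample assignments for two tenants' enabled users.
SAMPLE = [
    {"principal": "svc-tenantA", "role": INFRA, "entity_type": "root", "entity": "vcenter", "propagate": True},
    {"principal": "svc-tenantA", "role": VMM, "entity_type": "resource_pool", "entity": "rp-A", "propagate": True},
    {"principal": "svc-tenantA", "role": VMM, "entity_type": "vm_folder", "entity": "vm-A", "propagate": True},
    {"principal": "svc-tenantA", "role": VMM, "entity_type": "datastore", "entity": "ds-01", "propagate": False},
    {"principal": "svc-tenantB", "role": INFRA, "entity_type": "root", "entity": "vcenter", "propagate": False},
    {"principal": "svc-tenantB", "role": VMM, "entity_type": "resource_pool", "entity": "rp-B", "propagate": True},
    {"principal": "svc-tenantB", "role": VMM, "entity_type": "datastore", "entity": "ds-01", "propagate": False},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"svc-tenantA", "svc-tenantB"}):
        print(*finding, sep="\t")
```

A `datastore-shared` finding does not mean the assignment is wrong; it marks a datastore where the tenants' disks are visible to each other's enabled user, which is the exposure the list above describes.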