VMware Networking Community
rajeevsrikant
Expert

NSX Manager - Account

I am planning to automate certain NSX operations using the REST API.

For this I need to use the credentials of the NSX Manager to use the REST API.

NSX Manager by default has only 1 account, "admin".

I don't want to use this account. Below is what I am planning.

1. Create one additional account in NSX Manager using REST API

2. Assign the role as "security admin" to this user. This user will have rights to create & delete IPsets & Security group.

3. Use this account in REST API to execute the commands.

Let me know if this will work.

0 Kudos
6 Replies
lhoffer
VMware Employee

As of 6.4, users with roles other than the Enterprise Admin role have read-only access via the API and can only use the "GET" method. Since it sounds like you'll want your new user to be able to use PUT/POST and DEL, they'll need the Enterprise Admin role. Further detail is in the Managing User Rights section of the admin guide.

Prior to 6.4, SSO users didn't get API access, so the method outlined in this VMware Knowledge Base article had to be used to create API users via the CLI.

0 Kudos
rajeevsrikant
Expert

Thanks.

I am running NSX version 6.3.2.

When I created the user via CLI as mentioned in the VMware article, that particular account is not visible in the users tab in the NSX Manager.

But when I create the user via REST API, it is visible in the NSX Manager GUI.

Is this the normal behaviour?

If I create a new user via REST API in NSX Manager, will I be able to use this account for REST API to make changes?

0 Kudos
bayupw
Leadership

The NSX Manager CLI user account is managed locally and is separate from the user account management in the vSphere Web Client.

So when you create a new user in the CLI, that user will not be visible from the vSphere Client, which is expected/normal behavior as per this doc: Create a User with Web Interface Access Using CLI

     The created user is not listed in the Networking & Security > System > Users and Domains > Users tab. Also, no role is assigned to the user.

The CLI user account will have no access to either the NSX plugin in the vSphere Client or REST API calls; REST API calls will throw an error that the user does not have any role in NSX Manager.

To assign an NSX role to the CLI user account so that it can access the NSX plugin from the vSphere Web Client and the REST API, assign it through the REST API with another user, for example the admin user, as per the same doc:

     Assign the required role to the user using the REST API. You can assign auditor (Auditor), security_admin (Security Administrator), or super_user (System Administrator) role as follows:

     POST - https://<NSX-IP>/api/2.0/services/usermgmt/role/<username>?isCli=true
     <accessControlEntry>
       <role>auditor</role> <!-- Enter the required role -->
       <resource>
         <resourceId>globalroot-0</resourceId>
       </resource>
     </accessControlEntry>

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos
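
The role-assignment call quoted in the reply above, as an added example that is not part of the original thread or of VMware's documentation: it builds (without sending) the POST for a CLI-created user and rejects role names outside the three listed in the quoted doc. The host `nsx-manager.example.local`, the user `svc_api`, the user-name pattern and the function names are assumptions made for illustration.

```python
import base64
import re
import urllib.request
from urllib.parse import quote
from xml.etree import ElementTree as ET

# Role names as listed in the documentation excerpt quoted in the thread.
ALLOWED_ROLES = {"auditor", "security_admin", "super_user"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumption: conservative pattern


def build_acl_body(role: str) -> bytes:
    """Return the <accessControlEntry> XML body for a global-scope role."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role: {role!r}")
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = role
    resource = ET.SubElement(entry, "resource")
    ET.SubElement(resource, "resourceId").text = "globalroot-0"
    return ET.tostring(entry, encoding="utf-8")


def build_role_request(host, cli_user, role, admin_user, admin_password):
    """Build (not send) the POST that assigns `role` to a CLI-created user."""
    if not USERNAME_RE.match(cli_user):
        raise ValueError("unexpected characters in user name")
    if cli_user == admin_user:
        # Added safeguard: never re-role the account that makes the call.
        raise ValueError("refusing to re-role the calling account")
    url = (f"https://{host}/api/2.0/services/usermgmt/role/"
           f"{quote(cli_user, safe='')}?isCli=true")
    # The call is made as an existing privileged user, using HTTP basic auth.
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(
        url, data=build_acl_body(role), method="POST",
        headers={"Content-Type": "application/xml",
                 "Authorization": f"Basic {token}"})


if __name__ == "__main__":
    # Constructed sample values; nothing is sent to the network here.
    req = build_role_request("nsx-manager.example.local", "svc_api",
                             "security_admin", "admin", "placeholder-password")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Passing the returned request to `urllib.request.urlopen` with certificate verification enabled sends it; on 6.4 and later the read-only restriction described earlier in the thread still applies to whatever role is assigned.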
rajeevsrikant
Expert

Thanks Bayu

I am summarizing my understanding & let me know if it is right.

1. Create a new user using CLI

2. Assign the role to the user created, via REST API

3. Then this user will have permission or rights to use REST API

Let me know if my understanding is right.

0 Kudos
rajeevsrikant
Expert

I am able to set the user via REST API & also able to set the privilege as below.
But there was no option to set the password for the accounts created via REST API?

Am I missing something to set the password for these accounts?

[screenshot: pastedImage_0.png]

0 Kudos
bayupw
Leadership

The user you have created is an NSX CLI User local to the NSX Manager and created through CLI.

To change the password, you need to log in to the CLI of NSX Manager, go to privilege mode and use the cli password command.

[screenshot: pastedImage_1.png]

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/nsx_64_cli.pdf

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos