I am building a stand-alone ESXi host that will hold many Linux VMs to be used by associates that are going through Linux training. As an administrator, I would like to stay out of the picture as much as possible, while keeping people from abusing resources on my host. I have a pretty cool mechanism set up that will allow trainees to SSH to my host with a non-root account that immediately runs a login shell script. The script provisions them a custom VM and then assigns their domain account basic "virtual machine user" permissions to the new VM.
I've taken care of keeping things locked down, or eliminating their ability to break out of the script sufficiently enough. I have one piece of the puzzle that is stumping me though.
My standard "virtual machine user" role looks like this:
"Global.CancelTask",
"ScheduledTask.Create",
"ScheduledTask.Delete",
"ScheduledTask.Edit",
"ScheduledTask.Run",
"System.Anonymous",
"System.Read",
"System.View",
"VirtualMachine.Interact.AnswerQuestion",
"VirtualMachine.Interact.ConsoleInteract",
"VirtualMachine.Interact.DeviceConnection",
"VirtualMachine.Interact.GuestControl",
"VirtualMachine.Interact.PowerOff",
"VirtualMachine.Interact.PowerOn",
"VirtualMachine.Interact.Reset",
"VirtualMachine.Interact.SetCDMedia",
"VirtualMachine.Interact.SetFloppyMedia",
"VirtualMachine.Interact.Suspend",
"VirtualMachine.Interact.ToolsInstall"
I created a newer role that I'm calling "VM User with Delete". It is a clone of what you see above but I also have given it the following permissions:
"Datastore.DeleteFile", (I'm not sure this one is needed)
"VirtualMachine.Inventory.Delete" (This one should have been good enough)
It isn't working though. I even went so far as to create another role at the top level that doesn't propagate but gives them these permissions:
"Host.Local.DeleteVM",
"VirtualMachine.Inventory.Delete"
It still doesn't let them delete their VM though. When they try, they receive the following error message, which seems to point to the "VirtualMachine.Inventory.Delete" that I already gave them.
Permission to perform this operation was denied.
You do not hold privilege "Virtual machine > Inventory > Remove" on virtual machine "TraineesVM"
Call "VirtualMachine.Destroy" for object "TraineesVM" on ESXi "MyHost" failed.
Anyone got any ideas?
I guess when the trainee tries to delete their VM it invokes a "Destroy_task". And the only listed requirement seems to be that they have one permission:
When you add "VirtualMachine.Inventory.Delete" at the top level and then do a "vim-cmd vimsvc/auth/permissions" you will find that it creates a permission entry on 4 entities:
entity = 'vim.ComputeResource:ha-compute-res'
entity = 'vim.Folder:ha-folder-root'
entity = 'vim.HostSystem:ha-host'
entity = 'vim.ResourcePool:ha-root-pool'
I thought maybe I could use "vim-cmd vimsvc/auth/entity_permission_add" to manually add only one of those back in, and that I might be able to find a combo that would work. But that seems to be a dead end. If you add only the entry for 'vim.Folder:ha-folder-root' you gain the ability to delete the VM, but you can still delete all the others as well.
So it would seem that the minimum permissions to delete a VM are "VirtualMachine.Inventory.Delete" applied to the 'vim.Folder:ha-folder-root' entity, combined with some manner of permissions that let you see VMs. And then, since you are overwriting permissions at the VM level, you would need to repeat giving the user "VirtualMachine.Inventory.Delete" on the actual VM.
This appears to be the answer... However, I'm going to leave this unanswered just in case someone wants to come up with something crafty that works.
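A small audit helper, added here as an example and not part of the original post: it reads the text that "vim-cmd vimsvc/auth/permissions" prints, lists every entity on which a principal holds a given role id, and flags any container entity (folder, host, pool, compute resource), since, as found above, a "VirtualMachine.Inventory.Delete" grant on 'vim.Folder:ha-folder-root' reaches every VM. The sample output is constructed and abridged (only the "entity = '...'" lines come from the post); the user "trainee1", role id 11 and VM id 12 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the text output of
# `vim-cmd vimsvc/auth/permissions` (one `{ ... },` block per permission).
# Constructed sample: principal, roleId and VM id are assumed values.

sample_permissions() {
  cat <<'EOF'
(vim.AuthorizationManager.Permission) [
   (vim.AuthorizationManager.Permission) {
      entity = 'vim.Folder:ha-folder-root',
      principal = "trainee1",
      roleId = 11,
      propagate = false,
   },
   (vim.AuthorizationManager.Permission) {
      entity = 'vim.VirtualMachine:12',
      principal = "trainee1",
      roleId = 11,
      propagate = true,
   },
   (vim.AuthorizationManager.Permission) {
      entity = 'vim.Folder:ha-folder-root',
      principal = "root",
      roleId = -1,
      propagate = true,
   }
]
EOF
}

# Print "<entity> <propagate>" for each block on stdin whose principal
# ($1) and roleId ($2) match; fields are reset at every closing brace.
entities_for_role() {
  awk -v p="$1" -v r="$2" '
    /entity = /    { gsub(/[^A-Za-z0-9:._-]/, "", $3); ent = $3 }
    /principal = / { gsub(/[",]/, "", $3); pr = $3 }
    /roleId = /    { gsub(/,/, "", $3); rid = $3 }
    /propagate = / { gsub(/,/, "", $3); prop = $3 }
    /^ *},?$/      { if (pr == p && rid == r) print ent, prop
                     ent = pr = rid = prop = "" }
  '
}

# Print every non-VM entity carrying the role and exit 1 if any exist;
# exit 0 silently when the role sits only on individual VMs. A hit on
# ha-folder-root means the user can delete every VM, per the post.
broad_grants() {
  entities_for_role "$1" "$2" |
    awk '$1 !~ /^vim\.VirtualMachine:/ { print $1; n++ } END { exit n ? 1 : 0 }'
}
```

On the host itself, feed the live output instead of the sample: `vim-cmd vimsvc/auth/permissions | broad_grants trainee1 11`.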