VMware Cloud Community
JonWeatherhead
Contributor

Minimum Permissions to delete a VM

I am building a standalone ESXi host that will hold many Linux VMs to be used by associates that are going through Linux training.  As an administrator, I would like to stay out of the picture as much as possible, while keeping people from abusing resources on my host.  I have a pretty cool mechanism set up that will allow trainees to SSH to my host with a non-root account that immediately runs a login shell script.  The script provisions them a custom VM and then assigns their domain account basic "virtual machine user" permissions to the new VM.

I've taken care of keeping things locked down, or eliminating their ability to break out of the script sufficiently enough.  I have one piece of the puzzle that is stumping me though.

QUESTION:
What permissions do I need to add to their role if I want them to be able to delete their VM when done with the training?

My standard "virtual machine user" role looks like this:

         "Global.CancelTask",
         "ScheduledTask.Create",
         "ScheduledTask.Delete",
         "ScheduledTask.Edit",
         "ScheduledTask.Run",
         "System.Anonymous",
         "System.Read",
         "System.View",
         "VirtualMachine.Interact.AnswerQuestion",
         "VirtualMachine.Interact.ConsoleInteract",
         "VirtualMachine.Interact.DeviceConnection",
         "VirtualMachine.Interact.GuestControl",
         "VirtualMachine.Interact.PowerOff",
         "VirtualMachine.Interact.PowerOn",
         "VirtualMachine.Interact.Reset",
         "VirtualMachine.Interact.SetCDMedia",
         "VirtualMachine.Interact.SetFloppyMedia",
         "VirtualMachine.Interact.Suspend",
         "VirtualMachine.Interact.ToolsInstall"

I created a newer role that I'm calling "VM User with Delete".  It is a clone of what you see above but I also have given it the following permissions:

         "Datastore.DeleteFile", (I'm not sure this one is needed)
         "VirtualMachine.Inventory.Delete" (This one should have been good enough)

It isn't working though.  I even went so far as to create another role at the top level that doesn't propagate but gives them these permissions:

         "Host.Local.DeleteVM",
         "VirtualMachine.Inventory.Delete"

It still doesn't let them delete their VM though.  When they try, they receive the following error message, which seems to point to the "VirtualMachine.Inventory.Delete" that I already gave them.

          Permission to perform this operation was denied.

          You do not hold privilege "Virtual machine > Inventory > Remove" on virtual machine "TraineesVM"


          Call "VirtualMachine.Destroy" for object "TraineesVM" on ESXi "MyHost" failed.

Anyone got any ideas?

JonWeatherhead
Contributor

I guess when the trainee tries to delete their VM it invokes a "Destroy_task".  And the only listed requirement seems to be that they have one permission:

Required Privileges:
When object is VirtualMachine - VirtualMachine.Inventory.Delete

The thing that stinks is that having this permission on strictly just the ManagedEntity (the VM) isn't good enough.  It has to be granted at the top level and allowed to propagate to everything downstream.  Unfortunately this also would give the user the ability to delete other VMs as well.  I've got to believe there is a way around this problem, but I'm drawing a blank.
JonWeatherhead
Contributor

When you add "VirtualMachine.Inventory.Delete" at the top level and then do a "vim-cmd vimsvc/auth/permissions" you will find that it creates a permission entry on 4 entities:

entity = 'vim.ComputeResource:ha-compute-res'

entity = 'vim.Folder:ha-folder-root'

entity = 'vim.HostSystem:ha-host'

entity = 'vim.ResourcePool:ha-root-pool'

I thought maybe I could use "vim-cmd vimsvc/auth/entity_permission_add" to manually add only one of those back in, and that I might be able to find a combo that would work.  But that seems to be a dead end.  If you add only the entry for 'vim.Folder:ha-folder-root' you gain the ability to delete the VM, but you still can delete all the others as well.

So it would seem that the minimum permissions to delete a VM are "VirtualMachine.Inventory.Delete" applied to the 'vim.Folder:ha-folder-root' entity, combined with some manner of permissions that let you see VMs and then since you are overwriting permissions at the VM level, you would need to repeat giving the user "VirtualMachine.Inventory.Delete" on the actual VM.

This appears to be the answer... However, I'm going to leave this unanswered just in case someone wants to come up with something crafty that works.

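The propagation behaviour worked out in this thread, as an added Python sketch that is not from the original posts and is not VMware code. It is a simplified model (a direct entry on an entity overrides an inherited one; deleting needs the privilege on the VM and on its parent object); the `ha-datacenter` and `ha-folder-vm` parents, the `OtherVM` name and the `trainee` account are assumptions, and the last case goes beyond the thread by overriding the other VM with a role that lacks Delete.

```python
# Simplified model (assumption): effective privileges on an entity come from a
# permission set directly on it, else from the nearest ancestor whose
# permission propagates. Deleting a VM needs the privilege on the VM and on
# its parent object, matching the behaviour reported in the thread.
DELETE = "VirtualMachine.Inventory.Delete"
VM_USER = {"System.Read", "System.View", "VirtualMachine.Interact.PowerOn"}  # abbreviated role
VM_USER_DELETE = VM_USER | {DELETE}

# child -> parent; entity names below ha-folder-root are assumed for this sketch
PARENT = {
    "ha-datacenter": "ha-folder-root",
    "ha-folder-vm": "ha-datacenter",
    "TraineesVM": "ha-folder-vm",
    "OtherVM": "ha-folder-vm",
}

def effective(perms, user, entity):
    """perms maps (entity, user) -> (privilege set, propagate flag)."""
    if (entity, user) in perms:          # a direct entry overrides inheritance
        return perms[(entity, user)][0]
    node = PARENT.get(entity)
    while node is not None:
        privs, propagate = perms.get((node, user), (set(), False))
        if propagate:
            return privs
        node = PARENT.get(node)
    return set()

def can_delete(perms, user, vm):
    return (DELETE in effective(perms, user, vm)
            and DELETE in effective(perms, user, PARENT[vm]))

def deletable(perms, user):
    vms = [e for e, p in PARENT.items() if p == "ha-folder-vm"]
    return sorted(vm for vm in vms if can_delete(perms, user, vm))

U = "trainee"  # constructed account name
vm_only = {("TraineesVM", U): (VM_USER_DELETE, False)}
top_no_propagate = {**vm_only, ("ha-folder-root", U): ({DELETE}, False)}
top_propagate = {("ha-folder-root", U): (VM_USER_DELETE, True)}
scoped = {**top_propagate,
          ("TraineesVM", U): (VM_USER_DELETE, False),
          ("OtherVM", U): (VM_USER, False)}  # explicit override without Delete

if __name__ == "__main__":
    for name, perms in [("vm_only", vm_only), ("top_no_propagate", top_no_propagate),
                        ("top_propagate", top_propagate), ("scoped", scoped)]:
        print(f"{name:17} -> {deletable(perms, U)}")
```

In this model the first two grants leave nothing deletable, the propagating top-level grant exposes every VM, and only the per-VM override narrows it to `TraineesVM`; on a real host, compare the output of `vim-cmd vimsvc/auth/permissions` against the intended scope.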