While trying out a few things, I added 'root' to a custom created Role. Now on the 'Permissions' tab, root shows up as having the "Administrator" role (original) as well as my new custom created role.
Now when I reconnected through VI as root, I don't have the normal root privileges; e.g., I can't add users, change roles etc.
Any idea how to fix this?
Thanks.
Try removing all custom role entities (custom role) for user "root" as below:
1) Check which managed entity belongs to the custom role and which user it has been assigned to:
vimsh -n -e "vimsvc/auth/role_permissions Role"
$ vimsh -n -e "vimsvc/auth/role_permissions Test"
$ vimsvc/auth/role_permissions Test
(vim.AuthorizationManager.Permission) [
(vim.AuthorizationManager.Permission) {
dynamicType = <unset>,
entity = 'vim.Folder:ha-folder-root',
principal = "admin",
group = false,
roleId = 10,
propagate = true,
}
]
2) Remove the custom role (Test) entity (vim.Folder:ha-folder-root) from the user (admin):
vimsh -n -e "vimsvc/auth/entity_permission_remove managed_entity 'username' group Role propagate"
I tested this with ESX 3.5 and it's working fine.
$ vimsh -n -e "vimsvc/auth/entity_permission_remove vim.Folder:ha-folder-root 'admin' false Test true"
vcbMC-1.0.6 Beta
vcbMC-1.0.7 Lite
Thanks Athlon.
I tried what you suggested, but I get a "Permission Denied" error. The only difference in my case (from what you have tried) is that instead of 'admin' the user in my case is 'root' itself.
Below are my logs...
============================================
$ vimsvc/auth/role_permissions "VM Administrator"
(vim.AuthorizationManager.Permission) [
(vim.AuthorizationManager.Permission) {
dynamicType = <unset>,
entity = 'vim.Folder:ha-folder-root',
principal = "root",
group = false,
roleId = 17,
propagate = true,
}
]
$ vimsvc/auth/entity_permission_remove vim.Folder:ha-folder-root 'root' false "VM Administrator" true
============BEGIN FAILED METHOD CALL DUMP============
'vim.Folder:ha-folder-root'
"root"
false
Fault Msg: "Permission to perform this operation was denied."
============END FAILED METHOD CALL DUMP============
(vim.fault.NoPermission) {
dynamicType = <unset>,
object = 'vim.Folder:ha-folder-root',
privilegeId = "Authorization.ModifyPermissions",
msg = "Permission to perform this operation was denied."
}
==================================
Try this:
1) Create a new user
$ useradd -g admin -G users -s /bin/bash -d /home/usera -m usera
2) Add the Administrator role to the new user
$ vimsh -n -e "vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root 'usera' false Admin true"
3) Edit your "root" permission via the VI Client
If you have no permission at all to assign a role to a new user, even as the "root" user, perhaps you need to play around with authorization.xml:
$ vi /etc/vmware/hostd/authorization.xml
Hints:
1 - root roleID must be equal to "-1"
2 - copy it from another ESX host or make it default
vcbMC-1.0.6 Beta
vcbMC-1.0.7 Lite
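A read-only check built on the dump format and the roleID hint above, as an added example that is not part of any post in this thread: it parses role_permissions output and flags a 'root' bound to any roleId other than -1. The function names and the sample dump are constructed for illustration, and treating -1 as the Administrator role id is an assumption taken from the authorization.xml hint.

```shell
#!/bin/sh
# Constructed sample, in the format of the role_permissions dumps in this thread.
sample_dump() {
    cat <<'EOF'
(vim.AuthorizationManager.Permission) [
   (vim.AuthorizationManager.Permission) {
      dynamicType = <unset>,
      entity = 'vim.Folder:ha-folder-root',
      principal = "root",
      group = false,
      roleId = 17,
      propagate = true,
   }
]
EOF
}

# Reads a dump on stdin, prints "principal<TAB>entity<TAB>roleId" per permission.
parse_permissions() {
    awk -v sq="'" '
    function value(line) {
        sub(/^[^=]*=[ \t]*/, "", line)   # drop "key = "
        sub(/,[ \t]*$/, "", line)        # drop the trailing comma
        gsub(/"/, "", line)              # drop double quotes
        gsub(sq, "", line)               # drop single quotes
        return line
    }
    /^[ \t]*entity[ \t]*=/    { entity = value($0) }
    /^[ \t]*principal[ \t]*=/ { principal = value($0) }
    /^[ \t]*roleId[ \t]*=/    { role = value($0) }
    /^[ \t]*[}]/ {                       # end of one record
        if (principal != "") print principal "\t" entity "\t" role
        entity = principal = role = ""
    }'
}

# Exit status 0 when root holds any role other than roleId -1
# (assumed here to be the built-in Administrator role), 1 otherwise.
root_is_demoted() {
    parse_permissions | awk -F '\t' '$1 == "root" && $3 != "-1" { bad = 1 } END { exit !bad }'
}

# On a host: vimsh -n -e "vimsvc/auth/role_permissions Test" | root_is_demoted
if sample_dump | root_is_demoted; then
    echo "WARNING: root is bound to a non-Administrator role"
fi
```

Running the check against each custom role before reconnecting shows whether root has been rebound while the session that can still modify permissions is open.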
Thanks again.
Giving admin role to the new user again gave me the "Permission Denied" error.
I'll try modifying the authorization.xml file. From what I understand, that'd require me to restart the mgmt-vmware service. I hope that wouldn't affect the running VMs, as we have a few folks using some VMs currently.
Restarting the mgmt-vmware service on ESX 3.5.0 U1 can cause VMs to restart. However, you can just disable VM auto restart if you are afraid of that:
$ vimsh -n -e "hostsvc/autostartmanager/enable_autostart 0"
vcbMC-1.0.6 Beta
vcbMC-1.0.7 Lite
Thanks.
Modifying the authorization.xml file worked.
Thanks for the tip on preventing the VM restarts.
Just wondering however... is this behavior as intended or is it a bug?
I mean, shouldn't a user being part of two Roles have permissions as per the 'Union' of the two permission sets?!