VMware Cloud Community
lightbrew
Contributor

root added to new role loses privileges

While trying out a few things, I added 'root' to a custom-created Role. Now on the 'Permissions' tab, root shows up as having the "Administrator" role (original) as well as my new custom-created role.

Now when I reconnected through VI as root, I don't have the normal root privileges; e.g., I can't add users, change roles, etc.

Any idea how to fix this?

Thanks.

athlon_crazy
Virtuoso

Try removing all custom role entities (custom role) for user "root" as below:

1) Check which managed entity belongs to the custom role and which user it has been assigned to:

vimsh -n -e "vimsvc/auth/role_permissions Role"

$ vimsh -n -e "vimsvc/auth/role_permissions Test"
$ vimsvc/auth/role_permissions Test
(vim.AuthorizationManager.Permission) [
   (vim.AuthorizationManager.Permission) {
      dynamicType = <unset>,
      entity = 'vim.Folder:ha-folder-root',
      principal = "admin",
      group = false,
      roleId = 10,
      propagate = true,
   }
]

2) Remove the custom role (Test) entity (vim.Folder:ha-folder-root) from the user (admin):

vimsh -n -e "vimsvc/auth/entity_permission_remove managed_entity 'username' group Role propagate"

I tested this with ESX 3.5 and it's working fine.

$ vimsh -n -e "vimsvc/auth/entity_permission_remove vim.Folder:ha-folder-root 'admin' false Test true"

vcbMC-1.0.6 Beta

vcbMC-1.0.7 Lite

http://www.no-x.org

http://www.no-x.org
lightbrew
Contributor

Thanks Athlon.

I tried what you suggested, but I get a "Permission Denied" error. The only difference in my case (from what you have tried) is that instead of 'admin' the user in my case is 'root' itself.

Below are my logs...

============================================
$ vimsvc/auth/role_permissions "VM Administrator"
(vim.AuthorizationManager.Permission) [
   (vim.AuthorizationManager.Permission) {
      dynamicType = ,
      entity = 'vim.Folder:ha-folder-root',
      principal = "root",
      group = false,
      roleId = 17,
      propagate = true,
   }
]

$ vimsvc/auth/entity_permission_remove vim.Folder:ha-folder-root 'root' false "VM Administrator" true
============BEGIN FAILED METHOD CALL DUMP============
Invoking on
Arg entity:
'vim.Folder:ha-folder-root'
Arg user:
"root"
Arg isGroup:
false
Fault Msg: "Permission to perform this operation was denied."
============END FAILED METHOD CALL DUMP============
(vim.fault.NoPermission) {
   dynamicType = ,
   object = 'vim.Folder:ha-folder-root',
   privilegeId = "Authorization.ModifyPermissions",
   msg = "Permission to perform this operation was denied."
}
==================================

athlon_crazy
Virtuoso

Try this:

1) Create a new user

$ useradd -g admin -G users -s /bin/bash -d /home/usera -m usera

2) Add the Administrator role to the new user

$ vimsh -n -e "vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root 'usera' false Admin true"

3) Edit your "root" permission via the VI Client

If you have no permission at all to assign a role to a new user, even as the "root" user, perhaps you need to play around with authorization.xml:

$ vi /etc/vmware/hostd/authorization.xml

Hints:

1 - root roleID must be equal to "-1"

2 - copy from another ESX host or make it default

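An added example, not part of the original posts: a Python check that parses a role_permissions dump in the layout quoted in this thread and flags the state described here, where the user root is bound on vim.Folder:ha-folder-root to a role other than roleID -1. The sample dump is constructed and the function names are hypothetical.

```python
import re

ADMIN_ROLE_ID = -1                      # thread hint: root's roleID must equal -1
ROOT_FOLDER = "vim.Folder:ha-folder-root"

# Constructed sample, laid out like the role_permissions dumps quoted in this thread.
SAMPLE_DUMP = """
(vim.AuthorizationManager.Permission) [
   (vim.AuthorizationManager.Permission) {
      dynamicType = <unset>,
      entity = 'vim.Folder:ha-folder-root',
      principal = "root",
      group = false,
      roleId = 17,
      propagate = true,
   },
   (vim.AuthorizationManager.Permission) {
      dynamicType = <unset>,
      entity = 'vim.Folder:ha-folder-root',
      principal = "admin",
      group = false,
      roleId = 10,
      propagate = true,
   }
]
"""

_BLOCK = re.compile(r"\(vim\.AuthorizationManager\.Permission\)\s*\{(.*?)\}", re.S)
_FIELD = re.compile(r"^\s*(\w+)\s*=\s*(.*?),?\s*$", re.M)

def parse_permissions(dump):
    """Return one dict per Permission block found in a vimsh dump."""
    perms = []
    for body in _BLOCK.findall(dump):
        f = {k: v.strip("'\"") for k, v in _FIELD.findall(body)}
        perms.append({"entity": f["entity"], "principal": f["principal"],
                      "group": f["group"] == "true", "role_id": int(f["roleId"]),
                      "propagate": f["propagate"] == "true"})
    return perms

def root_lockout_findings(perms):
    """Permissions that bind the user root on the root folder to a non-admin role."""
    return [p for p in perms
            if p["principal"] == "root" and not p["group"]
            and p["entity"] == ROOT_FOLDER and p["role_id"] != ADMIN_ROLE_ID]

if __name__ == "__main__":
    for p in root_lockout_findings(parse_permissions(SAMPLE_DUMP)):
        print(f"root holds roleId {p['role_id']} on {p['entity']}; expected {ADMIN_ROLE_ID}")
```
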
lightbrew
Contributor

Thanks again.

Giving admin role to the new user again gave me the "Permission Denied" error.

I'll try modifying the authorization.xml file. From what I understand, that'd require me to restart the mgmt-vmware service. I hope that wouldn't affect the running VMs, as we have a few folks using some VMs currently.

athlon_crazy
Virtuoso

Restarting the mgmt-vmware service on ESX 3.5.0 U1 can cause VMs to restart. However, you can just disable VM auto-restart if you are afraid of that:

$ vimsh -n -e "hostsvc/autostartmanager/enable_autostart 0"
lightbrew
Contributor

Thanks.

Modifying the authorization.xml file worked.

Thanks for the tip on preventing the VM restarts.

Just wondering, however... is this behavior as intended or is it a bug?

I mean, shouldn't a user being part of two Roles have permissions as per the 'Union' of the two permission sets?!
