VMware Cloud Community
alexanderjn
Enthusiast
Enthusiast

Minimal vCenter permissions for a user to upload files to a datastore in 6.5

Hi all,

Recently worked on an upload issue and figured it was worth posting here in case anyone else ever encounters something similar.

Environment:

  • vCenter 6.5 build 5973321
  • ESXi 6.5 build 5310538 (image profile ESXi-6.5.0-4564106-standard)
  • The web browser used to upload files
  • The vCenter account of the user who will be uploading files already has
    • A role containing the privileges "Datastore > Browse datastore" and "Datastore > Low level file operations" applied to the datastore where files will be uploaded
    • The "Read-Only" role applied to the host objects (propagating to children or not) that are mounting the datastore where files will be uploaded

Symptoms:

  • The user can create folders in the datastore browser
  • In the vSphere Web Client (Flex UI) after choosing a file to upload, the UI refreshes but the file is not uploaded
  • In the vSphere Client (HTML5) attempting to upload a file errors with the message "Failed to transfer data. For more information check out the logs."
  • In the vCenter web client log (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log) entries similar to the following appear
    • [<date>] [ERROR] data-service-pool-786        70005481 100911 200867 com.vmware.vsphere.client.storage.impl.DatastorePropertyProvider  Not able to acquire generic service ticket for the purpose of file transfer com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
    • [<date>] [ERROR] http-bio-9090-exec-3         70005482 100912 200867 com.vmware.vise.vim.http.transport.FileUploadRequestHandler       Failed to transfer data to url: https://<esxi_fqdn>/folder/<folder_name>/<file_being_uploaded_name>?dcPath=ha-datacenter&dsName=<datastore_name> java.io.IOException: Error writing request body to server

(apparent) Cause:

  • In order to transfer files to a datastore via a host, the user apparently requires the privilege "Host > Configuration > System Management" applied to the hosts mounting the datastore, NOT the "Read Only" role. The role containing the privilege "Host > Configuration > System Management" for the user does not need to propagate to the children of the host object. Hat tip to petermie​ and Mincho Tonev in the post User with Administrator role can't upload files to datastores for finding that.

Hope this helps someone down the line.

13 Replies
ivanerben
Enthusiast
Enthusiast

Hi,

thanks for this post! It seems this permission is also required to download file from datastore by user.

And now I not sure, if I want to allow user "to manipulate the file system on the host."  :smileyconfused:

Host Configuration Privileges

Host > Configuration > System Management  - Allows extensions to manipulate the file system on the host.

Reply
0 Kudos
alexanderjn
Enthusiast
Enthusiast

So, just to add another wrench into the mix, it appears that there's a problem when vCenter is running version 6.5 but the hosts are still on 6.0. I'm just going to copy paste the info I submitted in an SR (18791435705) to VMware. At the moment the only workaround appears to be upgrading the hosts to 6.5.

Problem Description:

    After upgrading from vCenter 6.0 to 6.5 users with roles that allowed them to upload files to datastores (for example ISO images) can no longer do so if the cluster is running ESXi 6.0 but have no problems if the cluster is running ESXi 6.5. For 6.5 the permission "Host > Configuration > System Management" needed to be added to the user's role for them to be able to upload files to datastores mounted to 6.5 clusters, but they are no longer able to upload to datastores mounted to 6.0 clusters.

Environment:

    vCenter: 6.5 build 8024368 (version 6.5.0.15000)

    Cluster 1: ESXi 6.5.0 build 7967591

    Cluster 2: ESXi 6.0.0 build 5572656

    Datastore 1: Mounted to all hosts in Cluster 1

    Datastore 2: Mounted to all hosts in Cluster 2

    Browser: Firefox 59.0.1 (64-bit)

    Browser Certificate Exceptions:

        vCenter (by fqdn)

        All ESXi hosts in clusters 1 and 2 (by fqdn)

    Permissions:

        Set at datastore objects "Datastore 1" and "Datastore 2" [propagating to children]

            Datastore > Browse datastore

            Datastore > Low level file operations

        Set at cluster objects "Cluster 1" and "Cluster 2" [propagating to children]

            Host > Configuration > System Management

    Symptoms:

        Attempting to upload a file to Datastore 1 succeeds

        Attempting to upload a file to Datastore 2 fails

    Errors:

        In vSphere Web Client and vSphere Client: "The operation failed for an undetermined reason. Typically this problem occurs due to certificates that the browser does not trust. If you are using self-signed or custom certificates, open the URL below in a new browser tab and accept the certificate, then retry the operation. https://<<vCenter FQDN>>. If this does not resolve the problem, other possible solutions are shown in this KB article: http://kb.vmware.com/kb/2147256

       

        In vSphere Web Client and vSphere Client log file: [YYY-MM-DDTHH:MM:SS.SSSZ] [ERROR] http-bio-9090-exec-133       70077100 102659 201669 com.vmware.vise.vim.http.transport.FileUploadRequestHandler       Failed to transfer data to url: https://<<vCenter FQDN>>:443/folder/<<datastore folder>>/<<file being uploaded>>?dcPath=<<vCenter_Datacenter_Object>>&dsName=<<vCenter_Datastore_Object>> java.io.IOException: Error writing request body to server

JulienSoulet
Contributor
Contributor

Hello Alexander,

I want to say thank you to you, because you solved one of my problem.

Regards,

Julien.

Reply
0 Kudos
StuDuncanHPE
Enthusiast
Enthusiast

Working through this problem right now.  In my environment:

The Flex client has this issue - user cannot upload file to datastore.

The HTML5 client does not - user CAN upload file to datastore.

I can log in/out back & forth, this is repeatable.

Certs are installed, reboots are rebooted.

Adding your fix above did NOT allow the Flex client to upload. User has full privileges on Datastore.

Reply
0 Kudos
SP2911
Contributor
Contributor

Hi could you check if downloaded the trusted root certificate 

1:: Just type the Fqdn of your vcenter server in the Browser

2:: on the Right corner Bottom, you will get an option for Download trusted root certificate

3:: install the same.

4:: close the browser

5:: navigate again, you should be able to upload the files on the datastore.

Reply
0 Kudos
StuDuncanHPE
Enthusiast
Enthusiast

Yes, the certs were previously installed.  They show in Firefox security.

pastedImage_0.png

This is repeatable on at least 3 computers:

Install certs, can't upload via Flash, can upload via HTML5.

VCSA 6.5u1g - build 8024368

Reply
0 Kudos
SP2911
Contributor
Contributor

Just stop the service and start

Confirm once  Done

Reply
0 Kudos
StuDuncanHPE
Enthusiast
Enthusiast

Everything has been rebooted - server, client system.  Still doesn't work in Flash.

Reply
0 Kudos
warnox
Enthusiast
Enthusiast

I'm seeing exactly the same thing with VC 6.5 managing 6.0 hosts. Datastores which are on 6.5 hosts don't have this permissions issue. I've asked VMware for an update, using your SR.

Reply
0 Kudos
bryanvaneeden
Hot Shot
Hot Shot

Any updates on this? I am also seeing this issue but can't seem to find any resolution Smiley Sad.

Visit my blog at https://vcloudvision.com!
Reply
0 Kudos
StuDuncanHPE
Enthusiast
Enthusiast

I did not find a solution for it on 6.5

My only solution for it was to upgrade to VCSA 6.7d.  This resolved it.

Reply
0 Kudos
shdwlynx
Contributor
Contributor

Alex's original permissions list almost worked for me to allow downloading files from a datastore.  I needed to add Cryptographic operations > Direct Access (but surprisingly, not Decrypt, although if it doesn't work for you without Decrypt, try adding that, too).  So here's my full list of the minimal permissions required to download files from a datastore in vCenter 6.5:

  1. Cryptographic operations
    • Direct Access
  2. Datastore
    • Browse datastore
    • Low level file operations
  3. Host
    • Configuration
      • System Management

I'm I the only one who cannot find this kind of specific advice in VMware's official documentation?  If I'm the only fool, I'd love to be pointed in the right direction with a URL (along with a text-based bread crumb list for the inevitable day when the URL no longer works when VMware changes their documentation structure.)

Otherwise, I hope this helps someone else!

GalNeb
Enthusiast
Enthusiast

Even all this did not work in the HTML5 client.  Had to resort to the Flash / Web Client to get an upload to work.  As soon as NetApp gets off their ass and releases their plugins for 6.7 we will upgrade to an HTML5 client that actually works.

Old enough to know better, young enough to try anyway
Reply
0 Kudos