I need opinions and some knowledge on this question. Does anyone see a problem with giving server owners the ability to query their vms using Power CLI? Just becoming familiar with Power CLI so i'm not fully comfortable with giving users the ability yet. I have seen what bad SQL queries can do to a server not sure how power CLI could effect a cluster?
All the PowerCLI cmdlets require the user to have the correct permission to execute them.
For example, if a user has a Read-Only permission on a specific guest, he will not be able to do any destructive work on that guest.
So, if your permssions/privileges are applied correctly to your users, you can safely give them access to PowerCLI.
They won't be able to do what you didn't allow them to do.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I guess my fear is - could they write something that might query their vms every 1 minute or something crazy and cause a huge load on the cluster? For instance the server owner who is requesting has about 150 vms spread across 15 hosts. I'm sure it is fine but just want to make sure there are no surprises. My other question is will i be able to tell when someone is running queries? Would it show up in the logs of the host or the vms?
I guess my fear is - could they write something that might query their vms every 1 minute or something crazy and cause a huge load on the cluster? For instance the server owner who is requesting has about 150 vms spread across 15 hosts. I'm sure it is fine but just want to make sure there are no surprises. My other question is will i be able to tell when someone is running queries? Would it show up in the logs of the host or the vms?
Yes, they can write something that will bombard the VC db with queries.
Luckily you find out about most of the tasks a user launches against a vSphere server with the Get-VIEvent cmdlet when you use the -Username parameter.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I would suggest looking into the Hytrust appliance to control access. The current problem w/ the API is that it cannot be locked down to disallow mass change to environment, so something as harmless as granting access to change a vm's network segment could blow up in your face if the user decided to run that against all their vm's.
Querying in general usually isn't something to worry about except in the case below, but a query would usually just take a long time on their end unless they use the get-view cmdlet.
Chris Nakagaki (Zsoldier)
I am out of the office at this time. If you need immediate assistance please contact the mg help desk 804-649-6594.