16 Replies. Latest reply on Jul 24, 2014 11:47 AM by ryanhulce

    What permissions are needed to deploy from OVA/OVF

    vmproteau Expert

      Our environment is vCenter 4.1 U1 and ESXi 4.1 U1. We have a multi-tenant Lab environment where users are isolated with separate Resource Pools and separate VM, Storage, and Network folders. The users are administrators to all of these.

       

      They want to be able to deploy OVA/OVF templates, but they get this error (attached image) at this point. I'd like to know the minimum permissions required to allow this without exposing other tenants' resources.

        • 1. Re: What permissions are needed to deploy from OVA/OVF
          MauroBonder Champion
          User Moderators, VMware Employees

          You can find some information in the vSphere admin guide (page 225: Required Privileges for Common Tasks).

          Don't know if it's enough for you... but with administrator privilege I know that you will not have a problem there.

          • 2. Re: What permissions are needed to deploy from OVA/OVF
            vmproteau Expert

            Thanks but I have looked at that. vCenter permissions are pretty nice but the ability to isolate users in a production environment can be cumbersome and incomplete in some cases. That's why I only do it in the Lab.

             

            I am looking for the specific minimum permissions for OVF/OVA deployment, the levels to apply them to and whether propagation is necessary. The other requirement is the permissions can't allow visibility to other tenant resources.

            • 3. Re: What permissions are needed to deploy from OVA/OVF
              MauroBonder Champion
              User Moderators, VMware Employees

              Set this permission on one specific host, so it does not propagate.

              • 4. Re: What permissions are needed to deploy from OVA/OVF
                vmproteau Expert

                Didn't understand what you were saying in your last post.

                • 5. Re: What permissions are needed to deploy from OVA/OVF
                  MauroBonder Champion
                  User Moderators, VMware Employees

                  Don't use a permission in vCenter with "Propagate" to all. You can set this "Common Tasks" permission on a specific host of your cluster.

                  How? Access your environment, click on the specific host where the OVA will be deployed, go to the Permissions tab > Add Permission > clear the "Propagate to Child Objects" check box to restrict what the user will see.

                  OK?

                  • 6. Re: What permissions are needed to deploy from OVA/OVF
                    vmproteau Expert

                    I understand how permissions work. As I said, I already have a fully functioning lab with many users completely isolated from each other.

                    I'm sorry if I'm not being clear, but what I need are the actual permissions that control OVF/OVA deploy tasks. I have looked and tried a couple, but I haven't found an example in the "Common Tasks" section that applies here.

                    • 7. Re: What permissions are needed to deploy from OVA/OVF
                      MauroBonder Champion
                      User Moderators, VMware Employees

                      If you have already exported the OVF, just click on the OVF and give permission to the virtual machine. If this OVF uses a plugin, that way the user will have full administration of the VM, but not of the plugin.

                      Also read this guide, maybe it helps: http://www.vmware.com/vmtn/resources/826
                      • 8. Re: What permissions are needed to deploy from OVA/OVF
                        vmproteau Expert

                        Sorry, you're just not getting it. I appreciate your assistance, but you need to read this whole thread carefully from the beginning. I can't explain it any clearer. Look at the image I attached.

                        • 9. Re: What permissions are needed to deploy from OVA/OVF
                          Chris Wahl Master

                          I attempted to re-create your environment in my lab. I assigned "administrator" privileges to a test user within a resource pool, network folder, VM folder, and disk folder. I then imported the OVF for CapacityIQ without any issues.

                           

                          To troubleshoot further, I deleted access to the resource pool and could no longer select a host. I then restored that and removed access to the network folder, and got a specific error stating that I had no rights to a network to assign the OVF to.

                          VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
                          • 10. Re: What permissions are needed to deploy from OVA/OVF
                            vmproteau Expert

                            It may be at the Host level where permissions are lacking. I don't assign any permissions at the Host level. Users have Read at the cluster level (without propagation). However, I suspect I removed Host permissions because it gave visibility to other tenants' resource pools and VMs.

                            You can see from the image I attached to the original post that I was attempting to choose the Cluster to deploy to. I'll look on my end, but see if you reproduce my error by removing Host-specific permissions for the user. Note: I also give them Read Only at the DC level (no propagate).

                             

                            Thanks for taking the time to re-create this.

                            • 11. Re: What permissions are needed to deploy from OVA/OVF
                              vmproteau Expert

                              I did add Read Only (no propagate) to each Host and was able to deploy the OVF/OVA without issue.

                              I do remember now why I removed Host permissions. First, it wasn't adding anything I could see at the time, but more importantly, originally when trying to determine whether vCenter permissions were sufficient for appropriate isolation, I was impressed to see that even certain log files at the Data Center and Cluster levels were filtered and hidden depending on permissions granted at the various other levels. Unfortunately, certain tasks/logs are visible to all regardless of permissions. So ultimately users are seeing logs and tasks for other tenants.

                              In this case, once Read Only is added at the Host level, additional tasks/logs are made visible at the Data Center and Cluster levels. Also, now there is another set of tasks/logs visible at the Host level.

                              I recall some additional isolation deficiencies around Template Customization Specifications which could be problematic. Certainly the current level of isolation will be sufficient for most, and it is certainly better than a lot of multi-tenant applications out there; however, for very strict separation it is not 100% possible with current releases.

                              Please post if I'm mistaken and you have eliminated some or all of these exceptions in your environments.

                              • 12. Re: What permissions are needed to deploy from OVA/OVF
                                Chris Wahl Master

                                vmproteau wrote:

                                 

                                In this case, once Read Only is added at the Host level, additional tasks/logs are made visible at the Data Center and Cluster levels. Also, now there is another set of tasks/logs visible at the Host level.

                                I recall some additional isolation deficiencies around Template Customization Specifications which could be problematic. Certainly the current level of isolation will be sufficient for most, and it is certainly better than a lot of multi-tenant applications out there; however, for very strict separation it is not 100% possible with current releases.

                                Please post if I'm mistaken and you have eliminated some or all of these exceptions in your environments.

                                 

                                The new logs at the DC/Cluster level should only reflect objects the user can see on objects deeper down in the tree. This is a really nice feature of the client.

                                 

                                I'm most comfortable with the VMware Lab Manager product, as I think it is designed to do what you are trying to do. The vSphere client is mostly geared towards delegation to other parts of the business (in my opinion) rather than giving access or control to clients.

                                VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
                                • 13. Re: What permissions are needed to deploy from OVA/OVF
                                  vmproteau Expert

                                  Chris Wahl wrote:

                                   

                                  The new logs at the DC/Cluster level should only reflect objects the user can see on objects deeper down in the tree. This is a really nice feature of the client.

                                  Generally this is the case, but certain tasks show up exposing VM names and user names etc.

                                   

                                  I'm most comfortable with the VMware Lab Manager product, as I think it is designed to do what you are trying to do. The vSphere client is mostly geared towards delegation to other parts of the business (in my opinion) rather than giving access or control to clients.

                                   

                                  I'll need to take a look at Lab Manager just to see what that looks like for a multi-tenant Lab. A little bit of overkill for our current environment, but we'll see. We'll probably end up with vCloud Director or similar for self-service provisioning in our production environment.

                                   

                                  Thanks for the assistance Chris.

                                  • 14. Re: What permissions are needed to deploy from OVA/OVF
                                    Mikeis4AU Lurker

                                    You may have already solved this issue, but I had a similar problem. The specific permission required at the Datacenter level is under vApp "Import"; I also selected "View OVF Environment". I use tiered permissions: one at the Datacenter level with limited options, and the other uses Resource Pool Admin, which starts at the cluster level. Anyway, thought I would throw my two cents in there if anyone was still looking for the specific permission.
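As an added example (not code from the thread or from VMware), here is a PowerCLI script that applies what reply 14 and reply 11 describe: a custom role holding only the vApp "Import" and "View OVF environment" privileges, assigned at the Datacenter level without propagation, plus Read-only on each host (no propagation) so the host is selectable during deployment, followed by an audit of what the tenant principal holds. The vCenter address, tenant principal, role, datacenter and cluster names are placeholders, and the tenant's existing administrator rights on their own resource pool and folders (from the original post) are assumed to be in place already.

```powershell
# Added example, not from the thread. Placeholders: vcenter.lab.example,
# LAB\tenantA, LabDC, LabCluster, Tenant-OVF-Deploy. Requires VMware PowerCLI.
Connect-VIServer -Server 'vcenter.lab.example' | Out-Null

$principal = 'LAB\tenantA'

# Privilege IDs behind "vApp > Import" and "vApp > View OVF environment".
$privIds = @('VApp.Import', 'VApp.ExtractOvfEnvironment')
$privs   = Get-VIPrivilege -Id $privIds
if ($privs.Count -ne $privIds.Count) {
    throw "Expected $($privIds.Count) privileges, resolved $($privs.Count)"
}

# Minimal deploy role: only the two vApp privileges, nothing that lists
# other tenants' objects. Reuse it if it already exists.
$role = Get-VIRole -Name 'Tenant-OVF-Deploy' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'Tenant-OVF-Deploy' -Privilege $privs
}

# Datacenter-level permission with Propagate off, so the tenant gains
# nothing on the objects beneath the datacenter.
$dc = Get-Datacenter -Name 'LabDC'
New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$false | Out-Null

# Read-only on each host of the cluster, again without propagation, which is
# what made the host selectable in the deploy wizard in reply 11.
$readOnly = Get-VIRole -Name 'ReadOnly'
foreach ($vmhost in (Get-Cluster -Name 'LabCluster' | Get-VMHost)) {
    New-VIPermission -Entity $vmhost -Principal $principal -Role $readOnly -Propagate:$false | Out-Null
}

# Audit: everything this principal now holds. Any row with Propagate = True
# on a datacenter, cluster or host is a candidate for exposing other tenants.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The audit table is the part to re-run after any change, since reply 11 shows that adding a host-level permission changes which tasks and logs become visible at the Datacenter and Cluster levels.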
