Use case:
We have a VSAN 6.2 cluster which we want to monitor with our vROPs 6.2.0 instance.
Therefore I installed the MPSD 6.0.4 and configured the adapter. The credentials I gave the adapter to pull all needed data from vCenter have read-only rights in vCenter. According to the user guide of MPSD this is not sufficient:
Verify that the following conditions are met: Read-only credentials are not adequate to connect and collect data from the vCenter Server and fabric CIM servers. You must provide credentials with sufficient privileges. If the user account has limited access to objects in vCenter and the fabric CIM server, you can only collect data from objects for which you have permission.
Furthermore, the adapter log of vROps shows errors like the following:
2016-06-01 10:38:38,199 ERROR [pool-13-thread-5] (11200) com.integrien.adapter3.vsom.datasource.ESXDataSource.connect - Could not initialize CIM client of host Host_x.x.x.x
java.lang.NullPointerException
at com.integrien.adapter3.vsom.util.USAUtil.createWBEMClient(USAUtil.java:428)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.initializeConnectionObjects(ESXDataSource.java:282)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.connect(ESXDataSource.java:7225)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.<init>(ESXDataSource.java:223)
at com.integrien.adapter3.vsom.datasource.VCDataSource.getAllHostDataSources(VCDataSource.java:3934)
at com.integrien.adapter3.vsom.datasource.VCDataSource.discoverResources(VCDataSource.java:375)
at com.integrien.adapter3.vsom.ResourceDiscoveryTask.run(ResourceDiscoveryTask.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2016-06-01 10:38:38,200 ERROR [pool-13-thread-5] (11200) com.integrien.adapter3.vsom.datasource.VCDataSource.getAllHostDataSources - Exception thrown while creating ESXDataSource
java.lang.Exception: Could not establish connection with the Host host-74216
at com.integrien.adapter3.vsom.datasource.ESXDataSource.<init>(ESXDataSource.java:224)
at com.integrien.adapter3.vsom.datasource.VCDataSource.getAllHostDataSources(VCDataSource.java:3934)
at com.integrien.adapter3.vsom.datasource.VCDataSource.discoverResources(VCDataSource.java:375)
at com.integrien.adapter3.vsom.ResourceDiscoveryTask.run(ResourceDiscoveryTask.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
016-06-01 10:38:34,045 ERROR [pool-13-thread-5] (11200) com.integrien.adapter3.vsom.datasource.ESXDataSource.initializeConnectionObjects - Error during initializeConnectionObjects
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Permission to perform this operation was denied. Please see the server log to find more detail regarding exact cause of the failure.
at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:124)
at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
at com.sun.proxy.$Proxy159.acquireCimServicesTicket(Unknown Source)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.initializeConnectionObjects(ESXDataSource.java:276)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.connect(ESXDataSource.java:7225)
at com.integrien.adapter3.vsom.datasource.ESXDataSource.<init>(ESXDataSource.java:223)
at com.integrien.adapter3.vsom.datasource.VCDataSource.getAllHostDataSources(VCDataSource.java:3934)
at com.integrien.adapter3.vsom.datasource.VCDataSource.discoverResources(VCDataSource.java:375)
at com.integrien.adapter3.vsom.ResourceDiscoveryTask.run(ResourceDiscoveryTask.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
The question is now which rights are needed for the vROps user to let the adapter successfully execute the tasks to get all needed data?
Has anyone come across this issue?
Regards,
daniel
Have the same issue. Have a case with GSS which hopefully can come up with an answer.
I temporarily gave admin rights to the collector account for vROps. That led to a situation where apparently all VSAN objects are discovered and in status "data receiving".
Nevertheless it seems that relations are not discovered fully and most of the dashboards are empty.
This sounds like the same problem as in previous releases. I guess it still hasn't been fixed.
Reference:
vROPS 6.1.0 not displaying vSAN dashboards using Management Pack for Storage Devices
So I think I got the user rights correct - At least it works for me. But I'm not using the mgmt pack for vsan, so there might be more to it.
Name | ParentGroup | Id |
Anonymous | System | System.Anonymous |
View | System | System.View |
Read | System | System.Read |
Storage partition configuration | Configuration | Host.Config.Storage |
CIM interaction | CIM | Host.Cim.CimInteraction |
Profile-driven storage view | Profile-driven storage | StorageProfile.View |
View | Storage views | StorageViews.View |
These are the user rights I assigned to my vROps service account. System.Anonymous, System.View and System.Read are there by default, so they don't have to be set. Only the last four. Name is what the property is called in the GUI, ParentGroup is the property tree item which the name is under, and Id is the API reference privilege. I have included the Id as the Id name helps to identify where the property is "hidden". E.g. "Host.Cim.CimInteraction" means it is a "Host" property, and under there the "ParentGroup" will be "CIM", and there a property named "CIM interaction" will be.
See if it works and please provide some feedback.
These in themselves are not enough - you need default vROps/vCenter rights as well. See this post: Minimum vCenter permissions required for vRealize Operations and vRealize LogInsight
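An added example, not part of the original thread: a PowerCLI sketch that builds a dedicated role from the four privilege Ids listed above, instead of granting the collector account admin rights, and then reports any privilege on the role beyond that list. The role name and the service account principal are hypothetical placeholders, an existing Connect-VIServer session is assumed, and the base vROps/vCenter privileges from the post referenced above are not included here.

```powershell
# Requires VMware PowerCLI and an active Connect-VIServer session.
$RoleName  = 'vROps-MPSD-Collector'   # hypothetical role name
$Principal = 'EXAMPLE\svc-vrops'      # hypothetical service account

# Privilege Ids taken from the table in the thread (the last four rows).
$WantedIds = @(
    'Host.Config.Storage',
    'Host.Cim.CimInteraction',
    'StorageProfile.View',
    'StorageViews.View'
)
# Present on every role by default, per the thread.
$DefaultIds = @('System.Anonymous', 'System.View', 'System.Read')

# Resolve every Id first and fail loudly if this vCenter does not know one,
# so a typo never results in a silently incomplete role.
$privileges = foreach ($id in $WantedIds) {
    $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { throw "Privilege Id not found on this vCenter: $id" }
    $p
}

# Create the role, or add the missing privileges to an existing one.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if ($role) {
    $role = Set-VIRole -Role $role -AddPrivilege $privileges
} else {
    $role = New-VIRole -Name $RoleName -Privilege $privileges
}

# Least-privilege audit: list anything on the role that is not expected.
$allowed = $WantedIds + $DefaultIds
$extra = $role.PrivilegeList | Where-Object { $_ -notin $allowed }
if ($extra) {
    Write-Warning "Role '$RoleName' carries unexpected privileges: $($extra -join ', ')"
}

# Assign the role at the vCenter root folder and propagate to child objects.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true
```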