13 Replies Latest reply on Nov 16, 2018 8:58 AM by GalNeb

    Minimal vCenter permissions for a user to upload files to a datastore in 6.5

    alexanderjn Enthusiast

      Hi all,

       

      Recently worked on an upload issue and figured it was worth posting here in case anyone else ever encounters something similar.

       

      Environment:

      • vCenter 6.5 build 5973321
      • ESXi 6.5 build 5310538 (image profile ESXi-6.5.0-4564106-standard)
      • The web browser used to upload files
      • The vCenter account of the user who will be uploading files already has
        • A role containing the privileges "Datastore > Browse datastore" and "Datastore > Low level file operations" applied to the datastore where files will be uploaded
        • The "Read-Only" role applied to the host objects (propagating to children or not) that are mounting the datastore where files will be uploaded

       

      Symptoms:

      • The user can create folders in the datastore browser
      • In the vSphere Web Client (Flex UI) after choosing a file to upload, the UI refreshes but the file is not uploaded
      • In the vSphere Client (HTML5) attempting to upload a file errors with the message "Failed to transfer data. For more information check out the logs."
      • In the vCenter web client log (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log) entries similar to the following appear
        • [<date>] [ERROR] data-service-pool-786        70005481 100911 200867 com.vmware.vsphere.client.storage.impl.DatastorePropertyProvider  Not able to acquire generic service ticket for the purpose of file transfer com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
        • [<date>] [ERROR] http-bio-9090-exec-3         70005482 100912 200867 com.vmware.vise.vim.http.transport.FileUploadRequestHandler       Failed to transfer data to url: https://<esxi_fqdn>/folder/<folder_name>/<file_being_uploaded_name>?dcPath=ha-datacenter&dsName=<datastore_name> java.io.IOException: Error writing request body to server

       

      (apparent) Cause:

      • In order to transfer files to a datastore via a host, the user apparently requires the privilege "Host > Configuration > System Management" applied to the hosts mounting the datastore, NOT the "Read Only" role. The role containing the privilege "Host > Configuration > System Management" for the user does not need to propagate to the children of the host object. Hat tip to petermie and Mincho Tonev in the post "User with Administrator role can't upload files to datastores" for finding that.

       

      Hope this helps someone down the line.
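
Added example (not part of the original post and not VMware tooling): a Python script that scans vsphere_client_virgo.log text for the pair of errors quoted above and reports which ESXi host and datastore each denied upload targeted, so the host objects missing "Host > Configuration > System Management" can be identified. The sample log lines, host and datastore names, and the rule that a denial is paired with the next upload failure in the log are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample modelled on the two log entries quoted in the post.
# Host names, datastore names and timestamps are made up for illustration.
SAMPLE_LOG = """\
[2018-01-10T09:00:01.000Z] [ERROR] http-bio-9090-exec-1 70005470 100900 200860 com.vmware.vise.vim.http.transport.FileUploadRequestHandler Failed to transfer data to url: https://esx02.example.test/folder/tmp/big.iso?dcPath=ha-datacenter&dsName=ds-scratch java.io.IOException: Error writing request body to server
[2018-01-10T09:05:12.000Z] [ERROR] data-service-pool-786 70005481 100911 200867 com.vmware.vsphere.client.storage.impl.DatastorePropertyProvider Not able to acquire generic service ticket for the purpose of file transfer com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
[2018-01-10T09:05:13.000Z] [ERROR] http-bio-9090-exec-3 70005482 100912 200867 com.vmware.vise.vim.http.transport.FileUploadRequestHandler Failed to transfer data to url: https://esx01.example.test/folder/iso/installer.iso?dcPath=ha-datacenter&dsName=ds-iso java.io.IOException: Error writing request body to server
"""

# Service ticket request rejected with NoPermission (first entry in the post).
TICKET_DENIED = re.compile(r"Not able to acquire generic service ticket.*NoPermission")
# Upload to the host's /folder/ URL failed (second entry in the post).
UPLOAD_FAILED = re.compile(r"FileUploadRequestHandler\s+Failed to transfer data to url: (\S+)")


def find_denied_uploads(log_text):
    """Return host/datastore/file for each upload failure that directly
    follows a NoPermission ticket denial. Failures with no preceding
    denial are skipped, since they may have a different cause."""
    findings = []
    denied_pending = False
    for line in log_text.splitlines():
        if TICKET_DENIED.search(line):
            denied_pending = True
            continue
        match = UPLOAD_FAILED.search(line)
        if match and denied_pending:
            url = urlsplit(match.group(1))
            query = parse_qs(url.query)
            findings.append({
                "host": url.hostname,  # host object to check permissions on
                "datastore": query.get("dsName", [None])[0],
                "file": unquote(url.path).split("/folder/", 1)[-1],
            })
            denied_pending = False
    return findings


if __name__ == "__main__":
    for finding in find_denied_uploads(SAMPLE_LOG):
        print("Upload of {file} to {datastore} denied via host {host}".format(**finding))
```
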