6 Replies Latest reply on Jun 17, 2018 4:49 PM by Bayu Wibowo

    NSX Manager - Account

    rajeevsrikant Expert
    Community Warriors, vExpert

      I am planning to automate certain NSX operations using REST API

      For this I need to use the credentials of the NSX Manager to use REST API

      NSX manager by default has only 1 account "admin"

       

      I don't want to use this account. Below is what I am planning.

      1. Create one additional account in NSX Manager using REST API

      2. Assign the role as "security admin" to this user. This user will have rights to create & delete IPsets & Security group

      3. Use this account in REST API to execute the commands.

       

      Let me know if this will work.

        • 1. Re: NSX Manager - Account
          lhoffer Hot Shot
          VMware Employees, vExpert

          As of 6.4, users with roles other than the Enterprise Admin role have read-only access via the API and can only use the "GET" method, so since it sounds like you'll want your new user to be able to use PUT/POST and DEL, they'll need the Enterprise Admin role. Further detail is in the Managing User Rights section of the admin guide.

           

          Prior to 6.4, SSO users didn't get API access so the method outlined in this VMware Knowledge Base article had to be used to create API users via the CLI.

          • 2. Re: NSX Manager - Account
            rajeevsrikant Expert
            vExpert, Community Warriors

            Thanks.

            I am running NSX version 6.3.2.

             

            When I created the user via CLI as mentioned in the VMware article, that particular account is not visible in the users tab in the NSX manager.

            But when I create the user via REST API, it is visible in the NSX Manager GUI.

             

            Is this the normal behaviour?

             

            If I create a new user via REST API in NSX Manager, will I be able to use this account for REST API to make changes?

            • 3. Re: NSX Manager - Account
              Bayu Wibowo Master
              User Moderators, Community Warriors

              NSX Manager CLI user account is managed locally and separate from the user account management in the vSphere Web Client.

              So when you create a new user in the CLI, that user will not be visible from the vSphere Client and is expected/normal behavior as per this doc: Create a User with Web Interface Access Using CLI

                   The created user is not listed in the Networking & Security > System > Users and Domains > Users tab. Also, no role is assigned to the user.

              The CLI user account will have no access to either the NSX plugin in the vSphere Client or REST API calls; REST API calls will throw an error that the user does not have any role in NSX Manager.

              To assign an NSX role to the CLI user account so that it can access the NSX plugin from the vSphere Web Client and the REST API, assign it through the REST API with another user, for example the admin user, as per the same doc:

                   Assign the required role to the user using the REST API. You can assign auditor (Auditor), security_admin (Security Administrator), or super_user (System Administrator) role as follows:

                   POST - https://<NSX-IP>/api/2.0/services/usermgmt/role/<username>?isCli=true
                   <accessControlEntry>
                     <!-- Enter the required role -->
                     <role>auditor</role>
                     <resource>
                       <resourceId>globalroot-0</resourceId>
                     </resource>
                   </accessControlEntry>
              Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion, AWS-SAA
              Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
              https://nz.linkedin.com/in/bayupw | twitter @bayupw
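Added example (not from the thread or from VMware's documentation): the role-assignment call quoted in reply 3, built with the Python standard library so the role is checked against the three values the quoted doc names and the CLI username is URL-encoded. The function names and environment variable names are assumptions; HTTP Basic authentication is what the NSX for vSphere API uses.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Role names exactly as listed in the doc text quoted in the reply above.
ALLOWED_ROLES = {"auditor", "security_admin", "super_user"}


def role_body(role: str) -> bytes:
    """Build the <accessControlEntry> payload scoped to globalroot-0."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unsupported role: {role!r}")
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = "globalroot-0"
    return ET.tostring(ace, encoding="utf-8")


def build_role_request(host, cli_user, role, api_user, api_password):
    """Return the POST that assigns `role` to an existing CLI user."""
    url = "https://{}/api/2.0/services/usermgmt/role/{}?isCli=true".format(
        host, urllib.parse.quote(cli_user, safe=""))
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    return urllib.request.Request(
        url, data=role_body(role), method="POST",
        headers={"Content-Type": "application/xml",
                 "Authorization": "Basic " + token})


if __name__ == "__main__":
    # Hypothetical environment variable names; no credential is hard-coded.
    req = build_role_request(os.environ["NSX_HOST"], os.environ["NSX_CLI_USER"],
                             "security_admin", os.environ["NSX_API_USER"],
                             os.environ["NSX_API_PASSWORD"])
    # The default context verifies the NSX Manager certificate and hostname.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        print(r.status)
```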
              • 4. Re: NSX Manager - Account
                rajeevsrikant Expert
                Community Warriors, vExpert

                Thanks Bayu

                I am summarizing my understanding & let me know if it is right.

                 

                1. Create a new user using CLI

                2. Assign the role to the user created, via REST API

                3. Then this user will have permission or rights to use REST API

                 

                Let me know if my understanding is right.

                • 5. Re: NSX Manager - Account
                  rajeevsrikant Expert
                  vExpert, Community Warriors

                  I am able to set the user via REST API & also able to set the privilege as below.
                  But there was no option to set the password for the accounts created via REST API?

                  Am I missing something to set the password for these accounts?

                   

                  • 6. Re: NSX Manager - Account
                    Bayu Wibowo Master
                    Community Warriors, User Moderators

                    The user you have created is an NSX CLI User local to the NSX Manager and created through CLI.

                    To change the password, you need to log in to the CLI of NSX Manager, go to privilege mode and use the cli password command.

                    https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/nsx_64_cli.pdf
