Concepts and techniques you’ll need to master
What a role is and how to create it and assign users and groups to it
How to assign permissions to objects in the inventory
The difference between VirtualCenter security and ESX Server security
The limitations of Web Access
With great power comes great responsibility. Your responsibility is to make sure that the virtual infrastructure you have deployed is secure and that role-based access has been implemented so that the right users have the necessary security permissions to perform their daily tasks. This chapter is dedicated to security in VMware Infrastructure.
The VMware Infrastructure security model consists of both VirtualCenter security and ESX Server security. The security model revolves around users and groups that are assigned roles. These roles constitute a collection of rights or privileges to perform certain tasks.
The cornerstones of the VMware Infrastructure (VI) security model are the users, groups, roles, privileges, and permissions that you can assign at different levels and to different objects within your infrastructure. Properly configuring and assigning these rights and permissions enables you to enforce accountability. Taking a closer look at each of these cornerstones helps you better design your security solution:
• User and group: An account that is allowed to log in to the VMware infrastructure. A group is a collection of accounts with rights to log in and perform other tasks within the VMware Infrastructure.
• Role: A collection of privileges that a user or group is allowed to perform.
• Privilege: An allowed action or function within a role. In other words, a privilege allows a user or group to perform a certain task.
• Permission: A right assigned to an object in the inventory and grants a user or group the right to interact with that object according to selected roles and privileges.
Familiarizing yourself with roles is an imperative task of building your access control into the Virtual Infrastructure. To help you get started, Table 8.1 shows a set of default roles available to you.
The easiest way to get to the Roles panel is to log in to ESX Server or VirtualCenter using your VI client. Click the Administration tab and then the Roles tab, as shown in Figure 8.1.
EXAM ALERT
The VCP exam is sure to quiz you on the difference between the ESX host roles and the VC Server roles, so make sure you know which roles belong where.
On the Roles panel, you can right-click any role and edit it. However, we recommend that you maintain the integrity of the existing roles and create your own custom roles if the need arises. To do so, you can right-click anywhere in the Roles pane and click Add to start the new role creation, as shown in Figure 8.2.
After you have crafted the appropriate roles for your environment, it is time to apply them to the right inventory object to allow your users and groups access only to the part of the inventory tree that you want them to have access to. To apply permissions, find the object in the tree on which you want to implement security, right-click it, and select Add Permission. This brings you to a screen similar to the one shown in Figure 8.3 that allows you to choose a user or group and assign the corresponding role that you want the user or group to have for this inventory object.
When assigning permissions, you may choose to have these permissions propagate from the object where the permission originated and downward to all the child objects. To do this, simply place a check mark in the check box next to Propagate to Child Objects, as shown in Figure 8.3.
If a conflict arises when assigning permissions, the most restrictive of the permissions takes precedence. For instance, if a user is part of a group in the Administrator role but the user is explicitly assigned a Read-Only role on a particular object, the most restrictive of the permissions takes precedence, thereby allowing the user only Read-Only permissions to the object. Keep in mind though that if permissions do not propagate down to any child objects, the user has Read-Only permission over the object but has full permissions over the child objects. The reason behind this is Propagate permissions is not enabled, which means you are slapping explicit permissions on this object only, but not its child object. The child objects in this case inherit the permissions given to the user’s group.
EXAM ALERT
Knowing how permissions are applied and the precedence of permissions are topics that are sure to come up on the exam.
When explicitly assigned, permissions take precedence and the most restrictive permissions are enforced.
VirtualCenter is a Windows-based application to be installed on a Windows-based operating system. It has two types of directory repositories to select from:
• Local: If VirtualCenter is installed on a Windows server that is part of a workgroup, the users and groups that are local members of this server can be configured to have access in VirtualCenter.
• Domain: If VirtualCenter is part of an Active Directory domain, in addition to the ability to configure local users and groups, you can also configure users and groups from Active Directory.
By default, the local Administrators group is assigned the Administrator role at the top of the inventory list in VirtualCenter. If the VC server is member of a domain, the Domain Admins group is also added by default.
The ESX Server security revolves around the Service Console, and because the Service Console operating system is based on Red Hat Linux, the users and groups that you find in the ESX Server are Linux users and groups. These users and groups can be configured to grant direct access to an ESX host.
TIP
Do not configure permissions using ESX users and groups. The reason behind this is the permissions you assign on a per ESX Server level do not propagate to other ESX hosts; therefore, using a common users and groups directory makes it easier to manage permissions.
By default, the following users are assigned the Administrator role in ESX Server:
• root is the equivalent of the administrator in the Windows world and is the highest user account that is created by default.
• vpxuser is added to the Administrators group in ESX after the ESX Server is joined to VirtualCenter. VirtualCenter uses this user to authenticate itself to the ESX host to send preapproved commands.
While the vpxuser is used to authenticate VirtualCenter to ESX Server and pass preapproved commands, the root account actually executes these commands. So in this case, the vpxuser acts merely as a secure bridge between VirtualCenter and the ESX host, while the root user account is tasked with executing VirtualCenter tasks.
Web Access is designed to allow you to manage virtual machines from anywhere without requiring special software to be installed on the host from which you are trying to connect. Web Access is not as robust or feature friendly as the VI client, and it allows for limited functionality but can be useful when you need to perform certain tasks from a machine that does not have the VI client installed or if you need to pass an administrative tool with limited features to a group like the helpdesk, for example.
To access Web Access, you need to point your Internet browser to either the IP address or fully qualified domain name (FQDN) of your ESX host or your VirtualCenter Server. If you point to your ESX host, you are able to manage virtual machines that are on this host only. If you log in to VirtualCenter Web Access, you are able to manage all your VMs.
After logging in to Web Access, you can select any VM in the list and you are able to perform the following tasks, shown in Figure 8.4:
• Enumerate VMs
• Launch console access to a VM
• Manipulate all power functions against a VM
• View a VM’s status
• Edit VM configuration
EXAM ALERT
The exam will surely challenge your knowledge of the difference between Web Access and the full VI client. Know the limitations of the Web Access compared to the full VI client.
CAUTION
You cannot create VMs from Web Access; this function requires the VI in order to be completed.
NOTE
To launch a VM’s console from Web Access, you need to have installed the VMware Virtual Infrastructure plug-in in your browser.
The minimum system requirements to successfully connect and log in to Web Access are as follows:
On a Windows machine:
• Internet Explorer 6.0 or higher
• Firefox 1.0.7 or higher
• Netscape Navigator 7.0 or higher
• Mozilla 1.x
On a Linux machine:
• Firefox 1.0.7 or higher
• Mozilla 1.x
• Netscape Navigator 7.0 or higher
One of the very cool things you can do with Web Access is to generate a regular web URL to a particular virtual machine. This URL gives you or any user you send it to direct access to this virtual machine. This capability is useful when you want to provide someone access to a virtual machine directly; you can just as easily paste the URL link into an email and send it to that person.
To generate a URL for a VM, you can simply click the Generate Remote Console URL link shown in Figure 8.4. This brings you to a screen similar to the one shown in Figure 8.5 that allows you to configure different settings to control which user interface features the user has access to.
1. What is a collection of privileges called in the security model of a VMware Infrastructure?
A. Role
B. Right
C. Access
D. Permission
2. Choose two roles that are default VirtualCenter roles.
A. Night-shift Operator
B. VCB User
C. Backup Administrator
D. Virtual Machine User
3. Which version of Internet Explorer is the minimum that can be used with Web Access?
A. 4.0
B. 5.0
C. 6.0
D. 7.0
4. Choose the roles that are not default ESX Server roles.
A. Read-Only
B. No Access
C. Datacenter Administrator
D. Resource Pool Administrator
5. Which version of Mozilla Firefox is the minimum that can be used with Web Access?
A. 1.0.4
B. 1.0.5
C. 1.0.6
D. 1.0.7
6. True or false: When using Web Access, you can access VMs only by accessing the VirtualCenter Server.
A. True
B. False
7. Approximately how many privileges are there by default in VMware Infrastructure?
A. 50
B. 75
C. 100
D. 150
8. True or false: Web Access can be used to create virtual machines.
A. True
B. False
9. True or false: ESX Server and VirtualCenter Server users and groups can be synchronized.
A. True
B. False
10. Which two user accounts are assigned to the ESX Server Administrator role by default?
A. adm
B. vpxuser
C. vpx
D. root
Answers to Exam Prep Questions
1. Answer A is correct. A collection of privileges is known as a role in a VMware Infrastructure.
2. Answers B and D are correct. From the list provided, the two roles that are available by default on a VirtualCenter server are VMware Consolidated Backup (VCB) User and Virtual Machine User.
3. Answer C is correct. Internet Explorer version 6.0 is the minimum that can be used to access Web Access.
4. Answers C and D are correct. The two roles that are not default ESX Server roles are Datacenter Administrator and Resource Pool Administrator.
5. Answer D correct. The minimum version of Mozilla Firefox that is supported with Web Access is 1.0.7.
6. Answer B, False, is correct. You can access the Web Access console by either pointing to the ESX Server or VirtualCenter Server IP address or FQDN. When pointing to the ESX host, you see only the VMs on that host, whereas when pointing the web access to the VC server, you see all the VMs.
7. Answer C is correct. There are approximately 100 privileges by default.
8. Answer B, False, is correct. Web Access cannot be used to create virtual machines. Web Access can be used only to manage VMs. To create virtual machines, you need to use the VI client.
9. Answer B, False, is correct. ESX Server and VirtualCenter Server users and groups cannot be synchronized.
10. Answers B and D are correct. The two user accounts that are assigned the administrator role by default on the ESX Server are root and vpxuser.