Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

In the ITS Private Cloud we have implemented the best of VMware vCenter authorization management along with our internal directory for authentication and authorization. This configuration allows us to manage permissions on objects such as virtual machines, networks, domains and folders with a good level of granularity and efficiency.

The latest version of the ITS Private Cloud RESTful API provides an interface to list permissions o a given object, thus end users can verify who has access to what in their environment. Permissions are set to groups (preferably), but there are cases a specific user needs access temporarily to a given object. The problem arises when the temporarily becomes permanent - to solve this, we have exposed a resource in the RESTful API and implemented in the VSS Command Line interface to list permissions on networks, folders and virtual machines and if a group is permitted, list the group members to verify everyone in the group is allowed to access the object. If you believe a user is not supposed to be allowed, please contact us ASAP at vss(at)eis.utoronto.ca.

This document will guide you through the process of listing permissions on folder objects, but you also can apply this method on networks and virtual machines.

Object

First of all, we should get either the moref or UUID of the object to list permissions. In this case, the folder moref can be queried by vss compute folder ls as follows:

vss-cli compute folder ls -f name=Folder

moref        name     parent    path
-----------  -------  --------  ----------------------------
group-v1234  Folder   Public    Public > Folder

Moref group-v1234 is now our target to list permissions. Validate if the folder is correct by getting its info with vss compute folder get <moref> as shown below:

vss-cli compute folder get group-v1234

Path                : Public > Folder
Parent              : Public
Name                : Folder


vss-cli compute folder get Folder

Path                : Public > Folder
Parent              : Public
Name                : Folder

Permission

Permissions in the folder command can be listed by the vss compute folder get <moref-or-name> perm command:

Usage: vss-cli compute folder get [OPTIONS] MOREF_OR_NAME COMMAND [ARGS]...

  Get given folder info.

Options:
  --help  Show this message and exit.

Commands:
  perm  list permissions.
  vms   list virtual machines.

For instance, querying folder group-v1234 permissions would look like:

vss-cli compute folder get group-v1234 perm

principal             group    propagate
--------------------  -------  -----------
VSKEY5\vc51-VSSPriv   True     True
VSKEY5\vc51-VSSTest   True     True
VSKEY5\jm1            False    True

The output shows that vc51-VSSTest and vc51-VSSPriv group has been granted to access the folder and should propagate to any children contained, however members are not listed. On the other hand, user jm1 has been granted to the folder and its children.

Group members

There are a couple of restrictions in order to get group info and members:

  • you should be a member of the group

  • group should be prefixed by vc5

To get group basic info, use vss-cli account get group <group_name> as follows:

vss-cli account get group vc51-VSSTest

cn                  : vc51-VSSTest
description         : VSS Development Testing and Continuous Integration
create_timestamp    : 20170303022113Z
modify_timestamp    : 20180712175916Z
unique_member_count : 5
unique_member       : ....

If you do are not member of a given group, expect the following output:

vss-cli account get group vc51-VSSPriv --member
Error: status: 401; message: User has no membership on vc51-VSSPriv; error: unauthorized

If one of the group members is no longer authorized to access, please let us know ASAP.

  • No labels