Read-Only user in VMWare for ManageIQ


#1

Hello,

I want to create a service role for ManageIQ on the VMware cluster.
I need the role to be a read-only one because we will start to use ManageIQ as a monitoring and reporting platform for our VMware infrastructure.
How should I change the permissions detailed in this thread -> Adding VMware vCenter infra provider to get a role that can do the following:

  • Collect all the possible metrics (C&U)
  • See all the items in the VMware infra and correlate the metrics with them.
  • Be able to forecast usage
  • The role has to be unable to change, start or stop anything on the VMware platform.

Can you help me adapt that list of permissions?

Regards


#2

@pablohalamaj it hasn’t been tried but if you don’t need to do operations (e.g. provision a vm, start/stop a vm, retire a vm, etc…) you might be able to get away without things like “Cancel Task”, “Log Event”, “Set custom attribute”, and read-only for everything else.

I would recommend doing it systematically and confirming that the operations you care about still work. If you are able to narrow down the minimal read-only list for something like metrics collection I would love to get that into the docs. Unfortunately we don’t have anything in place to check that we have the required permissions before performing an action or enabling a role so if someone tried to provision a VM it would fail with probably an ugly error message.


#3

And for the record this is the “official” list of permissions:
http://manageiq.org/docs/reference/latest/doc-Managing_Providers/miq/#adding-a-vmware-vcenter-provider, we technically require an administrative user for the main EMS credentials but the list of host permissions is a pretty good place to start if you want to try to pare that down.


#4

Thanks for the answer. After some tests, the profile with only “read” permissions didn’t work. I will try to build a lab in order to report the full errors and:

  • The functionality available with a read-only profile
  • The minimum permissions needed for a “monitoring and metrics” only profile on VMware.

Regards


#5

Interesting, I was able to collect inventory, events, and metrics with just a read-only user (applied to the datacenter, propagated to children) plus Profile-driven storage view at the VC level. I’m very interested in seeing what errors you hit when collecting metrics.
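
The layout described in #5 (read-only role on the datacenter with propagation, plus Profile-driven storage view at the vCenter root), written out as a PowerCLI script so it can be applied and audited repeatably. This is an added example, not code from the thread or from the ManageIQ project. The vCenter address, the principal, the datacenter name and the role names are placeholders; the privilege IDs are taken from vSphere's privilege reference (the built-in Read-only role is System.Anonymous, System.View and System.Read; Profile-driven storage view is StorageProfile.View) and should be checked against your vCenter version.

```powershell
# Added example (not from the thread or the ManageIQ project): create the
# read-only ManageIQ service-account layout from post #5 with VMware PowerCLI.
# Assumptions (placeholders): vCenter 'vcenter.example.com', principal
# 'EXAMPLE\svc-manageiq', datacenter 'DC1', and the two role names.
# Privilege IDs assumed from the vSphere privilege reference.

Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com'

$Principal  = 'EXAMPLE\svc-manageiq'
$Datacenter = Get-Datacenter -Name 'DC1'
$RootFolder = Get-Folder -NoRecursion            # vCenter root folder

# Role 1: strictly read-only. A custom role cloned from the built-in
# Read-only role's three privileges keeps the grant auditable and
# independent of later edits to the built-in role.
$ReadOnlyPrivs = Get-VIPrivilege -Id 'System.Anonymous','System.View','System.Read'
$ReadOnlyRole  = Get-VIRole -Name 'ManageIQ-ReadOnly' -ErrorAction SilentlyContinue
if (-not $ReadOnlyRole) {
    $ReadOnlyRole = New-VIRole -Name 'ManageIQ-ReadOnly' -Privilege $ReadOnlyPrivs
}

# Role 2: the single extra privilege needed at the vCenter root so storage
# profile data can be read. vCenter adds the System.* basics to every custom
# role anyway; listing them explicitly keeps the allow-list check below honest.
$StoragePrivs = Get-VIPrivilege -Id 'System.Anonymous','System.View','System.Read','StorageProfile.View'
$StorageRole  = Get-VIRole -Name 'ManageIQ-StorageProfileView' -ErrorAction SilentlyContinue
if (-not $StorageRole) {
    $StorageRole = New-VIRole -Name 'ManageIQ-StorageProfileView' -Privilege $StoragePrivs
}

# Assign: read-only on the datacenter, propagated to every child object
# (clusters, hosts, VMs, datastores, networks); storage view only at the
# root, not propagated, so the datacenter-level grant stays pure read-only.
New-VIPermission -Entity $Datacenter -Principal $Principal -Role $ReadOnlyRole -Propagate:$true
New-VIPermission -Entity $RootFolder -Principal $Principal -Role $StorageRole -Propagate:$false

# Verify: union every privilege held by any role granted to the principal
# and fail loudly if anything outside the read-style allow-list shows up,
# since any other privilege would let the account change state.
$Allowed = @('System.Anonymous','System.View','System.Read','StorageProfile.View')
$Granted = Get-VIPermission -Principal $Principal |
           ForEach-Object { (Get-VIRole -Name $_.Role).PrivilegeList } |
           Sort-Object -Unique
$Unexpected = $Granted | Where-Object { $_ -notin $Allowed }
if ($Unexpected) {
    Write-Warning "Service account holds non-read privileges: $($Unexpected -join ', ')"
} else {
    Write-Host "Service account '$Principal' holds only: $($Granted -join ', ')"
}

Disconnect-VIServer -Confirm:$false
```

Run it as a vCenter administrator, then add the account to ManageIQ as the provider credentials and trigger a refresh, event capture and C&U collection; if a collection fails, the allow-list check at the end is the place to extend one privilege at a time, which is also how the minimal list #2 asks for can be recorded. As #2 notes, ManageIQ does not pre-check permissions, so any control action attempted with this account will simply fail at vCenter.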


#6

Sadly I haven’t been able to build the lab yet, and the person who did the test at one of our clients can’t give me more information :frowning_face:
I will return when I get the information or the lab; the big problem with the lab is getting the VMware software to set it up.