vsicm55_m08_accesscontrol.pdf

Upload: andy

Post on 02-Mar-2016

TRANSCRIPT

  • VMware vSphere: Install, Configure, Manage 369

    Module 8: Access and Authentication Control

    Slide 8-1: Access and Authentication Control

    VSICM55_M08_AccessControl.fm Page 369 Tuesday, November 5, 2013 10:23 AM

  • Slide 8-2: You Are Here

  • Slide 8-3: Importance

  • Slide 8-4: Module Lessons

  • Slide 8-5: Lesson 1: Configuring ESXi Host Access and Authentication

  • Slide 8-6: Learner Objectives

  • Slide 8-7: Host System Properties

    Properties for individual ESXi hosts are configured through the vCenter Web Client. Any host that is managed by a connected vCenter Server is configured in this way. Properties that are set pertain only to the individual connected ESXi host.

    To view and modify host properties:

    1. In the Object pane on the left of the VMware vSphere Web Client, navigate to Host Properties and select the Manage tab.

    2. In the Settings tab, select Security Profile.

    3. Configure the host properties.

  • Slide 8-8: Configuring Security Profile Services

    The Services window displays the name and status of each daemon, whether it is stopped or running. To configure a daemon:

    1. Select the service in the Name column.

    2. In the Service Details window, select the startup policy that you want for the service and click Start.

    If the service was already running and you changed the startup policy, click Restart instead.

    3. When you have finished configuring the service, click OK.

  • Slide 8-9: Configuring the ESXi Firewall

    The VMware ESXi management interface is protected by a service-oriented and stateless firewall. The firewall can be configured using the vSphere Web Client or at the command line with VMware vSphere ESXi Shell commands.

    Firewalls control access to devices in their perimeter by closing all communication pathways, except for those that the administrator explicitly or implicitly designates as authorized. The pathways, or ports, that administrators open in the firewall enable traffic between devices on different sides of the firewall.

    With the ESXi firewall engine, rule sets define port rules for each service. For remote hosts, you can specify the IP addresses or range of IP addresses that are allowed to access each service.
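    The following is an added example, not code from the course or from VMware: a small Python model of the default-deny, per-service behaviour described above. Each rule set opens one port for one service and can be limited to a list of allowed source networks; everything not opened by an enabled rule set is dropped. The rule-set names match ESXi's, but the ports, states and class layout are constructed for the example, and the model ignores the direction and multi-port fields a real ESXi rule set carries.

```python
"""Added model of the ESXi service-oriented firewall (not VMware code): every
pathway is closed unless an enabled rule set opens it, and a rule set can be
limited to the source networks allowed to reach its service."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    name: str
    port: int
    protocol: str                  # "tcp" or "udp"
    enabled: bool = False
    allowed_all: bool = True       # any source address may reach the service
    allowed_ips: list = field(default_factory=list)  # networks used when allowed_all is False

    def permits(self, src_ip, port, protocol):
        """True if this rule set opens (port, protocol) for src_ip."""
        if not self.enabled or port != self.port or protocol != self.protocol:
            return False
        if self.allowed_all:
            return True
        addr = ipaddress.ip_address(src_ip)
        # Membership across IP versions is False, so v4 and v6 networks can be mixed.
        return any(addr in ipaddress.ip_network(net, strict=False) for net in self.allowed_ips)


class Firewall:
    def __init__(self, rulesets):
        self.rulesets = {r.name: r for r in rulesets}

    def is_allowed(self, src_ip, port, protocol):
        """Default deny: a connection passes only if some enabled rule set opens it."""
        return any(r.permits(src_ip, port, protocol) for r in self.rulesets.values())

    def enable(self, name, enabled=True):
        self.rulesets[name].enabled = enabled

    def restrict(self, name, networks):
        """Limit one service to the given source networks (the per-service
        allowed-IP setting the module mentions); other services are unaffected."""
        rs = self.rulesets[name]
        rs.allowed_all = False
        rs.allowed_ips = list(networks)


def sample_firewall():
    """Constructed rule sets: names follow ESXi's, ports and states are illustrative."""
    return Firewall([
        Ruleset("sshServer", 22, "tcp", enabled=True),
        Ruleset("vSphereClient", 443, "tcp", enabled=True),
        Ruleset("ntpClient", 123, "udp", enabled=False),
    ])


if __name__ == "__main__":
    fw = sample_firewall()
    fw.restrict("sshServer", ["10.0.0.0/24"])
    for ip in ("10.0.0.7", "203.0.113.5"):
        print(ip, "-> ssh allowed:", fw.is_allowed(ip, 22, "tcp"))
```

    The `restrict` call corresponds to what an administrator does on a real host with `esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false` followed by `esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.0.0.0/24`; the point the model makes is that the restriction is scoped to one service, while disabled services and unopened ports stay closed regardless of source address.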

  • Slide 8-10: Enabling and Disabling Lockdown Mode

    To increase the security of your ESXi hosts, you can put your hosts in lockdown mode.

    When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through VMware vCenter Server.

    When a host is in lockdown mode, you cannot run commands from the VMware vSphere Command-Line Interface (vCLI), from an administration server, or from a script. External software or management tools might not be able to retrieve or modify information from the ESXi host.

    NOTE

    The root user is still authorized to log in to the direct console user interface (DCUI) when lockdown mode is enabled.

    To enable or disable lockdown mode, select Configure Lockdown Mode from the Host Properties page and press Enter. Choose to enable or disable.

  • Slide 8-11: Integrating ESXi with Active Directory

    Although day-to-day VMware vSphere management operations are usually done through VMware vSphere Web Client while logged in to vCenter Server, the user sometimes requires direct access to the ESXi host. Examples include accessing local log files, configuring backups, and monitoring solutions that are configured to use service accounts.

    Single Sign-On (SSO) is the recommended way to manage user access to hosts. The Active Directory (AD) domain that users belong to is added to SSO as an identity source. In addition, you can still have local users defined and managed host by host and configured using vSphere Web Client. This can be used in place of, or in addition to, the SSO and AD integration.

    You can configure the host to join an AD domain, so a user trying to access the host will be authenticated against the centralized SSO user directory. Any time that you are asked to provide credentials (for example, when using vSphere Web Client to log in directly to the ESXi host), you can enter the user name and password of a user in the domain to which the host is joined. The advantage of this model is that you can continue to manage user accounts using AD. This model is easier and more secure than trying to manage accounts independently per host.

    The only user that is defined by default on the system is the root user. The initial root password is typically set during ESXi installation. It can be changed afterward using vSphere Web Client.

    NOTE

    root is the only user that is defined on the ESXi host. The root password is not mapped to an AD account. If the host is integrated with AD, local roles can also be granted to AD users and groups. For example, an AD group can be created to include users who should have an administrator role on a subset of ESXi hosts. On those servers, the administrator role can be granted to that AD group. For all other servers, those users would not have an administrator role. ESXi hosts grant administrator access to the AD group named ESX Admins, which allows the creation of a global administrators group.

    There are three built-in roles on ESXi hosts: Administrator, Read-only, and No Access. Although you can create custom roles, you would have to create them separately on each ESXi host, so creating them in vCenter Server is preferable.

  • Slide 8-12: Review of Learner Objectives

  • Slide 8-13: Lesson 2: Configuring Roles and Permissions

  • Slide 8-14: Learner Objectives

  • Slide 8-15: Access Control Overview

    The authorization to perform tasks in vCenter Server is governed by an access control system. This system allows the vCenter Server administrator to specify in great detail which users or groups can perform which tasks on which objects. The access control system is defined with the following concepts:

    Privilege: The ability to perform a specific action or read a specific property. Examples include powering on a virtual machine and creating an alarm.

    Role: A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task, such as administering a virtual machine.

    Object: An entity upon which actions are performed.

    User or group: A user or group who can perform the action.

    The combination of a role, a user or group, and an object equals a permission.

  • Slide 8-16: Users and Groups

    A user is an individual authorized to log in to an ESXi host or vCenter Server. You must separately manage local users that are defined on the vCenter Server system and local users that are defined on individual ESXi hosts. You can also use AD, via SSO, to manage users and groups for both the vCenter Server system and the ESXi hosts.

    The vCenter Server system is not required to belong to an AD domain. But if the vCenter Server system is a member of an AD domain, user accounts and groups from the domain are available on the vCenter Server system. If the vCenter Server system is not a member of a domain, vCenter Server uses local Windows users and groups.

    The fact that the vCenter Server system is a member of the AD domain has profound security implications for vSphere administration. For example, by default, anyone with Domain Administrator privileges in the AD domain has full administrative powers over all ESXi hosts and virtual machines that are managed by vCenter Server. vSphere administrators must plan and coordinate security carefully with Windows AD administrators.

    Users who are in the AD group ESX Admins are assigned the Administrator role. For ESXi hosts, you can use the vSphere Client or the VMware vSphere API to log in with AD accounts. On ESXi hosts, you can also use the direct console user interface (DCUI) and the ESXi shell to log in with AD accounts. Only users who are assigned the Administrator role can log in to the DCUI.

    vCenter Server and ESXi hosts manage their own sets of roles. Roles are managed separately. A role that is created on the vCenter Server system is not visible to an ESXi host if a user logs in directly to an ESXi host.

    The rest of the module focuses on roles and permissions for vCenter Server.

  • Slide 8-17: Roles

    A role is a set of one or more privileges. A privilege allows access to a specific task and is grouped with other privileges related to it. For example, the Virtual Machine Power User role consists of several privileges in categories like Datastore and Global. A role is assigned to a user or group and determines the level of access of that user or group.

    To display the list of roles, on the Home screen, under Administration, select Roles. To display the privileges associated with an existing role, click the Privileges box and then select the role.

    Roles are not hierarchically organized. No role is superior or subordinate to another role. All roles are independent of one another.

  • Slide 8-18: Objects

    A user or group indicates who can perform the action. The object is the target of the action. Each combination of user or group, role, and object must be specified. The administrator does the following:

    1. Selects an object from the overall vCenter Server inventory

    2. Selects a role to be assigned to that object

    3. Selects the user or group to which this permission pertains

    A permission can be assigned to any object in the vCenter Server inventory.

    On the slide, the Administrator role has been granted to the root user. The combination of user or group and role is applied at the vCenter Server level, so this permission is allowed on all data centers in the vCenter Server inventory.

  • Slide 8-19: Assigning Permissions

    To assign a permission:

    1. Select the object in the inventory, click the Manage tab, and select the Permissions entry.

    2. Click the green plus sign (+) to open the Add Permission window.

    3. Set the conditions for the permission and click OK.

    In the left pane of the dialog box, select a user or group by clicking Add. In the right pane, select a role in the role list. You can also choose to propagate the permission to all child objects.

    Role propagation is the act of passing along permissions. A role can be propagated to its child objects in the inventory.

    For each permission, you can decide whether the permission propagates down the object hierarchy to all subobjects or if it applies only to the original object. For example, you can grant a user the Read-only role at the data center level and have the role propagate to the data center's child objects. Then you can grant a more permissive role, such as Virtual Machine Power User, to a virtual machine in the data center.

  • Slide 8-20: Viewing Roles and Assignments

    You can view all of the objects to which a role was assigned and all of the users or groups who were granted the role.

    To view this information, select the Usage entry within the Roles window. Select a role in the role list. The information panel displays each object to which the role is assigned and the users and groups who were granted the role.

  • Slide 8-21: Applying Permissions: Scenario 1

    In addition to specifying whether permissions propagate downward, you can override permissions set at a higher level by explicitly setting different permissions for a lower-level object.

    On the slide, user Greg is given the vCenter Server Administrator role at the Training data center. This role is propagated to all child objects except one, the virtual machine Prod03-2. For this virtual machine, Greg has no access.

  • Slide 8-22: Applying Permissions: Scenario 2

    When a user is a member of multiple groups, and these groups have permissions on the same object in the inventory, the user is assigned the union of privileges assigned to the groups for that object.

    On the slide, Group1 is assigned the VM_Power_On role, a custom role that contains only one privilege: the ability to power on a virtual machine. Group2 is assigned the Take_Snapshots role, another custom role that contains the privileges to create and remove snapshots. Both roles propagate to the child objects. Assume that Greg belongs to both Group1 and Group2. Greg gets both VM_Power_On and Take_Snapshots privileges for all objects in the Training data center.

  • Slide 8-23: Applying Permissions: Scenario 3

    A user can be a member of multiple groups and can have permissions on different objects in the inventory. For each object on which the group has permissions, the same permissions apply as if they were granted to the user directly. You can override permissions set for a higher-level object by explicitly setting different permissions for a lower-level object.

    On the slide, Group1 is assigned the Administrator role at the Training data center and Group2 is assigned the Read-only role on the virtual machine object, Prod03-1. The permission granted to Group1 is propagated to child objects. Assume that user Greg is a member of both Group1 and Group2. Greg gets administrator privileges on the entire Training data center (the higher-level object), except for the virtual machine named Prod03-1 (the lower-level object). For this object, Greg gets read-only access.

  • Slide 8-24: Applying Permissions: Scenario 4

    Permissions defined explicitly for the user on an object take precedence over a user's group permissions on that same object.

    On the slide, three permissions are assigned to the Training data center:

    Group1 is assigned the VM_Power_On role.

    Group2 is assigned the Take_Snapshots role.

    User Greg is assigned the Read-only role.

    Assume that Greg is a member of both Group1 and Group2. Assume also that propagation to child objects is enabled on all roles. In this case, even though Greg is a member of both Group1 and Group2, he gets the Read-only privilege to the Training data center and all objects under it. Greg gets the Read-only privilege because explicit user permissions on an object take precedence over all group permissions on that same object.
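    The four scenarios above all follow from the same small set of rules: a permission is a (object, user or group, role) triple that may propagate to child objects; a permission set on a lower-level object overrides one inherited from above; a user in several groups gets the union of the groups' privileges on an object; and an explicit user permission on an object beats any group permission on that same object. The following is an added example, not code from the course or from VMware, that implements those rules in Python and rebuilds each scenario on a constructed inventory (vCenter, the Training data center, and VMs Prod03-1 through Prod03-3). The privilege identifiers are constructed in vSphere's Category.Action style, and the Administrator role is abbreviated to the privileges the scenarios need; vCenter's real resolution engine is not being reproduced, only the rules the module states.

```python
"""Added model of vCenter Server permission resolution (not VMware code). It
applies the rules the module states: propagation to child objects, override on
a lower-level object, union of group privileges, and explicit user wins."""
from dataclasses import dataclass, field

# Constructed privilege sets. Administrator is abbreviated to what the scenarios
# need; VM_Power_On and Take_Snapshots are the module's custom roles.
ROLES = {
    "Administrator": {"System.View", "System.Read", "VirtualMachine.Interact.PowerOn",
                      "VirtualMachine.State.CreateSnapshot",
                      "VirtualMachine.State.RemoveSnapshot", "VirtualMachine.Inventory.Create"},
    "Read-only": {"System.View", "System.Read"},
    "No Access": set(),
    "VM_Power_On": {"VirtualMachine.Interact.PowerOn"},
    "Take_Snapshots": {"VirtualMachine.State.CreateSnapshot",
                       "VirtualMachine.State.RemoveSnapshot"},
}

@dataclass
class Permission:
    obj: str         # inventory object the permission is set on
    principal: str   # user or group name
    role: str        # key into ROLES
    propagate: bool  # also applies to child objects
    is_group: bool   # principal is a group rather than a user

@dataclass
class Inventory:
    parent: dict     # object -> parent object; the root maps to None
    groups: dict     # user -> set of group names
    permissions: list = field(default_factory=list)

    def ancestry(self, obj):
        """[obj, parent, grandparent, ..., root]."""
        chain = []
        while obj is not None:
            chain.append(obj)
            obj = self.parent[obj]
        return chain

    def grant(self, obj, principal, role, propagate=True, is_group=False):
        self.permissions.append(Permission(obj, principal, role, propagate, is_group))

    def effective_privileges(self, user, obj):
        """Privileges `user` holds on `obj` after propagation and overrides."""
        user_groups = self.groups.get(user, set())
        for depth, node in enumerate(self.ancestry(obj)):
            # Permissions on this node that reach obj: set on obj itself, or on
            # an ancestor with propagation enabled, for the user or a group of theirs.
            applicable = [
                p for p in self.permissions
                if p.obj == node and (depth == 0 or p.propagate)
                and ((not p.is_group and p.principal == user)
                     or (p.is_group and p.principal in user_groups))
            ]
            if not applicable:
                continue  # nothing set at this level; keep walking up
            # The nearest level that grants anything decides (lower-level override).
            # Within it an explicit user permission beats all group permissions;
            # otherwise the groups' privileges are unioned.
            explicit = [p for p in applicable if not p.is_group]
            return set().union(*(ROLES[p.role] for p in (explicit or applicable)))
        return set()  # no permission anywhere on the path: no access

def training_inventory():
    """Constructed inventory: vCenter -> Training data center -> three VMs."""
    parent = {"vCenter": None, "Training": "vCenter", "Prod03-1": "Training",
              "Prod03-2": "Training", "Prod03-3": "Training"}
    return Inventory(parent=parent, groups={"Greg": {"Group1", "Group2"}})

def scenario_1():  # Administrator on the data center, No Access on one VM
    inv = training_inventory()
    inv.grant("Training", "Greg", "Administrator")
    inv.grant("Prod03-2", "Greg", "No Access")
    return inv

def scenario_2():  # two groups, both propagating, on the same object
    inv = training_inventory()
    inv.grant("Training", "Group1", "VM_Power_On", is_group=True)
    inv.grant("Training", "Group2", "Take_Snapshots", is_group=True)
    return inv

def scenario_3():  # group permission on a VM overrides the inherited one
    inv = training_inventory()
    inv.grant("Training", "Group1", "Administrator", is_group=True)
    inv.grant("Prod03-1", "Group2", "Read-only", is_group=True)
    return inv

def scenario_4():  # explicit user permission beside two group permissions
    inv = training_inventory()
    inv.grant("Training", "Group1", "VM_Power_On", is_group=True)
    inv.grant("Training", "Group2", "Take_Snapshots", is_group=True)
    inv.grant("Training", "Greg", "Read-only")
    return inv

if __name__ == "__main__":
    for n, build in enumerate((scenario_1, scenario_2, scenario_3, scenario_4), 1):
        for vm in ("Prod03-1", "Prod03-2"):
            print(f"scenario {n}, Greg on {vm}:", sorted(build().effective_privileges("Greg", vm)))
```

    The order of the checks is what makes the scenarios come out right: the walk stops at the nearest object on the path that carries any permission for the user or their groups, so a No Access or Read-only permission on a VM wins over an Administrator permission inherited from the data center, and only within that one level does the explicit-user-beats-group rule apply. A user with no permission on any object along the path ends with an empty privilege set, which is the safe default when auditing who can do what on a given object.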

  • Slide 8-25: Creating a Role

    The Virtual Machine Creator role is one of many examples of roles that can be created. As a best practice, define a role using the smallest number of privileges possible so that security and control over your environment can be maximized. Also, give the roles names that explicitly indicate what each role allows, to make its purpose clear.

    Use folders to contain the scope of permissions. For example, to limit the creation of virtual machines, create a folder in the VMs and Templates inventory view. Apply the Virtual Machine Creator role on this folder for the users.

    Another example of a role is to allow a user to create a virtual machine by deploying from a template only. You can create a role named Template Deployer, for example, and give it the following privileges:

    Datastore > Allocate space

    Network > Assign network

    Resource > Assign virtual machine to resource pool

    Virtual machine > Configuration > Add new disk

    Virtual machine > Configuration > Add or remove device

    Virtual machine > Inventory > Create from existing

    Virtual machine > Provisioning > Deploy template

  • Slide 8-26: Lab 14: Managing Virtual Machines

  • Slide 8-27: Lab 17: User Permissions

  • Slide 8-28: Review of Learner Objectives

  • Slide 8-29: Key Points
