container-service-extension
Full list of required rights
I am trying to set up a role with minimum required privileges for the CSE service per the list of roles and rights in the documentation and having a bit of trouble. If I run the install with a system administrator account it works fine but if I attempt it with the limited account it fails. I was able to get through the first error by adding the Extensions: View permission but I am now getting the error below when trying to run the install.
Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Traceback (most recent call last):
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1116, in get_linked_resource
return self.get_resource(find_link(resource, rel, media_type).href)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.MissingLinkException: ('https://vcd-rc.expedient.com/api/admin/extension', <EnumValue: RelationType.DOWN [value=down]>, 'application/vnd.vmware.admin.vmwVimServerReferences+xml'); href: https://vcd-rc.expedient.com/api/admin/extension, rel: RelationType.DOWN, mediaType: application/vnd.vmware.admin.vmwVimServerReferences+xml
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/expedient/.local/bin/cse", line 11, in <module>
sys.exit(cli())
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/cse.py", line 206, in install
amqp_install, ext_install)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 311, in install_cse
check_config(config_file_name)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 234, in check_config
for vc in platform.list_vcenters():
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/platform.py", line 65, in list_vcenters
EntityType.VIM_SERVER_REFS.value)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1119, in get_linked_resource
"Operation is not supported").with_traceback(e.__traceback__)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1116, in get_linked_resource
return self.get_resource(find_link(resource, rel, media_type).href)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.OperationNotSupportedException: Operation is not supported
Got through that error by adding the vSphere Server: View right, now receiving the error below.
[expedient@localhost ~]$ cse install --config config.yaml
Validating CSE on vCD from file: config.yaml
Python version >= 3.6 (installed: 3.6.5): success
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to AMQP server (pit-vcd-mq0.provider.local:5672): success
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Connected to vCenter Server PIT-VCSA01 as administrator (pit-vcsa01.provider.local:443): success
Installing CSE on vCD from file: config.yaml, template: *
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Installing 'default' service broker
Find org 'cse': success
Traceback (most recent call last):
File "/home/expedient/.local/bin/cse", line 11, in <module>
sys.exit(cli())
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/cse.py", line 206, in install
amqp_install, ext_install)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 334, in install_cse
vdc_resource = org.get_vdc(config['broker']['vdc'])
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/org.py", line 1537, in get_vdc
return self.client.get_resource(link.href)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1099, in get_resource
'GET', uri, objectify_results=objectify_results)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 861, in _do_request
response), _objectify_response(response, objectify_results))
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 898, in _response_code_to_exception
raise InternalServerException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.InternalServerException: Status code: 500/INTERNAL_SERVER_ERROR, [ 170d9812-a6e2-4180-a6b1-c7fe217d873c ] com.vmware.vcloud.api.presentation.entity.vdc.UserVdcSpec cannot be cast to com.vmware.vcloud.api.presentation.entity.vdc.VdcSpec (request id: 170d9812-a6e2-4180-a6b1-c7fe217d873c)
That error is solved by adding the Organization vDC: Extended View permission, and now allows the template upload to start before generating an error:
Find source ova 'photon-custom-hw11-2.0-304b817.ova': success
Traceback (most recent call last):
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 371, in install_cse
catalog, no_capture, template, ssh_key)
File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 470, in create_template
records = list(q.execute())
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1454, in execute
return self._iterator(self._client.get_resource(query_uri))
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1099, in get_resource
'GET', uri, objectify_results=objectify_results)
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 861, in _do_request
response), _objectify_response(response, objectify_results))
File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 872, in _response_code_to_exception
raise AccessForbiddenException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.AccessForbiddenException: Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ 77ad20b0-5c88-40be-b9e3-4219c4c0a50c ] This operation is denied. (request id: 77ad20b0-5c88-40be-b9e3-4219c4c0a50c)
The above is still failing, but I've identified /query?type=adminCatalogItem as the REST call that is getting access denied; attempting to work out which Right provides that ability now.
hi @mgaruccio
Please ensure that your limited account has the following rights:
Minimum roles and (admin-view) rights required for the service account (subject to change with new vCD versions):
Catalog Author (Role)
vApp Author (Role)
vApp User (Role)
vCenter: View (Right)
vCenter: Refresh (Right)
vCenter: Open in vSphere (Right)
Task: View Tasks (Right)
Task: Update (Right)
Task: Resume, Abort, or Fail (Right)
Catalog Item: Add to My Cloud (Right)
Catalog Item: Create/Upload a vApp Template/Media (Right)
Catalog Item: View vApp Templates/Media (Right)
Catalog Item: Copy/Move a vApp Template/Media (Right)
General: Administrator View (Right)
Organization VDC: View Organization VDCs (Right)
Organization VDC Network: View Properties (Right)
Organization: View Organizations (Right)
Let us know if adding this list of rights resolves the problem. Please refer to the documentation here for more information https://vmware.github.io/container-service-extension/#sysadmin
Those are all configured with the exception of the "Catalog Item" rights, which don't seem to exist in the current release of 9.5; however, I did confirm that a user with full System Administrator rights is able to successfully deploy CSE and does not have those rights listed. Current rights for the account are:
vApp: Edit VM Hard Disk
vApp: Create / Reconfigure
vApp Template / Media: Edit
vApp Template / Media: Copy
Organization vDC: Extended View
vApp Template: Change Owner
Catalog: Publish
Organization vDC: VM-VM Affinity Edit
General: Administrator View
Catalog: CLSP Publish Subscribe
Catalog: Sharing
Catalog: View Published Catalogs
vApp: Sharing
Organization: View
vSphere Server: View
vApp Template / Media: View
Disk: Edit Properties
vApp: Snapshot Operations
Disk: View Properties
Organization vDC Compute Policy: View
Catalog: View Private and Shared Catalogs
UI Plugins: View
Task: Update
vCenter: Open in vSphere
Disk: Delete
vApp: Edit Properties
Catalog: Edit Properties
Disk: Create
vApp: Delete
vApp: Power Operations
Catalog: Add vApp from My Cloud
Organization vDC: View
vApp: Copy
vApp: View VM metrics
vApp: VM Boot Options
vApp Template: Download
Task: View Tasks
vCenter: Refresh
vApp: Use Console
Organization vDC Network: View Properties
Task: Resume, Abort, or Fail
Catalog: Create / Delete a Catalog
Disk: Change Owner
vApp: View ACL
vCenter: View
vApp: Upload
vApp: Manage VM Password Settings
vApp Template: Checkout
vApp: Download
vApp: Edit VM CPU
vApp: Edit VM Memory
Extensions: View
Catalog: View ACL
vApp Template / Media: Create / Upload
VAPP_VM_METADATA_TO_VCENTER
vApp: Edit VM Properties
vApp: Edit VM Network
The names of rights have possibly been renamed in the new release. If you have figured out the minimum rights needed to install CSE, could you post them here? We will update the documentation soon for the latest vCD version 9.5.
I'm still trying to determine the minimum rights. Is there anyone at VMware who can tell me which right is required to reach the /query?type=adminCatalogItem endpoint? That's the call the process is currently stuck on.
OK, so the missing right there was Organization: Perform Administrator Queries, which has been added, but now we are failing on a different portion of the create_template() call; trying to find that right now.
@mgaruccio Were you able to get through the create_template() call? Just wanted to follow up on that.
No, I'm still trying to narrow down the correct set of permissions. Currently it's failing when trying to access the vApp template.
Hi @mgaruccio I was able to narrow down on the minimum list of Rights for installing CSE. I will be revising the list again to see if any additional rights can be removed. Following are the minimum rights I have so far.
Catalog: Add vApp from My Cloud
Catalog: CLSP Publish Subscribe
Catalog: Create / Delete a Catalog
Catalog: Edit Properties
Catalog: Import Media from vSphere
Catalog: Publish
Catalog: Sharing
Catalog: View ACL
Catalog: View Private and Shared Catalogs
Catalog: View Published Catalogs
Cell Configuration: View
Disk: Change Owner
Disk: Create
Disk: Delete
Disk: Edit Properties
Disk: View Properties
General: Administrator View
General: View Error Details
Host: View
Organization Default Settings: View default settings for new Organizations.
Organization Network: Open in vSphere
Organization Network: View
Organization vDC Network: View Properties
Organization vDC Resource Pool: Open in vSphere
Organization vDC Resource Pool: View
Organization vDC Storage Policy: Open in vSphere
Organization vDC: Extended View
Organization vDC: View
Organization vDC: View ACL
Organization: View
System Operations: Execute System Operations
Task: Resume, Abort, or Fail
Task: Update
VAPP_VM_METADATA_TO_VCENTER
VDC Template: Instantiate
VDC Template: View
vApp Template / Media: Copy
vApp Template / Media: Create / Upload
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
vApp Template: Download
vApp Template: Import
vApp Template: Open in vSphere
vApp: Allow All Extra Config
vApp: Allow Ethernet Coalescing Extra Config
vApp: Allow Latency Extra Config
vApp: Allow Matching Extra Config
vApp: Allow NUMA Node Affinity Extra Config
vApp: Change Owner
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM CPU
vApp: Edit VM CPU and Memory reservation settings in all VDC types
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Enter/Exit Maintenance Mode
vApp: Import Options
vApp: Manage VM Password Settings
vApp: Open in vSphere
vApp: Power Operations
vApp: Shadow VM View
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: VM Boot Options
vApp: VM Check Compliance
vApp: VM Migrate, Force Undeploy, Relocate, Consolidate
vApp: View ACL
vApp: View VM metrics
vCenter: Open in vSphere
vCenter: Refresh
vCenter: View
@mgaruccio Did the above list of Rights work for installing CSE?
Hi, I'm trying to install CSE on vCloud 9.0, but receive the same error as the one above:
Validating config file 'config.yaml'
Connected to AMQP server (pclidcdvamqp-vip.dv.pc.local:5672)
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director (ode.teluscloud.com:443)
Connected to vCenter Server 'pclidcdvvcr01.dv.pc.local' as 'cse_admin' (pclidcdvvcr01.dv.pc.local:443)
Config file 'config.yaml' is valid
Installing CSE on vCloud Director using config file 'config.yaml'
Connected to vCD as system administrator: ode.teluscloud.com:443
Checking for AMQP exchange 'lidcvcloud'
AMQP exchange 'lidcvcloud' is ready
Skipping AMQP configuration. vCD and config file may have different AMQP settings.
Found catalog 'CSE'
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1087, in post_linked_resource
find_link(resource, rel, media_type).href, contents,
File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.MissingLinkException: ('https://ode.teluscloud.com/api/catalog/b5aaf890-d9fa-4e1a-b232-782b99621eb0', <EnumValue: RelationType.PUBLISH [value=publish]>, 'application/vnd.vmware.admin.publishCatalogParams+xml'); href: https://ode.teluscloud.com/api/catalog/b5aaf890-d9fa-4e1a-b232-782b99621eb0, rel: RelationType.PUBLISH, mediaType: application/vnd.vmware.admin.publishCatalogParams+xml
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/cse", line 11, in
As stated above, I've tried with a System Administrator account in order to run the cluster smoothly, but with no success. Tried via CentOS installed on the same environment, Internet enabled; every prerequisite before CSE installation is OK, I hope.
Also tried with an Organization Admin account, but the CSE installer cannot log in to vCloud.
IMHO this is not related to missing permissions because an Admin account is used here? Can you advise?
@harshneelmore unfortunately I haven't had the opportunity to give it a shot yet, it looks like my lab has some permissions issues beyond what we were seeing here that are causing at least some of the issues I was seeing.
@yankostefanov if you are not able to deploy using a system administrator account then permissions are not the problem; I was able to deploy without an issue using an admin-level account. You may want to check the sharing settings on your catalog or post a new issue.
Actually the missing item here is: MissingLinkException: (**'https://ode.teluscloud.com/api/catalog/**a8d55218-3e9d-4342-beb1-b3862f89bd7a', <EnumValue: RelationType.PUBLISH [value=publish]>, 'application/vnd.vmware.admin.publishCatalogParams+xml'); href: https://ode.teluscloud.com/api/catalog/a8d55218-3e9d-4342-beb1-b3862f89bd7a, rel: RelationType.PUBLISH, mediaType: application/vnd.vmware.admin.publishCatalogParams+xml
In Admin Catalog there is such record: "Link rel="publish" href="**https://ode.teluscloud.com/api/admin/catalog/**a8d55218-3e9d-4342-beb1-b3862f89bd7a/action/publish" type="application/vnd.vmware.admin.publishCatalogParams+xml"
But for some reason the same Link rel is missing for https://ode.teluscloud.com/api/catalog/. I suppose this Link rel is needed for CSE. Tried to add it with a REST PUT call. The answer is 200 OK, but the Link rel is still missing. :) Actually the vCloud API refuses to add that record in https://ode.teluscloud.com/api/catalog/
Any ideas?
Last we investigated this issue, we found that vCD sends back admin labeled links only when logged in as sys admin. Pyvcloud/cse can only find the item if the admin link exists. We have not decided on a timeline to fix this issue, as it involves coordination with vCD team. The workaround for now is to install CSE using system administrator.
@rocknes , can you look over this and check if I missed anything or explained something incorrectly?
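The two MissingLinkException tracebacks in this thread, and the explanation that vCD only returns the admin-labelled links to a system administrator session, come down to one check: does the catalog representation the session receives carry a Link with the expected rel and type? The following is an added example, not pyvcloud or CSE project code; it re-creates that lookup over two constructed XML documents (the admin and non-admin catalog views described above) so the failure can be reproduced offline. The hostname vcd.example, the CATALOG-ID-PLACEHOLDER id, and the exact Link elements are assumptions for the demo, and the `missing_links` / `publish_href` helpers are my names, not pyvcloud's.

```python
# Added example (not pyvcloud or CSE project code): a minimal re-creation of the
# link lookup that raises MissingLinkException in the tracebacks above, used as a
# pre-flight check over two constructed catalog representations. The XML, the
# hostname vcd.example and CATALOG-ID-PLACEHOLDER are all made up for the demo.
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
LINK_TAG = "{%s}Link" % VCLOUD_NS
PUBLISH_TYPE = "application/vnd.vmware.admin.publishCatalogParams+xml"
ITEMS_TYPE = "application/vnd.vmware.vcloud.catalogItem+xml"


class MissingLinkException(Exception):
    """Raised when a resource carries no Link with the requested rel and type."""


def find_link(resource, rel, media_type):
    """Return the href of the first Link matching rel and type, else raise.
    Mirrors what the thread's tracebacks show for pyvcloud's find_link:
    the lookup is purely on the links the server chose to include."""
    for link in resource.iter(LINK_TAG):
        if link.get("rel") == rel and link.get("type") == media_type:
            return link.get("href")
    raise MissingLinkException(resource.get("href"), rel, media_type)


# Constructed: the /api/admin/catalog/... view a system administrator session
# receives, with the publish action link present.
ADMIN_CATALOG_XML = """<AdminCatalog xmlns="%s"
    href="https://vcd.example/api/admin/catalog/CATALOG-ID-PLACEHOLDER">
  <Link rel="publish" type="%s"
        href="https://vcd.example/api/admin/catalog/CATALOG-ID-PLACEHOLDER/action/publish"/>
  <Link rel="down" type="%s"
        href="https://vcd.example/api/admin/catalog/CATALOG-ID-PLACEHOLDER/catalogItems"/>
</AdminCatalog>""" % (VCLOUD_NS, PUBLISH_TYPE, ITEMS_TYPE)

# Constructed: the /api/catalog/... view a non-system-administrator session
# receives, with no publish link at all (the failure mode in the thread).
USER_CATALOG_XML = """<Catalog xmlns="%s"
    href="https://vcd.example/api/catalog/CATALOG-ID-PLACEHOLDER">
  <Link rel="down" type="%s"
        href="https://vcd.example/api/catalog/CATALOG-ID-PLACEHOLDER/catalogItems"/>
</Catalog>""" % (VCLOUD_NS, ITEMS_TYPE)

# The (rel, type) pairs an installer that publishes a catalog would look for.
REQUIRED_FOR_PUBLISH = [("publish", PUBLISH_TYPE), ("down", ITEMS_TYPE)]


def missing_links(catalog_xml, required):
    """Pre-flight: return the (rel, type) pairs from `required` that this
    catalog representation does not expose. An empty list means the session's
    view of the catalog carries every link the caller will look for."""
    root = ET.fromstring(catalog_xml)
    missing = []
    for rel, media_type in required:
        try:
            find_link(root, rel, media_type)
        except MissingLinkException:
            missing.append((rel, media_type))
    return missing


def publish_href(catalog_xml):
    """Return the catalog's publish action href, or None when the session's
    view of the catalog does not include one."""
    try:
        return find_link(ET.fromstring(catalog_xml), "publish", PUBLISH_TYPE)
    except MissingLinkException:
        return None


if __name__ == "__main__":
    for label, doc in (("admin view", ADMIN_CATALOG_XML), ("user view", USER_CATALOG_XML)):
        gaps = missing_links(doc, REQUIRED_FOR_PUBLISH)
        print("%s: %s" % (label, "all links present" if not gaps else "missing %r" % gaps))
```

Run against the admin view the check reports every link present; against the user view it reports the publish link missing, which is exactly the point at which the real installer raises MissingLinkException. Running a check like this with the service account's own session, before attempting the install, tells you whether the account's view of the resource is sufficient without having to read it out of a traceback.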