vSphere Plugin User Guide: Role-Based Access Control (RBAC) with the Remote Plugin
RBAC for the HTML vSphere Plug-in Overview
Limiting who is able to do what in any datacenter environment is a core element in separating responsibilities and protecting against accidental or nefarious actions from users. In version 5.0 of the vSphere plugin, we are happy to introduce the ability to define vSphere-based roles and permissions for Pure Storage that cover VMware storage-related tasks. This capability enables vSphere administrators to enforce granular controls over other administrators and consumers of the vSphere environment at the storage layer.
There are a few key terms and definitions that we will define to help provide context for the remainder of this KB article.
A vCenter Role is simply a collection of one or more actions that can be executed. Available actions are grouped within vCenter; for example, there is a Pure Storage set of actions and a separate set that applies to ESXi hosts. A role can contain anywhere from a single action to every action you wish to give it. The Administrators role, which is built into vCenter by default, has every available action.
A vCenter Permission is the mechanism by which you define who is able to do what, and where. A permission pairs a user and/or a group with a role. Permissions can use users or groups from the local vCenter or from an external identity source such as Active Directory (AD) if the vCenter has been joined to the domain. Finally, permissions can be defined globally, or they can be associated with individual objects within a vCenter instance such as a Distributed Switch or a single ESXi cluster.
A vCenter Object is simply something that exists within a vCenter instance. Examples can include a FlashArray, a datastore, a cluster or a distributed switch just to name a few. Objects are generally what permissions and roles are able to or not able to view or manipulate.
Requirements:
- Minimum Plugin Version: Remote Plugin 5.0.0
- Installation Instructions for the vSphere Remote Plugin can be found here.
- Minimum Purity Version: 4.10
- Minimum vCenter Version: 6.7U3
- If Active Directory or other Identity Source is to be used, the vCenter instance needs to be registered against it. Here are instructions for how to join vCenter to an Active Directory (AD) domain. In the following examples, our vCenter instance is joined to a Windows AD domain.
How to Create a vSphere Role with Pure Storage Permissions
Role creation for use with Pure Storage within vCenter is no different than creating any other vCenter-based role so long as the plugin has been installed to make the Pure Storage roles available. To start, click on the vCenter Menu button and click on Administration.
From the Administration menu, next click on the Roles option and then click on the + sign to create a new role. Alternatively, an existing role can be edited to add Pure Storage permissions to it but for this example we will create a new role.
In the New Role wizard, scroll down to the Pure Storage section and select the action(s) that you want the new role to be able to do. At the end of this guide, we show minimum permissions required in order to perform various vCenter actions with Pure Storage. Some Pure Storage actions only require selections from the Pure Storage role section while others require permissions from other areas as well. Multiple actions can be combined into a single role depending on how much or how little you want the role to be able to do. Once you have selected one or more actions for the new role click on the Next button.
Provide a Name for the new role and optionally provide a Description. Click on Finish to complete.
The new role is now available to be assigned as a Global Permission within vCenter or can be directly assigned to a FlashArray as we will show in the next section.
How To Assign Role-Based Permissions within vCenter
Many of the daily operations needed by someone administering Pure Storage will include roles external to the Pure Storage set of roles. As an example, creating a new datastore not only requires appropriate permissions to the underlying FlashArray but also requires ESXi host permissions to perform operations like scanning the HBAs and datastore permissions to allocate new space. As such, we will show one way to associate a role with a user or group of users within vCenter so that it applies to the necessary objects.
To start, return to the vSphere Administrative menu and click on Global Permissions. Then click on the + sign to add a new permission.
In the Add Permission screen, first select the Domain to be used (Active Directory in this example), enter the User or Group in that domain you want and then pick the Role from the pull-down menu. Optionally select if you want the permission to Propagate to children and finally click on OK.
Returning to the sample Role defined in the previous section, we can see under Usage that a single user now has this role assigned to them.
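To check the same thing across every role rather than one at a time, the following PowerCLI script is an added example (not part of this guide or the plugin) that lists each vCenter role containing Pure Storage actions together with the principals and objects it is assigned to. It assumes PowerCLI is installed, a placeholder vCenter hostname, and that the plugin's privilege IDs contain the string "Pure" (an assumed pattern; check the output of Get-VIPrivilege on your vCenter and adjust it).

```powershell
# Added example, not from the Pure Storage guide: audit which vCenter roles grant
# Pure Storage actions and who holds them. Assumptions: PowerCLI is installed,
# $VCenter is a placeholder, and $PurePattern matches the plugin's privilege IDs.
param(
    [string]$VCenter     = 'vcenter.example.local',  # placeholder hostname
    [string]$PurePattern = '*Pure*'                  # assumed privilege ID pattern
)

Connect-VIServer -Server $VCenter | Out-Null

# Privilege IDs that appear in the Pure Storage section of the role editor.
$purePrivIds = Get-VIPrivilege |
    Where-Object { $_.Id -like $PurePattern -or $_.Name -like $PurePattern } |
    Select-Object -ExpandProperty Id

if (-not $purePrivIds) {
    Write-Warning "No privileges matched '$PurePattern'; is the remote plugin installed?"
    Disconnect-VIServer -Confirm:$false
    return
}

# Roles that grant at least one Pure Storage privilege. The built-in
# Administrator role always appears here because it holds every privilege.
$pureRoles = Get-VIRole | Where-Object {
    @($_.PrivilegeList | Where-Object { $purePrivIds -contains $_ }).Count -gt 0
}

# For each such role, show the Pure Storage privileges it grants, the principals
# holding it and the inventory objects the permission is anchored to.
# Global Permissions (Administration > Global Permissions) are managed separately
# from inventory-object permissions and may not appear here; review them in the UI.
foreach ($role in $pureRoles) {
    $granted = $role.PrivilegeList | Where-Object { $purePrivIds -contains $_ }
    $holders = Get-VIPermission -Role $role
    [PSCustomObject]@{
        Role           = $role.Name
        PurePrivileges = ($granted -join ', ')
        Principals     = (($holders | ForEach-Object { $_.Principal }) -join ', ')
        Entities       = (($holders | ForEach-Object { $_.Entity.Name }) -join ', ')
        Propagate      = (($holders | ForEach-Object { $_.Propagate }) -join ', ')
    }
}

Disconnect-VIServer -Confirm:$false
```

Any role in the output that grants more Pure Storage privileges than the matrix at the end of this guide requires for its holders' tasks is a candidate for trimming.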
How To Assign Role-Based Permissions to a Pure Storage FlashArray
The permission assignment process shown in the previous section must also be applied in similar fashion within the Pure Storage plugin so that it applies to Pure Storage objects.
To get started assigning a role-based permission to a Pure Storage FlashArray, we first need to add a FlashArray to vCenter. To access the plugin, go to the vCenter Menu and then select Pure Storage.
Click on the + ADD button to add an array. Note that the user adding a FlashArray must always be a member of the vCenter Administrators group.
In the Add Array wizard, provide an Array Name, the IP Address (typically the VIP) and the Username/Password for the FlashArray. Click on Submit to complete.
With the FlashArray now added, select the array, click on the Permissions tab and then click on the + sign to give a user or group permissions over the FlashArray.
In the Add Permission window, confirm the Array is the one you want to add the permission to, then from the pull-down menu pick the Domain, followed by the User or Group you want to use for the permission. Lastly, select the Role you wish to assign against the FlashArray and click Submit.
In the below screen capture we can see that we have successfully assigned a user (vvols) the role of virtual volumes admin.
Video Demo of Using Pure Storage vSphere RBAC
Minimum Permissions Matrix for Pure Storage vSphere RBAC
The below table shows the minimum permission needed to perform
FlashArray VMware Component | Pure Storage Action | Minimum vSphere Permissions Required
--- | --- | ---
FlashArray Management | Add FlashArray to vCenter | User must be in the administrators@vsphere.local (or equivalent SSO) domain.
FlashArray Management | Edit Existing FlashArray |
FlashArray Management | Remove FlashArray from vCenter |
FlashArray Management | Modify FlashArray Roles (applies to existing FlashArray permissions only; adding a new permission to a FlashArray is reserved for users in the Administrators@vsphere.local group) |
ESXi Host Management | Add Host Group to FlashArray* |
ESXi Host Management | Rename Host |
ESXi Host Management | Disconnect Host from FlashArray Host Group |
ESXi Host Management | Configure ESXi Host iSCSI |
Protection Groups | Import Protection Groups |
Snapshot Management | Create Snapshot |
Snapshot Management | Copy Snapshot |
Snapshot Management | Restore Snapshot |
Snapshot Management | Delete Snapshot |
VMFS Management | Create VMFS Datastore | Host; Pure Storage
VMFS Management | Edit VMFS Datastore | Host; Pure Storage
VMFS Management | Run and Schedule Space Reclamation |
VMFS Management | Destroy VMFS Datastore | Host; Pure Storage
vVols Management | Register Storage Provider | Host; Pure Storage; Storage views
vVols Management | Create vVols Datastore | Host; Pure Storage; Storage views
vVols Management | Unmount vVols Datastore | Host; Pure Storage; Storage views
vVols Management | Create Virtual Disk |
vVols Management | Create a Virtual Volume |
vVols Management | Overwrite a Virtual Volume |
vVols Management | Restore Deleted Virtual Volume |
vVols Management | Snapshot Virtual Volume |
vVols Management | Undelete vVols VM |
vVols Management | Remove hard disk |

*Note that for iSCSI-based arrays the Configure ESXi Host iSCSI permission listed above will also be required if software iSCSI has not been enabled on the ESXi hosts.