With the release of the Pure Storage VMware Plugin OVA, one of the key plugin features that is being released is Role-Based Access Control (RBAC). RBAC for the Pure Storage vSphere Plugin enables vCenter administrators to assign and provide granular permission controls over one or more FlashArrays registered against a given vCenter instance. This provides the capability for least privileged access control to individual users or groups as well as an audit trail for knowing who does what against a particular array, datastore or virtual machine at the storage layer.
In our initial release of RBAC, a temporary workaround has been instituted that enables FlashArray objects to have permissions assigned and used against them within vCenter. When a Pure Storage FlashArray is registered against the vSphere Plugin, a folder object is created within vCenter which encapsulates the permissions set for that array. This KB article will show how and where this folder is created, as well as what steps to take should it be accidentally removed or renamed. Please note that this is a temporary workaround and this requirement will be removed in an upcoming vCenter and Pure Storage VMware appliance release.
The prerequisite for this article is that the vSphere Plugin has been installed via the Pure Storage VMware Appliance. Please see this article for instructions on that.
Registering a FlashArray and Pure Storage vCenter Permissions Folders
Upon registration of the plugin in a vCenter instance, we can see that the following top-level folder is created within vCenter. As individual FlashArrays are registered against the plugin, unique sub-folders will be created for each.
The next few screenshots will register a FlashArray instance with the plugin and show a sub-folder being created.
Upon entering the array information above and clicking the Submit button, we can see that the alpha-numeric sub-folder is created; it is highlighted in the screenshot below.
With the FlashArray instance registered, we can see that an alpha numeric folder has been created within the Pure Storage Plugin folder. It is critical that the Pure Storage Plugin folder as well as the alpha-numeric folder names are not changed as this will break the permissions mapping between the plugin and the FlashArray instance. Instructions for how to correct this issue are included at the end of this KB article.
Creating and Assigning a Role with Pure Storage Privileges
The next step is to create a role which includes some Pure Storage specific permissions within it. A new role can be created by navigating to the vCenter Administration menu, Access Control > Roles and then clicking on the + sign.
Select the specific permissions you want the new role to have. Note that some actions require both Pure Storage permissions as well as other permissions outside of Pure Storage. A complete list of required RBAC permissions on a per action basis can be found here.
Provide a name for the new role and then create it by clicking Finish.
To assign the role to a registered FlashArray instance, return to the plugin window, highlight the array you want, select the permissions tab and click on the + sign.
Select the domain, user or group and the role you want to assign to the FlashArray and click on OK.
The new permission assigned to the target FlashArray is shown below.
Fixing a Broken/Renamed Pure Storage Plugin Folder or Subfolder
In the event that either the top-level Pure Storage Plugin folder or a sub-folder is renamed or deleted, the permissions relationship between the FlashArray and the vCenter instance is broken. The vCenter administrator must then clean up the renamed folders and rebuild the permissions between the FlashArray and the vCenter instance.
We will show both scenarios and expected behavior of the Pure Storage plugin as well as required cleanup actions.
One of the Individual FlashArray Subfolders within the Pure Storage Plugin Folder is Renamed or Moved
In this example, a vCenter administrator has taken the alpha-numeric sub-folder which is mapped to a registered FlashArray and renamed it to whoops:
When we navigate back to the FlashArray permissions listed in the plugin we can see that they cannot be found:
After a few moments, the plugin will automatically regenerate the alpha-numeric subfolder name and reassociate it with the registered FlashArray.
At this point, the renamed folder (whoops) should be removed from the vCenter inventory.
The FlashArray permissions then need to be manually re-added within the Pure Storage Plugin window to regain RBAC functionality.
Top-level Pure Storage Plugin Folder was Renamed
For this example, we have two FlashArray instances registered against the plugin which are visible via the two alpha-numeric subfolders located inside of the Pure Storage Plugin Folder.
If this Pure Storage Plugin Folder is renamed or moved it will break the permissions relationship between all registered FlashArrays.
After a few moments, the Pure Storage vSphere Plugin will automatically regenerate the Pure Storage Plugin folder, along with all registered FlashArray subfolders. However, we see that the renamed instance and its subfolders are also present.
It is important to remove the renamed top-level plugin folder along with the duplicate sub-folder entries.
With the plugin folder structure returned to the default setup, it is now necessary to manually re-add all of the permissions to each registered FlashArray instance to regain RBAC functionality.
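The following PowerCLI script is an added example (not code from this KB or from Pure Storage) that audits the recovery state described above: it confirms a single Pure Storage Plugin folder exists, and reports any registered-array sub-folder that has no permissions assigned directly on it, which is the state a regenerated folder is left in until the administrator re-adds the role. It assumes VMware PowerCLI is installed, Connect-VIServer has already been run, and that the top-level folder is literally named "Pure Storage Plugin" (adjust $PluginFolderName if your vCenter differs).

```powershell
# Added example, not part of the original KB. Assumes an open Connect-VIServer session.
# ASSUMPTION: the top-level folder name is exactly "Pure Storage Plugin".
$PluginFolderName = 'Pure Storage Plugin'

function Get-PureRbacFolderReport {
    param([string]$FolderName = $PluginFolderName)

    # Healthy state: exactly one top-level plugin folder.
    $top = @(Get-Folder -Name $FolderName -ErrorAction SilentlyContinue)
    if ($top.Count -eq 0) {
        Write-Warning "Folder '$FolderName' not found: it was renamed/deleted, or the plugin has not regenerated it yet."
        return
    }
    if ($top.Count -gt 1) {
        # Seen when the top-level folder is regenerated while the renamed copy still exists.
        Write-Warning "$($top.Count) folders named '$FolderName' exist; remove the stale duplicate(s) first."
    }

    foreach ($parent in $top) {
        # Each registered FlashArray gets its own alpha-numeric sub-folder directly under the plugin folder.
        $arrayFolders = @(Get-Folder -Location $parent -NoRecursion -ErrorAction SilentlyContinue)
        if ($arrayFolders.Count -eq 0) {
            Write-Warning "'$($parent.Name)' has no array sub-folders; no FlashArray is registered or folders were removed."
        }
        foreach ($af in $arrayFolders) {
            # Keep only permissions defined on this sub-folder itself (not propagated from a parent),
            # because a freshly regenerated folder carries none and must have its role re-added.
            $direct = @(Get-VIPermission -Entity $af | Where-Object { $_.EntityId -eq $af.Id })
            [pscustomobject]@{
                PluginFolder     = $parent.Name
                ArrayFolder      = $af.Name
                DirectPermCount  = $direct.Count
                Principals       = ($direct | ForEach-Object { "$($_.Principal):$($_.Role)" }) -join ', '
                NeedsReAdd       = ($direct.Count -eq 0)
            }
        }
    }
}

# Usage: list every array sub-folder, then show only those whose RBAC must be rebuilt.
$report = Get-PureRbacFolderReport
$report | Format-Table -AutoSize
$report | Where-Object NeedsReAdd | ForEach-Object {
    Write-Warning "Sub-folder '$($_.ArrayFolder)' has no direct permissions; re-add the role via the plugin's Permissions tab."
}
```

Run it after removing the renamed folders to verify that one plugin folder remains and to get a checklist of the sub-folders whose permissions still have to be re-added.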