VMware Solutions Discussions

RCU from VSC 2.0 problem with RBAC

f_duranti
2,672 Views

Hi all, it seems that I have some problems configuring RBAC to use RCU from VSC 2.0.

I had RBAC configured for RCU 3.0 and it was working fine with that version. I've checked the documentation and it seems that nothing changed, but when I try to add a host to the RCU part of VSC 2.0 I get an error saying that some roles are missing.

It seems to be something related to some cli-* roles missing from my definition. Does anyone have the correct RBAC roles to put on the storage to make RCU work on VSC 2.0?

Thanks

Francesco

3 REPLIES

costea
Some additional APIs have been added for the 3.1 version of RCU.  They are found in the IAG.

The additional APIs required to add a controller to RCU 3.1 are these:

  • api-cf-get-partner
  • api-disk-list-info
  • api-fcp-adapter-list-info
  • api-fcp-get-cfmode
  • api-lun-get-vdisk-attributes
  • api-nfs-exportfs-list-rules
  • api-volume-options-list-info
  • api-lun-move
  • api-lun-unmap
  • api-lun-online

    f_duranti
    Thanks for the answer. I've checked the installation guide for VSC again and I can find these APIs listed in the VSC capabilities:

    • api-cf-get-partner
    • api-disk-list-info
    • api-fcp-adapter-list-info
    • api-fcp-get-cfmode
    • api-lun-get-vdisk-attributes
    • api-nfs-exportfs-list-rules
    • api-volume-options-list-info

    So should I add the entire VSC user role capability to the capabilities used by the RCU user (we have different users for vsc/rcu/smvi defined on the storage)?

    I cannot find these in the documentation (do you know which specific role they need to go in: create_clones/create_datastore/destroy_datastore/modify_datastore?):

    • api-lun-move
    • api-lun-unmap
    • api-lun-online

    To make RCU 3.0 work I had only these roles defined (and I was using all but the destroy_datastore role in the RCU user):

    Name:    rcu_create_clones
    Info:
    Allowed Capabilities: login-http-admin,api-system-get-version,api-system-get-info,api-system-cli,api-license-list-info,cli-ifconfig,api-aggr-list-info,api-volume-list-info,api-lun-list-info,api-lun-map-list-info,api-igroup-list-info,api-ems-autosupport-log,api-file-get-file-info,api-clone-*,api-file-create-directory,api-file-read-file,api-file-delete-file,api-file-write-file,cli-mv,api-file-delete-directory,cli-ndmpd,cli-ndmpcopy,api-useradmin-user-list,api-cf-status,api-snapshot-list-info,api-volume-autosize-get,api-iscsi-session-list-info,api-iscsi-portal-list-info,api-fcp-service-status,api-iscsi-service-status,cli-df,api-snapmirror-get-volume-status,api-quota-report,api-qtree-list,api-system-api-list,api-vfiler-list-info

    Name:    rcu_create_datastores
    Info:
    Allowed Capabilities: api-volume-create,api-volume-set-option,api-volume-autosize-set,api-sis-enable,api-sis-start,api-snapshot-create,api-snapshot-set-reserve,api-volume-clone-create,api-nfs-exportfs-list-rules-2,api-nfs-exportfs-modify-rule-2,api-nfs-exportfs-load-exports,api-igroup-create,api-lun-create-by-size,api-lun-map,api-lun-set-comment,api-igroup-add,cli-qtree,cli-iscsi,api-nfs-exportfs-append-rules-2

    Name:    rcu_destroy_datastores
    Info:
    Allowed Capabilities: api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy

    Name:    rcu_modify_datastores
    Info:
    Allowed Capabilities: api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize

    Thanks for the help

    Francesco

    costea
    Hi Francesco,

    All of these new capabilities (including the VSC user role) need to be added to the create_clones role.

    -George
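
A check of the kind this thread works through by hand, as an added example that is not part of the original posts or of any NetApp tooling: it parses a role listing in the format posted above and reports which of the capabilities named in the first reply are not yet granted to a user's roles. The sample listing is constructed and abbreviated, the function names are hypothetical, and treating a trailing `*` as a glob is an assumption about how the storage system matches capabilities.

```python
from fnmatch import fnmatchcase

# Capabilities named in the first reply as newly required (copied from the thread).
REQUIRED = [
    "api-cf-get-partner", "api-disk-list-info", "api-fcp-adapter-list-info",
    "api-fcp-get-cfmode", "api-lun-get-vdisk-attributes",
    "api-nfs-exportfs-list-rules", "api-volume-options-list-info",
    "api-lun-move", "api-lun-unmap", "api-lun-online",
]

# Constructed sample: abbreviated role listing in the format posted in the thread.
SAMPLE = """\
Name:    rcu_create_clones
Info:
Allowed Capabilities: login-http-admin,api-system-get-version,api-clone-*,api-lun-list-info,api-cf-status

Name:    rcu_create_datastores
Info:
Allowed Capabilities: api-volume-create,api-nfs-exportfs-list-rules-2,api-lun-map
"""

def parse_roles(text):
    """Return {role_name: [capability, ...]} from 'Name:' / 'Allowed Capabilities:' lines."""
    roles, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Name":
            current = value.strip()
            roles[current] = []
        elif key == "Allowed Capabilities" and current is not None:
            roles[current] += [c.strip() for c in value.split(",") if c.strip()]
    return roles

def granted(capability, patterns):
    """True if a granted entry covers the capability (assumption: '*' acts as a glob)."""
    return any(fnmatchcase(capability, p) for p in patterns)

def missing_capabilities(roles, user_roles, required=REQUIRED):
    """Required capabilities not covered by the union of the user's roles."""
    have = [c for r in user_roles for c in roles.get(r, [])]
    return [c for c in required if not granted(c, have)]

def broad_grants(roles):
    """Wildcard grants per role, worth a look when reviewing least privilege."""
    found = {r: [c for c in caps if "*" in c] for r, caps in roles.items()}
    return {r: caps for r, caps in found.items() if caps}

if __name__ == "__main__":
    roles = parse_roles(SAMPLE)
    print("missing:", missing_capabilities(roles, ["rcu_create_clones", "rcu_create_datastores"]))
    print("wildcards:", broad_grants(roles))
```

Note that `api-nfs-exportfs-list-rules-2` in the sample does not satisfy `api-nfs-exportfs-list-rules`: the comparison is on the exact name unless the granted entry contains a wildcard.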
