VMware Solutions Discussions

Restrict access to VSC

terryzolinski
7,793 Views

I am looking for a way to restrict access to VSC from the VCenter client. Currently anyone who has access to Vcenter can simply go to Home in Vcenter and click the Netapp icon. Thus allowing them to have full-reign on the Netapp integration portion. Obviously I don't want this.

Is there a way to block this? I haven't had any luck searching the forums. I did find one post on VMware forums regarding IPSec blocking, but I would rather not get into that. There has to be a cleaner option.

Thanks in advance!

17 REPLIES 17

sharmas
7,753 Views

The KB here https://kb.netapp.com/support/index?page=content&id=1013627 should help you. You'll need a NetApp NOW/Support site login to view this.

terryzolinski
7,753 Views

Thank you for your reply. The KB you mention is one that I have followed. It provides guidelines on how to allow VSC to only have access to the portions of VCenter it needs to carry out Netapp functions in VCenter. What it doesn't explain is how to restrict access to the Netapp portion itself.

Currently I have a user who has read-only permissions in Vcenter, they can't do anything other than view. However they have full-control in VSC to do anything they want. I'm not trying to figure out how to limit VSC from having access to VCenter, I'm trying to figure out how to limit Vcenter users from accessing VSC.

sharmas
7,753 Views

I understand that you want the VSC plugin to disappear for some users. While I am not aware of a solution for that, my personal opinion is that it may be something that is not in NetApp's control. VMware should have more control over what gets visible in the VI client.

terryzolinski
7,753 Views

A fair statement, however... Netapp writes it's plug-ins to work with VCenter, it's a value-added product. You can't stick this Netapp plug-in into Vmware's product, then turn around and put the onus on VMware to lock it down. Netapp is adding this function, therefore Netapp should put a solution in place to lock it down. As far as Vmware is concerned, most of their customers may never need to do this, so why would they put forth an effort to fix it? You could speak globally of all vendor's plug-ins, but again I'm sure the vendors are doing something to lock down their own product.

Then there's also the fact if I posted this question on Vmware, I would get the same response you are giving me, "it's the other guys problem". In fact, here is an example. This guy tried Vmware, I'm trying Netapp. Both of us will get nowhere.

http://communities.vmware.com/thread/310293

Consider this...I use VMware Update Manager. The only systems I can use this feature on are systems where I have specifically installed the plug-in. At the very least I can prevent access by not exposing the plug-in installer. I can't even do this with VSC. Any computer I install the VI Client on has the Netapp Plug-in right there and anyone can access, I literally have no control over who gets the plug-in. I would say that's a Netapp issue in the way the plug-in is installed. If my team couldn't see the plug-in, that would be a very large step toward achieving what I want.

We could go back and forth all day on this, however I feel Netapp should be the ones to deal with it.

If you aren't aware of a solution, then I will open a case and if I get a solution, I will post it here.

Thank you for making an effort.

sharmas
7,753 Views

VSC is a server side plugin where as VUM is client side which requires VUM to be installed on every client. Both deployment models have their pros and cons. You could disable a plugin in the VI client but that may not be enough for what you are looking at. A support case will help justify filing of a RFE. I hope VMware could introduce security roles capable of preventing exposure of the plugins to users (not sure if they already have them).

Thanks..

terryzolinski
7,753 Views

I've just come to realize that there are VSC roles I can create related to Provisioning and Cloning, however the Backup and Recovery tab is wide-open. So it would appear that Netapp has actually taken a step to lock this down, but the Backup jobs are still wide open for anyone to access. Even someone who has read-only.

Do you know if any improvements have been made in VSC 4 that might improve this? I plan on upgrading, but if these issues are solved I will fast track it.

Thank you

sstretchh
7,753 Views

We are running into the exact same problem. We have certain administrators we only want to be able to access some VM's but they are NOT allowed to be able to modify the backups. With the netapp tab installed they can edit all the backup schedules, cancel jobs and start a task. Does anyone know of a way to limit this yet ?

During testing of this we only allowed the user to have interaction with console and they still have free rain on the netapp tab.

We are also running VSC 4

DEVANSCHEL
7,753 Views

I too would like to know if there is any way to restrict access to the VSC console.  It seems dangerous to leave the Backup and Recovery portion of the console wide open to any user who has access to vCenter through the vSphere Console.

Thanks.

cbr1000xhonda
7,753 Views

I recently upgraded to VSC v 4.1 from 2.1.2 and we're using vSphere v5.0.0 and it appears NetApp has at least added a privilage section within the vSphere Roles called 'NetApp Virtual Storage Console' with a checkbox to lock down their new 'Optimization and Migration' features unlocked in v4.1 but even if you don't select that as a permission level for a read-only type role, the users in that vSphere role can still access the VSC plug-in with essentially administrator privilages as the thread states from everyone above.  Why they didn't include a checkbox for access to the plug-in all together I have no idea, maybe it's in their next release of VSC...  I'm actively searching for a resolution to this issue as it's directly affecting our Org as well, if I find anything i'll post it...

schrie
7,680 Views

Because of the features and functionality changes between versions, there is a separate RBAC KB for each of the releases of VSC, the link above is specifically for VSC 4.0, and many of the privileges required for VSC 4.1 are not included

Please link to https://kb.netapp.com/support/index?page=content&id=1013941 for specifics for RBAC in VSC 4.1; this KB also includes a link to a developer created "Username Creator for VSC",  by one of our leading VSC developers, which creates users for Data ONTAP with the privilege level required for the specified VSC RBAC (https://communities.netapp.com/docs/DOC-19074/) instead of having to create them manually.

For the secondary note regarding admin privileges for Optimization and Migration and lockdown from standard users, you can lock down specific functionality for specified groups or restrict use to a group by selecting objects within vCenter and providing specific access restrictions.  Additonally, the developers are working on providing even stricter and more granular controls for the next release of VSC, providing a more comprehensive selection of RBAC within vCenter, clustered ONTAP, and 7-mode ONTAP.

mladen_zecevic
7,680 Views

I solved the problem by blocking the VSC tcp port on the firewall. Maybe that could work for you until Netapp releases a version that supports granular permissions for the Backup&Recovery part of VSC.


Regards,

Mladen

datacenterdude
7,680 Views

Just to give everyone an update on this long-standing hot topic of RBAC....

BIG things are right around the corner.   We're going to give you a "View" privilege in your native vSphere privileges (think show/hide VSC), along with granular privs for most tasks of each of the functional areas within the VSC itself.

More on this very soon!

neilwilson
7,680 Views

Is there an ETA on when the next version of VSC will be available with RBAC?

We would like to install it in our environment, but the lack of ability to restrict access to it for other vsphere users is a deal breaker.

Cheers

Neil.

mlisa
7,680 Views

The next version of VSC - 4.2 - with ONTAP and vCenter RBAC for all VSC features - will be available 2QCY2013.  However, there will be a Beta Program in early March that will allow you to test-drive the new RBAC capability and provide us feedback!  Stay tuned ... we'll announce the Beta on the NetApp Communities soon ...

schrie
7,680 Views

FYI for everyone on this thread -

VSC 4.2 is now available and you can leverage the embedded vCenter canned roles or create your own for vCenter access restrictions - as well as restrict ONTAP by leveraging the RBAC User Creator Tool.

jcbettinelli
6,137 Views

Hello,

As far as I know, we only have to add controllers from the "Monitoring and Host Configuration" tab in VSC 4.2. The same credentials will be used for all modules.

Can we use different credentials for the different modules (not same capability between modules?

On of my customer is having issues with the required rights, and he wanted to remove the controller and add it again with the new credentials.

But he's getting the following message when trying to do that:

Reading this, I would think that it could affect the luns or the datastores if we remove the controller in VSC.

Is it right, or could we go ahead without risk?

Thank you in advance,

Jean-Christophe

schrie
6,137 Views

Instead of having to remove the controller, they can right-click on it and choose "Modify Credentials" to change the account used to authenticate to ONTAP from VSC.

Public