rvanderp3/vsphere-priv-check
vsphere-priv-check

Overview

Validating the privileges of a user can be challenging. This project provides a quick way to verify that the user account assigned for installation of an OpenShift cluster holds the required privileges. The set of required privileges this tool checks is taken from the OpenShift documentation section Required vCenter account privileges.

Building

  1. Set up a Go environment
  2. Build the binary:
./hack/build.sh

Usage

This tool requires that an account with administrator privileges be provided. That account is used to verify the privileges of the account defined in install-config.yaml. To define the administrator account:

export VCENTER_USERNAME=admin@your.domain
export VCENTER_PASSWORD=yourpassword

The install-config.yaml to be used for the installation must be present in the working directory of this tool. Information such as target datastore, data center, username, and network are all derived from this file.

To run the tool:

$ ./bin/vsphere-priv-check
OpenShift vSphere Pre-Flight Permissions Validator

2021/08/10 13:39:41 checking permissions for user test@vsphere.local

2021/08/10 13:39:41 error while validating required privileges:

*** Missing Privileges ***
vSphere object: vSphere vCenter Datacenter
Resource.AssignVMToPool, VApp.Import, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.AdvancedConfig, VirtualMachine.Config.Annotation, VirtualMachine.Config.CPUCount, VirtualMachine.Config.DiskExtend, VirtualMachine.Config.DiskLease, VirtualMachine.Config.EditDevice, VirtualMachine.Config.Memory, VirtualMachine.Config.RemoveDisk, VirtualMachine.Config.Rename, VirtualMachine.Config.ResetGuestInfo, VirtualMachine.Config.Resource, VirtualMachine.Config.Settings, VirtualMachine.Config.UpgradeVirtualHardware, VirtualMachine.Interact.GuestControl, VirtualMachine.Interact.PowerOff, VirtualMachine.Interact.PowerOn, VirtualMachine.Interact.Reset, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.CreateFromExisting, VirtualMachine.Inventory.Delete, VirtualMachine.Provisioning.Clone, Folder.Create, Folder.Delete

Checking Folder Permissions

Checking user privileges on a folder is harder than on other objects, because privileges on a folder can't be validated until the folder exists. Additionally, the privileges needed to create a folder are granted on the vSphere vCenter Datacenter, not on the folder itself.

If privileges on a preexisting folder are to be checked (e.g. installing into an existing folder, or creating a UPI MachineSet that places machines in an existing folder), the folder can be checked by running:

./bin/vsphere-priv-check --check-folder=vcentertest-24lrs

TO-DO

  • Privilege propagation is currently not role aware; logic still needs to be added to check roles when privileges are inherited through propagation. All other aspects of these checks are role aware, because the vCenter API does the work of calculating the available privileges.
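To make the folder and propagation behaviour described above concrete, here is an added Go example that is not part of this project's code. It models a tiny vSphere inventory (a Datacenter with a VM folder beneath it), vCenter permissions with their "propagate to children" flag, and the vCenter rule that a permission set directly on a child overrides one propagated from a parent. It then diffs the user's effective privileges on an object against a required list and renders the result in the same shape as the tool's "Missing Privileges" output. The role names, permission assignments and required lists are constructed for the example; the model covers a single user principal and ignores group membership.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Permission models one vCenter permission entry: a principal granted a role
// on an inventory object, optionally propagating to child objects.
type Permission struct {
	Principal string
	Role      string
	Propagate bool
}

// Entity is a node in a (much simplified) vSphere inventory tree.
type Entity struct {
	Name        string
	Parent      *Entity
	Permissions []Permission
}

// Roles maps a role name to the privilege IDs it grants.
type Roles map[string][]string

// EffectivePrivileges walks from the entity up to the root. At each level,
// permissions for the principal apply if they are set directly on the entity
// or were created with Propagate=true on an ancestor. Following vCenter's
// rule, the nearest applicable permission wins: once a level grants the
// principal anything, permissions further up are not merged in.
func EffectivePrivileges(e *Entity, principal string, roles Roles) map[string]bool {
	have := map[string]bool{}
	for node, direct := e, true; node != nil; node, direct = node.Parent, false {
		found := false
		for _, p := range node.Permissions {
			if p.Principal != principal || (!direct && !p.Propagate) {
				continue
			}
			found = true
			for _, priv := range roles[p.Role] {
				have[priv] = true
			}
		}
		if found {
			break
		}
	}
	return have
}

// MissingPrivileges returns the sorted subset of required privileges the
// principal lacks on the entity.
func MissingPrivileges(e *Entity, principal string, roles Roles, required []string) []string {
	have := EffectivePrivileges(e, principal, roles)
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing
}

// Report renders the missing set in the same layout the tool prints.
// An empty string means the principal has everything required.
func Report(objectName string, missing []string) string {
	if len(missing) == 0 {
		return ""
	}
	return fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n",
		objectName, strings.Join(missing, ", "))
}

// BuildSampleInventory constructs a hypothetical inventory for the example:
// a Datacenter holding a preexisting VM folder. Role names and assignments
// are made up; the datacenter permission deliberately does not propagate.
func BuildSampleInventory() (dc, folder *Entity, roles Roles) {
	roles = Roles{
		"ocp-datacenter": {"Folder.Create", "Folder.Delete", "VirtualMachine.Inventory.Create"},
		"ocp-folder":     {"VirtualMachine.Inventory.Create", "VirtualMachine.Provisioning.Clone"},
	}
	dc = &Entity{Name: "vSphere vCenter Datacenter", Permissions: []Permission{
		{Principal: "test@vsphere.local", Role: "ocp-datacenter", Propagate: false},
	}}
	folder = &Entity{Name: "vcentertest-24lrs", Parent: dc, Permissions: []Permission{
		{Principal: "test@vsphere.local", Role: "ocp-folder", Propagate: true},
	}}
	return dc, folder, roles
}

func main() {
	dc, folder, roles := BuildSampleInventory()
	user := "test@vsphere.local"
	dcRequired := []string{"Folder.Create", "Folder.Delete", "VirtualMachine.Inventory.Create", "VApp.Import"}
	folderRequired := []string{"VirtualMachine.Inventory.Create", "VirtualMachine.Provisioning.Clone", "Folder.Create"}
	fmt.Print(Report(dc.Name, MissingPrivileges(dc, user, roles, dcRequired)))
	fmt.Print(Report(folder.Name, MissingPrivileges(folder, user, roles, folderRequired)))
}
```

Running it reports VApp.Import missing on the Datacenter and Folder.Create missing on the folder: the folder role never granted Folder.Create, and the Datacenter permission that does grant it was created without propagation, so it stops at the Datacenter. Flipping that permission's Propagate flag makes child objects that have no direct permission inherit it, which is exactly the case the TO-DO item above says the tool does not yet evaluate per role.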