Preflight validation of vsphere creds for required perms #2744
Comments
This example may help understand how users, groups and roles might all be associated with each other, but I am not sure if it applies to our use case.
Based on my research so far we can implement this ticket but the check will require admin credentials. We can view the roles associated with an object using:
You can ignore inherited roles using the
This gives the information we need about a particular object's associated roles. We can check that roles privileges with
However, the only way I have found to establish which roles a user is associated to is with
But this command requires a user have the Administrator role. I'm trying to determine if lower levels of access may be able to run this command but haven't found any yet.
I timeboxed some additional exploration to determine if it is possible to list a user's groups without the Administrator role and have not come up with anything. I'm waiting on a response to a discussion item I filed, but I don't expect much to come of it. As a side note, govc appears to provide the functionality we would need to automatically generate the user with appropriate roles and permissions.
After looking further into govmomi and the vSphere API based on @vivek-koppuru's recommendation I was able to find an API method that provides a list of privileges for a particular user on a list of entities without requiring an admin role: I found a corresponding client method in govmomi here. As discussed in standup I'm adding govmomi as an explicit project dependency so we can use this functionality.
Sounds good!
I think it would be a fine option to depend on govmomi only for this and then put an upstream PR to add it to govc, and then for us to change it back. But yeah, that can be part of the revisiting @g-gaston is suggesting above.
Sure thing 👍 Here's a ticket: #2853. If there are any labels, etc. I should apply please let me know.
@jonathanmeier5 you can just follow https://github.com/aws/eks-anywhere/blob/main/docs/developer/issues.md let me know if you have any questions :)
Completed in #2907. |
Currently users need to add the following permissions to their users/roles when creating an EKS-A cluster:
https://anywhere.eks.amazonaws.com/docs/reference/vsphere/vsphere-preparation/

However, we currently don't have robust validations on whether the user they provide has the appropriate permissions that we are asking for in the documentation.

`govc` has a few commands that would help be able to do this programmatically. Here are the usage instructions for govc: https://github.com/vmware/govmomi/blob/master/govc/USAGE.md

The list of permissions we ask for above can be turned into a list that we can check for by running the `govc role.ls` command, which would list out all the applicable permissions defined for the role. It is described differently through the cli as follows:

If described as the following in the documentation:

It translates to the following in the permissions list for the cli (running the command for an `Admin` user should list all the possible values, and we might have to map them accordingly to the documentation):

There are also the `permissions.ls` command and the `sso.user.ls` command that might list out what roles are associated with the user; however, the documentation on the usage is sparse, so we need to see if the `permissions.ls` command supports the `-principal` flag and if `sso.user.ls` supports listing permissions based on passing in the name of the user.
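The preflight check the issue asks for, and the per-user, per-entity privilege listing the govmomi comment above found, both reduce to the same comparison: the privilege IDs the user actually holds on each vSphere object versus the IDs the documentation requires. The Go block below is an added example, not code from the eks-anywhere project or from govmomi. It assumes a result type of the same shape as govmomi's per-entity user-privilege result (entity plus a list of privilege ID strings) and a required-privilege map keyed by entity; the privilege IDs used are real vSphere IDs, but the required set and the sample results are constructed for illustration, not the list from the EKS-A documentation. It reports every missing privilege per entity (treating an entity the user has no permission on at all as missing everything) so the failure is actionable before any cluster resource is created.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UserPrivilegeResult mirrors the shape of the per-entity result the vSphere
// AuthorizationManager returns for a user (assumed here; govmomi exposes it as
// types.UserPrivilegeResult). Entity is the managed object's name and
// Privileges the privilege IDs the user holds on it.
type UserPrivilegeResult struct {
	Entity     string
	Privileges []string
}

// Required maps an entity name to the privilege IDs the user must hold on it.
type Required map[string][]string

// MissingPrivileges returns, per entity, the required privilege IDs the user
// does not hold. Entities with no gaps are omitted from the result. An entity
// absent from results is treated as granting nothing, so every required
// privilege on it is reported. Comparison is exact: vSphere IDs are
// case-sensitive.
func MissingPrivileges(req Required, results []UserPrivilegeResult) map[string][]string {
	held := make(map[string]map[string]bool, len(results))
	for _, r := range results {
		set := make(map[string]bool, len(r.Privileges))
		for _, p := range r.Privileges {
			set[p] = true
		}
		held[r.Entity] = set
	}
	missing := map[string][]string{}
	for entity, privs := range req {
		for _, p := range privs {
			if !held[entity][p] { // indexing a nil inner map yields false
				missing[entity] = append(missing[entity], p)
			}
		}
		sort.Strings(missing[entity]) // stable output for error messages and tests
	}
	return missing
}

// ValidatePreflight turns the gaps into a single error listing every entity
// and privilege that is missing, so the caller can fail fast. It returns nil
// when the user holds every required privilege.
func ValidatePreflight(req Required, results []UserPrivilegeResult) error {
	missing := MissingPrivileges(req, results)
	if len(missing) == 0 {
		return nil
	}
	entities := make([]string, 0, len(missing))
	for e := range missing {
		entities = append(entities, e)
	}
	sort.Strings(entities)
	var b strings.Builder
	b.WriteString("vsphere user is missing required privileges:")
	for _, e := range entities {
		fmt.Fprintf(&b, "\n  %s: %s", e, strings.Join(missing[e], ", "))
	}
	return errors.New(b.String())
}

func main() {
	// Constructed required set: real vSphere privilege IDs, but not the
	// EKS-A documentation's list.
	required := Required{
		"datastore1": {"Datastore.AllocateSpace", "Datastore.Browse", "Datastore.FileManagement"},
		"vm-folder":  {"Folder.Create", "VirtualMachine.Inventory.Create"},
		"network1":   {"Network.Assign"},
	}
	// Constructed results standing in for what the per-user privilege query
	// would return; the user has no permission on network1 at all.
	results := []UserPrivilegeResult{
		{Entity: "datastore1", Privileges: []string{"System.View", "Datastore.AllocateSpace", "Datastore.Browse"}},
		{Entity: "vm-folder", Privileges: []string{"System.View", "Folder.Create", "VirtualMachine.Inventory.Create"}},
	}
	if err := ValidatePreflight(required, results); err != nil {
		fmt.Println(err)
	}
}
```

Running `main` prints the datastore1 gap (`Datastore.FileManagement`) and the whole of network1's requirement; vm-folder does not appear because nothing is missing there. Because the check compares privilege IDs rather than role names, it does not need to know which roles the user is a member of, which is exactly the admin-only lookup the comments above could not find a way around.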