November 19th, 2012 01:00

ESXi Inventory with readonly user

Hi,

Is there any way to use a lower privilege user for inventory of ESXi hosts using the ESXi OMSA client with WSMan credentials?

Currently, when doing a discovery through the primary NICs, we're having to put in ESXi console root credentials, not our preferred method.  I've tried creating a readonly user on the ESXi host but when I use these new credentials for WSMan in the discovery range in place of the root ones they don't work.  Any ideas anyone?

(PS this is for discovery of the ESXi primary network NICs, not the iDRAC connected NIC.)

327 Posts

November 19th, 2012 15:00

One more article on configuring users in Server administrator:

support.dell.com/.../esxi5_ts.pdf

327 Posts

November 19th, 2012 15:00

You may have to refer to OMSA user guide. Here is a link to OMSA 6.5 user guide:

support.dell.com/.../OMSA_ug.pdf

Page 24 (Section: Creating Server Administrator Users for VMware ESX 4.X and ESXi 4.X) has info on configuring Server Administrator users. Not sure how much of it is helpful.

Thanks,

Raj Shresta

26 Posts

November 29th, 2012 07:00

Hi, thanks for that. The manuals don't refer to creating service accounts with the principle of least privilege.  I've done some testing, so for everyone else's benefit...

The best method is to create a console user on the ESXi host, add this to the root users group but only assign it a read-only role for the host. This ensures OpenManage has enough rights to scrape the inventory using the read-only credentials for WSMan.

5 Posts

October 28th, 2014 09:00

I tried this but in my 5.5 environment I don't have a root group, or any other groups for that matter.  I gave the user shell access then put it in a read-only role and in OME I get an 'unknown' health status.  If I change my WS-Man config to the root user, I get a healthy status.  There has to be a way to set this up with a non-root account.

2.8K Posts

October 30th, 2014 09:00

Hi and thanks for the question.

I think you either have to use a root account or a user account in root group. Just a read only account which is not in root group may not work.

Thanks much,

Rob

delltechcenter.com/ome

5 Posts

October 31st, 2014 09:00

This seems like a poor design.  Why would I want to give OME root access to my VMware hosts?  Any plans on the roadmap for changing this?

2.8K Posts

October 31st, 2014 14:00

Thanks for the follow up. I'll try to find out more on this.

But I think that for discovery or possibly some of the inventory data we are collecting from the ESXi box VMware requires the elevated privileges.

You can use a different (non root) user most likely. But it must have admin access. This is because we are running WSMan commands to collect the inventory and ESXi would require it.


I found a few other posts searching around. Perhaps there are ways to configure the ESXi side of things to accept accounts with lower permissions(?) Or perhaps there is something we can do on the OME side in a future release. But at least according to these posts, there are some considerations that must be made.

http://virtuallyhyper.com/2012/04/getting-permission-denied-using-netapp-nas-on-esxi/

http://h30499.www3.hp.com/t5/ITRC-HP-Systems-Insight-Manager/HP-SIM-and-ESXi-permissions/td-p/4719711#.VFOzqqMo5lY

Thanks and let me know if your searching comes up with anything else.

Rob

delltechcenter.com/ome

2.8K Posts

November 3rd, 2014 13:00

Found out a little bit more, for what it's worth...

WSMAN (which is the protocol we and others use to get inventory data from ESXi) cannot execute with a read-only account directly.

This ESXi document says to create a service account for CIM service.

There is a blog I found that says even the service account will not work without root access and it is an ESXi issue (again fwiw).
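Since the thread never pins down whether a non-root account is being rejected outright or merely denied the CIM data, here is an added check (example code, not from the thread, Dell or VMware) that sends one CIM_ComputerSystem enumeration to the ESXi WS-Man endpoint with the candidate credentials and reports which of the two it is. It assumes the standard https://<host>/wsman endpoint with HTTP Basic authentication and the DMTF CIM binding (root/cimv2 selected via the __cimnamespace selector), and that a rights failure surfaces as a wsman:AccessDenied SOAP fault; host, account, password and CA file are placeholders you supply.

```python
from urllib import error, request
import base64
import ssl
import uuid
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSEN = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
CIM_CS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem"

def enumerate_request(endpoint, resource_uri=CIM_CS, namespace="root/cimv2"):
    """One WS-Enumeration Enumerate envelope, scoped to a CIM namespace and optimized so instances arrive in the first reply."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" xmlns:wsen="{WSEN}" xmlns:wsman="{WSMAN}">'
        f'<s:Header><wsa:To>{endpoint}</wsa:To>'
        f'<wsa:Action s:mustUnderstand="true">{WSEN}/Enumerate</wsa:Action>'
        f'<wsman:ResourceURI s:mustUnderstand="true">{resource_uri}</wsman:ResourceURI>'
        f'<wsa:MessageID>uuid:{uuid.uuid4()}</wsa:MessageID>'
        f'<wsa:ReplyTo><wsa:Address>{WSA}/role/anonymous</wsa:Address></wsa:ReplyTo>'
        f'<wsman:SelectorSet><wsman:Selector Name="__cimnamespace">{namespace}</wsman:Selector></wsman:SelectorSet>'
        '</s:Header><s:Body><wsen:Enumerate><wsman:OptimizeEnumeration/>'
        '<wsman:MaxElements>50</wsman:MaxElements></wsen:Enumerate></s:Body></s:Envelope>'
    )

def classify(status, body):
    """Verdict from HTTP status + SOAP reply: credentials refused, SOAP fault (authenticated but lacking rights), instances returned, or unexpected."""
    if status == 401:
        return "auth-rejected", "ESXi did not accept the credentials (HTTP 401)"
    root = ET.fromstring(body)  # raises ParseError on a non-XML (e.g. HTML error) body
    fault = root.find(f".//{{{SOAP}}}Fault")
    if fault is not None:
        code = getattr(fault.find(f".//{{{SOAP}}}Subcode/{{{SOAP}}}Value"), "text", None) or "unknown"
        why = getattr(fault.find(f".//{{{SOAP}}}Reason/{{{SOAP}}}Text"), "text", None) or ""
        return ("access-denied" if "AccessDenied" in code else "fault", f"{code}: {why}")
    items = root.find(f".//{{{WSMAN}}}Items")
    return ("ok", f"{len(items)} instance(s) returned") if items is not None else ("error", f"HTTP {status}: no Items or Fault")

def probe(host, user, password, cafile=None):
    """POST one Enumerate to https://<host>/wsman (assumed endpoint) with Basic auth over certificate-verified TLS."""
    endpoint = f"https://{host}/wsman"
    headers = {"Content-Type": "application/soap+xml;charset=UTF-8",
               "Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
    req = request.Request(endpoint, data=enumerate_request(endpoint).encode(), headers=headers)
    try:
        with request.urlopen(req, timeout=20, context=ssl.create_default_context(cafile=cafile)) as resp:
            return classify(resp.status, resp.read().decode())
    except error.HTTPError as err:  # the CIM broker returns SOAP faults with a non-2xx status
        return classify(err.code, err.read().decode())
```

Run probe() once with the read-only account and once with root against the same host; an access-denied verdict for the former shows a server-side authorization limit rather than a wrong password.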