reestr
1 Nickel

ESXi Inventory with readonly user

Hi,

Is there any way to use a lower privilege user for inventory of ESXi hosts using the ESXi OMSA client with WSMan credentials?

Currently, when doing a discovery through the primary NICs, we're having to put in ESXi console root credentials, not our preferred method. I've tried creating a readonly user on the ESXi host but when I use these new credentials for WSMan in the discovery range in place of the root ones they don't work. Any ideas anyone?

(PS this is for discovery of the ESXi primary network NICs, not the iDRAC connected NIC.)

0 Kudos
8 Replies
DELL-Raj S
2 Iron

Re: ESXi Inventory with readonly user

You may have to refer to OMSA user guide. Here is a link to OMSA 6.5 user guide:

support.dell.com/.../OMSA_ug.pdf

Page 24 (Section: Creating Server Administrator Users for VMware ESX 4.X and ESXi 4.X) has info on configuring Server Administrator users. Not sure how much of it is helpful.

Thanks,

Raj Shresta

0 Kudos
DELL-Raj S
2 Iron

Re: ESXi Inventory with readonly user

One more article on configuring users in Server administrator:

support.dell.com/.../esxi5_ts.pdf

0 Kudos
reestr
1 Nickel

Re: ESXi Inventory with readonly user

Hi, thanks for that. The manuals don't refer to creating service accounts with the principle of least privilege. I've done some testing, so for everyone else's benefit...

The best method is to create a console user on the ESXi host, add this to the root users group but only assign it a read-only role for the host. This ensures OpenManage has enough rights to scrape the inventory using the read-only credentials for WSMan.

0 Kudos
adgross
1 Copper

RE: ESXi Inventory with readonly user

I tried this but in my 5.5 environment I don't have a root group, or any other groups for that matter. I gave the user shell access then put it in a read-only role and in OME I get an 'unknown' health status. If I change my WS-Man config to the root user, I get a healthy status. There has to be a way to set this up with a non-root account.

0 Kudos

RE: ESXi Inventory with readonly user

Hi and thanks for the question.

I think you either have to use a root account or a user account in the root group. Just a read-only account which is not in the root group may not work.

Thanks much,

Rob

delltechcenter.com/ome

DELL-Rob C
Social Media Support
#IWork4Dell

0 Kudos
adgross
1 Copper

RE: ESXi Inventory with readonly user

This seems like a poor design.  Why would I want to give OME root access to my VMware hosts?  Any plans on the roadmap for changing this?

0 Kudos

RE: ESXi Inventory with readonly user

Thanks for the follow up. I'll try to find out more on this.

But I think that for discovery or possibly some of the inventory data we are collecting from the ESXi box VMware requires the elevated privileges.

You can use a different (non root) user most likely. But it must have admin access. This is because we are running WSMan commands to collect the inventory and ESXi would require it.


I found a few other posts searching around. Perhaps there are ways to configure the ESXi side of things to accept accounts with lower permissions(?) Or perhaps there is something we can do on the OME side in a future release. But at least according to these posts, there are some considerations that must be made.

http://virtuallyhyper.com/2012/04/getting-permission-denied-using-netapp-nas-on-esxi/


http://h30499.www3.hp.com/t5/ITRC-HP-Systems-Insight-Manager/HP-SIM-and-ESXi-permissions/td-p/4719711#.VFOzqqMo5lY

Thanks and let me know if your searching comes up with anything else.
Rob


delltechcenter.com/ome

DELL-Rob C
Social Media Support
#IWork4Dell

0 Kudos

RE: ESXi Inventory with readonly user

Found out a little bit more, for what it's worth...

WSMAN (which is the protocol we and others use to get inventory data from ESXi) cannot execute with a read-only account directly.

This ESXi document says to create a service account for CIM service.

There is a blog I found that says even the service account will not work without root access and it is an ESXi issue (again fwiw).

DELL-Rob C
Social Media Support
#IWork4Dell

0 Kudos
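The thread boils down to one question: does a given ESXi account have enough rights for the WS-Man/CIM enumeration that OME performs (reestr's read-only-role service account versus Rob's statement that WSMan needs root or root-group access)? The quickest way to settle that for your own hosts is to send the same kind of Enumerate request OME would and look at what comes back. The script below is an added example written for this thread; it is not Dell, OME or VMware code. It assumes ESXi's CIM endpoint is at https://HOST/wsman with HTTP Basic authentication, queries the standard DMTF class CIM_ComputerSystem, and uses two hand-constructed sample responses so the parsing can be exercised offline.

```python
"""Probe whether an ESXi account can read CIM inventory over WS-Man.

Added example (not Dell/OME/VMware code). Assumptions: endpoint is
https://<host>/wsman, auth is HTTP Basic, the queried class is the DMTF
CIM_ComputerSystem, and SAMPLE_OK / SAMPLE_FAULT are constructed by hand.
"""
import base64
import getpass
import ssl
import sys
import urllib.error
import urllib.request
import uuid
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wsen": "http://schemas.xmlsoap.org/ws/2004/09/enumeration",
    "wsman": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd",
}
CIM_SCHEMA = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"


def build_enumerate_request(endpoint, cim_class):
    """Return a WS-Enumeration Enumerate envelope for one CIM class.

    OptimizeEnumeration asks the server to put the first batch of instances
    straight into EnumerateResponse, so a single round trip shows whether
    the account may read the class at all.
    """
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsa="{NS['wsa']}"
  xmlns:wsen="{NS['wsen']}" xmlns:wsman="{NS['wsman']}">
  <s:Header>
    <wsa:To>{endpoint}</wsa:To>
    <wsman:ResourceURI>{CIM_SCHEMA}{cim_class}</wsman:ResourceURI>
    <wsa:Action s:mustUnderstand="true">{NS['wsen']}/Enumerate</wsa:Action>
    <wsa:MessageID>uuid:{uuid.uuid4()}</wsa:MessageID>
    <wsa:ReplyTo><wsa:Address>{NS['wsa']}/role/anonymous</wsa:Address></wsa:ReplyTo>
    <wsman:SelectorSet>
      <wsman:Selector Name="__cimnamespace">root/cimv2</wsman:Selector>
    </wsman:SelectorSet>
  </s:Header>
  <s:Body>
    <wsen:Enumerate>
      <wsman:OptimizeEnumeration/>
      <wsman:MaxElements>50</wsman:MaxElements>
    </wsen:Enumerate>
  </s:Body>
</s:Envelope>"""


def classify_response(status, body):
    """Turn HTTP status + SOAP body into (verdict, details).

    401      -> "denied": the CIM server rejected the credentials outright.
    SOAP Fault -> "fault": credentials accepted, request refused (e.g. an
                  account that exists but lacks rights to the class).
    Items    -> "ok": the account can read inventory; details lists classes.
    """
    if status == 401:
        return ("denied", [])
    root = ET.fromstring(body)
    fault = root.find(".//s:Fault", NS)
    if fault is not None:
        code = fault.findtext(".//s:Subcode/s:Value", default="", namespaces=NS)
        reason = fault.findtext(".//s:Reason/s:Text", default="", namespaces=NS)
        return ("fault", [f"{code}: {reason}".strip(": ")])
    items = root.find(".//wsen:EnumerateResponse/wsman:Items", NS)
    if items is None or len(items) == 0:
        return ("empty", [])
    # Element tags look like "{namespace}CIM_ComputerSystem"; keep the local name.
    return ("ok", [child.tag.split("}")[-1] for child in items])


def probe(host, user, password, cim_class="CIM_ComputerSystem"):
    """POST one Enumerate to the host as `user` and classify the answer."""
    endpoint = f"https://{host}/wsman"
    req = urllib.request.Request(
        endpoint, data=build_enumerate_request(endpoint, cim_class).encode(), method="POST")
    req.add_header("Content-Type", "application/soap+xml;charset=UTF-8")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()  # verifies the host certificate; add the lab CA instead of disabling this
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 401 and SOAP faults arrive as HTTP errors
        return classify_response(err.code, err.read())


# Constructed sample responses (not captured from a real host) for offline checks.
SAMPLE_OK = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
 xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
 xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem">
 <s:Body><wsen:EnumerateResponse><wsen:EnumerationContext/>
  <wsman:Items><p:CIM_ComputerSystem><p:Name>esxi-lab-01</p:Name></p:CIM_ComputerSystem></wsman:Items>
  <wsman:EndOfSequence/></wsen:EnumerateResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"><s:Body><s:Fault>
 <s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value>wsman:AccessDenied</s:Value></s:Subcode></s:Code>
 <s:Reason><s:Text xml:lang="en">The sender was not authorized to access the resource.</s:Text></s:Reason>
 </s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wsman_probe.py HOST USER   (password is prompted)")
    print(probe(sys.argv[1], sys.argv[2], getpass.getpass("password: ")))
```

Run it once with the candidate service account and once with root: if the service account gets "denied" or a "wsman:AccessDenied" fault where root gets "ok", the limitation is on the ESXi CIM side, as Rob describes, and no OME setting will change it. Keep TLS verification on and import the host's CA into the trust store rather than turning the check off, since the request carries the credentials in a Basic header.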