Full list of required rights #139

Open
mgaruccio opened this issue Oct 24, 2018 · 16 comments

Comments

@mgaruccio
Contributor

mgaruccio commented Oct 24, 2018

I am trying to set up a role with the minimum required privileges for the CSE service, per the list of roles and rights in the documentation, and am having a bit of trouble. If I run the install with a system administrator account it works fine, but if I attempt it with the limited account it fails. I was able to get through the first error by adding the Extensions: View permission, but I am now getting the error below when trying to run the install.

Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Traceback (most recent call last):
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1116, in get_linked_resource
    return self.get_resource(find_link(resource, rel, media_type).href)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
    raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.MissingLinkException: ('https://vcd-rc.expedient.com/api/admin/extension', <EnumValue: RelationType.DOWN [value=down]>, 'application/vnd.vmware.admin.vmwVimServerReferences+xml'); href: https://vcd-rc.expedient.com/api/admin/extension, rel: RelationType.DOWN, mediaType: application/vnd.vmware.admin.vmwVimServerReferences+xml

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/expedient/.local/bin/cse", line 11, in <module>
    sys.exit(cli())
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/cse.py", line 206, in install
    amqp_install, ext_install)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 311, in install_cse
    check_config(config_file_name)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 234, in check_config
    for vc in platform.list_vcenters():
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/platform.py", line 65, in list_vcenters
    EntityType.VIM_SERVER_REFS.value)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1119, in get_linked_resource
    "Operation is not supported").with_traceback(e.__traceback__)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1116, in get_linked_resource
    return self.get_resource(find_link(resource, rel, media_type).href)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
    raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.OperationNotSupportedException: Operation is not supported

@mgaruccio
Contributor Author

mgaruccio commented Oct 24, 2018

Got through that error by adding the vSphere Server: View right; now receiving the error below.

[expedient@localhost ~]$ cse install --config config.yaml
Validating CSE on vCD from file: config.yaml
Python version >= 3.6 (installed: 3.6.5): success
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to AMQP server (pit-vcd-mq0.provider.local:5672): success
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Connected to vCenter Server PIT-VCSA01 as administrator (pit-vcsa01.provider.local:443): success
Installing CSE on vCD from file: config.yaml, template: *
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director as system administrator (vcd-rc.expedient.com:443): success
Installing  'default' service broker
Find org 'cse': success
Traceback (most recent call last):
  File "/home/expedient/.local/bin/cse", line 11, in <module>
    sys.exit(cli())
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/cse.py", line 206, in install
    amqp_install, ext_install)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 334, in install_cse
    vdc_resource = org.get_vdc(config['broker']['vdc'])
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/org.py", line 1537, in get_vdc
    return self.client.get_resource(link.href)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1099, in get_resource
    'GET', uri, objectify_results=objectify_results)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 861, in _do_request
    response), _objectify_response(response, objectify_results))
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 898, in _response_code_to_exception
    raise InternalServerException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.InternalServerException: Status code: 500/INTERNAL_SERVER_ERROR, [ 170d9812-a6e2-4180-a6b1-c7fe217d873c ] com.vmware.vcloud.api.presentation.entity.vdc.UserVdcSpec cannot be cast to com.vmware.vcloud.api.presentation.entity.vdc.VdcSpec (request id: 170d9812-a6e2-4180-a6b1-c7fe217d873c)

@mgaruccio
Contributor Author

That error is solved by adding the Organization vDC: Extended View permission, which now allows the template upload to start before generating an error.

Find source ova 'photon-custom-hw11-2.0-304b817.ova': success
Traceback (most recent call last):
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 371, in install_cse
    catalog, no_capture, template, ssh_key)
  File "/home/expedient/.local/lib/python3.6/site-packages/container_service_extension/config.py", line 470, in create_template
    records = list(q.execute())
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1454, in execute
    return self._iterator(self._client.get_resource(query_uri))
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1099, in get_resource
    'GET', uri, objectify_results=objectify_results)
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 861, in _do_request
    response), _objectify_response(response, objectify_results))
  File "/home/expedient/.local/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 872, in _response_code_to_exception
    raise AccessForbiddenException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.AccessForbiddenException: Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ 77ad20b0-5c88-40be-b9e3-4219c4c0a50c ] This operation is denied. (request id: 77ad20b0-5c88-40be-b9e3-4219c4c0a50c)

@mgaruccio
Contributor Author

The above is still failing, but I've identified /query?type=adminCatalogItem as the REST call that is getting access denied; attempting to work out which Right provides that ability now.

@sompa
Contributor

sompa commented Oct 24, 2018

Hi @mgaruccio
Please ensure that your limited account has the following rights.
Minimum roles and (admin-view) rights required for the service account (subject to change with new vCD versions):

Catalog Author (Role)
vApp Author (Role)
vApp User (Role)
vCenter: View (Right)
vCenter: Refresh (Right)
vCenter: Open in vSphere (Right)
Task: View Tasks (Right)
Task: Update (Right)
Task: Resume, Abort, or Fail (Right)
Catalog Item: Add to My Cloud (Right)
Catalog Item: Create/Upload a vApp Template/Media (Right)
Catalog Item: View vApp Templates/Media (Right)
Catalog Item: Copy/Move a vApp Template/Media (Right)
General: Administrator View (Right)
Organization VDC: View Organization VDCs (Right)
Organization VDC Network: View Properties (Right)
Organization: View Organizations (Right)

Let us know if adding this list of rights resolves the problem. Please refer to the documentation here for more information: https://vmware.github.io/container-service-extension/#sysadmin

@mgaruccio
Contributor Author

mgaruccio commented Oct 24, 2018

Those are all configured, with the exception of the "Catalog Item" rights, which don't seem to exist in the current release of 9.5. However, I did confirm that a user with full System Administrator rights is able to successfully deploy CSE and does not have those rights listed. Current rights for the account are:

vApp: Edit VM Hard Disk
vApp: Create / Reconfigure
vApp Template / Media: Edit
vApp Template / Media: Copy
Organization vDC: Extended View
vApp Template: Change Owner
Catalog: Publish
Organization vDC: VM-VM Affinity Edit
General: Administrator View
Catalog: CLSP Publish Subscribe
Catalog: Sharing
Catalog: View Published Catalogs
vApp: Sharing
Organization: View
vSphere Server: View
vApp Template / Media: View
Disk: Edit Properties
vApp: Snapshot Operations
Disk: View Properties
Organization vDC Compute Policy: View
Catalog: View Private and Shared Catalogs
UI Plugins: View
Task: Update
vCenter: Open in vSphere
Disk: Delete
vApp: Edit Properties
Catalog: Edit Properties
Disk: Create
vApp: Delete
vApp: Power Operations
Catalog: Add vApp from My Cloud
Organization vDC: View
vApp: Copy
vApp: View VM metrics
vApp: VM Boot Options
vApp Template: Download
Task: View Tasks
vCenter: Refresh
vApp: Use Console
Organization vDC Network: View Properties
Task: Resume, Abort, or Fail
Catalog: Create / Delete a Catalog
Disk: Change Owner
vApp: View ACL
vCenter: View
vApp: Upload
vApp: Manage VM Password Settings
vApp Template: Checkout
vApp: Download
vApp: Edit VM CPU
vApp: Edit VM Memory
Extensions: View
Catalog: View ACL
vApp Template / Media: Create / Upload
VAPP_VM_METADATA_TO_VCENTER
vApp: Edit VM Properties
vApp: Edit VM Network

@sompa
Contributor

sompa commented Oct 24, 2018

The names of rights have possibly been renamed in the new release. If you have figured out the minimum rights needed to install CSE, could you post them here? We will update the documentation soon for the latest vCD version 9.5.
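The rename problem raised here (the documented "Catalog Item: …" names versus the "vApp Template / Media: …" names exported from 9.5, and "vCenter: View" versus "vSphere Server: View" earlier in the thread) is easy to check mechanically. The script below is an added example, not CSE's or pyvcloud's own tooling: it compares a required-rights list against the rights actually granted to a role, reports the exact gap, and for each missing right ranks the granted-but-unrequired rights by word overlap so that a renamed right shows up as the obvious candidate. The two lists are constructed excerpts of the documented list and the 9.5 export posted above, not the full lists.

```python
"""Check a service-account role against a required-rights list and flag likely renames.

Added example, not CSE's own code. REQUIRED and GRANTED are constructed excerpts:
REQUIRED uses the right names from the documented list posted in this thread,
GRANTED the names as exported from the vCD 9.5 role posted in this thread.
"""
import re

REQUIRED = [  # documented minimum (excerpt, older right names)
    "vCenter: View",
    "vCenter: Refresh",
    "Task: View Tasks",
    "Catalog Item: View vApp Templates/Media",
    "Catalog Item: Create/Upload a vApp Template/Media",
    "General: Administrator View",
    "Organization: View Organizations",
    "Organization VDC: View Organization VDCs",
]

GRANTED = [  # role export from vCD 9.5 (excerpt, current right names)
    "vCenter: View",
    "vCenter: Refresh",
    "Task: View Tasks",
    "vApp Template / Media: View",
    "vApp Template / Media: Create / Upload",
    "General: Administrator View",
    "Organization: View",
    "Organization vDC: View",
    "Organization vDC: Extended View",
    "Extensions: View",
]

STOPWORDS = {"a", "an", "the", "or", "and"}


def key(name: str) -> str:
    """Exact-match key: case and whitespace differences are not renames."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def tokens(name: str) -> frozenset:
    """Bag of words with crude singularisation, so 'Templates/Media' ~ 'Template / Media'."""
    words = re.findall(r"[a-z0-9]+", name.casefold())
    return frozenset(w[:-1] if len(w) > 3 and w.endswith("s") else w
                     for w in words if w not in STOPWORDS)


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of the two token sets (1.0 = same words)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def rights_gap(required, granted) -> dict:
    """Rights required but not granted (exact match), and granted but not required."""
    have = {key(g) for g in granted}
    need = {key(r) for r in required}
    return {
        "missing": [r for r in required if key(r) not in have],
        "extra": [g for g in granted if key(g) not in need],
    }


def suggest_renames(missing, extra, top=2) -> dict:
    """For each missing right, the closest-named rights that are granted but not required."""
    out = {}
    for r in missing:
        ranked = sorted(((similarity(r, g), g) for g in extra), reverse=True)
        out[r] = [(g, round(s, 2)) for s, g in ranked[:top] if s > 0]
    return out


def report(required, granted) -> str:
    """Human-readable gap report: one line per missing right with rename candidates."""
    gap = rights_gap(required, granted)
    lines = []
    for r in gap["missing"]:
        cands = suggest_renames([r], gap["extra"])[r]
        hint = ", ".join(f"{g} ({s})" for g, s in cands) or "no similar right granted"
        lines.append(f"MISSING {r!r}; closest granted: {hint}")
    return "\n".join(lines) if lines else "all required rights granted"


if __name__ == "__main__":
    print(report(REQUIRED, GRANTED))
```

A candidate scoring 1.0 (same words, different spelling or casing) is almost certainly a rename and can be accepted; anything lower is only a lead, and the real test is still the install run, since a missing right surfaces as a 403 on a specific REST call.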

@mgaruccio
Contributor Author

I'm still trying to determine the minimum rights. Is there anyone at VMware who can tell me which right is required to reach the /query?type=adminCatalogItem endpoint? That's the call the process is currently stuck on.

@mgaruccio
Contributor Author

mgaruccio commented Oct 25, 2018

Ok, so the missing right there was Organization: Perform Administrator Queries, which has been added, but now we are failing on a different portion of the create_template() call; trying to find that right now.

@sompa
Contributor

sompa commented Oct 29, 2018

@mgaruccio Were you able to get through the create_template() call? Just wanted to follow up on that.

@mgaruccio
Contributor Author

No, I'm still trying to narrow down the correct set of permissions. Currently it's failing when trying to access the vApp template.

@harshneelmore
Contributor

Hi @mgaruccio
I was able to narrow down on the minimum list of Rights for installing CSE. I will be revising the list again to see if any additional rights can be removed.
Following are the minimum rights I have so far.

Catalog: Add vApp from My Cloud
Catalog: CLSP Publish Subscribe
Catalog: Create / Delete a Catalog
Catalog: Edit Properties
Catalog: Import Media from vSphere
Catalog: Publish
Catalog: Sharing
Catalog: View ACL
Catalog: View Private and Shared Catalogs
Catalog: View Published Catalogs
Cell Configuration: View
Disk: Change Owner
Disk: Create
Disk: Delete
Disk: Edit Properties
Disk: View Properties
General: Administrator View
General: View Error Details
Host: View
Organization Default Settings: View default settings for new Organizations.
Organization Network: Open in vSphere
Organization Network: View
Organization vDC Network: View Properties
Organization vDC Resource Pool: Open in vSphere
Organization vDC Resource Pool: View
Organization vDC Storage Policy: Open in vSphere
Organization vDC: Extended View
Organization vDC: View
Organization vDC: View ACL
Organization: View
System Operations: Execute System Operations
Task: Resume, Abort, or Fail
Task: Update
VAPP_VM_METADATA_TO_VCENTER
VDC Template: Instantiate
VDC Template: View
vApp Template / Media: Copy
vApp Template / Media: Create / Upload
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
vApp Template: Download
vApp Template: Import
vApp Template: Open in vSphere
vApp: Allow All Extra Config
vApp: Allow Ethernet Coalescing Extra Config
vApp: Allow Latency Extra Config
vApp: Allow Matching Extra Config
vApp: Allow NUMA Node Affinity Extra Config
vApp: Change Owner
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM CPU
vApp: Edit VM CPU and Memory reservation settings in all VDC types
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Enter/Exit Maintenance Mode
vApp: Import Options
vApp: Manage VM Password Settings
vApp: Open in vSphere
vApp: Power Operations
vApp: Shadow VM View
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: VM Boot Options
vApp: VM Check Compliance
vApp: VM Migrate, Force Undeploy, Relocate, Consolidate
vApp: View ACL
vApp: View VM metrics
vCenter: Open in vSphere
vCenter: Refresh
vCenter: View

@harshneelmore
Contributor

@mgaruccio
Did the above list of Rights work for installing CSE?

@yankostefanov

yankostefanov commented Dec 4, 2018

Hi,
I'm trying to install CSE on vCloud 9.0, but receive the same error as the one above:

Validating config file 'config.yaml'
Connected to AMQP server (pclidcdvamqp-vip.dv.pc.local:5672)
InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
Connected to vCloud Director (ode.teluscloud.com:443)
Connected to vCenter Server 'pclidcdvvcr01.dv.pc.local' as 'cse_admin' (pclidcdvvcr01.dv.pc.local:443)
Config file 'config.yaml' is valid
Installing CSE on vCloud Director using config file 'config.yaml'
Connected to vCD as system administrator: ode.teluscloud.com:443
Checking for AMQP exchange 'lidcvcloud'
AMQP exchange 'lidcvcloud' is ready
Skipping AMQP configuration. vCD and config file may have different AMQP settings.
Found catalog 'CSE'
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1087, in post_linked_resource
    find_link(resource, rel, media_type).href, contents,
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
    raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.MissingLinkException: ('https://ode.teluscloud.com/api/catalog/b5aaf890-d9fa-4e1a-b232-782b99621eb0', <EnumValue: RelationType.PUBLISH [value=publish]>, 'application/vnd.vmware.admin.publishCatalogParams+xml'); href: https://ode.teluscloud.com/api/catalog/b5aaf890-d9fa-4e1a-b232-782b99621eb0, rel: RelationType.PUBLISH, mediaType: application/vnd.vmware.admin.publishCatalogParams+xml

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/cse", line 11, in <module>
    sys.exit(cli())
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/container_service_extension/cse.py", line 227, in install
    amqp_install=amqp_install, ext_install=ext_install)
  File "/usr/lib/python3.6/site-packages/container_service_extension/config.py", line 509, in install_cse
    catalog_desc='CSE templates')
  File "/usr/lib/python3.6/site-packages/container_service_extension/utils.py", line 403, in create_and_share_catalog
    org.share_catalog(catalog_name)
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/org.py", line 227, in share_catalog
    contents=params)
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1091, in post_linked_resource
    "Operation is not supported").with_traceback(e.__traceback__)
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1087, in post_linked_resource
    find_link(resource, rel, media_type).href, contents,
  File "/usr/lib/python3.6/site-packages/pyvcloud/vcd/client.py", line 1335, in find_link
    raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.OperationNotSupportedException: Operation is not supported
[root@centos7-5u ~]# pyvcloud.vcd.exceptions.OperationNotSupportedException: Operation is not supported
-bash: pyvcloud.vcd.exceptions.OperationNotSupportedException:: command not found

As is stated above, I've tried with a System Administrator account in order to run the cluster smoothly, but no success. Tried via CentOS installed on the same environment, Internet enabled; every prerequisite before CSE installation is OK, I hope.

Also tried with Organization Admin account, but CSE installer cannot login to vcloud.

IMHO this is not related to missing permissions, because an Admin account is used here?
Can you advise?

@mgaruccio
Contributor Author

@harshneelmore Unfortunately I haven't had the opportunity to give it a shot yet; it looks like my lab has some permissions issues beyond what we were seeing here that are causing at least some of the issues I was seeing.

@yankostefanov If you are not able to deploy using a system administrator account, then permissions are not the problem; I was able to deploy without an issue using an admin-level account. You may want to check the sharing settings on your catalog or post a new issue.

@yankostefanov

yankostefanov commented Dec 5, 2018

Actually the missing item here is:
MissingLinkException: (**'https://ode.teluscloud.com/api/catalog/**a8d55218-3e9d-4342-beb1-b3862f89bd7a', <EnumValue: RelationType.PUBLISH [value=publish]>, 'application/vnd.vmware.admin.publishCatalogParams+xml'); href: https://ode.teluscloud.com/api/catalog/a8d55218-3e9d-4342-beb1-b3862f89bd7a, rel: RelationType.PUBLISH, mediaType: application/vnd.vmware.admin.publishCatalogParams+xml

In the Admin Catalog there is such a record:
<Link rel="publish" href="**https://ode.teluscloud.com/api/admin/catalog/**a8d55218-3e9d-4342-beb1-b3862f89bd7a/action/publish" type="application/vnd.vmware.admin.publishCatalogParams+xml"/>

But for some reason the same Link rel is missing for https://ode.teluscloud.com/api/catalog/
I suppose this Link rel is needed for CSE. Tried to add it with a REST PUT call. The answer is 200 OK, but the Link rel is again missing. :) Actually the vCloud API refuses to add that record in https://ode.teluscloud.com/api/catalog/

Any ideas?

@andrew-ni
Contributor

Last we investigated this issue, we found that vCD sends back admin-labeled links only when logged in as sys admin. pyvcloud/CSE can only find the item if the admin link exists. We have not decided on a timeline to fix this issue, as it involves coordination with the vCD team. The workaround for now is to install CSE using a system administrator account.

@rocknes , can you look over this and check if I missed anything or explained something incorrectly?
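Three distinct failure patterns appear in this thread, and they call for different fixes: a 403 AccessForbiddenException (a right is genuinely missing, as with Organization: Perform Administrator Queries for /query?type=adminCatalogItem), a MissingLinkException wrapped in OperationNotSupportedException (either a right that exposes the link is missing, as vSphere Server: View was for the vimServerReferences link, or, per the explanation above, vCD only returns the admin link to system administrators and no right will help), and a 500 InternalServerException that cleared after Organization vDC: Extended View was added. The triage script below is an added example, not part of CSE or pyvcloud: it reads a pasted traceback, pulls out the outer exception, HTTP status, request id, innermost CSE frame and the missing link's rel/media type, and sorts the failure into one of those buckets with the matching hint. The sample tracebacks are constructed and condensed from the ones posted in the thread; paths, hosts and request ids are placeholders.

```python
"""Triage a pyvcloud/CSE install traceback: rights gap, absent admin link, or server error.

Added example, not CSE's or pyvcloud's own tooling. The SAMPLE_* tracebacks are
constructed (condensed from the ones in this thread); hosts, paths and ids are placeholders.
"""
import re

EXC_RE = re.compile(r"^(?:pyvcloud\.vcd\.exceptions\.)?(\w+Exception): ?(.*)$", re.M)
STATUS_RE = re.compile(r"Status code: (\d+)/(\w+)")
REQ_ID_RE = re.compile(r"\[ ([0-9a-f-]{36}) \]")
CSE_FRAME_RE = re.compile(r'container_service_extension/(\w+)\.py", line \d+, in (\w+)')
LINK_RE = re.compile(r"rel: RelationType\.(\w+), mediaType: (\S+)")


def triage(tb: str) -> dict:
    """Classify one traceback and extract the fields an admin needs to act on it."""
    excs = EXC_RE.findall(tb)                 # [(name, message), ...]; the outer exception is last
    chain = [name for name, _ in excs]
    status = STATUS_RE.search(tb)
    req_id = REQ_ID_RE.search(tb)
    frames = CSE_FRAME_RE.findall(tb)         # innermost CSE frame is the last one listed
    link = LINK_RE.search(tb)
    result = {
        "exception": chain[-1] if chain else None,
        "status_code": int(status.group(1)) if status else None,
        "request_id": req_id.group(1) if req_id else None,
        "cse_function": ".".join(frames[-1]) if frames else None,
        "rel": link.group(1) if link else None,
        "media_type": link.group(2) if link else None,
    }
    if result["status_code"] == 403:
        result["kind"] = "missing_right"
        result["hint"] = (f"{result['cse_function']} was refused (403): the role lacks a right "
                          "covering this REST call. Find the denied URL, add the right, rerun.")
    elif "MissingLinkException" in chain and link:
        result["kind"] = "admin_link_absent"
        result["hint"] = (f"vCD returned no rel={result['rel']} link of type {result['media_type']}. "
                          "Either a right that exposes the link is missing, or vCD only returns "
                          "this admin link to system administrators, in which case no right "
                          "fixes it and the install has to run as system administrator.")
    elif result["status_code"] is not None and result["status_code"] >= 500:
        result["kind"] = "server_error"
        result["hint"] = (f"500 from vCD in {result['cse_function']}; look up request id "
                          f"{result['request_id']} in the vCD cell logs. It can still be a rights "
                          "gap (a UserVdcSpec cast error here cleared after Organization vDC: Extended View).")
    else:
        result["kind"] = "unknown"
        result["hint"] = "Not a pattern seen in this thread; start from the innermost CSE frame."
    return result


# Constructed samples (placeholders for host, path and request id).
SAMPLE_403 = """Traceback (most recent call last):
  File "/opt/cse/container_service_extension/config.py", line 470, in create_template
    records = list(q.execute())
  File "/opt/cse/pyvcloud/vcd/client.py", line 872, in _response_code_to_exception
    raise AccessForbiddenException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.AccessForbiddenException: Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ 00000000-0000-4000-8000-000000000001 ] This operation is denied. (request id: 00000000-0000-4000-8000-000000000001)
"""

SAMPLE_LINK = """Traceback (most recent call last):
  File "/opt/cse/pyvcloud/vcd/client.py", line 1335, in find_link
    raise MissingLinkException(resource.get('href'), rel, media_type)
pyvcloud.vcd.exceptions.MissingLinkException: ('https://vcd.example.test/api/catalog/CATALOG-ID', <EnumValue: RelationType.PUBLISH [value=publish]>, 'application/vnd.vmware.admin.publishCatalogParams+xml'); href: https://vcd.example.test/api/catalog/CATALOG-ID, rel: RelationType.PUBLISH, mediaType: application/vnd.vmware.admin.publishCatalogParams+xml

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/cse/container_service_extension/utils.py", line 403, in create_and_share_catalog
    org.share_catalog(catalog_name)
  File "/opt/cse/pyvcloud/vcd/client.py", line 1091, in post_linked_resource
    "Operation is not supported").with_traceback(e.__traceback__)
pyvcloud.vcd.exceptions.OperationNotSupportedException: Operation is not supported
"""

SAMPLE_500 = """Traceback (most recent call last):
  File "/opt/cse/container_service_extension/config.py", line 334, in install_cse
    vdc_resource = org.get_vdc(config['broker']['vdc'])
  File "/opt/cse/pyvcloud/vcd/client.py", line 898, in _response_code_to_exception
    raise InternalServerException(sc, request_id, objectify_response)
pyvcloud.vcd.exceptions.InternalServerException: Status code: 500/INTERNAL_SERVER_ERROR, [ 00000000-0000-4000-8000-000000000002 ] UserVdcSpec cannot be cast to VdcSpec (request id: 00000000-0000-4000-8000-000000000002)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_LINK, SAMPLE_500):
        r = triage(sample)
        print(f"{r['kind']:18} {r['exception']:32} {r['cse_function']}\n  {r['hint']}")
```

Feed it the traceback with `triage(open("cse-install.log").read())`; the request id it extracts is what the vCD side needs to correlate the failing call in its own logs, and the `cse_function` field tells you which step of the install to retry after changing the role.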


5 participants