Allow configure to set rols for ops user

vmware · Apr 23, 2018 · 5c1bc91 · 5c1bc91
1 parent f4fedad
commit 5c1bc91
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 27 deletions.
diff --git a/cmd/vic-machine/common/ops_credentials.go b/cmd/vic-machine/common/ops_credentials.go
@@ -63,7 +63,7 @@ func (o *OpsCredentials) Flags(hidden bool) []cli.Flag {
 // operation, adminUser and adminPassword are not needed.
 func (o *OpsCredentials) ProcessOpsCredentials(op trace.Operation, isCreateOp bool, adminUser string, adminPassword *string) error {
 	if o.OpsUser == nil && o.OpsPassword != nil {
-		return errors.New("Password for operations user specified without user having been specified")
+		return errors.New("Password for operations user specified without operations username")
 	}
 
 	if isCreateOp {

diff --git a/cmd/vic-machine/configure/configure.go b/cmd/vic-machine/configure/configure.go
@@ -204,6 +204,7 @@ func (c *Configure) copyChangedConf(o *config.VirtualContainerHostConfigSpec, n
 	if c.OpsCredentials.IsSet {
 		o.Username = n.Username
 		o.Token = n.Token
+		o.GrantPermsLevel = n.GrantPermsLevel
 	}
 
 	// Copy the thumbprint directly since it has already been validated.
@@ -327,7 +328,7 @@ func (c *Configure) Run(clic *cli.Context) (err error) {
 
 	validator, err := validate.NewValidator(op, c.Data)
 	if err != nil {
-		op.Errorf("Configuring cannot continue - failed to create validator: %s", err)
+		op.Errorf("Configure cannot continue - failed to create validator: %s", err)
 		return errors.New("configure failed")
 	}
 	defer validator.Session.Logout(parentOp) // parentOp is used here to ensure the logout occurs, even in the event of timeout

diff --git a/lib/install/management/configure.go b/lib/install/management/configure.go
@@ -58,6 +58,14 @@ func (d *Dispatcher) Configure(vch *vm.VirtualMachine, conf *config.VirtualConta
 
 	d.appliance = vch
 
+	if vch.IsVC() {
+		vchFolder, ferr := d.appliance.Folder(d.op)
+		if ferr != nil {
+			return ferr
+		}
+		d.session.VCHFolder = vchFolder
+	}
+
 	// update the displayname to the actual folder name used
 	if d.vmPathName, err = d.appliance.FolderName(d.op); err != nil {
 		d.op.Errorf("Failed to get canonical name for appliance: %s", err)
@@ -111,15 +119,6 @@ func (d *Dispatcher) Configure(vch *vm.VirtualMachine, conf *config.VirtualConta
 
 	err = d.update(conf, settings, isConfigureOp)
 
-	// If successful try to grant permissions to the ops-user
-	if err == nil && conf.ShouldGrantPerms() {
-		err = opsuser.GrantOpsUserPerms(d.op, d.session, conf)
-		if err != nil {
-			// Update error message and fall through to roll back
-			err = errors.Errorf("Failed to grant permissions to ops-user, failure: %s", err)
-		}
-	}
-
 	if err != nil {
 		// Roll back
 		d.op.Errorf("Failed to upgrade: %s", err)
@@ -333,6 +332,15 @@ func (d *Dispatcher) update(conf *config.VirtualContainerHostConfigSpec, setting
 		return err
 	}
 
+	// If successful try to grant permissions to the ops-user
+	if err == nil && conf.ShouldGrantPerms() {
+		err = opsuser.GrantOpsUserPerms(d.op, d.session, conf)
+		if err != nil {
+			// Update error message and fall through to roll back
+			return errors.Errorf("Failed to grant permissions to ops-user, failure: %s", err)
+		}
+	}
+
 	if err = d.appliance.PowerOn(d.op); err != nil {
 		return err
 	}

diff --git a/lib/migration/feature/feature.go b/lib/migration/feature/feature.go
@@ -28,7 +28,9 @@ const (
 	// create time is stored in nanoseconds (previously seconds) in the portlayer.
 	ContainerCreateTimestampVersion
 
-	VMFolderSupportVersion
+	// VCHFolderSupportVersion represents the VCH version that first introduced
+	// VM folder support for the VCH.
+	VCHFolderSupportVersion
 
 	// Add new feature flag here
 

diff --git a/pkg/vsphere/session/session.go b/pkg/vsphere/session/session.go
@@ -382,7 +382,6 @@ func (s *Session) Populate(ctx context.Context) (*Session, error) {
 		// This will provide standalone ESXi and backwards
 		// compatibility to non-folder versions.
 		s.VCHFolder = folders.VmFolder
-
 	}
 
 	if len(errs) > 0 {

diff --git a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md
@@ -16,13 +16,23 @@ This test requires access to VMware Nimbus cluster for dynamic ESXi and vCenter
 6. Create a container
 7. Use govc to attempt to out-of-band destroy the container from Step 6
 8. Clean up the VCH
+9. Install the VIC appliance into the cluster without any ops user options
+10. Reconfigure the VCH with the --ops-user, --ops-password, --ops-grant-perms options
+11. Run a variety of docker operations on the VCH
+12. Create a container
+13. Use govc to attempt to out-of-band destroy the container from Step 6
+14. Clean up the VCH
 
 # Expected Outcome:
 * Steps 1-3 should succeed
 * Step 4 should fail since the ops-user does not have enough permissions for the operation
 * Step 5 and 6 should succeed
 * Step 7 should fail since the destroy method should be disabled by VIC
 * Step 8 should succeed
+* Step 9-12 should succeed
+* Step 13 should fail since the destroy method should be disabled by VIC
+* Step 14 should succeed
+
 
 # Possible Problems:
 None
diff --git a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot
@@ -82,17 +82,32 @@ Run privilege-dependent docker operations
     ${rc}  ${output}=  Run And Return Rc And Output  docker %{VCH-PARAMS} rm -f ${c5}
     Should Be Equal As Integers  ${rc}  0
 
-*** Test Cases ***
-vic-machine create grants ops-user perms
-    Install VIC Appliance To Test Server  additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms
+Reconfigure VCH With Ops User
+    ${rc}  ${output}=  Run And Return Rc And Output  bin/vic-machine-linux configure --target %{TEST_URL} --user %{TEST_USERNAME} --password=%{TEST_PASSWORD} --compute-resource=%{TEST_RESOURCE} --name %{VCH-NAME} --ops-user=${ops_user_name} --ops-password=${ops_user_password} --ops-grant-perms --thumbprint=%{TEST_THUMBPRINT} --debug=1
+    Should Be Equal As Integers  ${rc}  0
+    Should Contain  ${output}  Completed successfully
 
-    # Run a govc test to check that access is denied on some resources
+Attempt To Disable DRS
     Log To Console  Running govc to set drs-enabled, it should fail
     ${rc}  ${output}=  Run And Return Rc And Output  GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc cluster.change -drs-enabled /${datacenter}/host/${cluster}
     Log  Govc output: ${output}
     Should Be Equal As Integers  ${rc}  1
     Should Contain  ${output}  Permission to perform this operation was denied
 
+Attempt To Create Resource Pool
+    Log To Console  Running govc to create a resource pool named "5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}", it should fail
+    ${rc}  ${output}=  Run And Return Rc And Output  GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc pool.create */Resources/5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}
+    Log  Govc output: ${output}
+    Should Be Equal As Integers  ${rc}  1
+    Should Contain  ${output}  Permission to perform this operation was denied
+
+*** Test Cases ***
+vic-machine create grants ops-user perms
+    Install VIC Appliance To Test Server  additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms
+
+    # Run a govc test to check that access is denied on some resources
+    Attempt To Disable DRS
+
     Run Regression Tests
 
     Run privilege-dependent docker operations
@@ -107,11 +122,7 @@ granted ops-user perms work after upgrade
     Check Upgraded Version
 
     # Run a govc test to check that access is denied on some resources
-    Log To Console  Running govc to set drs-enabled, it should fail
-    ${rc}  ${output}=  Run And Return Rc And Output  GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc cluster.change -drs-enabled /${datacenter}/host/${cluster}
-    Log  Govc output: ${output}
-    Should Be Equal As Integers  ${rc}  1
-    Should Contain  ${output}  Permission to perform this operation was denied
+    Attempt To Create Resource Pool
 
     Run Regression Tests
 
@@ -124,14 +135,22 @@ Test with VM-Host Affinity
     Install VIC Appliance To Test Server  additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms --affinity-vm-group
 
     # Run a govc test to check that access is denied on some resources
-    Log To Console  Running govc to create a resource pool named "5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}", it should fail
-    ${rc}  ${output}=  Run And Return Rc And Output  GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc pool.create */Resources/5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}
-    Log  Govc output: ${output}
-    Should Be Equal As Integers  ${rc}  1
-    Should Contain  ${output}  Permission to perform this operation was denied
+    Attempt To Create Resource Pool
 
     Run Regression Tests
 
     Run privilege-dependent docker operations
 
     Cleanup VIC Appliance On Test Server
+
+vic-machine configure grants ops-user perms
+    Install VIC Appliance To Test Server
+
+    Reconfigure VCH With Ops User
+
+    # Run a govc test to check that access is denied on some resources
+    Attempt To Disable DRS
+
+    Run Privileged Commands
+
+    Cleanup VIC Appliance On Test Server