VMware Infrastructure Security and Web Access
Date: Jun 3, 2009
With great power comes great responsibility. Your responsibility is to make sure that the virtual infrastructure you have deployed is secure and that role-based access has been implemented so that the right users have the necessary security permissions to perform their daily tasks. This chapter is dedicated to security in VMware Infrastructure.
VI Security Model
The VMware Infrastructure security model consists of both VirtualCenter security and ESX Server security. The security model revolves around users and groups that are assigned roles. These roles constitute a collection of rights or privileges to perform certain tasks.
Users, Roles, Privileges, and Permissions
The cornerstones of the VMware Infrastructure (VI) security model are the users, groups, roles, privileges, and permissions that you can assign at different levels and to different objects within your infrastructure. Properly configuring and assigning these rights and permissions enables you to enforce accountability. Taking a closer look at each of these cornerstones helps you better design your security solution:
- User and group: An account that is allowed to log in to the VMware infrastructure. A group is a collection of accounts with rights to log in and perform other tasks within the VMware Infrastructure.
- Role: A collection of privileges that a user or group is allowed to perform.
- Privilege: An allowed action or function within a role. In other words, a privilege allows a user or group to perform a certain task.
- Permission: A right assigned to an object in the inventory and grants a user or group the right to interact with that object according to selected roles and privileges.
Working with Roles
Familiarizing yourself with roles is an imperative task of building your access control into the Virtual Infrastructure. To help you get started, Table 8.1 shows a set of default roles available to you.
Table 8.1. Default Roles
Default ESX Roles |
Default VirtualCenter Roles |
Custom Roles |
No Access |
No Access |
User-created roles |
Read-Only |
Read-Only |
|
Administrator |
Administrator |
|
Virtual Machine Administrator |
||
Datacenter Administrator |
||
Virtual Machine Power User |
||
Virtual Machine User |
||
Resource Pool Administrator |
||
VCB User |
The easiest way to get to the Roles panel is to log in to ESX Server or VirtualCenter using your VI client. Click the Administration tab and then the Roles tab, as shown in Figure 8.1.
Figure 8.1 Roles panel.
On the Roles panel, you can right-click any role and edit it. However, we recommend that you maintain the integrity of the existing roles and create your own custom roles if the need arises. To do so, you can right-click anywhere in the Roles pane and click Add to start the new role creation, as shown in Figure 8.2.
Figure 8.2 Add new role.
Assigning Permissions
After you have crafted the appropriate roles for your environment, it is time to apply them to the right inventory object to allow your users and groups access only to the part of the inventory tree that you want them to have access to. To apply permissions, find the object in the tree on which you want to implement security, right-click it, and select Add Permission. This brings you to a screen similar to the one shown in Figure 8.3 that allows you to choose a user or group and assign the corresponding role that you want the user or group to have for this inventory object.
Figure 8.3 Assign permissions.
When assigning permissions, you may choose to have these permissions propagate from the object where the permission originated and downward to all the child objects. To do this, simply place a check mark in the check box next to Propagate to Child Objects, as shown in Figure 8.3.
If a conflict arises when assigning permissions, the most restrictive of the permissions takes precedence. For instance, if a user is part of a group in the Administrator role but the user is explicitly assigned a Read-Only role on a particular object, the most restrictive of the permissions takes precedence, thereby allowing the user only Read-Only permissions to the object. Keep in mind though that if permissions do not propagate down to any child objects, the user has Read-Only permission over the object but has full permissions over the child objects. The reason behind this is Propagate permissions is not enabled, which means you are slapping explicit permissions on this object only, but not its child object. The child objects in this case inherit the permissions given to the user's group.
When explicitly assigned, permissions take precedence and the most restrictive permissions are enforced.
VirtualCenter Security
VirtualCenter is a Windows-based application to be installed on a Windows-based operating system. It has two types of directory repositories to select from:
- Local: If VirtualCenter is installed on a Windows server that is part of a workgroup, the users and groups that are local members of this server can be configured to have access in VirtualCenter.
- Domain: If VirtualCenter is part of an Active Directory domain, in addition to the ability to configure local users and groups, you can also configure users and groups from Active Directory.
By default, the local Administrators group is assigned the Administrator role at the top of the inventory list in VirtualCenter. If the VC server is member of a domain, the Domain Admins group is also added by default.
ESX Server Security
The ESX Server security revolves around the Service Console, and because the Service Console operating system is based on Red Hat Linux, the users and groups that you find in the ESX Server are Linux users and groups. These users and groups can be configured to grant direct access to an ESX host.
By default, the following users are assigned the Administrator role in ESX Server:
- root is the equivalent of the administrator in the Windows world and is the highest user account that is created by default.
- vpxuser is added to the Administrators group in ESX after the ESX Server is joined to VirtualCenter. VirtualCenter uses this user to authenticate itself to the ESX host to send preapproved commands.
While the vpxuser is used to authenticate VirtualCenter to ESX Server and pass preapproved commands, the root account actually executes these commands. So in this case, the vpxuser acts merely as a secure bridge between VirtualCenter and the ESX host, while the root user account is tasked with executing VirtualCenter tasks.
Web Access
Web Access is designed to allow you to manage virtual machines from anywhere without requiring special software to be installed on the host from which you are trying to connect. Web Access is not as robust or feature friendly as the VI client, and it allows for limited functionality but can be useful when you need to perform certain tasks from a machine that does not have the VI client installed or if you need to pass an administrative tool with limited features to a group like the helpdesk, for example.
To access Web Access, you need to point your Internet browser to either the IP address or fully qualified domain name (FQDN) of your ESX host or your VirtualCenter Server. If you point to your ESX host, you are able to manage virtual machines that are on this host only. If you log in to VirtualCenter Web Access, you are able to manage all your VMs.
After logging in to Web Access, you can select any VM in the list and you are able to perform the following tasks, shown in Figure 8.4:
- Enumerate VMs
- Launch console access to a VM
- Manipulate all power functions against a VM
- View a VM's status
- Edit VM configuration
Figure 8.4 Virtual machine Web Access view.
Web Access Minimum Requirements
The minimum system requirements to successfully connect and log in to Web Access are as follows:
On a Windows machine:
- Internet Explorer 6.0 or higher
- Firefox 1.0.7 or higher
- Netscape Navigator 7.0 or higher
- Mozilla 1.x
On a Linux machine:
- Firefox 1.0.7 or higher
- Mozilla 1.x
- Netscape Navigator 7.0 or higher
Remote Console URL
One of the very cool things you can do with Web Access is to generate a regular web URL to a particular virtual machine. This URL gives you or any user you send it to direct access to this virtual machine. This capability is useful when you want to provide someone access to a virtual machine directly; you can just as easily paste the URL link into an email and send it to that person.
To generate a URL for a VM, you can simply click the Generate Remote Console URL link shown in Figure 8.4. This brings you to a screen similar to the one shown in Figure 8.5 that allows you to configure different settings to control which user interface features the user has access to.
Figure 8.5 Generate Remote Console URL window.
Exam Prep Questions
-
What is a collection of privileges called in the security model of a VMware Infrastructure?
A.
Role
B.
Right
C.
Access
D.
Permission
-
Choose two roles that are default VirtualCenter roles.
A.
Night-shift Operator
B.
VCB User
C.
Backup Administrator
D.
Virtual Machine User
-
Which version of Internet Explorer is the minimum that can be used with Web Access?
A.
4.0
B.
5.0
C.
6.0
D.
7.0
-
Choose the roles that are not default ESX Server roles.
A.
Read-Only
B.
No Access
C.
Datacenter Administrator
D.
Resource Pool Administrator
-
Which version of Mozilla Firefox is the minimum that can be used with Web Access?
A.
1.0.4
B.
1.0.5
C.
1.0.6
D.
1.0.7
-
True or false: When using Web Access, you can access VMs only by accessing the VirtualCenter Server.
A.
True
B.
False
-
Approximately how many privileges are there by default in VMware Infrastructure?
A.
50
B.
75
C.
100
D.
150
-
True or false: Web Access can be used to create virtual machines.
A.
True
B.
False
-
True or false: ESX Server and VirtualCenter Server users and groups can be synchronized.
A.
True
B.
False
-
Which two user accounts are assigned to the ESX Server Administrator role by default?
A.
adm
B.
vpxuser
C.
vpx
D.
root
Answers to Exam Prep Questions
-
Answer A is correct. A collection of privileges is known as a role in a VMware Infrastructure.
-
Answers B and D are correct. From the list provided, the two roles that are available by default on a VirtualCenter server are VMware Consolidated Backup (VCB) User and Virtual Machine User.
-
Answer C is correct. Internet Explorer version 6.0 is the minimum that can be used to access Web Access.
-
Answers C and D are correct. The two roles that are not default ESX Server roles are Datacenter Administrator and Resource Pool Administrator.
-
Answer D correct. The minimum version of Mozilla Firefox that is supported with Web Access is 1.0.7.
-
Answer B, False, is correct. You can access the Web Access console by either pointing to the ESX Server or VirtualCenter Server IP address or FQDN. When pointing to the ESX host, you see only the VMs on that host, whereas when pointing the web access to the VC server, you see all the VMs.
-
Answer C is correct. There are approximately 100 privileges by default.
-
Answer B, False, is correct. Web Access cannot be used to create virtual machines. Web Access can be used only to manage VMs. To create virtual machines, you need to use the VI client.
-
Answer B, False, is correct. ESX Server and VirtualCenter Server users and groups cannot be synchronized.
-
Answers B and D are correct. The two user accounts that are assigned the administrator role by default on the ESX Server are root and vpxuser.