VMware Infrastructure Security and Web Access

Date: Jun 3, 2009

Return to the article

This chapter is dedicated to security in VMware Infrastructure. Specifically, it discusses creating and assigning roles, assigning permissions, the differences between VirtualCenter security and ESX Server security, and the limitations of web access.

Terms you'll need to understand:

Roles

Privileges

vpxuser

Web Access

Generate Remote Console URL

Concepts and techniques you'll need to master:

What a role is and how to create it and assign users and groups to it

How to assign permissions to objects in the inventory

The difference between VirtualCenter security and ESX Server security

The limitations of Web Access

With great power comes great responsibility. Your responsibility is to make sure that the virtual infrastructure you have deployed is secure and that role-based access has been implemented so that the right users have the necessary security permissions to perform their daily tasks. This chapter is dedicated to security in VMware Infrastructure.

VI Security Model

The VMware Infrastructure security model consists of both VirtualCenter security and ESX Server security. The security model revolves around users and groups that are assigned roles. These roles constitute a collection of rights or privileges to perform certain tasks.

Users, Roles, Privileges, and Permissions

The cornerstones of the VMware Infrastructure (VI) security model are the users, groups, roles, privileges, and permissions that you can assign at different levels and to different objects within your infrastructure. Properly configuring and assigning these rights and permissions enables you to enforce accountability. Taking a closer look at each of these cornerstones helps you better design your security solution:

NOTE

You can choose from about 100 preconfigured privileges.

Working with Roles

Familiarizing yourself with roles is an imperative task of building your access control into the Virtual Infrastructure. To help you get started, Table 8.1 shows a set of default roles available to you.

Table 8.1. Default Roles

Default ESX Roles

Default VirtualCenter Roles

Custom Roles

No Access

No Access

User-created roles

Read-Only

Read-Only

Administrator

Administrator

Virtual Machine Administrator

Datacenter Administrator

Virtual Machine Power User

Virtual Machine User

Resource Pool Administrator

VCB User

The easiest way to get to the Roles panel is to log in to ESX Server or VirtualCenter using your VI client. Click the Administration tab and then the Roles tab, as shown in Figure 8.1.

Figure 8.1 Roles panel.

Exam Alert

The VCP exam is sure to quiz you on the difference between the ESX host roles and the VC Server roles, so make sure you know which roles belong where.

On the Roles panel, you can right-click any role and edit it. However, we recommend that you maintain the integrity of the existing roles and create your own custom roles if the need arises. To do so, you can right-click anywhere in the Roles pane and click Add to start the new role creation, as shown in Figure 8.2.

Figure 8.2 Add new role.

NOTE

Custom roles cannot be shared between ESX Server and VirtualCenter.

Assigning Permissions

After you have crafted the appropriate roles for your environment, it is time to apply them to the right inventory object to allow your users and groups access only to the part of the inventory tree that you want them to have access to. To apply permissions, find the object in the tree on which you want to implement security, right-click it, and select Add Permission. This brings you to a screen similar to the one shown in Figure 8.3 that allows you to choose a user or group and assign the corresponding role that you want the user or group to have for this inventory object.

Figure 8.3 Assign permissions.

When assigning permissions, you may choose to have these permissions propagate from the object where the permission originated and downward to all the child objects. To do this, simply place a check mark in the check box next to Propagate to Child Objects, as shown in Figure 8.3.

If a conflict arises when assigning permissions, the most restrictive of the permissions takes precedence. For instance, if a user is part of a group in the Administrator role but the user is explicitly assigned a Read-Only role on a particular object, the most restrictive of the permissions takes precedence, thereby allowing the user only Read-Only permissions to the object. Keep in mind though that if permissions do not propagate down to any child objects, the user has Read-Only permission over the object but has full permissions over the child objects. The reason behind this is Propagate permissions is not enabled, which means you are slapping explicit permissions on this object only, but not its child object. The child objects in this case inherit the permissions given to the user's group.

Exam Alert

Knowing how permissions are applied and the precedence of permissions are topics that are sure to come up on the exam.

When explicitly assigned, permissions take precedence and the most restrictive permissions are enforced.

VirtualCenter Security

VirtualCenter is a Windows-based application to be installed on a Windows-based operating system. It has two types of directory repositories to select from:

By default, the local Administrators group is assigned the Administrator role at the top of the inventory list in VirtualCenter. If the VC server is member of a domain, the Domain Admins group is also added by default.

ESX Server Security

The ESX Server security revolves around the Service Console, and because the Service Console operating system is based on Red Hat Linux, the users and groups that you find in the ESX Server are Linux users and groups. These users and groups can be configured to grant direct access to an ESX host.

NOTE

ESX Server users and groups do not sync and cannot be used to assign roles and privileges in VirtualCenter.

TIP

Do not configure permissions using ESX users and groups. The reason behind this is the permissions you assign on a per ESX Server level do not propagate to other ESX hosts; therefore, using a common users and groups directory makes it easier to manage permissions.

By default, the following users are assigned the Administrator role in ESX Server:

While the vpxuser is used to authenticate VirtualCenter to ESX Server and pass preapproved commands, the root account actually executes these commands. So in this case, the vpxuser acts merely as a secure bridge between VirtualCenter and the ESX host, while the root user account is tasked with executing VirtualCenter tasks.

Web Access

Web Access is designed to allow you to manage virtual machines from anywhere without requiring special software to be installed on the host from which you are trying to connect. Web Access is not as robust or feature friendly as the VI client, and it allows for limited functionality but can be useful when you need to perform certain tasks from a machine that does not have the VI client installed or if you need to pass an administrative tool with limited features to a group like the helpdesk, for example.

To access Web Access, you need to point your Internet browser to either the IP address or fully qualified domain name (FQDN) of your ESX host or your VirtualCenter Server. If you point to your ESX host, you are able to manage virtual machines that are on this host only. If you log in to VirtualCenter Web Access, you are able to manage all your VMs.

After logging in to Web Access, you can select any VM in the list and you are able to perform the following tasks, shown in Figure 8.4:

Figure 8.4 Virtual machine Web Access view.

Exam Alert

The exam will surely challenge your knowledge of the difference between Web Access and the full VI client. Know the limitations of the Web Access compared to the full VI client.

CAUTION

You cannot create VMs from Web Access; this function requires the VI in order to be completed.

NOTE

To launch a VM's console from Web Access, you need to have installed the VMware Virtual Infrastructure plug-in in your browser.

Web Access Minimum Requirements

The minimum system requirements to successfully connect and log in to Web Access are as follows:

On a Windows machine:

On a Linux machine:

Remote Console URL

One of the very cool things you can do with Web Access is to generate a regular web URL to a particular virtual machine. This URL gives you or any user you send it to direct access to this virtual machine. This capability is useful when you want to provide someone access to a virtual machine directly; you can just as easily paste the URL link into an email and send it to that person.

To generate a URL for a VM, you can simply click the Generate Remote Console URL link shown in Figure 8.4. This brings you to a screen similar to the one shown in Figure 8.5 that allows you to configure different settings to control which user interface features the user has access to.

Figure 8.5 Generate Remote Console URL window.

Exam Prep Questions

  1. What is a collection of privileges called in the security model of a VMware Infrastructure?

    A.

    Role

    B.

    Right

    C.

    Access

    D.

    Permission

  2. Choose two roles that are default VirtualCenter roles.

    A.

    Night-shift Operator

    B.

    VCB User

    C.

    Backup Administrator

    D.

    Virtual Machine User

  3. Which version of Internet Explorer is the minimum that can be used with Web Access?

    A.

    4.0

    B.

    5.0

    C.

    6.0

    D.

    7.0

  4. Choose the roles that are not default ESX Server roles.

    A.

    Read-Only

    B.

    No Access

    C.

    Datacenter Administrator

    D.

    Resource Pool Administrator

  5. Which version of Mozilla Firefox is the minimum that can be used with Web Access?

    A.

    1.0.4

    B.

    1.0.5

    C.

    1.0.6

    D.

    1.0.7

  6. True or false: When using Web Access, you can access VMs only by accessing the VirtualCenter Server.

    A.

    True

    B.

    False

  7. Approximately how many privileges are there by default in VMware Infrastructure?

    A.

    50

    B.

    75

    C.

    100

    D.

    150

  8. True or false: Web Access can be used to create virtual machines.

    A.

    True

    B.

    False

  9. True or false: ESX Server and VirtualCenter Server users and groups can be synchronized.

    A.

    True

    B.

    False

  10. Which two user accounts are assigned to the ESX Server Administrator role by default?

    A.

    adm

    B.

    vpxuser

    C.

    vpx

    D.

    root

Answers to Exam Prep Questions

  1. Answer A is correct. A collection of privileges is known as a role in a VMware Infrastructure.

  2. Answers B and D are correct. From the list provided, the two roles that are available by default on a VirtualCenter server are VMware Consolidated Backup (VCB) User and Virtual Machine User.

  3. Answer C is correct. Internet Explorer version 6.0 is the minimum that can be used to access Web Access.

  4. Answers C and D are correct. The two roles that are not default ESX Server roles are Datacenter Administrator and Resource Pool Administrator.

  5. Answer D correct. The minimum version of Mozilla Firefox that is supported with Web Access is 1.0.7.

  6. Answer B, False, is correct. You can access the Web Access console by either pointing to the ESX Server or VirtualCenter Server IP address or FQDN. When pointing to the ESX host, you see only the VMs on that host, whereas when pointing the web access to the VC server, you see all the VMs.

  7. Answer C is correct. There are approximately 100 privileges by default.

  8. Answer B, False, is correct. Web Access cannot be used to create virtual machines. Web Access can be used only to manage VMs. To create virtual machines, you need to use the VI client.

  9. Answer B, False, is correct. ESX Server and VirtualCenter Server users and groups cannot be synchronized.

  10. Answers B and D are correct. The two user accounts that are assigned the administrator role by default on the ESX Server are root and vpxuser.

© 2024 Pearson Education, Pearson IT Certification. All rights reserved.

800 East 96th Street, Indianapolis, Indiana 46240

sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |