Milestone 6.1 Storage and Roles - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
This page journals content related to SYS-350 milestone 6.1.
NFS setup and demo
Creating an NFS Datastore
I went to SYS350 > right-clicked for the drop-down > "Storage" > "New Datastore...":

This opened a "New Datastore" menu where I set it to NFS:

Set the version:

Filled in the following datastore name and config:

And pressed "ADD" for the server before pressing "NEXT":

No Kerberos authentication:

Selected my ESXi host in the "Hosts accessibility" section:

Overall new datastore:

Created store:

Clicked on the new NFS share:

Then I went to "Files":

Then "UPLOAD FILES" > selected a text file I made on my PC called "super10.txt" and double-clicked it:

NOTE: I needed to go to my super10.oliver.local ESXi management console (the web interface, accessed via the ESXi IP), where it prompted me to accept the certificate > accepted it > then the upload worked.
Creating a VM on an NFS Datastore
Then I used the process in Creating an NFS Datastore to create another datastore with the following settings:







I went to my VMs tab > right-clicked my rocky VM > "New VM from this Template..":

Where I created a VM with the following settings:



(NOTE: Didn't select any clone options)

Successfully cloned:

RBAC setup and demo
Initial setup with folder, users, and groups
First I created the following folder structure for VMs:


Then I added the following groups to my 350 Accounts OU with PowerShell through an SSH session into my ad350:
New-ADGroup -Name "sys350-power-user" -SamAccountName sys350-power-user -GroupCategory Security -GroupScope Global -DisplayName "sys350-power-user" -Path "OU=Accounts,OU=350,DC=oliver,DC=local" -Description "sys350-power-user"
New-ADGroup -Name "sys350-restricted-user" -SamAccountName sys350-restricted-user -GroupCategory Security -GroupScope Global -DisplayName "sys350-restricted-user" -Path "OU=Accounts,OU=350,DC=oliver,DC=local" -Description "sys350-restricted-user"
And I created the alice, bob and charlie users and placed them in their specified groups:
# Prompt for each user's password (read interactively as a SecureString) before creating that account
$password = Read-Host -AsSecureString
New-ADUser -Name alice -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=Accounts,OU=350,DC=oliver,DC=local"
$password = Read-Host -AsSecureString
New-ADUser -Name bob -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=Accounts,OU=350,DC=oliver,DC=local"
$password = Read-Host -AsSecureString
New-ADUser -Name charlie -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Path "OU=Accounts,OU=350,DC=oliver,DC=local"
$restricted = @("bob","charlie")
Add-ADGroupMember -Identity "sys350-power-user" -Members alice
Add-ADGroupMember -Identity "sys350-restricted-user" -Members $restricted
Users and groups set up in ad350:



Setting permissions in vCenter
I selected the "alice" folder > "Add Permission...":

Set the following permission for the group (NOTE: Make sure to set the domain correctly and enable "Propagate to children", ESPECIALLY FOR FOLDERS WITH VMs INSIDE, otherwise the permission does not reach the VMs):

And I also moved the "rocky.lab.test" VM to the alice folder:

I could then log in as alice, where the correct permissions were set:

I then moved my "ubuntu.lab.test" VM into the "shared-vms" folder. I also assigned the newly made power user and restricted user groups to that folder with the following roles, THE SAME WAY I SET THE PERMISSIONS FOR THE "alice" FOLDER! (each group set with its specific role can be seen below):


Bob's account logged in, showing the permissions set (does not have permission to take/revert snapshots):

Creating a custom role
In vCenter, as my adm user, I went to the sidebar > "Administration" > "Roles":

Then I cloned the "Virtual Machine console user" with the "CLONE" button:

Called it "Virtual Machine console no power user":

Then I selected the newly created clone > "EDIT":

Inside the "Virtual Machine" section > I used the "Show: Selected" view to see only the enabled privileges > deselected power on and power off > "SAVE":

(NOTE: Could also be seen by navigating to "Virtual machine" > looking under "interaction" and expanding the list with the "SEE MORE PRIVILEGES" button.)
Back on the "shared-vms" folder I selected the restricted users group > "EDIT":

Changed the role on the folder to my "Virtual Machine console no power user" role:

With this set I logged in as charlie, where I saw I was unable to power the VM on or off, as expected!:
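The same role clone and folder assignment can be done from PowerCLI instead of the web client, which also makes it easy to audit for the "Propagate to children" pitfall noted above (a folder permission that does not propagate grants nothing on the VMs inside it). This is an added example, not part of the journal; the vCenter hostname is a placeholder and "OLIVER" is assumed to be the NetBIOS name of the oliver.local identity source.

```powershell
# Added example (not from the journal). Assumes VMware.PowerCLI is installed,
# vcenter.oliver.local is a placeholder for the vCenter, and the AD identity
# source is registered as OLIVER (assumed NetBIOS name for oliver.local).
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.oliver.local' | Out-Null

# 1. Build the "no power" role: take every privilege of the built-in
#    "Virtual Machine console user" role except power on / power off.
$noPower   = @('VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff')
$basePrivs = Get-VIPrivilege -Role (Get-VIRole -Name 'Virtual Machine console user')
$keep      = $basePrivs | Where-Object { $_.Id -notin $noPower }
$roleName  = 'Virtual Machine console no power user'
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $roleName -Privilege $keep }

# 2. Assign the restricted group that role on the shared-vms folder, propagating
#    so the VMs inside the folder actually inherit it.
$shared = Get-Folder -Name 'shared-vms' -Type VM
New-VIPermission -Entity $shared -Principal 'OLIVER\sys350-restricted-user' `
    -Role $role -Propagate:$true | Out-Null

# 3. Audit: list permissions defined directly on VM folders that hold VMs but
#    do not propagate. Such entries look correct in the UI yet give the
#    principal no effective rights on the VMs (the mistake the NOTE warns about).
function Get-NonPropagatingFolderPermission {
    foreach ($folder in Get-Folder -Type VM) {
        $vmsInside = @(Get-VM -Location $folder -NoRecursion).Count
        if ($vmsInside -eq 0) { continue }
        Get-VIPermission -Entity $folder |
            Where-Object { $_.Entity.Id -eq $folder.Id -and -not $_.Propagate } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder    = $folder.Name
                    Principal = $_.Principal
                    Role      = $_.Role
                    VmsInside = $vmsInside
                }
            }
    }
}

# Expect an empty result after the steps above; any row is a permission to fix.
Get-NonPropagatingFolderPermission | Format-Table -AutoSize
Disconnect-VIServer -Confirm:$false
```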