Verify object permissions
In the ITS Private Cloud we have implemented the best of VMware vCenter authorization management along with our internal directory for authentication and authorization. This configuration allows us to manage permissions on objects such as virtual machines, networks, domains and folders with a good level of granularity and efficiency.
The latest version of the ITS Private Cloud RESTful API provides an interface to list permissions o a given object, thus end users can verify who has access to what in their environment. Permissions are set to groups (preferably), but there are cases a specific user needs access temporarily to a given object. The problem arises when the temporarily becomes permanent - to solve this, we have exposed a resource in the RESTful API and implemented in the VSS Command Line interface to list permissions on networks, folders and virtual machines and if a group is permitted, list the group members to verify everyone in the group is allowed to access the object. If you believe a user is not supposed to be allowed, please contact us ASAP at vss(at)eis.utoronto.ca.
This document will guide you through the process of listing permissions on folder objects, but you also can apply this method on networks and virtual machines.
Object
First of all, we should get either the moref or UUID of the object to
list permissions. In this case, the folder moref can be queried by
vss compute folder ls as follows:
vss-cli compute folder ls -f name=Folder
moref name parent path
----------- ------- -------- ----------------------------
group-v1234 Folder Public Public > Folder
Moref group-v1234 is now our target to list permissions.
Validate if the folder is correct by getting its info
with vss compute folder get <moref> as shown below:
vss-cli compute folder get group-v1234
Path : Public > Folder
Parent : Public
Name : Folder
vss-cli compute folder get Folder
Path : Public > Folder
Parent : Public
Name : Folder
Permission
Permissions in the folder command can be listed by the
vss compute folder get <moref-or-name> perm command:
Usage: vss-cli compute folder get [OPTIONS] MOREF_OR_NAME COMMAND [ARGS]...
Get given folder info.
Options:
--help Show this message and exit.
Commands:
perm list permissions.
vms list virtual machines.
For instance, querying folder group-v1234 permissions would look like:
vss-cli compute folder get group-v1234 perm
principal group propagate
-------------------- ------- -----------
VSKEY5\vc51-VSSPriv True True
VSKEY5\vc51-VSSTest True True
VSKEY5\jm1 False True
The output shows that vc51-VSSTest and vc51-VSSPriv group has been
granted to access the folder and should propagate to any children
contained, however members are not listed. On the other hand,
user jm1 has been granted to the folder and its children.
Group members
There are a couple of restrictions in order to get group info and members:
you should be a member of the group
group should be prefixed by vc5
To get group basic info, use vss-cli account get group <group_name>
as follows:
vss-cli account get group vc51-VSSTest
cn : vc51-VSSTest
description : VSS Development Testing and Continuous Integration
create_timestamp : 20170303022113Z
modify_timestamp : 20180712175916Z
unique_member_count : 5
unique_member : ....
If you do are not member of a given group, expect the following output:
vss-cli account get group vc51-VSSPriv --member
Error: status: 401; message: User has no membership on vc51-VSSPriv; error: unauthorized
Note
If one of the group members is no longer authorized to access, please let us know ASAP.