Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1014745

Summary: Document permissions required by virt-who for enhanced reporting
Product: Red Hat Satellite 5
Component: Docs Installation Guide
Version: 560
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Rich Jerrido <rjerrido>
Assignee: Dan Macpherson <dmacpher>
QA Contact: Dan Macpherson <dmacpher>
CC: ahumbe, mjs, rjerrido, rnovacek, rprice, rproffit, xdmoon
Keywords: Triaged
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-10-21 02:09:07 UTC
Bug Blocks: 1018166
Attachments: vSphere Permissions example (flags: none)

Description Rich Jerrido 2013-10-02 16:38:37 UTC
Description of problem:

The current release notes for Satellite 5.6 do not document which level of permissions is required for vSphere when using virt-who. In many cases, the team that provides the virtualization platform is different from the team running RHEL. Having the level of permissions documented will help with getting virt-who (and enhanced reporting) deployed.


Version-Release number of selected component (if applicable):
1.3

Comment 1 Clifford Perry 2013-10-11 11:05:54 UTC
Help us out - what permissions? 

I don't have knowledge of VMware to guide docs, so if there is something specific we should add, let us know. 

Cliff

Comment 2 Rich Jerrido 2013-10-11 14:35:39 UTC
Created attachment 811167 [details]
vSphere Permissions example

Comment 3 Rich Jerrido 2013-10-11 14:39:01 UTC
vSphere provides the capability of creating a read-only user [http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp#managing_users_groups_roles_and_permissions/c_managing_users_groups_roles_and_permissions.html]. Our example uses the admin user who is effectively root (he has the 'Administrator' role). Are there any ill-effects of creating and using a read-only user? As I understand it, virt-who shouldn't require more than read-only access (but I don't know if that has been tested).

Comment 4 Dan Macpherson 2014-01-21 15:20:12 UTC
This bug can be worked on early during the planning stages for Satellite 5.7.

Comment 5 Megan Lewis 2014-03-14 01:03:57 UTC
Hi Rich, 

Thanks for the feedback. We'll have a look at the level of permissions required for vSphere when using virt-who. Any changes will be integrated into the documentation for the next release.

Thanks, 
Megan

Comment 16 Dan Macpherson 2014-12-31 01:07:44 UTC
Updated virt-who instructions in Sat 5.7 docs to note that you should create a read-only user specifically for virt-who's use.

Comment 21 Radek Novacek 2015-01-29 06:17:06 UTC
Hi Dan,

it is possible to scan multiple vCenter envs from virt-who. It's not possible to do it in /etc/sysconfig/virt-who. There is a directory /etc/virt-who.d/ where multiple config files can be created containing options for more vCenter servers.

See man virt-who-config(5).

Comment 22 Dan Macpherson 2015-02-03 00:32:21 UTC
Thanks, Radek!

Comment 24 Dan Macpherson 2015-02-04 02:46:30 UTC
Hi Rich,

I've pushed these changes live:

https://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Satellite/5.7/html/Installation_Guide/chap-Red_Hat_Satellite-Installation_Guide-virt_who.html#sect-Red_Hat_Satellite-Installation_Guide-virt_who-virt_who_Setup

There is a new bug related to this issue here:
https://bugzilla.redhat.com/show_bug.cgi?id=1188720

Aside from this issue, does the new content reflect what you were after when you opened this bug?

- Dan

Comment 27 Radek Novacek 2015-02-16 13:45:54 UTC
Hi Rich and Ashish,

I've just tested the permissions/roles setup for virt-who in a vSphere environment.

I created a new Role using the vSphere Web Client, completely without any privileges, and created a new User that I assigned this role to for the whole vCenter, and virt-who just worked. When I assigned this new role to one cluster and set the role to "No access" for another cluster, virt-who reports information only about the cluster it has access to.

Could you please ask the customers to try this? I've just tested in my testing environment and it would make me more certain if someone tries that in some real-world scenario.
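
A check for the advice in Comments 21 and 27, as an added example that is not part of any comment or of virt-who itself: a shell function that scans a `/etc/virt-who.d/`-style directory and flags configs that use an administrative account instead of a dedicated low-privilege user. It also goes slightly beyond the thread by flagging plaintext `password=` entries and world-readable files. The list of account names treated as administrative, the host names and the file names are assumptions, and the sample configs are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the bug or virt-who): audit a virt-who.d-style directory.
# Assumes the INI layout from virt-who-config(5); the admin name list is illustrative.
audit_virt_who_dir() {
    local dir=$1 f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # The files hold credentials, so "other" must not be able to read them.
        [ -n "$(find "$f" -prune -perm -004)" ] && echo "$f: world-readable"
        awk -v file="$f" '
            function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/ { section = trim($0); gsub(/^\[|\].*$/, "", section); next }
            index($0, "=") {
                key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
                val = trim(substr($0, index($0, "=") + 1))
                if (key == "password" && val != "")
                    print file " [" section "]: plaintext password"
                if (key == "username") {
                    user = tolower(val)
                    sub(/^.*\\/, "", user)   # drop DOMAIN\ prefix
                    sub(/@.*$/, "", user)    # drop @domain suffix
                    if (user == "root" || user == "admin" || user == "administrator")
                        print file " [" section "]: administrative account " val
                }
            }
        ' "$f"
    done
}

# Constructed sample: one over-privileged config, one using a dedicated user.
write_sample() {
    cat > "$1/vcenter-a.conf" <<'EOF'
[vcenter-a]
type=esx
server=vcenter-a.example.com
username=administrator@vsphere.local
password=CHANGEME
EOF
    cat > "$1/vcenter-b.conf" <<'EOF'
[vcenter-b]
type=esx
server=vcenter-b.example.com
username=virt-who-ro
encrypted_password=PLACEHOLDER
EOF
    chmod 644 "$1/vcenter-a.conf"; chmod 600 "$1/vcenter-b.conf"
}
demo=$(mktemp -d) && write_sample "$demo" && audit_virt_who_dir "$demo"; rm -rf "$demo"
```

On the constructed sample, the function reports three findings for `vcenter-a.conf` and none for `vcenter-b.conf`.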

Comment 28 Dan Macpherson 2015-02-17 01:20:27 UTC
I'll hold off on verifying this bug until the customers report back.

Comment 32 Radek Novacek 2015-02-19 14:29:40 UTC
I've put together a draft of a document that explains how to create a new user (both in vCenter and in AD) and configure it for use with virt-who.

You can check it here:

https://rnovacek.fedorapeople.org/virt-who/vsphereperm/

Please let me know if the information is correct and understandable, so we can incorporate it into the official documentation.