Description of problem:
Can't connect to vCenter 6.7 with non-administrator user by virsh

Version-Release number of selected component (if applicable):
libvirt-4.5.0-15.module+el8+2285+e990ac42.x86_64
qemu-kvm-2.12.0-44.module+el8+2259+6d80f0a6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Check the virt-v2v manual page about VCENTER: NON-ADMINISTRATOR ROLE

   VCENTER: NON-ADMINISTRATOR ROLE
       Instead of using the vCenter Administrator role, you can create a custom
       non-administrator role to perform the conversion. You will however need
       to give it a minimum set of permissions as follows:

       1. Create a custom role in vCenter.
       2. Enable (check) the following objects:
          Datastore:
            - Browse datastore
            - Low level file operations
          Sessions:
            - Validate session
          Virtual Machine:
            Provisioning:
              - Allow disk access
              - Allow read-only disk access
              - Guest Operating system management by VIX API

2. Create a custom permission role in vSphere 6.7 web client
   Log into the vSphere web client with the administrator account -> open the 'Home' interface -> Administration -> select "Roles" -> click "+" -> select the related permissions to enable the following objects:
   Datastore:
     - Browse datastore
     - Low level file operations
   Sessions:
     - Validate session
   Virtual Machine:
     Provisioning:
       - Allow disk access
       - Allow read-only disk access
     Interaction:
       - Guest Operating system management by VIX API

3. Add a new user "mxie" and set a password
   3.1 From the Home menu, select Administration
   3.2 Under Single Sign On, click Users and Groups; on the Users tab, click Add User.
   3.3 Enter a user name and password for the new user.

4. Add the user "mxie" to the role of step 1
   4.1 Go to vCenter's permission option, set the role of step 1 to the user

5. Use virsh to connect to vCenter 6.7 with the non-administrator user
   # virsh -c vpx://vsphere.local%5cmxie@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\mxie's password for 10.73.73.141:
   error: failed to connect to the hypervisor
   error: internal error: Could not find datacenter specified in '/data/10.73.75.219/'

Actual results:
As in the above description

Expected results:
Can connect to vCenter 6.7 with non-administrator user by virsh

Additional info:
1. Can connect to vCenter 6.7 with administrator user by virsh
2. Can connect to vCenter 6.0 with non-administrator user by virsh
3. Can reproduce the problem on RHEL 7 with the builds below:
   libvirt-4.5.0-10.el7_6.2.x86_64
   qemu-kvm-rhev-2.12.0-19.el7_6.2.x86_64
I can also reproduce the Comment 0 issue when I do some testing with vCenter 6.7, but after I add more of the necessary privileges for the non-administrator, I can connect to vCenter 6.7 by virsh successfully.

Related packages:
virt-v2v-1.38.4-10.module+el8+2709+40ed2f2c.x86_64
libguestfs-1.38.4-10.module+el8+2709+40ed2f2c.x86_64
libvirt-4.5.0-23.module+el8+2800+2d311f65.x86_64

Steps:
1. Check the virt-v2v manual page about vCenter NON-ADMINISTRATOR ROLE
   # man virt-v2v
   ...
   VCENTER: NON-ADMINISTRATOR ROLE
       Instead of using the vCenter Administrator role, you can create a custom
       non-administrator role to perform the conversion. You will however need
       to give it a minimum set of permissions as follows (using VMware vCenter 6.5):

       1. Create a custom role in vCenter.
       2. Enable (check) the following objects:
          Datastore:
            - Browse datastore
            - Low level file operations
          Sessions:
            - Validate session
          Virtual Machine:
            Interaction:
              - Guest operating system management by VIX API
            Provisioning:
              - Allow disk access
              - Allow read-only disk access

2. Create a custom permission role in vSphere 6.7 web client
   Log into the vSphere web client with the administrator account -> open the 'Home' interface -> Administration -> select "Roles" -> click "+" -> select the related permissions to enable the following objects:
   Datastore:
     - Browse datastore
     - Low level file operations
   Sessions:
     - Validate session
   Virtual Machine:
     Provisioning:
       - Allow disk access
       - Allow read-only disk access
     Interaction:
       - Guest Operating system management by VIX API

3. Add a new user "testv" and set a password
   3.1 From the Home menu, select Administration
   3.2 Under Single Sign On, click Users and Groups; on the Users tab, select "VSPHERE.LOCAL" as Domain, then click "ADD USER".
   3.3 Enter the user name "testv" and a password for the new user, then click "OK"

4. Add the user "testv" to the role of step 2
   4.1 Go to "Global Permissions" under "Access Control", then select "+", add the user "testv" to the role of step 1

5. Use virsh to connect to vCenter 6.7 with the non-administrator user
   # virsh -c vpx://vsphere.local%5ctestv@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\testv's password for 10.73.73.141:
   error: failed to connect to the hypervisor
   error: internal error: HTTP response code 500 for call to 'Login'. Fault: ServerFaultCode - Permission to perform this operation was denied.

6. After debugging, go to vCenter's permission option, set the role of step 2 to the user 'testv', and try the virsh command again:
   # virsh -c vpx://vsphere.local%5ctestv@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\testv's password for 10.73.73.141:
   error: failed to connect to the hypervisor
   error: internal error: Could not find datacenter specified in '/data/10.73.75.219/'

   Result: This error is the same as Comment 0.

7. Go to the Datastore 'data' permission page, set the role of step 2 to the user 'testv', also set the role of step 2 to the user 'testv' on the ESXi host "10.73.75.219" permission page, then try the virsh command again:
   # virsh -c vpx://vsphere.local%5ctestv@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\testv's password for 10.73.73.141:
   Welcome to virsh, the virtualization interactive terminal.

   Type:  'help' for help with commands
          'quit' to quit

   virsh # list --all
    Id   Name   State
   ----------------------------------------------------

   virsh # ...

   Result: I can connect to vCenter 6.7 with the non-administrator account by virsh now, but I cannot see any vmware_guest.

8. Go to the vmware_guest (eg: esx6.0-win2008r2-without-SHA-2) permission page, set the role of step 2 to the user 'testv', then check the virsh command again:
   # virsh -c vpx://vsphere.local%5ctestv@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\testv's password for 10.73.73.141:
   Welcome to virsh, the virtualization interactive terminal.

   Type:  'help' for help with commands
          'quit' to quit

   virsh # list --all
    Id   Name                             State
   ----------------------------------------------------
    -    esx6.0-win2008r2-without-SHA-2   shut off

   Result: After I configure the necessary permissions for a non-administrator user, I can use the virsh command to connect successfully, so I think we can close this bug as "NOTABUG".
Created attachment 1542735 [details] Screenshot for my adding permission for vCenter
Created attachment 1542736 [details] Screenshot for adding permission for esxi host
Created attachment 1542737 [details] Screenshot for adding permission for vmware_guest
(In reply to zhoujunqin from comment #2)
> 4. Add the user "testv" to role of step2
> 4.1 Go to "Global Permissions" under "Access Control", then select "+", add
> the user "testv" to role of step1

Note that in this form there is a "Propagate to children" checkbox.
If that is not applied, the role of the user is not applied to all the children objects, so datastores, folders, VMs, etc.

Did you check that option when applying the roles for the global permissions?
(In reply to Pino Toscano from comment #7)
> (In reply to zhoujunqin from comment #2)
> > 4. Add the user "testv" to role of step2
> > 4.1 Go to "Global Permissions" under "Access Control", then select "+", add
> > the user "testv" to role of step1
>
> Note that in this form there is a "Propagate to children" checkbox.
> If that is not applied, the role of the user is not applied to all the
> children object, so datastores, folders, VMs, etc.
>
> Did you checked that option when applying the roles for the global
> permissions?

Hi Pino,

Thanks for pointing that out; we forgot to check the "Propagate to children" checkbox.

With your comments, I tried again to make the steps clearer:

1. Create a custom permission role "celery" in vSphere 6.7 web client
   Log into the vSphere web client with the administrator account -> open the 'Home' interface -> Administration -> select "Roles" -> click "+" -> select the related permissions to enable the following objects:
   Datastore:
     - Browse datastore
     - Low level file operations
   Sessions:
     - Validate session
   Virtual Machine:
     Provisioning:
       - Allow disk access
       - Allow read-only disk access
     Interaction:
       - Guest Operating system management by VIX API

2. Add a new user "celery" and set a password
   2.1 From the Home menu, select Administration
   2.2 Under Single Sign On, click Users and Groups; on the Users tab, select "VSPHERE.LOCAL" as Domain, then click "ADD USER".
   2.3 Enter the user name "celery" and a password for the new user, then click "OK"

3. Add the user "testv" to the role of step 2
   3.1 Go to "Global Permissions" under "Access Control", then select "+", add the user "celery" to the role of step 1, check the "Propagate to children" checkbox, then click "OK".

4. Use virsh to connect to vCenter 6.7 with the non-administrator user
   # virsh -c vpx://vsphere.local%5ccelery@10.73.73.141/data/10.73.75.219/?no_verify=1
   Enter vsphere.local\celery's password for 10.73.73.141:
   Welcome to virsh, the virtualization interactive terminal.

   Type:  'help' for help with commands
          'quit' to quit

   virsh # list --all
    Id    Name                                  State
   ----------------------------------------------------
    567   VMware vCenter Server Appliance       running
    697   esx6.7-rhel6.10-x86_64-vmware-tools   running
    -     Auto-esx6.7-win2016-2ProgramFiles     shut off
   ...

   virsh # dumpxml esx6.7-win8.1-x86_64
   <domain type='vmware' xmlns:vmware='http://libvirt.org/schemas/domain/vmware/1.0'>
     <name>esx6.7-win8.1-x86_64</name>
   ...

Result: virsh commands work well when connecting to vCenter 6.7 with a non-administrator user, so I think we can close this bug as "NOTABUG".

Thanks for your help.
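The sequence above (global role without propagation: "Could not find datacenter"; role added on datastore and host: connection works but no guests listed; role added on the VM or propagated from the global level: guest listed) is a direct consequence of how vCenter resolves permissions down the inventory tree. The following is an added example that is not part of the bug report, libvirt or virt-v2v: a small Python model of that resolution rule, using a constructed inventory that mirrors the objects named on this page. The visibility rule (a principal can see an object it holds a role on, plus that object's ancestors so it can be reached) and the error strings for the failure cases are simplifications written for this example, not libvirt's actual logic.

```python
"""Model of vSphere permission propagation (added example, not code from the page)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Minimum privileges the virt-v2v manual page lists for a non-administrator
# role; the strings are labels used only by this example.
REQUIRED_PRIVILEGES = {
    "Datastore.Browse datastore",
    "Datastore.Low level file operations",
    "Sessions.Validate session",
    "Virtual Machine.Provisioning.Allow disk access",
    "Virtual Machine.Provisioning.Allow read-only disk access",
    "Virtual Machine.Interaction.Guest Operating system management by VIX API",
}


@dataclass
class Entity:
    """One inventory object: root (Global Permissions), datacenter, datastore, host or VM."""
    name: str
    kind: str
    parent: Optional["Entity"] = None
    children: List["Entity"] = field(default_factory=list)

    def add(self, child: "Entity") -> "Entity":
        child.parent = self
        self.children.append(child)
        return child

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


@dataclass(frozen=True)
class Permission:
    """A permission as assigned in the vSphere client: a role for a principal on one object."""
    kind: str
    entity: str
    principal: str
    role: str
    propagate: bool = False  # the "Propagate to children" checkbox


def build_inventory() -> Entity:
    """Constructed inventory mirroring the objects named in the bug report."""
    root = Entity("Global", "root")
    dc = root.add(Entity("data", "datacenter"))
    dc.add(Entity("data", "datastore"))
    host = dc.add(Entity("10.73.75.219", "host"))
    host.add(Entity("esx6.0-win2008r2-without-SHA-2", "vm"))
    return root


def effective_role(entity: Entity, principal: str, perms: List[Permission]) -> Optional[str]:
    """Simplified vSphere rule: a permission on the object itself always applies; one on an
    ancestor applies only if it was propagated. The nearest matching assignment wins."""
    node, on_self = entity, True
    while node is not None:
        for p in perms:
            if (p.principal, p.kind, p.entity) == (principal, node.kind, node.name):
                if on_self or p.propagate:
                    return p.role
        node, on_self = node.parent, False
    return None


def visible_objects(root: Entity, principal: str, perms: List[Permission]) -> Set[Tuple[str, str]]:
    """Objects the principal can see: anything it holds a role on, plus the ancestors of
    those objects (vCenter exposes them so the child can be reached in the inventory)."""
    visible: Set[Tuple[str, str]] = set()
    for entity in root.walk():
        if effective_role(entity, principal, perms):
            node = entity
            while node is not None:
                visible.add((node.kind, node.name))
                node = node.parent
    return visible


def virsh_connect(root: Entity, principal: str, perms: List[Permission],
                  datacenter: str, host: str) -> Tuple[bool, str, List[str]]:
    """Mimic the outcomes seen on the page: the datacenter in the vpx:// path must be
    visible, then the host; 'list --all' shows only VMs the principal holds a role on."""
    visible = visible_objects(root, principal, perms)
    if ("datacenter", datacenter) not in visible:
        return False, f"Could not find datacenter specified in '/{datacenter}/{host}/'", []
    if ("host", host) not in visible:
        return False, f"host '{host}' not visible to {principal} (constructed message)", []
    vms = sorted(name for kind, name in visible if kind == "vm")
    return True, "Welcome to virsh, the virtualization interactive terminal.", vms


def missing_privileges(role_privileges: Set[str]) -> Set[str]:
    """Required privileges (per the manual page) that a custom role does not grant."""
    return REQUIRED_PRIVILEGES - role_privileges


if __name__ == "__main__":
    inv = build_inventory()
    user = "vsphere.local\\celery"
    for label, perms in [
        ("global, not propagated", [Permission("root", "Global", user, "celery")]),
        ("global, propagated", [Permission("root", "Global", user, "celery", propagate=True)]),
    ]:
        print(label, "->", virsh_connect(inv, user, perms, "data", "10.73.75.219"))
```

Running the block with the non-propagated global permission reproduces the "Could not find datacenter" outcome from comment 0 and step 6; adding the datastore and host assignments reproduces step 7 (connection succeeds, empty VM list); checking "Propagate to children" on the global assignment makes every object visible in one step, which is the fix from comment 8. `missing_privileges` is the check to run against a custom role's privilege set before assigning it.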
(In reply to zhoujunqin from comment #8)
> Thanks for pointing out that, we forget to check "Propagate to children"
> checkbox.
> [...]
> Result: virsh commands works well when connect to vCenter6.7 with
> non-administrator user, so i think we can close this bug as "NOTABUG".
> Thanks for your help.

Thanks for double checking -- closing the bug accordingly.