
This section describes the security used in SPM.

Symmetrix authorization

There are specific SYMAPI authorizations for SPM to provide additional security within the Symmetrix:

• The Storage Admin — Virtualization Domain role has the ability to perform operations on thin pools and storage groups. All vCenter Administrators are given this role.

• Authorizations can be set for groups.

• Authorizations can be set on individual thin pools and storage groups.

An authorization on a thin pool also allows the user to:

• Create or delete a device.

• Bind a device to an authorized thin pool.

• Unbind a device from an authorized thin pool.

• Reserve a thin device that belongs to an authorized thin pool.

• Release a thin device that belongs to an authorized thin pool from a reservation.

An authorization on a storage group allows a user to put a device into a storage group or remove a device from a storage group. These authorizations have two functions. One is to ensure that vSphere Clients can manipulate only the Symmetrix storage objects on which they are authorized. The other is to provide some protection, from other storage administrators, for the Symmetrix objects that SPM is using.

Storage provisioning commands from the vSphere Client come with a user ID and group ID. The user ID is the name the user used to log in to the vCenter server. For instance, for a user on vCenter server ABC to create a LUN through SPM, two privileges must have been granted:

• The role of Storage Admin — Virtualization Domain on the thin pool associated with the virtualization domain.

• The role of Storage Admin — Virtualization Domain on the storage group associated with the virtualization domain.

Note: The Symmetrix authorizations are automatically configured when using the Auto

SMC roles

A choice for StorageAdmin — Virtualization Domain is available in the Role choices specifically for SPM (Figure 19 on page 90 shows this). This role indicates that the user is attempting to set up a virtualization domain permission rule. When this choice is selected:

• The Name field will change to Virtualization Domain Name.

• The Component fields will become active.

• The Type choices for selecting user/group will change to an uneditable WebLabel and have group selected.

The user enters the virtualization domain name in the Virtualization Domain Name field. Because the fully qualified name has the form V:xxx\users, and the V: and \users portions never change, the user enters only the xxx portion. SMC uses this Virtualization Domain Name to construct the fully qualified name for the user, which removes any question about the format of the name and reduces the chance of the user typing it in wrong. Should the user try to enter the fully qualified name, an error message is presented:

Please enter the Virtualization Domain without V: or \users.

The virtualization domain must be the name of the vCenter that will be provisioning the storage. It can be obtained by exporting the environment from the vSphere Client. The section “Storage Pool Management” on page 97 has more detail. When the OK button on the Add Permission dialog box is clicked, a message confirming the creation of a virtualization domain rule appears to the user: A rule will be created for V:xxx\users. This message displays the option Don't show this confirmation dialog box again so that the user can bypass the message in future.
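As an added illustration (not EMC code, and not how SMC implements this internally), the following Python models the rules described in the Symmetrix authorization and SMC roles sections above: the short-name check behind the V:xxx\users construction, the operations an authorization on a thin pool or storage group covers, and the requirement that a LUN create from a given vCenter hold the role on both the thin pool and the storage group. The names Rule, qualified_group, permitted and can_provision_lun, the operation identifiers and the sample pool and group names are assumptions.

```python
from dataclasses import dataclass

VDOMAIN_PREFIX = "V:"
VDOMAIN_SUFFIX = "\\users"
ROLE = "Storage Admin - Virtualization Domain"  # hyphen stands in for the dialog's dash
# Operations an authorization on a thin pool / a storage group covers (per the text above).
THIN_POOL_OPS = {"create_device", "delete_device", "bind", "unbind", "reserve", "release"}
STORAGE_GROUP_OPS = {"add_to_sg", "remove_from_sg"}

def is_valid_short_name(vdomain: str) -> bool:
    """The dialog accepts only the xxx part of V:xxx\\users, never the prefix or suffix."""
    return bool(vdomain) and not (
        vdomain.startswith(VDOMAIN_PREFIX) or vdomain.endswith(VDOMAIN_SUFFIX))

def qualified_group(vdomain: str) -> str:
    """Construct V:xxx\\users from the short name; reject a user-typed V: or \\users
    with the same message the SMC dialog shows."""
    if not is_valid_short_name(vdomain):
        raise ValueError("Please enter the Virtualization Domain without V: or \\users.")
    return f"{VDOMAIN_PREFIX}{vdomain}{VDOMAIN_SUFFIX}"

@dataclass(frozen=True)
class Rule:
    group: str           # fully qualified group, e.g. V:ABC\users
    role: str
    component_type: str  # "thin_pool" or "storage_group"
    component: str       # thin pool or storage group name

def has_role(rules, group, component_type, component):
    return any(r.group == group and r.role == ROLE and r.component_type == component_type
               and r.component == component for r in rules)

def permitted(rules, vcenter, op, component):
    """Single-operation check: thin-pool operations need a rule on that thin pool,
    storage-group operations a rule on that storage group; anything else is denied."""
    group = qualified_group(vcenter)
    if op in THIN_POOL_OPS:
        return has_role(rules, group, "thin_pool", component)
    if op in STORAGE_GROUP_OPS:
        return has_role(rules, group, "storage_group", component)
    return False

def can_provision_lun(rules, vcenter, thin_pool, storage_group):
    """Creating a LUN from vCenter `vcenter` needs the role on both the domain's
    thin pool and its storage group; a rule on only one of them is not enough."""
    group = qualified_group(vcenter)
    return (has_role(rules, group, "thin_pool", thin_pool)
            and has_role(rules, group, "storage_group", storage_group))
```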

A selection button and dialog box help select a storage group or thin pool. Depending on the selected type of component, a dialog box displays a table of storage groups or thin pools. Figure 21 on page 91 and Figure 22 on page 91 show this. The text box that gets populated with the name remains editable so that the user can delete the entry.

Figure 18 on page 89 shows entries for a normal permission rule.

Figure 18 Normal Permission

When setting up permissions for SPM, select the role StorageAdmin — Virtualization Domain. Figure 19 on page 90 and Figure 20 on page 90 show the dialog boxes.

Figure 19 StorageAdmin Permission

Figure 20 Virtualization Domain entry

The storage group selection is shown in Figure 21 on page 91 and in Figure 22 on page 91.

Figure 21 Storage Group selection

Figure 22 Thin Pool selection

VSI to SMC server security

Communication between the vSphere Client and the SMC/SPM server uses SSL.

Trust is established between the vSphere Client and the SMC server initially through a password. After the client's first login to the server using the password, the client's certificate is stored on the SMC server. That stored certificate is then used to validate all further communications with the client.

vSphere permissions

The VMware administrator role possesses all the permissions it requires to use SPM. While that role is typically used in test, development, and lab environments by all users, production environments require tighter control. Many VMware administrators of production environments will create specialized roles in the vSphere Client for the users, perhaps based on the business unit, or the user’s function. In such cases, these users may own a single VM or even groups of VMs through resource pools. It may be desirable to allow these users to add RDMs to their own VMs through Storage Pool Management.

There are two sets of permissions a VMware user must have in order to use the SPM integration: Extension and Tasks. These privileges must be applied at the vCenter level and set to propagate through the entire environment. In Figure 23 on page 93 the user vmwareuser is assigned a new role called SPM which has the sets of privileges Extension and Tasks. Note that the setting Propagate to Child Objects in the red box is checked. If this is not checked, even a VMware user that has administrator privileges on a VM will not be able to use SPM to create the RDM.

Figure 23 Assign Extension Permission to a VMware user

Related documents