Moved the doc about ops user (#1988)

vmware · Aug 30, 2018 · 0587c06 · 0587c06
1 parent 3e6eee2
commit 0587c06
Show file tree

Hide file tree

Showing 11 changed files with 78 additions and 67 deletions.
diff --git a/docs/user_doc/SUMMARY.md b/docs/user_doc/SUMMARY.md
@@ -35,6 +35,8 @@
          * [Running Commands](vic_vsphere_admin/running_vicmachine_cmds.md)
          * [Set Environment Variables](vic_vsphere_admin/vic_env_variables.md)
      * [Open the Required Ports on ESXi Hosts](vic_vsphere_admin/open_ports_on_hosts.md)
+     * [Create the Operations User](vic_vsphere_admin/create_ops_user.md)
+         * [Manually Create a User Account for the Operations User](vic_vsphere_admin/ops_user_manual.md)
      * [Deploy VCHs in vSphere Client](vic_vsphere_admin/deploy_vch_client.md)
      * [VCH Deployment Options](vic_vsphere_admin/vch_deployment_options.md)
          * [General Settings](vic_vsphere_admin/vch_general_settings.md)
@@ -54,7 +56,6 @@
              * [Disable Client Verification](vic_vsphere_admin/tls_unrestricted.md)
          * [Registry Access](vic_vsphere_admin/vch_registry.md) 
          * [Operations User](vic_vsphere_admin/set_up_ops_user.md)
-             * [Manually Create a User Account for the Operations User](vic_vsphere_admin/ops_user_manual.md)
          * [Finish VCH Deployment](vic_vsphere_admin/complete_vch_deployment_client.md)
          * [Advanced Options](vic_vsphere_admin/vch_advanced_options.md)
              * [Add VCHs to Affinity Groups](vic_vsphere_admin/vch_affinity_group.md)

diff --git a/docs/user_doc/vic_vsphere_admin/SUMMARY.md b/docs/user_doc/vic_vsphere_admin/SUMMARY.md
@@ -18,6 +18,8 @@
          * [Running Commands](running_vicmachine_cmds.md)
          * [Set Environment Variables](vic_env_variables.md)
      * [Open the Required Ports on ESXi Hosts](open_ports_on_hosts.md)
+     * [Create the Operations User](create_ops_user.md)
+         * [Manually Create a User Account for the Operations User](ops_user_manual.md)
      * [Deploy VCHs in vSphere Client](deploy_vch_client.md)
      * [VCH Deployment Options](vch_deployment_options.md)
          * [General Settings](vch_general_settings.md)
@@ -37,7 +39,6 @@
              * [Disable Client Verification](tls_unrestricted.md)
          * [Registry Access](vch_registry.md) 
          * [Operations User](set_up_ops_user.md)
-             * [Manually Create a User Account for the Operations User](ops_user_manual.md)
          * [Finish VCH Deployment](complete_vch_deployment_client.md)
          * [Advanced Options](vch_advanced_options.md)
              * [Add VCHs to Affinity Groups](vch_affinity_group.md)

diff --git a/docs/user_doc/vic_vsphere_admin/bridge_network.md b/docs/user_doc/vic_vsphere_admin/bridge_network.md
@@ -25,7 +25,6 @@ Before you deploy a VCH, you must create a VMware vSphere Distributed Switch and
 - Do not specify the same port group as the bridge network for multiple VCHs. Sharing a port group between VCHs might result in multiple container VMs being assigned the same IP address. 
 - Do not use the bridge network port group as the target for any of the other VCH networking options.
 - Do not use the bridge network for any other VM workloads.
-<!-- If you intend to use the `--ops-user` option to use different user accounts for deployment and operation of the VCH, you must place the bridge network port group in a network folder that has the `Read-Only` role with propagation enabled. For more information about the requirements when using `--ops-user`, see [Configure the Operations User](set_up_ops_user.md).-->
 
 #### Create VCH Wizard
 

diff --git a/docs/user_doc/vic_vsphere_admin/configure_vch.md b/docs/user_doc/vic_vsphere_admin/configure_vch.md
@@ -60,7 +60,7 @@ You can also use the `vic-machine configure --ops-user` and `--ops-password` opt
     --ops-password <i>password</i>
     --ops-grant-perms</pre>
 
-For more information about the operations user, see [Configure the Operations User](set_up_ops_user.md) in the VCH Deployment Options section.
+For more information about the operations user, see [Create the Operations User Account](create_ops_user.md) and [Configure the Operations User](set_up_ops_user.md).
 
 ## Update vCenter Server Certificates <a id="vccert"></a>
 

diff --git a/docs/user_doc/vic_vsphere_admin/create_ops_user.md b/docs/user_doc/vic_vsphere_admin/create_ops_user.md
@@ -0,0 +1,56 @@
+# Create the Operations User Account #
+
+A virtual container host (VCH) requires the appropriate permissions in vSphere to perform various tasks during VCH operation. Deployment of a VCH requires a user account with vSphere administrator privileges. However, day-to-day operation of a VCH requires fewer vSphere permissions than deployment.
+
+During deployment of a VCH, vSphere Integrated Containers Engine runs all deployment operations by using the vSphere administrator account that you specify in the `vic-machine create --user` or `--target` options. If you are using the Create Virtual Container Host wizard, it uses the vSphere administrator account with which you are logged into the vSphere Client. 
+
+By default, if you deploy a VCH by using `vic-machine`, it runs with the same user account as you used to deploy it. In this case, the VCH uses the vSphere administrator account for post-deployment operations, meaning that it runs with full vSphere administrator privileges. Running with full vSphere administrator privileges is excessive, and potentially a security risk.
+
+To avoid this situation, you should configure a VCH so that it uses different user accounts for deployment and for post-deployment operation by specifying an *operations user* when you deploy the VCH. By specifying an operations user with reduced vSphere privileges, you limit its post-deployment privileges to only those privileges that it needs for day-to-day operation.
+
+- [How the Operations User Works](#behavior)
+  - [Default Behavior](#default)
+  - [Operations User Behavior](#ops-behavior)
+- [Create a User Account for the Operations User](#createuser)
+
+## How the Operations User Works <a id="behavior"></a>
+
+If you specify an operations user, `vic-machine` and the VCH behave differently to how they would behave in a default deployment.
+
+### Default Behavior <a id="default"></a>
+
+- When you create a VCH by using `vic-machine`, you provide vSphere administrator credentials to `vic-machine create`, either in `--target` or in the `--user` and `--password` options. During deployment, `vic-machine create` uses these credentials to log in to vSphere and create the VCH. The VCH safely and securely stores the vSphere administrator credentials, for use in post-deployment operation.
+- When you run other `vic-machine` commands on the VCH after deployment, for example, `vic-machine ls`, `upgrade`, or `configure`, you again provide the vSphere administrator credentials in the `--target` or `--user` and `--password` options. Again, `vic-machine` uses these credentials to log in to vSphere to retrieve the necessary information or to perform upgrade or configuration tasks on the VCH.
+- When a container developer creates a container in the VCH, they authenticate with the VCH with their client certificate. In other words, the developer interacts with the VCH via the Docker client, and does not need to provide any vSphere credentials. However, the VCH uses the stored vSphere administrator credentials that you provided during deployment to log in to vSphere to create the container VM and to run operations on it.
+
+### Operations User Behavior <a id="ops-behavior"></a>
+
+- When you create a VCH, the Create Virtual Container Host wizard uses the vSphere administrator credentials with which you logged into vSphere Client to create the VCH. If you use `vic-machine`, you provide vSphere administrator credentials either in `vic-machine create --target` or in the `--user` and `--password` options. 
+- You also provide the credentials for another vSphere account in the Operations User page of the Create Virtual Container Host wizard or in the `vic-machine create --ops-user` and `--ops-password` options. 
+- During deployment, vSphere Integrated Containers Engine uses the vSphere administrator credentials to log in to vSphere and create the VCH. The operations user credentials are safely and securely stored in the VCH, for later use in post-deployment operation. In this case, the VCH does not store the vSphere administrator credentials.
+- When you perform operations on the VCH after deployment, for example, `vic-machine ls`, `upgrade`, or `configure`, you provide the vSphere administrator credentials in the `--target` or `--user` and `--password` options. This is the same as in the default case. The stored operations user credentials are not used for these operations.
+- When a container developer creates a container in the VCH, the VCH uses the stored operations user credentials to log in to vSphere to create the container VM and to run operations on it.
+
+## Create a User Account for the Operations User <a id="createuser"></a>
+
+The user account that you specify as the operations user must exist before you deploy the VCH. If you are deploying the VCH to a vCenter Server cluster, vSphere Integrated Containers Engine provides an option to automatically assign all of the required roles and permissions to the operations user account. 
+
+**IMPORTANT**: If you are deploying the VCH to a standalone host that is managed by vCenter Server, rather than to a cluster, you must assign roles and permissions manually. For information about manually configuring the operations user account, see [Manually Create a User Account for the Operations User](ops_user_manual.md).
+
+You can use the same user account as the operations user for multiple VCHs.
+
+**Prerequisite**
+
+Log into the Flex-based vSphere Web Client with a vSphere administrator account. You cannot use the HTML5 vSphere Client to create user accounts.
+
+**Procedure**
+
+1. In Home page of the vSphere Web Client, click **Roles**.
+2. Click **Users and Groups** in the Navigator menu.
+3. Select the appropriate domain and click the **+** button to add a new user.
+4. Enter a user name for the operations user account, for example `vic-ops`.
+5. Enter and confirm the password for this account, optionally provide the additional information, and click **OK**. 
+
+**Result**
+
+You can use the new user as the operations user account for VCHs. You must use the option to grant any necessary permissions to the user account when you deploy the VCH.
diff --git a/docs/user_doc/vic_vsphere_admin/deploy_vch.md b/docs/user_doc/vic_vsphere_admin/deploy_vch.md
@@ -10,6 +10,7 @@ The HTML5 vSphere Client plug-in for vSphere Integrated Containers allows you to
 
 - [Using the `vic-machine` CLI Utility](using_vicmachine.md)
 - [Open the Required Ports on ESXi Hosts](open_ports_on_hosts.md)
+- [Create the Operations User Account](create_ops_user.md)
 - [Deploy Virtual Container Hosts in the vSphere Client](deploy_vch_client.md)
 - [Virtual Container Host Deployment Options](vch_deployment_options.md) 
 - [Deploy a Test VCH](deploy_test_vch.md)
diff --git a/docs/user_doc/vic_vsphere_admin/deploy_vch_dchphoton.md b/docs/user_doc/vic_vsphere_admin/deploy_vch_dchphoton.md
@@ -37,7 +37,7 @@ For simplicity, this example deploys a VCH without client certificate verificati
 * If you intend to use the CLI utility to deploy the VCH, familiarize yourself with the basic options of the `vic-machine create` command described in [Running vic-machine Commands](running_vicmachine_cmds.md).
 * Familiarize yourself with the bridge network, public network, image store, and volume store as described in [Configure Bridge Networks](bridge_network.md), [Configure the Public Network](public_network.md), and [Virtual Container Host Storage Capacity](vch_storage.md).
 * Obtain the root certificate for vSphere Integrated Containers Registry. For information about how to obtain the certificate, see [Obtain the vSphere Integrated Containers Registry Certificate](vch_registry.md#regcert).
-* If you intend to use the Create Virtual Container Host wizard in the vSphere Client, create a vSphere user account for the operations user. For information about creating the operations user account, see [Create a User Account for the Operations User](set_up_ops_user.md#createuser).
+* If you intend to use the Create Virtual Container Host wizard in the vSphere Client, create a vSphere user account for the operations user. For information about creating the operations user account, see [Create the Operations User Account](create_ops_user.md).
 * Install a Docker client so that you can test the deployment.
 
 ### Create VCH Wizard

diff --git a/docs/user_doc/vic_vsphere_admin/running_vicmachine_cmds.md b/docs/user_doc/vic_vsphere_admin/running_vicmachine_cmds.md
@@ -79,7 +79,7 @@ If you are deploying a VCH on vCenter Server, specify a user name for an account
 
 You can also specify the user name in the URL that you pass to `vic-machine create` in the `--target` option, in which case the `--user` option is not required.
 
-You can configure a VCH so that it uses a non-administrator account with reduced privileges for post-deployment operations by specifying the `--ops-user` option. If you do not specify `--ops-user`, VCHs use the vSphere administrator account that you specify in `--user` for general post-deployment operations. For information about using a different account for post-deployment operation, see [Configure the Operations User](set_up_ops_user.md).
+You can configure a VCH so that it uses a non-administrator account with reduced privileges for post-deployment operations by specifying the `--ops-user` option. If you do not specify `--ops-user`, VCHs use the vSphere administrator account that you specify in `--user` for general post-deployment operations. For information about using a different account for post-deployment operation, see [Create the Operations User Account](create_ops_user.md).
 
 **Usage**:
 

diff --git a/docs/user_doc/vic_vsphere_admin/security_reference.md b/docs/user_doc/vic_vsphere_admin/security_reference.md
@@ -13,7 +13,7 @@ vSphere Integrated Containers does not create service accounts and does not assi
 
 ### VCH Authentication with vSphere
 
-Using `vic-machine` to deploy and manage virtual container hosts (VCHs) requires a user account with vSphere administrator privileges. The `vic-machine create --ops-user` and `--ops-password` options allow a VCH to operate with less-privileged credentials than those that are required to deploy a new VCH. For information about the `--ops-user` option and the permissions that it requires, see [Configure the Operations User](set_up_ops_user.md).
+Using `vic-machine` to deploy and manage virtual container hosts (VCHs) requires a user account with vSphere administrator privileges. The `vic-machine create --ops-user` and `--ops-password` options allow a VCH to operate with less-privileged credentials than those that are required to deploy a new VCH. For information about the `--ops-user` option and the permissions that it requires, see [Create the Operations User Account](create_ops_user.md).
 
 When deploying VCHs, you must provide the certificate thumbprint of the vCenter Server or ESXi host on which you are deploying the VCH. For information about how to obtain and verify vSphere certificate thumbprints, see [Obtain vSphere Certificate Thumbprints](obtain_thumbprint.md). Be aware that it is possible to use the `--force` option to run `vic-machine` commands that bypass vSphere certificate verification. For information about the `--force` option, see [`--force`](running_vicmachine_cmds.md#force) in the topic on running `vic-machine` commands.