Documentation for ops-user vic-machine option needs to be updated #1157

Closed
stuclem opened this issue Nov 28, 2017 · 4 comments
Labels
area/pub/vsphere Published documentation for vSphere administrators area/pub Published documentation for end-users product/engine Related to the vSphere Integrated Containers Engine

Comments


stuclem commented Nov 28, 2017

@lcastellano commented on Tue Nov 21 2017

User Statement:
With the introduction of Resource Pools and the ops-grant-perms option, the documented procedure to set Roles and Permissions needs to be updated.

Details:
Resource Pools are now the only option in VCH create. The Roles and Permissions previously documented in the Appliance mode can no longer be applied. In general, new Permissions are needed at the Data Center level. The current documentation should be updated.
The new create/configure option --ops-grant-perms also needs to be documented.

Acceptance Criteria:
Documentation has been updated.


@stuclem commented on Tue Nov 28 2017

Thanks for the info @lcastellano. Moving this to the vic-product repo.

@stuclem stuclem self-assigned this Nov 28, 2017
@stuclem stuclem added product/engine Related to the vSphere Integrated Containers Engine area/pub Published documentation for end-users priority/high area/pub/vsphere Published documentation for vSphere administrators labels Nov 28, 2017

stuclem commented Nov 28, 2017

@lcastellano what are the requirements for the ops-user now that we have the --ops-grant-perms option? I created a new user in PSC, didn't grant it any special permissions, then ran vic-machine create with the options --ops-user '[email protected]' --ops-password 'p@ssword' --ops-grant-perms, believing that this would configure my vic-ops user account as necessary.

However, this resulted in "Failed to validate operations credentials: ServerFaultCode: Permission to perform this operation was denied."

So, what are the requirements for the ops user account that you create in PSC? Thanks!


stuclem commented Nov 30, 2017

Looking at this as a part of the Create VCH wizard docs.


stuclem commented Dec 6, 2017

From @lcastellano via email:

Hi Stuart, there are a couple of things that we need to document for 1.3. The main change is the introduction of the --ops-grant-perms option in vic-machine. In 1.2 Roles and Permissions for the opsuser must be created manually. The section of the manual that deals with opsuser is at: https://vmware.github.io/vic-product/assets/files/html/1.2/vic_vsphere_admin/set_up_ops_user.html . When using the --ops-grant-perms option there are two manual steps:
• Create the user in VC
• Set Readonly non-propagating permissions for the opsuser at the datacenter level.
There is no need to create roles and assign permissions to other objects.

If, however, the admin decides to go that manual way, there are changes in the following Roles. This is caused by the fact that 1.3 requires the admin to select Resource Pools. Here is a list of the modified Roles and the correct set of privileges:
• VCH Datacenter, the list of Privileges should be:
  "Datastore: Configure datastore",
  "Datastore: Low level file operations",
  "VirtualMachine.Configuration: Add new disk",
  "VirtualMachine.Configuration: Advanced",
  "VirtualMachine.Configuration: Remove disk",
  "VirtualMachine.Inventory: Create new",
  "VirtualMachine.Inventory: Remove"
• VCH Endpoint, the list of Privileges should be:
  "dvPort group: Modify",
  "dvPort group: Policy operation",
  "dvPort group: Scope operation",
  "Resource: Assign virtual machine to resource pool",
  "VirtualMachine.Configuration: Add existing disk",
  "VirtualMachine.Configuration: Add new disk",
  "VirtualMachine.Configuration: Add remove device",
  "VirtualMachine.Configuration: Advanced",
  "VirtualMachine.Configuration: Edit device",
  "VirtualMachine.Configuration: Remove disk",
  "VirtualMachine.Configuration: Rename",
  "VirtualMachine.Guest operations: Execute",
  "VirtualMachine.Interaction: Device connection",
  "VirtualMachine.Interaction: Power off",
  "VirtualMachine.Interaction: Power on",
  "VirtualMachine.Inventory: Create new",
  "VirtualMachine.Inventory: Remove",
  "VirtualMachine.Inventory: Register",
  "VirtualMachine.Inventory: Unregister"

The following note about --use-rp should be removed as that is now the default.
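
The second manual step from the email above (read-only, non-propagating permission at the datacenter level), followed by a least-privilege check on the ops user, as an added PowerCLI example that is not part of the original thread or the project's documentation. The vCenter address, datacenter name and principal are placeholders, and the user is assumed to exist already (manual step 1).

```powershell
# Added example; requires VMware PowerCLI. All three values below are placeholders.
$vcServer = 'vcenter.example.test'
$dcName   = 'Datacenter1'
$opsUser  = 'VSPHERE.LOCAL\vic-ops'   # must already exist in vCenter SSO

Connect-VIServer -Server $vcServer | Out-Null

$dc   = Get-Datacenter -Name $dcName -ErrorAction Stop
$role = Get-VIRole -Name 'ReadOnly' -ErrorAction Stop

# Manual step 2: ReadOnly on the datacenter object only, not inherited by children.
$existing = Get-VIPermission -Entity $dc -Principal $opsUser -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $dc -Principal $opsUser -Role $role -Propagate:$false | Out-Null
}

# Audit every permission the ops user holds and flag anything broader than the
# thread describes: a non-ReadOnly or propagating datacenter grant, or Admin anywhere.
$findings = foreach ($p in Get-VIPermission -Principal $opsUser) {
    $issue = $null
    if ($p.EntityId -eq $dc.Id) {
        if ($p.Role -ne 'ReadOnly') {
            $issue = 'datacenter role is not ReadOnly'
        } elseif ($p.Propagate) {
            $issue = 'datacenter permission propagates to children'
        }
    } elseif ($p.Role -eq 'Admin') {
        $issue = 'Admin role assigned to ops user'
    }
    [pscustomobject]@{
        Entity    = $p.Entity.Name
        Role      = $p.Role
        Propagate = $p.Propagate
        Issue     = $issue
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Issue) {
    Write-Warning 'Ops user holds broader permissions than expected.'
}
```

Running the audit portion again after vic-machine create with --ops-grant-perms shows which additional objects the ops user was granted roles on.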


stuclem commented Jan 18, 2018

Merged in #1259. Reviewed by @lcastellano.

@stuclem stuclem closed this as completed Jan 18, 2018