diff --git a/cmd/vic-machine/common/ops_credentials.go b/cmd/vic-machine/common/ops_credentials.go
index 3cb887c084..b7bb26711d 100644
--- a/cmd/vic-machine/common/ops_credentials.go
+++ b/cmd/vic-machine/common/ops_credentials.go
@@ -63,7 +63,7 @@ func (o *OpsCredentials) Flags(hidden bool) []cli.Flag {
 // operation, adminUser and adminPassword are not needed.
 func (o *OpsCredentials) ProcessOpsCredentials(op trace.Operation, isCreateOp bool, adminUser string, adminPassword *string) error {
 if o.OpsUser == nil && o.OpsPassword != nil {
- return errors.New("Password for operations user specified without user having been specified")
+ return errors.New("Password for operations user specified without operations username")
 }
 
 if isCreateOp {
diff --git a/cmd/vic-machine/configure/configure.go b/cmd/vic-machine/configure/configure.go
index 2aa9406e50..9cb2daaca3 100644
--- a/cmd/vic-machine/configure/configure.go
+++ b/cmd/vic-machine/configure/configure.go
@@ -204,6 +204,7 @@ func (c *Configure) copyChangedConf(o *config.VirtualContainerHostConfigSpec, n
 if c.OpsCredentials.IsSet {
 o.Username = n.Username
 o.Token = n.Token
+ o.GrantPermsLevel = n.GrantPermsLevel
 }
 
 // Copy the thumbprint directly since it has already been validated.
@@ -327,7 +328,7 @@ func (c *Configure) Run(clic *cli.Context) (err error) {
 
 validator, err := validate.NewValidator(op, c.Data)
 if err != nil {
- op.Errorf("Configuring cannot continue - failed to create validator: %s", err)
+ op.Errorf("Configure cannot continue - failed to create validator: %s", err)
 return errors.New("configure failed")
 }
 defer validator.Session.Logout(parentOp) // parentOp is used here to ensure the logout occurs, even in the event of timeout
diff --git a/lib/install/management/configure.go b/lib/install/management/configure.go
index d1fbad74af..9a58226693 100644
--- a/lib/install/management/configure.go
+++ b/lib/install/management/configure.go
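Review bot: `o.GrantPermsLevel = n.GrantPermsLevel` in copyChangedConf overwrites the stored level every time the ops credentials are re-specified, so a `configure --ops-user … --ops-password …` run that omits `--ops-grant-perms` presumably resets the recorded level while anything granted in vSphere on an earlier run stays in place, since nothing in this hunk revokes it. If that is the intended contract, the new line deserves a comment such as `// Re-specifying ops credentials also resets the recorded grant level; this does not revoke permissions granted earlier.`; if not, the assignment should be guarded by whether the flag was actually passed rather than by IsSet alone. copyChangedConf's body begins and ends outside the hunk.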
@@ -58,6 +58,14 @@ func (d *Dispatcher) Configure(vch *vm.VirtualMachine, conf *config.VirtualConta
 
 d.appliance = vch
 
+ if vch.IsVC() {
+ vchFolder, ferr := d.appliance.Folder(d.op)
+ if ferr != nil {
+ return ferr
+ }
+ d.session.VCHFolder = vchFolder
+ }
+
 // update the displayname to the actual folder name used
 if d.vmPathName, err = d.appliance.FolderName(d.op); err != nil {
 d.op.Errorf("Failed to get canonical name for appliance: %s", err)
@@ -111,15 +119,6 @@ func (d *Dispatcher) Configure(vch *vm.VirtualMachine, conf *config.VirtualConta
 
 err = d.update(conf, settings, isConfigureOp)
 
- // If successful try to grant permissions to the ops-user
- if err == nil && conf.ShouldGrantPerms() {
- err = opsuser.GrantOpsUserPerms(d.op, d.session, conf)
- if err != nil {
- // Update error message and fall through to roll back
- err = errors.Errorf("Failed to grant permissions to ops-user, failure: %s", err)
- }
- }
-
 if err != nil {
 // Roll back
 d.op.Errorf("Failed to upgrade: %s", err)
@@ -333,6 +332,14 @@ func (d *Dispatcher) update(conf *config.VirtualContainerHostConfigSpec, setting
 return err
 }
 
+ // Try to grant permissions to the ops-user
+ if conf.ShouldGrantPerms() {
+ err = opsuser.GrantOpsUserPerms(d.op, d.session, conf)
+ if err != nil {
+ return errors.Errorf("Failed to grant permissions to ops-user, failure: %s", err)
+ }
+ }
+
 if err = d.appliance.PowerOn(d.op); err != nil {
 return err
 }
diff --git a/lib/migration/feature/feature.go b/lib/migration/feature/feature.go
index 9232575111..485f688720 100644
--- a/lib/migration/feature/feature.go
+++ b/lib/migration/feature/feature.go
@@ -28,7 +28,9 @@ const (
 
 // create time is stored in nanoseconds (previously seconds) in the portlayer.
 ContainerCreateTimestampVersion
- VMFolderSupportVersion
+ // VCHFolderSupportVersion represents the VCH version that first introduced
+ // VM folder support for the VCH.
+ VCHFolderSupportVersion
 
 // Add new feature flag here
 
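Review bot: `return ferr` in the new `vch.IsVC()` block of Configure returns the folder lookup failure bare, while the FolderName failure three lines below logs through `d.op.Errorf` before returning, so a configure that aborts here leaves no operation-log line saying why; `return errors.Errorf("Failed to get VCH folder: %s", ferr)` (errors.Errorf is already used in this file) would keep the two paths consistent. Assigning `d.session.VCHFolder` here also overrides whatever Populate set on the session (the session.go hunk in this commit touches that assignment); if the session outlives this Dispatcher, a one-line comment stating that Configure re-points it to the appliance's folder would help the next reader. Configure's body begins and ends outside the hunk.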
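Review bot: The grant moved into update now runs before `d.appliance.PowerOn`, so a failure in PowerOn or anything later in update returns after the ops-user permissions have already been applied; the only handling visible in this diff is the `// Roll back` path in Configure (the @@ -111 hunk, which removes the old grant block), and nothing shown there revokes the grant, so it is worth confirming and noting on the new comment, e.g. `// Try to grant permissions to the ops-user; a later failure in update does not undo this.`. Stylistically the `err =` assignment is only used to build a fresh error, so `if err := opsuser.GrantOpsUserPerms(d.op, d.session, conf); err != nil {` keeps it scoped and avoids reusing the outer err. update's body begins and ends outside the hunk.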
diff --git a/pkg/vsphere/session/session.go b/pkg/vsphere/session/session.go
index 975a170e62..6a3b4bc037 100644
--- a/pkg/vsphere/session/session.go
+++ b/pkg/vsphere/session/session.go
@@ -382,7 +382,6 @@ func (s *Session) Populate(ctx context.Context) (*Session, error) {
 // This will provide standalone ESXi and backwards
 // compatibility to non-folder versions.
 s.VCHFolder = folders.VmFolder
-
 }
 
 if len(errs) > 0 {
diff --git a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md
index 4fca9233da..726ebc65d1 100644
--- a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md
+++ b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.md
@@ -16,6 +16,12 @@ This test requires access to VMware Nimbus cluster for dynamic ESXi and vCenter
 6. Create a container
 7. Use govc to attempt to out-of-band destroy the container from Step 6
 8. Clean up the VCH
+9. Install the VIC appliance into the cluster without any ops user options
+10. Reconfigure the VCH with the --ops-user, --ops-password, --ops-grant-perms options
+11. Run a variety of docker operations on the VCH
+12. Create a container
+13. Use govc to attempt to out-of-band destroy the container from Step 6
+14. Clean up the VCH
 
 # Expected Outcome:
 * Steps 1-3 should succeed
@@ -23,6 +29,10 @@ This test requires access to VMware Nimbus cluster for dynamic ESXi and vCenter
 * Step 5 and 6 should succeed
 * Step 7 should fail since the destroy method should be disabled by VIC
 * Step 8 should succeed
+* Step 9-12 should succeed
+* Step 13 should fail since the destroy method should be disabled by VIC
+* Step 14 should succeed
+
 
 # Possible Problems:
 None
diff --git a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot
index d70f916db5..87dcab7f70 100644
--- a/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot +++ b/tests/manual-test-cases/Group5-Functional-Tests/5-25-OPS-User-Grant.robot 
@@ -82,17 +82,32 @@ Run privilege-dependent docker operations
 ${rc} ${output}= Run And Return Rc And Output docker %{VCH-PARAMS} rm -f ${c5}
 Should Be Equal As Integers ${rc} 0
 
-*** Test Cases ***
-vic-machine create grants ops-user perms
- Install VIC Appliance To Test Server additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms
+Reconfigure VCH With Ops User
+ ${rc} ${output}= Run And Return Rc And Output bin/vic-machine-linux configure --target %{TEST_URL} --user %{TEST_USERNAME} --password=%{TEST_PASSWORD} --compute-resource=%{TEST_RESOURCE} --name %{VCH-NAME} --ops-user=${ops_user_name} --ops-password=${ops_user_password} --ops-grant-perms --thumbprint=%{TEST_THUMBPRINT} --debug=1
+ Should Be Equal As Integers ${rc} 0
+ Should Contain ${output} Completed successfully
 
- # Run a govc test to check that access is denied on some resources
+Attempt To Disable DRS
 Log To Console Running govc to set drs-enabled, it should fail
 ${rc} ${output}= Run And Return Rc And Output GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc cluster.change -drs-enabled /${datacenter}/host/${cluster}
 Log Govc output: ${output}
 Should Be Equal As Integers ${rc} 1
 Should Contain ${output} Permission to perform this operation was denied
 
+Attempt To Create Resource Pool
+ Log To Console Running govc to create a resource pool named "5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}", it should fail
+ ${rc} ${output}= Run And Return Rc And Output GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc pool.create */Resources/5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}
+ Log Govc output: ${output}
+ Should Be Equal As Integers ${rc} 1
+ Should Contain ${output} Permission to perform this operation was denied
+
+*** Test Cases ***
+vic-machine create grants ops-user perms
+ Install VIC Appliance To Test Server additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms
+
+ # Run a govc test to check that access is denied on some resources
+ Attempt To Disable DRS
+
 Run Regression Tests
 
 Run privilege-dependent docker operations
@@ -107,11 +122,7 @@ granted ops-user perms work after upgrade
 Check Upgraded Version
 
 # Run a govc test to check that access is denied on some resources
- Log To Console Running govc to set drs-enabled, it should fail
- ${rc} ${output}= Run And Return Rc And Output GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc cluster.change -drs-enabled /${datacenter}/host/${cluster}
- Log Govc output: ${output}
- Should Be Equal As Integers ${rc} 1
- Should Contain ${output} Permission to perform this operation was denied
+ Attempt To Create Resource Pool
 
 Run Regression Tests
 
@@ -124,14 +135,22 @@ Test with VM-Host Affinity
 Install VIC Appliance To Test Server additional-args=--ops-user ${ops_user_name} --ops-password ${ops_user_password} --ops-grant-perms --affinity-vm-group
 
 # Run a govc test to check that access is denied on some resources
- Log To Console Running govc to create a resource pool named "5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}", it should fail
- ${rc} ${output}= Run And Return Rc And Output GOVC_USERNAME=${ops_user_name} GOVC_PASSWORD=${ops_user_password} govc pool.create */Resources/5-25-OPS-User-Grant-%{DRONE_BUILD_NUMBER}
- Log Govc output: ${output}
- Should Be Equal As Integers ${rc} 1
- Should Contain ${output} Permission to perform this operation was denied
+ Attempt To Create Resource Pool
 
 Run Regression Tests
 
 Run privilege-dependent docker operations
 
 Cleanup VIC Appliance On Test Server
+
+vic-machine configure grants ops-user perms
+ Install VIC Appliance To Test Server
+
+ Reconfigure VCH With Ops User
+
+ # Run a govc test to check that access is denied on some resources
+ Attempt To Disable DRS
+
+ Run Privileged Commands
+
+ Cleanup VIC Appliance On Test Server
\ No newline at end of file
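Review bot: The upgrade test case now calls `Attempt To Create Resource Pool` where it previously ran the DRS-disable check inline, so the denied operation verified after upgrade silently changes from `cluster.change -drs-enabled` to `pool.create`. If the intent was only to deduplicate, `Attempt To Disable DRS` is the equivalent keyword, and since each is a single line both could be called to keep the post-upgrade coverage a superset of what it was. The `granted ops-user perms work after upgrade` case begins before this hunk.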
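Review bot: The new `vic-machine configure grants ops-user perms` case checks only a denied operation via `Attempt To Disable DRS` and then `Run Privileged Commands`, which is not defined in this diff; unlike the other three cases in this file it never runs `Run Regression Tests` or `Run privilege-dependent docker operations`, so a reconfigure that grants the permissions but leaves the VCH unable to perform the docker operations those keywords exercise would still pass. Adding `Run Regression Tests` and `Run privilege-dependent docker operations` before the cleanup would match the manual test case's steps 11-13 that this commit adds. The file also ends without a trailing newline, which the diff flags.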