When vCenter Server is present, all activities are funneled
through vCenter Server using Windows accounts that have been assigned a role,
and that role has, in turn, been assigned to one or more inventory objects as a
permission. This combination of Windows account, role, and inventory object
creates a permission that allows (or disallows) the user to perform certain
functions. The user accounts exist in Active Directory (or on the vCenter
Server computer itself), not on the ESXi hosts, and the permissions and roles
are defined within vCenter Server, not on the ESXi hosts. Because the user
doesn't log into the ESXi host directly, this minimizes the need for many local
user accounts on the ESXi host and thus provides better security. Alas, there
still is a need, however small or infrequent, for local accounts on an ESXi
host, used primarily for administration, which is why I talked earlier about
managing local users and groups and integrating ESXi authentication into Active
Directory.
Because the user accounts exist outside the ESXi hosts, and because the roles, privileges, and permissions are defined outside the ESXi hosts, when you use vCenter Server to manage your
virtual infrastructure, you are really only creating a task and not directly interacting with the ESXi hosts or the VMs. This is true for any user using vCenter Server to manage hosts or VMs. For instance, Shane, an administrator, wants to log into vCenter Server and create a new VM. Shane first needs the proper role (perhaps a custom role you created specifically for the purpose of creating new VMs) assigned to the proper inventory object or objects within vCenter Server.
Assuming the correct role has been assigned to the correct inventory
objects (let's say it's a resource pool), Shane has what he needs to create,
modify, and monitor VMs. But does Shane's user account have direct access to
the ESXi hosts when he's logged into vCenter Server? No, it does not. In fact, a
proxy account is used to communicate Shane's tasks to the appropriate ESXi host
or VM. This account, vpxuser, is the only account that vCenter Server stores and
tracks in its backend database.
Anytime vCenter Server polls an ESXi host or an administrator creates a task that needs to be communicated to an ESXi host, the vpxuser account is used. On the ESXi hosts that are managed by vCenter Server, the vpxuser account exists (it's created automatically by vCenter Server; this is why vCenter Server asks you for the root password when adding a host to the inventory) and is assigned the Administrator role. This gives the vpxuser account the ability to perform whatever tasks are necessary on the individual ESXi hosts managed by vCenter Server. When a user logs into vCenter Server, vCenter Server applies its security model (roles, privileges, and permissions) to that user, ensuring that the user is only permitted to perform the tasks for which they are authorized. On the backend, though, all these tasks are proxied onto the individual ESXi hosts as vpxuser.

Two practical consequences follow from this design. First, vpxuser holds the Administrator role on every managed host, and its credentials live in the vCenter Server database, so the vCenter Server system itself is a high-value target: whoever controls vCenter controls every host it manages. vCenter Server generates the vpxuser password itself and rotates it automatically (the interval is governed by the advanced setting VirtualCenter.VimPasswordExpirationInDays, which defaults to 30 days), so you should never need to know or share it. Second, because the host only ever sees vpxuser, the hostd logs on the ESXi side attribute proxied actions to vpxuser, not to Shane; the vCenter Server tasks and events are where the originating user is recorded, so keep them when you investigate a change on a host.
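The following is an added illustration, not code from the book or from VMware, of the two ideas above: a permission is a principal plus a role on an inventory object, optionally propagated down the inventory tree, and an authorized task is dispatched to the host under vpxuser rather than under the user's own account. The inventory objects, the principal CORP\shane, the privilege sets attached to each role, and the host names are all constructed for the example (the privilege IDs follow vSphere's naming, but the sets are not the real minimum for any task). It also models vSphere's rule that a permission set directly on a child object overrides one propagated from a parent, which the text does not spell out.

```python
"""Toy model of vCenter's role/permission evaluation and the vpxuser proxy.

Added example, not code from the book or from VMware. Inventory, principals,
role contents and host names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    # ESXi host vCenter would proxy tasks on this object to (constructed).
    host: Optional[str] = None


@dataclass(frozen=True)
class Permission:
    principal: str   # e.g. a Windows/AD account
    entity: str      # inventory object the permission is set on
    role: str
    propagate: bool  # does it flow down to child objects?


# Roles are named sets of privileges. "*" stands for all privileges.
ROLES: Dict[str, set] = {
    "Administrator": {"*"},
    "Read-only": {"System.Anonymous", "System.View", "System.Read"},
    # Assumed custom role for the "create a VM" scenario; not the real minimum.
    "VM Creator": {"System.View", "System.Read",
                   "VirtualMachine.Inventory.Create",
                   "Resource.AssignVMToPool"},
}

# The only account the ESXi hosts ever see for tasks coming from vCenter.
PROXY_ACCOUNT = "vpxuser"


def build_inventory() -> Dict[str, InventoryObject]:
    """Constructed inventory: DC1 > Cluster1 > Dev (pool) > Dev-Prod (pool)."""
    dc = InventoryObject("DC1")
    cluster = InventoryObject("Cluster1", dc)
    dev = InventoryObject("Dev", cluster, host="esxi01.example.com")
    dev_prod = InventoryObject("Dev-Prod", dev, host="esxi02.example.com")
    return {o.name: o for o in (dc, cluster, dev, dev_prod)}


# Constructed permissions: Shane may create VMs anywhere under Dev, but on the
# child pool Dev-Prod an explicit Read-only permission overrides the inherited
# one. Ops is Administrator on Cluster1 only, without propagation.
PERMISSIONS: List[Permission] = [
    Permission("CORP\\shane", "Dev", "VM Creator", propagate=True),
    Permission("CORP\\shane", "Dev-Prod", "Read-only", propagate=False),
    Permission("CORP\\ops", "Cluster1", "Administrator", propagate=False),
]


def effective_role(perms: List[Permission], inventory: Dict[str, InventoryObject],
                   principal: str, entity_name: str) -> Optional[str]:
    """Walk from the object toward the root and return the first applicable role.

    A permission defined directly on the object always wins; a permission on an
    ancestor applies only if it was defined with propagate=True.
    """
    obj = inventory[entity_name]
    direct = True
    while obj is not None:
        for p in perms:
            if p.principal == principal and p.entity == obj.name and (direct or p.propagate):
                return p.role
        obj, direct = obj.parent, False
    return None


def authorize(perms, inventory, principal: str, privilege: str, entity_name: str) -> bool:
    """vCenter-side check: does the principal's effective role carry the privilege?"""
    role = effective_role(perms, inventory, principal, entity_name)
    if role is None:
        return False
    privs = ROLES[role]
    return "*" in privs or privilege in privs


def submit_task(perms, inventory, principal: str, privilege: str, entity_name: str) -> dict:
    """Apply the vCenter check, then dispatch to the host as vpxuser.

    The record keeps the originating user (what vCenter's tasks/events show)
    next to the account the host actually sees (what hostd logs show).
    """
    record = {"user": principal, "privilege": privilege, "entity": entity_name}
    if not authorize(perms, inventory, principal, privilege, entity_name):
        return {**record, "status": "denied"}
    return {**record, "status": "dispatched",
            "host": inventory[entity_name].host, "host_account": PROXY_ACCOUNT}


if __name__ == "__main__":
    inv = build_inventory()
    for entity in ("Dev", "Dev-Prod", "Cluster1"):
        print(submit_task(PERMISSIONS, inv, "CORP\\shane",
                          "VirtualMachine.Inventory.Create", entity))
```

Running the block shows Shane's create task dispatched on Dev as vpxuser, denied on Dev-Prod because the explicit Read-only permission there overrides the inherited VM Creator role, and denied on Cluster1 where he has no permission at all. A real evaluation also weighs user permissions above group permissions on the same object, which this model leaves out.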
Info taken from Mastering VMware vSphere Guide