
Monday, 1 September 2014

Understanding the vpxuser Account




When vCenter Server is present, all activities are funneled through vCenter Server using Windows accounts that have been assigned a role, which has in turn been assigned to one or more inventory objects as a permission. This combination of Windows account, role, and inventory object creates a permission that allows (or disallows) the user to perform certain functions. The user accounts exist in Active Directory (or on the vCenter Server computer itself), not on the ESXi hosts, and the permissions and roles are defined within vCenter Server, not on the ESXi hosts. Because users don’t log into the ESXi host directly, the need for local user accounts on the host is minimized, and that means better security. Alas, there is still a need, however small or infrequent, for local accounts on an ESXi host, used primarily for administration, which is why I talked earlier about managing local users and groups and integrating ESXi authentication into Active Directory.

Because the user accounts exist outside the ESXi hosts, and because the roles, privileges, and permissions are defined outside the ESXi hosts, when you use vCenter Server to manage your virtual infrastructure you are really only creating a task, not directly interacting with the ESXi hosts or the VMs. This is true for any user who uses vCenter Server to manage hosts or VMs. For instance, Shane, an administrator, wants to log into vCenter Server and create a new VM. Shane first needs the proper role — perhaps a custom role you created specifically for the purpose of creating new VMs — assigned to the proper inventory object or objects within vCenter Server.



Assuming the correct role has been assigned to the correct inventory objects — let’s say it’s a resource pool — Shane has what he needs to create, modify, and monitor VMs. But does Shane’s user account have direct access to the ESXi hosts when he’s logged into vCenter Server? No, it does not. In fact, a proxy account is used to communicate Shane’s tasks to the appropriate ESXi host or VM. This account, vpxuser, is the only account that vCenter Server stores and tracks in its backend database.
Anytime vCenter Server polls an ESXi host or an administrator creates a task that needs to be communicated to an ESXi host, the vpxuser account is used. On the ESXi hosts that are managed by vCenter Server, the vpxuser account exists (it’s created automatically by vCenter Server; this is why vCenter Server asks you for the root password when adding a host to the inventory) and is assigned the Administrator role. This gives the vpxuser account the ability to perform whatever tasks are necessary on the individual ESXi hosts managed by vCenter Server. When a user logs into vCenter Server, vCenter Server applies its security model (roles, privileges, and permissions) to that user, ensuring that the user is only permitted to perform the tasks for which they are authorized. On the backend, though, all these tasks are proxied onto the individual ESXi hosts as vpxuser.
Info taken from the Mastering VMware vSphere guide.
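As an added example (not code from the original post or from the book it cites), here is a small Python model of the two layers the text describes: vCenter Server evaluates the user's role against the inventory object (walking up the tree to honour propagated permissions) and, only if that check passes, carries the task out on the host as vpxuser. Everything in it is constructed for illustration: the user names shane, alice and mallory, the host name, the privilege strings (which mimic vSphere's dotted naming but are not the vSphere API), and the simplified propagation rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Privilege identifiers in the dotted style vSphere uses (constructed for this example).
CREATE_VM = "VirtualMachine.Inventory.Create"
HOST_SETTINGS = "Host.Config.Settings"
MANAGE_USERS = "Host.Local.ManageUserGroups"


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


ADMINISTRATOR = Role("Administrator", frozenset({CREATE_VM, HOST_SETTINGS, MANAGE_USERS}))
VM_CREATOR = Role("VM Creator", frozenset({CREATE_VM}))  # a custom role like the one Shane needs


@dataclass
class InventoryObject:
    """A node in vCenter's inventory tree (datacenter, cluster, resource pool, ...)."""
    name: str
    parent: Optional["InventoryObject"] = None
    # principal -> (role, propagate to children?)
    permissions: Dict[str, Tuple[Role, bool]] = field(default_factory=dict)

    def assign(self, principal: str, role: Role, propagate: bool = True) -> None:
        self.permissions[principal] = (role, propagate)


def effective_role(principal: str, obj: InventoryObject) -> Optional[Role]:
    """Permission on the object itself wins; otherwise the nearest *propagating*
    permission on an ancestor applies (simplified model of vCenter's rules)."""
    node, depth = obj, 0
    while node is not None:
        if principal in node.permissions:
            role, propagate = node.permissions[principal]
            if depth == 0 or propagate:
                return role
        node, depth = node.parent, depth + 1
    return None


@dataclass
class ESXiHost:
    """Host-side view: only local accounts exist here; vCenter users are unknown."""
    name: str
    local_accounts: Dict[str, Role]
    audit_log: List[str] = field(default_factory=list)

    def execute(self, actor: str, privilege: str, target: str) -> bool:
        role = self.local_accounts.get(actor)
        allowed = role is not None and privilege in role.privileges
        self.audit_log.append(f"{'OK' if allowed else 'DENY'} actor={actor} op={privilege} target={target}")
        return allowed


class VCenter:
    PROXY_ACCOUNT = "vpxuser"

    def __init__(self) -> None:
        self.hosts: Dict[str, ESXiHost] = {}
        self.task_log: List[str] = []  # the only place the real user's name is recorded

    def add_host(self, host: ESXiHost) -> bool:
        # vCenter needs root on the host once, to create its proxy account with Administrator.
        if not host.execute("root", MANAGE_USERS, f"create {self.PROXY_ACCOUNT}"):
            return False
        host.local_accounts[self.PROXY_ACCOUNT] = ADMINISTRATOR
        self.hosts[host.name] = host
        return True

    def run_task(self, user: str, privilege: str, target: InventoryObject, host_name: str) -> bool:
        role = effective_role(user, target)
        if role is None or privilege not in role.privileges:
            self.task_log.append(f"DENIED user={user} op={privilege} target={target.name}")
            return False
        self.task_log.append(f"QUEUED user={user} op={privilege} target={target.name} host={host_name}")
        # Authorization is finished here; execution on the host is always as vpxuser.
        return self.hosts[host_name].execute(self.PROXY_ACCOUNT, privilege, target.name)


def demo():
    """Constructed scenario: Shane may create VMs in the Dev pool, nobody else may."""
    vc = VCenter()
    host = ESXiHost("esxi01.example.test", {"root": ADMINISTRATOR})
    vc.add_host(host)
    dc = InventoryObject("DC1")
    cluster = InventoryObject("Cluster1", parent=dc)
    pool = InventoryObject("Dev", parent=cluster)
    pool.assign("shane", VM_CREATOR)                   # propagating, directly on the pool
    dc.assign("alice", VM_CREATOR, propagate=False)   # stops at DC1, never reaches Dev
    results = {
        "shane_create": vc.run_task("shane", CREATE_VM, pool, host.name),
        "shane_host_settings": vc.run_task("shane", HOST_SETTINGS, pool, host.name),
        "alice_create_in_pool": vc.run_task("alice", CREATE_VM, pool, host.name),
        "mallory_create": vc.run_task("mallory", CREATE_VM, pool, host.name),
    }
    return results, vc.task_log, host.audit_log


if __name__ == "__main__":
    results, tasks, host_log = demo()
    for line in tasks:
        print("vCenter:", line)
    for line in host_log:
        print("ESXi   :", line)
```

Run it and compare the two logs: the host-side log only ever shows root (once, when the host was added) and vpxuser, while Shane's name appears only in the vCenter task log. For incident response that means host-level records alone cannot attribute an action to a person; you need the vCenter task and event history as well. And because vpxuser holds the Administrator role on every managed host, the vCenter authorization layer and its backend database are what actually bound what any vCenter user can do, so they deserve the same protection as the hosts themselves.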
