Error: cannot find datacenter from path "": NoPermission #854

Closed
Koleon opened this issue Oct 3, 2019 · 6 comments
Labels
question/vsphere Question: VMware vSphere

Comments

Koleon commented Oct 3, 2019

Hi there,

Recently we've hardened our VMware vSphere environment and restricted access to parts of the system using roles. Administration of objects via the vSphere UI or VMware Workstation Pro works without problems. Unfortunately, Terraform has problems with some restrictions.

Terraform Version

$ terraform version
Terraform v0.12.9
+ provider.vsphere v1.13.0

vSphere Provider Version

$ terraform providers
.
└── provider.vsphere
terraform-provider-vsphere_v1.13.0_x4

Affected Resource(s)

Please list the resources as a list, for example:

  • vsphere_folder

Terraform Configuration Files

data "vsphere_datacenter" "dc-lab" {
  name = "BM-LAB"
}

resource "vsphere_folder" "k8s" {
  path          = "08_Sandbox/21_Kolo/k8s"
  type          = "vm"
  datacenter_id = data.vsphere_datacenter.dc-lab.id
}

Debug Output

vsphere_folder.k8s - *terraform.NodeApplyableResourceInstance
  data.vsphere_datacenter.dc-lab - *terraform.NodeApplyableResourceInstance
  data.vsphere_datacenter.dc-lab (prepare state) - *terraform.NodeApplyableResource
  provider.vsphere - *terraform.NodeApplyableProvider
  vsphere_folder.k8s (prepare state) - *terraform.NodeApdata.vsphere_datacenter.dc-lab: Refreshing state...
vsphere_folder.k8s: Creating...
2019/10/03 10:16:33 [ERROR] <root>: eval: *terraform.EvalApplyPost, err: cannot find datacenter from path "/BM-LAB": NoPermission
2019/10/03 10:16:33 [ERROR] <root>: eval: *terraform.EvalSequence, err: cannot find datacenter from path "/BM-LAB": NoPermission

Panic Output

There is no panic or crash.log.

Expected Behavior

Create folder.

Actual Behavior

The folder is created; unfortunately, I get an error message.
Error: cannot find datacenter from path "/BM-LAB": NoPermission

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply

Important Factoids

It seems the problem comes from https://github.com/terraform-providers/terraform-provider-vsphere/blob/534931a5deb3be12c7217b6794781299fdce28cb/vsphere/resource_vsphere_folder.go#L127 where the function resourceVSphereFolderCreate returns resourceVSphereFolderRead, but I don't know why. Comments are missing.

Needless to say, the user connecting to vSphere has no privileges to view the VC Server object.

EDIT: It's interesting that folder creation in vSphere Web UI works without any problem. Moreover I tested folder creation via govc and it works as well.


Koleon commented Oct 8, 2019

Bump

@aareet aareet added the question/vsphere Question: VMware vSphere label Oct 9, 2019

Koleon commented Oct 22, 2019

EDIT-2: For a better testing scenario:

Hierarchical Inheritance of Permissions below:

[Hosts and Clusters]
vsphere.local [VC Server] (no permission specified)
└── LAB-datacenter [datacenter] (LAB-Users:Read-only[This object])
     └── LAB-cluster [cluster] (LAB-G-Users:Assign-Vapp-and-VM-to-resourcepool[This object])
[VMs and Templates]
vsphere.local [VC Server] (no permission specified)
└── LAB-datacenter [datacenter] (LAB-Users:Read-only[This object])
     └── Folder (LAB-G-Users:Manage-Folders-and-VM[Propagate])
         └── SubFolder (LAB-G-Users:Manage-Folders-and-VM[Propagate])
[Storage]
vsphere.local [VC Server] (no permission specified)
└── LAB-datacenter [datacenter] (LAB-Users:Read-only[This object])
     └── Datastore-lab (LAB-G-Users:Allocate-Datastore[This object])
  • Read-only
      System.Anonymous
      System.Read
      System.View
  • Assign-Vapp-and-VM-to-Resourcepool
      Resource.AssignVAppToPool
      Resource.AssignVMToPool
      System.Anonymous
      System.Read
      System.View
      VApp.Import
      VirtualMachine.Config.AddNewDisk
      VirtualMachine.Config.AdvancedConfig
  • Manage-Folders-and-VM
      Folder.Create
      Folder.Delete
      Folder.Rename
      System.Anonymous
      System.Read
      System.View
      VApp.ApplicationConfig
      VApp.Create
      VApp.Export
      VApp.ExtractOvfEnvironment
      VApp.Import
      VApp.InstanceConfig
      VApp.ManagedByConfig
      VApp.ResourceConfig
      VirtualMachine.Config.AddExistingDisk
      VirtualMachine.Config.AddNewDisk
      VirtualMachine.Config.AddRemoveDevice
      VirtualMachine.Config.AdvancedConfig
      VirtualMachine.Config.Annotation
      VirtualMachine.Config.CPUCount
      VirtualMachine.Config.DiskExtend
      VirtualMachine.Config.DiskLease
      VirtualMachine.Config.EditDevice
      VirtualMachine.Config.Memory
      VirtualMachine.Config.MksControl
      VirtualMachine.Config.RemoveDisk
      VirtualMachine.Config.Rename
      VirtualMachine.Config.ResetGuestInfo
      VirtualMachine.Config.Resource
      VirtualMachine.Config.Settings
      VirtualMachine.Config.UpgradeVirtualHardware
      VirtualMachine.GuestOperations.Modify
      VirtualMachine.Interact.AnswerQuestion
      VirtualMachine.Interact.ConsoleInteract
      VirtualMachine.Interact.DeviceConnection
      VirtualMachine.Interact.PowerOff
      VirtualMachine.Interact.PowerOn
      VirtualMachine.Interact.Reset
      VirtualMachine.Interact.SetCDMedia
      VirtualMachine.Interact.SetFloppyMedia
      VirtualMachine.Interact.ToolsInstall
      VirtualMachine.Inventory.Create
      VirtualMachine.Inventory.CreateFromExisting
      VirtualMachine.Inventory.Delete
      VirtualMachine.Inventory.Register
      VirtualMachine.Provisioning.Clone
      VirtualMachine.Provisioning.CloneTemplate
      VirtualMachine.Provisioning.CreateTemplateFromVM
      VirtualMachine.Provisioning.Customize
      VirtualMachine.Provisioning.DeployTemplate
      VirtualMachine.Provisioning.DiskRandomAccess
      VirtualMachine.Provisioning.DiskRandomRead
      VirtualMachine.Provisioning.MarkAsTemplate
      VirtualMachine.Provisioning.MarkAsVM
      VirtualMachine.Provisioning.ModifyCustSpecs
      VirtualMachine.Provisioning.ReadCustSpecs
      VirtualMachine.State.CreateSnapshot
      VirtualMachine.State.RemoveSnapshot
      VirtualMachine.State.RenameSnapshot
      VirtualMachine.State.RevertToSnapshot
  • Allocate-Datastore
      Datastore.AllocateSpace
      Datastore.UpdateVirtualMachineMetadata
      System.Anonymous
      System.Read
      System.View

@hashibot

This issue has been open 180 days with no activity. If this issue is reproducible with the latest version of the provider and with Terraform 0.12, please comment. Otherwise this issue will be closed in 30 days.

@hashibot hashibot added the stale Status: Stale label Apr 21, 2020

Koleon commented May 20, 2020

This issue is related to #803
Running the $ govc datacenter.info check gives me a NoPermission error.
Obviously the Read-only role on the datacenter object is not enough.

@ghost ghost removed the stale Status: Stale label May 20, 2020
@bill-rich
Contributor

It may also be that the permissions are not applied at the vCenter level. They must be applied at the root in order to list datacenters using the vSphere API.
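
The permission layout from the EDIT-2 comment, checked against the root requirement described in the comment above. This is an added example, not part of the thread or the provider's code. It is a simplified model that assumes three rules: a propagating assignment applies to descendants, the nearest assignment per group wins with groups unioned, and a lookup by path needs System.View on every object from the root down. `WITH_ROOT_READ` is a hypothetical remediation, not a configuration confirmed in the thread.

```python
# Simplified model of vSphere permission inheritance; not the vCenter algorithm.
# Inventory and assignments transcribed from the "VMs and Templates" tree above.
PARENT = {
    "vsphere.local": None,
    "LAB-datacenter": "vsphere.local",
    "Folder": "LAB-datacenter",
    "SubFolder": "Folder",
}
ROLES = {  # abbreviated to the privileges this check needs
    "Read-only": {"System.Anonymous", "System.Read", "System.View"},
    "Manage-Folders-and-VM": {"Folder.Create", "Folder.Delete", "Folder.Rename",
                              "System.Anonymous", "System.Read", "System.View"},
}
# (object, group, role, propagate to children?)
ASSIGNMENTS = [
    ("LAB-datacenter", "LAB-Users", "Read-only", False),
    ("Folder", "LAB-G-Users", "Manage-Folders-and-VM", True),
    ("SubFolder", "LAB-G-Users", "Manage-Folders-and-VM", True),
]
# Hypothetical remediation: non-propagating Read-only on the vCenter root.
WITH_ROOT_READ = ASSIGNMENTS + [("vsphere.local", "LAB-Users", "Read-only", False)]


def effective(obj, groups, assignments=ASSIGNMENTS):
    """Privileges on obj: union over groups; per group the nearest assignment wins."""
    privs = set()
    for group in groups:
        node, direct = obj, True
        while node is not None:
            roles = [r for o, g, r, prop in assignments
                     if o == node and g == group and (direct or prop)]
            if roles:
                privs.update(*(ROLES[r] for r in roles))
                break
            node, direct = PARENT[node], False
    return privs


def first_blocked(target, groups, assignments=ASSIGNMENTS, privilege="System.View"):
    """Walk root -> target; return the first object lacking privilege, else None."""
    path = []
    while target is not None:
        path.insert(0, target)
        target = PARENT[target]
    for obj in path:
        if privilege not in effective(obj, groups, assignments):
            return obj
    return None
```

In this model the reported layout blocks at `vsphere.local` while `Folder.Create` is still effective on `SubFolder`, which matches a folder that is created followed by a failing read. The non-propagating root assignment clears the path walk without granting `LAB-Users` anything on `Folder`.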


ghost commented Oct 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 10, 2020