Investigate Missing Permissions #4746

Closed
jonathanmeier5 opened this issue Jan 24, 2023 · 4 comments
Labels
area/cli Generic EKS-A CLI features area/providers/vsphere vSphere provider related issues or feature requests team/cli

Comments

@jonathanmeier5
Member

jonathanmeier5 commented Jan 24, 2023

vSphere 7.0.2 appears to be missing several permissions that exist in vSphere 7.0.3:

- ContentLibrary.AddCertToTrustStore
- ContentLibrary.DeleteCertFromTrustStore
- vSphereDataProtection.Protection
- vSphereDataProtection.Recovery

The longer term solution here is probably to stop requiring Admin role on objects.

I think that if we add ContentLibrary.UpdateSession to our User role we might be able to deprecate the Admin roles altogether.

Note that despite the warning in CLI validations, missing these permissions will not block cluster creation.

@jonathanmeier5 jonathanmeier5 self-assigned this Jan 24, 2023
@jonathanmeier5 jonathanmeier5 added team/cli area/cli Generic EKS-A CLI features area/providers/vsphere vSphere provider related issues or feature requests labels Jan 24, 2023
@jdavid5815

jdavid5815 commented Oct 18, 2023

Hi,

We are running into the same issue. However, it doesn't appear as a warning, but as an error and the upgrade will NOT continue. It is in fact blocking us.


```
user XXX@YYY missing vSphere permissions	{"Permissions": "- username: XXX@YYY\n  objectType: Folder\n  path: /AAA/BBB/EKS_Anywhere\n  permissions:\n  - ContentLibrary.AddCertToTrustStore\n  - ContentLibrary.DeleteCertFromTrustStore\n  - vSphereDataProtection.Protection\n  - vSphereDataProtection.Recovery\n- username: XXX@YYY\n  objectType: VirtualMachine\n  path: /AAA/BBB/EKS_Anywhere/bottlerocket-vmware-k8s-1.26-x86_64-v1.14.3.ova\n  permissions:\n  - ContentLibrary.AddCertToTrustStore\n  - ContentLibrary.DeleteCertFromTrustStore\n  - vSphereDataProtection.Protection\n  - vSphereDataProtection.Recovery\n"}
❌ Validation failed	{"validation": "vsphere provider validation", "error": "validating vsphere user privileges: user XXX@YYY missing vSphere permissions", "remediation": ""}
```

@jonathanmeier5
Member Author

jonathanmeier5 commented Oct 19, 2023

@jdavid5815
This validation was changed from a warning to an error in 0.17.0 when functionality was added to allow skipping it.

You can now use the `--skip-validations vsphere-user-privilege` flag in the upgrade and create commands.
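
An added example, not part of this thread or of the EKS Anywhere code: before skipping the `vsphere-user-privilege` validation, this parses the validator's "missing vSphere permissions" log line and reports any missing privilege other than the four listed at the top of this issue. The function names are hypothetical, the sample line is constructed in the format shown above, and `VirtualMachine.Inventory.Create` is used only as a sample extra privilege.

```python
import json

# The four privileges this issue reports as absent from vSphere 7.0.2.
ABSENT_IN_702 = {
    "ContentLibrary.AddCertToTrustStore",
    "ContentLibrary.DeleteCertFromTrustStore",
    "vSphereDataProtection.Protection",
    "vSphereDataProtection.Recovery",
}

def parse_missing(log_line):
    """Parse one 'missing vSphere permissions' log line into a list of entries."""
    payload = json.loads(log_line[log_line.index("{"):])
    entries = []
    # The "Permissions" value is a small YAML list; this handles only that shape.
    for raw in payload["Permissions"].splitlines():
        line = raw.strip()
        if line.startswith("- username:"):
            entries.append({"username": line.split(":", 1)[1].strip(), "permissions": []})
        elif line.startswith("- ") and entries:
            entries[-1]["permissions"].append(line[2:].strip())
        elif ":" in line and entries:
            key, value = line.split(":", 1)
            if key != "permissions":
                entries[-1][key] = value.strip()
    return entries

def unexplained(log_line):
    """Return {object path: [privileges]} for gaps NOT explained by the 7.0.2 list."""
    out = {}
    for entry in parse_missing(log_line):
        extra = sorted(set(entry["permissions"]) - ABSENT_IN_702)
        if extra:
            out[entry.get("path", "?")] = extra
    return out

def sample_line(extra=()):
    """Constructed log line in the thread's format, placeholders as in the thread."""
    perms = sorted(ABSENT_IN_702) + list(extra)
    text = ("- username: XXX@YYY\n  objectType: Folder\n"
            "  path: /AAA/BBB/EKS_Anywhere\n  permissions:\n"
            + "".join(f"  - {p}\n" for p in perms))
    return ("user XXX@YYY missing vSphere permissions\t"
            + json.dumps({"Permissions": text}))

if __name__ == "__main__":
    print(unexplained(sample_line()))  # only the known 7.0.2 gap
    print(unexplained(sample_line(["VirtualMachine.Inventory.Create"])))
```

An empty result means every reported gap is one of the four privileges named in this issue; a non-empty result lists privileges the user lacks for some other reason.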

@jdavid5815

Thanks for the update. We already worked around the issue by downgrading eksa to version 0.16.5, where the validation still issues warnings instead of errors. Of course, the new flag is a better solution because it will allow us to use the latest version of eksa.

@csplinter
Member

Closing this due to inactivity
