VMware Cloud Foundation

About VIEWER Role and SDDC Manager Local Account

In this blog post, we will learn about the VIEWER role and the local account, both introduced in the VMware Cloud Foundation 4.1.0 release.

About VIEWER role

A new role named VIEWER is introduced in addition to the existing roles ADMIN and OPERATOR.

A user with the VIEWER role cannot perform write operations or any operation that changes the state of the system; only read-only operations are allowed.

How to assign VIEWER role to a user using SDDC Manager UI

The following are the steps to assign the VIEWER role to a user using the SDDC Manager UI. Note that only a user with the ADMIN role can perform these operations.

Step 1: Log in to SDDC Manager UI and navigate to the Administration > Users page.

Step 2: Search for or select a user from the required domain, open the 'Choose Role' dropdown, select the VIEWER role and click the Add button as shown below.

Step 3: Verify that the user is listed with the assigned role, VIEWER.

Step 4: Log in to SDDC Manager UI using the user who has the VIEWER role assigned.

Step 5: Navigate to the Workload Domains page and select the management domain. Click the Actions menu and notice that no options are available to perform any operation; the UI shows the text "Unauthorized Access".

Note: A user logged in with the VIEWER role can only view the SDDC Manager. User management and password management are hidden from this role, so the related screens are not visible in the SDDC Manager UI.

Below is a screenshot showing that the Users and Password Management pages are hidden in the UI for a user with the VIEWER role:

Public API access using the VIEWER role:

A VIEWER role user can access only GET HTTP request methods (excluding Password Management and User Management related APIs) and no other HTTP request methods such as POST/PUT/PATCH/DELETE are allowed.

Below are a few examples showing that only GET is allowed (excluding password management and user management) and that no other HTTP request methods are permitted for a VIEWER role user.

Note:
In this post, I'm not covering how to generate a token, add a user to Cloud Foundation, or assign a role to a user. All these details are available in my other blog post: Getting Started with Token-Based Authentication for VMware Cloud Foundation APIs

GET HTTP request using VIEWER role:

Here is the sample response received for the GET /v1/pscs API call using the token generated by the VIEWER role user. Note that access is allowed for the GET HTTP request method.

PUT HTTP request using VIEWER role:

Here is the sample response received for the PUT /v1/system/settings/depot API call using the token generated by the VIEWER role user. Note that access is denied for the PUT HTTP request method.

GET HTTP request using VIEWER role (User Management):

Here is the sample API response received for the GET /v1/users API call using the token generated by the VIEWER role user. Note that access is denied even for a GET HTTP request when it involves a User Management operation.

SDDC Manager Local Account

The local account is introduced as part of the VMware Cloud Foundation 4.1.0 release.

A local account can be used to access VMware Cloud Foundation APIs when the management vCenter Server is down.

For example:

1. Use the local account when the identity provider (SSO) that validates user credentials is down.

2. Use it in any other situation where you cannot generate a token using regular SSO credentials.

To configure the local account during bringup, specify its password in the deployment parameter workbook.

Below is the screenshot of the deployment parameter workbook which shows a field in the workbook to provide a password for local account:

The username for the local account is admin@local.
(Note that the local account username is fixed and cannot be changed.)

The following are the APIs related to the local account:

How to check if the local account is configured or not

cURL Request Syntax:

curl -H "Authorization: Bearer <ACCESS_TOKEN>" -H "Content-Type: application/json" https://<SDDC_MANAGER_FQDN>/v1/users/local/admin -k

Replace <ACCESS_TOKEN> and <SDDC_MANAGER_FQDN> as appropriate in the above command.

Example Response:

How to update the password of local account

cURL Request Syntax:

curl -H "Authorization: Bearer <ACCESS_TOKEN>" -H "Content-Type: application/json" -X PATCH -d '{"oldPassword" : "<OLD_PASSWORD>", "newPassword" : "<NEW_PASSWORD>"}' https://<SDDC_MANAGER_FQDN>/v1/users/local/admin -k -i

Replace <ACCESS_TOKEN>, <OLD_PASSWORD>, <NEW_PASSWORD> and <SDDC_MANAGER_FQDN> as appropriate in the above command.

Example Response:

For details on the password complexity requirements, refer to the official VMware Cloud Foundation documentation.

How to configure the local account

If you have upgraded from a previous version of Cloud Foundation to 4.1.0 or later, a notification banner is displayed in the SDDC Manager UI with the message: "Local Account is not configured. Refer to Cloud Foundation documentation for more information."

Note: If bringup was performed using the APIs and localUserPassword was not specified in SddcManagerSpec, the same notification appears in the SDDC Manager UI, as shown in the screenshot below. This is because localUserPassword is optional for the bringup APIs but mandatory when bringup is triggered using the deployment parameter workbook.

Here is the screenshot of SDDC Manager UI showing the notification message:

Here is the API to configure the local account:

cURL Request Syntax:

curl -H "Authorization: Bearer <ACCESS_TOKEN>" -H "Content-Type: application/json" -X PATCH -d '{"newPassword" : "<PASSWORD>"}' https://<SDDC_MANAGER_FQDN>/v1/users/local/admin -k -i

Replace <ACCESS_TOKEN>, <PASSWORD> and <SDDC_MANAGER_FQDN> as appropriate in the above command.

Example Response:

After configuring the local account successfully the notification message in SDDC Manager UI disappears.

Note that there is no UI to configure the local account or to update its password; both are done only through the API calls above.
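Added example (not VMware's code and not from this post): a small Python helper that exercises the calls described above, the three VIEWER probes (GET /v1/pscs, PUT /v1/system/settings/depot, GET /v1/users) as a least-privilege check, and the PATCH /v1/users/local/admin calls that configure or rotate the admin@local password. It assumes a bearer token obtained as in the post; treating a 2xx as allowed and any other status as denied is my assumption, since the post shows the exact responses only as screenshots.

```python
import json
import ssl
import urllib.request
from urllib.error import HTTPError

LOCAL_ADMIN = "/v1/users/local/admin"      # the admin@local username is fixed
# VIEWER probes taken from the post: (method, path, should the call succeed?)
VIEWER_PROBES = [("GET", "/v1/pscs", True),
                 ("PUT", "/v1/system/settings/depot", False),
                 ("GET", "/v1/users", False)]

def make_sender(fqdn, token, verify_tls=True):
    """Return send(method, path, body=None) -> (status, response_text) for one SDDC Manager."""
    ctx = ssl.create_default_context()
    if not verify_tls:            # same effect as curl -k in the post; keep it to lab use
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        req = urllib.request.Request(f"https://{fqdn}{path}", data=data, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
                return r.status, r.read().decode()
        except HTTPError as e:    # a 4xx denial still carries the status we want
            return e.code, e.read().decode()
    return send

def viewer_role_audit(send):
    """Run the post's probes with a VIEWER token; return the ones that contradict read-only policy."""
    violations = []
    for method, path, allowed in VIEWER_PROBES:
        status, _ = send(method, path)
        if (200 <= status < 300) != allowed:   # assumption: 2xx = allowed, else denied
            violations.append((method, path, status))
    return violations

def local_admin_password_body(new_password, old_password=None):
    """PATCH body: first-time setup sends only newPassword; a rotation also sends oldPassword."""
    body = {"newPassword": new_password}
    if old_password is not None:
        body["oldPassword"] = old_password
    return body

def set_local_admin_password(send, new_password, old_password=None):
    """Configure or rotate the admin@local password; returns (status, response_text)."""
    return send("PATCH", LOCAL_ADMIN, local_admin_password_body(new_password, old_password))
```

Pass `make_sender("<SDDC_MANAGER_FQDN>", "<ACCESS_TOKEN>")` as `send`; an empty list from `viewer_role_audit` means the VIEWER token behaved exactly as the post describes.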

References:

For any additional information, refer to the official VMware Cloud Foundation documentation. Here are a few links for quick reference (note that the reference documentation links below are from the Cloud Foundation 4.2.0 release):

Create a Local Account

VIEWER Role