What user permissions/roles are required for the VMware vCenter user account to provision from Satellite 6.x?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.x
  • VMware vSphere 6.x/7.x/8.x

Issue

  • Creating a New Host on a VMware Compute Resource in Satellite 6.x returns an error similar to:

    "Failed to create a compute VMwareLab (VMWare) instance badhost.example.com: failed to create vm: NoPermission: 
    Permission to perform this operation was denied."
    
    2018-05-15 18:05:10 3b4949e0 [app] [E] Failed to rebuild Bootdisk image for client.example.com
     | RuntimeError: upload failed
     | /opt/theforeman/tfm/root/usr/share/gems/gems/rbvmomi-1.10.0/lib/rbvmomi/vim/Datastore.rb:53:in `upload'
    
    Failed to upload ISO image for instance client.example.com: #<Net::HTTPUnauthorized 401 Unauthorized 
    readbody=true>
    
    Oops, we're sorry but something went wrong undefined method `vmFolder' for nil:NilClass
    

Resolution

  • The recommended / mandatory permissions to properly provision new virtual machines in VMware from Satellite 6 are:

  • vCenter 6.7/7.0:

    All Privileges -> Datastore -> Allocate Space, Browse datastore, Update Virtual Machine files, Low level file operations, Update virtual machine metadata
    All Privileges -> Network -> Assign Network 
    All Privileges -> Resource -> Apply recommendation, Assign virtual machine to resource pool 
    All Privileges -> Virtual Machine -> Change Configuration (All) 
    All Privileges -> Virtual Machine -> Interaction (All) 
    All Privileges -> Virtual Machine -> Edit Inventory (All) 
    All Privileges -> Virtual Machine -> Provisioning (All)
    All Privileges -> Global Read
    
  • vCenter 6.5:

    All Privileges -> Datastore -> Allocate Space, Browse datastore, Update Virtual Machine files, Low level file operations
    All Privileges -> Network -> Assign Network 
    All Privileges -> Resource -> Apply recommendation, Assign virtual machine to resource pool 
    All Privileges -> Virtual Machine -> Configuration (All) 
    All Privileges -> Virtual Machine -> Interaction (All) 
    All Privileges -> Virtual Machine -> Inventory (All) 
    All Privileges -> Virtual Machine -> Provisioning (All)
    
  • If a TPM provider is configured in vCenter, the following additional permission is required:

    All Privileges -> Cryptographic operations -> Direct Access
    
  • Log in to the VMware vSphere Server that represents the Compute Resource. Create a role with the above permissions. Add the appropriate account to the role. To create user accounts, roles or for complete details on the administration of VMware vSphere, please consult your VMware vSphere Server documentation.

  • Ensure the role is assigned at the vCenter object and Propagate to children is selected. If you do not want to apply the permissions this way, the role must be assigned on each object touched by the permissions above.

  • In Red Hat Satellite 6, we use a Ruby gem called fog-vsphere. Permissions are read from the vCenter server down to the cluster etc. The easiest way to apply permissions for the user is to assign the user permission with the role at the top-level vCenter object and check the Propagate to children box.

  • Ensure that the vSphere Server, Username, Password, and Datacenter configured for the Compute Resource in Red Hat Satellite 6 are accurate. Please test the connection.

For more KB articles/solutions related to Red Hat Satellite 6.x provisioning issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Provisioning related Issues.

Root Cause

  • The user specified for the Compute Resource has insufficient permissions in vSphere to perform the actions required for provisioning the virtual machine.

    See Infrastructure -> Compute Resources 
    Select the Name of the Compute Resource. On the resulting page select the Edit button.
    The Username specified has insufficient permissions in vSphere.
    

Diagnostic Steps

  • Review the vSphere Configuration to verify the appropriate permissions are assigned to the Role and the specified user has been assigned that Role.
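The review described above can be scripted. The following is an added example, not part of the original solution or of Satellite's code: it compares a role's privilege IDs with the Resolution lists and reports both missing privileges and privileges beyond what the article asks for. The API privilege IDs are an assumed mapping of the UI names ("Global Read" is left unmapped), and the catalogue and role are constructed sample data; in a real check both would be read from vCenter.

```python
from fnmatch import fnmatchcase

# Assumed API IDs for the UI names in the Resolution lists ("Global Read" is not mapped).
REQUIRED_EXACT = {
    "Datastore.AllocateSpace",              # Allocate Space
    "Datastore.Browse",                     # Browse datastore
    "Datastore.UpdateVirtualMachineFiles",  # Update Virtual Machine files
    "Datastore.FileManagement",             # Low level file operations
    "Network.Assign",                       # Assign Network
    "Resource.ApplyRecommendation",         # Apply recommendation
    "Resource.AssignVMToPool",              # Assign virtual machine to resource pool
}
METADATA = "Datastore.UpdateVirtualMachineMetadata"  # in the 6.7/7.0 list only
TPM = "Cryptographer.Access"                         # Cryptographic operations -> Direct Access
# The "(All)" entries: every privilege vCenter reports under these prefixes.
REQUIRED_GROUPS = ("VirtualMachine.Config.*", "VirtualMachine.Interact.*",
                   "VirtualMachine.Inventory.*", "VirtualMachine.Provisioning.*")


def in_group(priv):
    return any(fnmatchcase(priv, pattern) for pattern in REQUIRED_GROUPS)


def audit_role(role_privs, catalogue, vcenter_65=False, tpm=False):
    """Return (missing, excess) privilege IDs for a Satellite provisioning role."""
    exact = set(REQUIRED_EXACT)
    if not vcenter_65:
        exact.add(METADATA)
    if tpm:
        exact.add(TPM)
    needed = exact | {p for p in catalogue if in_group(p)}
    role = set(role_privs)
    missing = sorted(needed - role)
    # System.* privileges are part of every role, so they are not reported as excess.
    excess = sorted(p for p in role - needed
                    if not in_group(p) and not p.startswith("System."))
    return missing, excess


# Constructed sample data: a small subset of a vCenter privilege catalogue and a role.
SAMPLE_CATALOGUE = REQUIRED_EXACT | {
    METADATA, TPM, "Host.Config.Settings", "System.Read",
    "VirtualMachine.Config.AddNewDisk", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Inventory.Create", "VirtualMachine.Provisioning.Clone"}
SAMPLE_ROLE = SAMPLE_CATALOGUE - {"Datastore.FileManagement", "VirtualMachine.Inventory.Create"}

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE, SAMPLE_CATALOGUE)
    print("missing:", missing)
    print("excess: ", excess)
```

A non-empty `missing` list points at the cause of a NoPermission error; a non-empty `excess` list shows where the service account holds more than the article requires.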

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.