Table of Contents
Role Based Access Control is a mechanism for controlling access and restricting actions of users by adding user accounts to groups that have delegated permissions. The NSX Manager has its own authentication database and permission roles you can assign to users.
In this post we will learn how to configure role based access in NSX.
Implement identity service support for Active Directory, NIS, and LDAP with SSO
To be frank this topic is very confusing and I am not sure what VMware intends us to do here. One use case of associating NSX with Active Directory is that you can use identity based firewall. And may be associating NSX with AD is what VMware might meant by this topic.
To add AD authentication to NSX, login to vCenter Web Client and navigate to Networking & Security > NSX Managers and click on the NSX Manager where you to add AD authentication and select Domains tab. Click on + button to add new domain.
Specify your domain name and your domain’s netbios name and hit Next.
Type your domain controller IP/FQDN and select protocol as LDAP and port 389.
Type in a user name which have enough rights to help client machines to join domain. As a best practice, you can use a service account here.
For security event log access select yes or no as per your need and hit next.
On Ready to complete page, review your settings and hit finish.
It takes 3-5 minutes for NSX manager to sync with AD. Make sure you see a success message for last sync before adding any user.
Once NSX manager is configured with AD authentication, it gets group and user information as well as the relationship between them from each domain that it is registered with. NSX Manager also retrieves Active Directory (AD) credentials.
Configure Single-Sign On for NSX
When installing NSX and registering the NSX Manager to a vCenter, the NSX Manager gets access to the vCenter authentication database and single sign on is achieved for the vSphere Web Client. The vCenter user you registered the NSX Manager will get the administrator role, but you will need to grant additional users permission roles manually.
In my lab my NSX manager is already associated with my vCenter so I am not demonstrating that. If you don’t have SSO configured for NSX, you can follow the steps mentioned here
Manage User rights
Assign roles to user accounts
Roles can be assigned while creating a user. NSX Manager has four default roles:
- Auditor: This role can view settings, events and reports. A read-only role.
- Security Administrator: The Security Administrator can manage all security related settings, such as the firewall services, NAT, SpoofGuard, Security Groups, etc.
- NSX Administrator: This role can deploy and configure NSX Edges, Logical Switches, etc.
- Enterprise Administrator: This role can do anything within NSX.
To add a new user to NSX, login to vCenter Web Client and navigate to Networking & Security > NSX Managers > Select NSX Manager > Manage > Users and click on + button to add a new user.
Select “Specify a vCenter user” and type the username and hit next.
Select a role from the list and hit finish.
Change a user role
A user role can be changed post creation as well. For new role to take effect user have to disconnect current session and login to vCenter Web Client again.
To change a user role, select a user from the list and click on pencil icon to edit
Select the new role which you want to assign to user and hit finish.
Delete/disable/enable a user account
To disable a user, select the user from the list and click on disable button as highlighted in below image.
To enable a disabled user, select the user from the list and click on the right symbol button.
To delete a user, select the user from list and click on red cross button
Click on yes to confirm user removal.
Creating API users
If you look at the users which we create from Web Client, we can see origin of user shows as vCenter. From GUI it’s not possible to create users via which we can fire API call against NSX manager. This is only possible via CLI.
Lets create some API users and assign them roles.
1: SSH to nsxmgr-01a.crop.local and switch to ‘enable’ mode by typing en
1 2 3 4 5 6 7 |
[root@mgmt-linjump ~]# ssh admin@nsxmgr-01a.corp.local admin@nsxmgr-01a.corp.local's password: nsxmgr-01a.corp.local> nsxmgr-01a.corp.local> nsxmgr-01a.corp.local> en Password: nsxmgr-01a.corp.local# |
2: Type: Configure terminal command to go to config mode
1 2 |
nsxmgr-01a.corp.local# configure terminal nsxmgr-01a.corp.local(config)# |
3: Create user by typing command: user user-name password plaintext user-password
1 |
nsxmgr-01a.corp.local(config)# user alex password plaintext Welcome!123 |
4: Go back to enable mode by typing “end” and then write to memory by typing “wr”
1 2 3 4 5 |
nsxmgr-01a.corp.local(config)# end nsxmgr-01a.corp.local# wr Building Configuration... Configuration saved. [OK] |
Now we have created a user, but this user will not be visible in under NSX user list as we have not provided any role to this user. Role assignment can be only done via API. Fire below API to assign role to the newly created user.
1 2 3 4 5 |
Method: POST Content-Type: application/xml API: https://<NSX-IP>/api/2.0/services/usermgmt/role/?isCli=true |
Request Body:
1 2 3 4 5 6 |
<accessControlEntry> <role>auditor</role> <resource> <resourceId>globalroot-0</resourceId> </resource> </accessControlEntry> |
a typical curl command for this can be:
1 |
# curl -sik -u 'admin' -H 'Content-Type:application/xml' -X POST https://nsxmgr-01a.corp.local/api/2.0/services/usermgmt/role/alex?isCli=true -d @addnsxuser.xml |
Where content of addnsxuser.xml is the text mentioned above under Request Body.
Note: If you don’t specify isCli=true, then the user will be created as regular “vCenter” user
On firing above API call, if you see a HTTP 204 No Content (as shown below) in output, it means your API call is successful and now you can see the user in NSX user list.
1 2 3 4 5 |
HTTP/1.1 204 No Content Cache-Control: no-cache Date: Mon, 11 Jun 2018 15:17:30 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN |
I verified that user alex was created in my lab and look at the origin. It says “NSX CLI User” rather than vCenter user.
Deleting a user via API
To delete a user from CLI, we first have to remove the user role via below API call
1 |
# curl -sik -u 'admin' -H 'Content-Type:application/xml' -X DELETE https://nsxmgr-01a.corp.local/api/2.0/services/usermgmt/role/amit |
Next is to login to NSX manager CLI and go to configure mode and type below command:
1 2 3 4 5 6 |
nsxmgr-01a.corp.local(config)# no user amit nsxmgr-01a.corp.local(config)# end nsxmgr-01a.corp.local# wr Building Configuration... Configuration saved. [OK] |
And that’t it for this post.
I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂