Cloud Director CAPVCD User Rights
CAPVCD requires a specific set of user Rights: for a tenant Organization to have a Role that can successfully deploy and run DKP clusters, those Rights must be granted to it. When a DKP workload cluster is created, each machine must register with the VCD Cloud Provider Interface (CPI) and obtain its node reference.
Refer to https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-816FBBBC-2CDA-4B1D-9B1A-C22BC31B46F2.html for terminology related to Rights and Roles. The remainder of this page describes what the CAPVCD User requires in relation to Rights and Rights Bundles.
CAPVCD User
CAPVCD uses the credentials (username/password or API token) of a VCD User to manage the cluster. The VCD Cloud Provider Interface (CPI) and CSI controllers use the same credentials. This User needs specific API permissions, known as Rights, for the CAPVCD, CPI, and CSI controllers to work correctly. For a User to be granted a Right, the User must be associated with a Role that consumes this Right; in other words, the Role grants Rights to the User.
If the User belongs to an Organization, then the Right must also be published by the Provider to the tenant Organization in a Rights Bundle. The Rights Bundle grants Rights to the tenant Organization.
Create the VCD User Required by CAPVCD
CAPVCD requires all the Rights in the default vApp Author Global Role, plus the Rights required by the VCD CPI, the VCD CSI, and some Rights required by CAPVCD itself.
A Provider administrator creates a Rights Bundle that enumerates all the Rights listed below. We recommend the name DKP Cluster Admin for the Rights Bundle.
A Provider administrator creates a Global Role that enumerates the same Rights. We recommend the name DKP Cluster Admin for the Global Role.
A Provider administrator publishes both the Rights Bundle and the Global Role to every Organization that will deploy DKP clusters.
An Organization administrator creates a User and associates it with the Global Role.
The procedure for creating a Rights Bundle is described in the VMware documentation: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-CFB0EFEE-0D4C-498D-A937-390811F11B8E.html and the steps for creating the Global Role: https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide/GUID-0D991FCF-3800-461D-B123-FAE7CFF34216.html
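The check a Provider administrator would want before publishing the Rights Bundle and Global Role, as an added example that is not part of the CAPVCD or VMware documentation: it merges the per-component Right lists from this page (the vApp Author Rights are passed in by the caller) and reports which required Rights a Role is missing and which extra Rights it grants beyond the required set. Right names are assumed to be the exact strings shown in the VCD UI.

```python
# Added example, not part of the CAPVCD or VMware documentation: merge the
# per-component Right lists from this page and audit a VCD Role against them.
# Right names are assumed to be the exact strings shown in the VCD UI.

CAPVCD = {  # "Additional Rights Required by CAPVCD"
    "API Tokens: Manage",
    "Organization vDC Gateway: Configure Load Balancer",
    "Organization vDC Gateway: Configure NAT",
    "Organization vDC Gateway: View",
    "vApp: Allow All Extra Config",
}
UNDOCUMENTED = {  # Catalog-listing Rights plus implied Rights (not documented)
    "General: Administrator View",
    "Access All Organization VDCs",
    "Certificate Library: View",
    "Organization vDC Gateway: View NAT",
    "Organization vDC Gateway: View Load Balancer",
}
CPI = {  # "Additional Rights Required by CPI"
    "API Tokens: Manage",
    "Organization vDC Gateway: Configure Load Balancer",
    "Organization vDC Gateway: Configure NAT",
    "Organization vDC Gateway: View",
}
CSI = {  # "Additional Rights Required by CSI"
    "API Tokens: Manage",
    "Organization vDC Shared Named Disk: Create",
    "Organization vDC Named Disk: Delete",
    "Organization vDC Named Disk: Edit Properties",
    "Organization vDC Named Disk: View Encryption Status",
    "Organization vDC Named Disk: View Properties",
}

def required_rights(vapp_author_rights, *component_sets):
    """Union of the vApp Author Global Role's Rights and each component's
    additional Rights, duplicates removed (the merged list on this page)."""
    return set(vapp_author_rights).union(*component_sets)

def audit_role(granted, required):
    """Return (missing, excess): Rights the Role lacks, and Rights it grants
    beyond the required set (candidates to drop for least privilege)."""
    granted, required = set(granted), set(required)
    return sorted(required - granted), sorted(granted - required)

if __name__ == "__main__":
    # Constructed sample: a Role holding only the CAPVCD and undocumented Rights.
    required = required_rights([], CAPVCD, UNDOCUMENTED, CPI, CSI)
    missing, excess = audit_role(CAPVCD | UNDOCUMENTED, required)
    print("missing:", missing, "\nexcess:", excess)
```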
List of Rights
CAPVCD requires the following Rights:
The Rights cataloged by the predefined vApp Author Global Role.
Additional Rights listed in the CAPVCD documentation.
Additional Rights listed in the VCD CPI documentation.
Additional Rights listed in the VCD CSI documentation.
The majority of the Rights come from the vApp Author Global Role. When independent components, such as CAPVCD and CPI, need the same Right, that Right appears in multiple sources.
Below are the lists of Rights from each of the above sources, together with Rights that CAPVCD requires but does not document. Some Rights appear in more than one source; the last list merges all sources with duplicates removed.
Required by the vApp Author Role
Catalog: Add vApp from My Cloud
Catalog: View Private and Shared Catalogs
Organization vDC Compute Policy: View
Organization vDC Disk: View IOPS
Organization vDC Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
Organization vDC Network: View Properties
Organization vDC: VM-VM Affinity Edit
Organization: View
UI Plugins: View
vApp Template / Media: Copy
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
VAPP_VM_METADATA_TO_VCENTER
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM Compute Policy
vApp: Edit VM CPU
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Manage VM Password Settings
vApp: Power Operations
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: View ACL
vApp: View VM and VM's Disks Encryption Status
vApp: View VM metrics
vApp: VM Boot Options
Additional Rights Required by CAPVCD
API Tokens: Manage
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
vApp: Allow All Extra Config
Rights Required to List Catalogs (Not Documented by CAPVCD)
These Rights are not documented by CAPVCD, but are required. They allow CAPVCD to list the Catalogs in the Organization.
General: Administrator View
Access All Organization VDCs
Implied Rights (Not Documented by CAPVCD)
These Rights are not documented by CAPVCD, but are implied by the documented Rights.
Certificate Library: View
Organization vDC Gateway: View NAT
Organization vDC Gateway: View Load Balancer
Additional Rights Required by CPI
API Tokens: Manage
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
Additional Rights Required by CSI
API Tokens: Manage
Organization vDC Shared Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
All Sources Merged with Duplicates Removed
Access All Organization VDCs
API Tokens: Manage
Catalog: Add vApp from My Cloud
Catalog: View Private and Shared Catalogs
Certificate Library: View
General: Administrator View
Organization vDC Compute Policy: View
Organization vDC Disk: View IOPS
Organization vDC Gateway: Configure Load Balancer
Organization vDC Gateway: Configure NAT
Organization vDC Gateway: View
Organization vDC Gateway: View Load Balancer
Organization vDC Gateway: View NAT
Organization vDC Named Disk: Create
Organization vDC Named Disk: Delete
Organization vDC Named Disk: Edit Properties
Organization vDC Named Disk: View Encryption Status
Organization vDC Named Disk: View Properties
Organization vDC Network: View Properties
Organization vDC Shared Named Disk: Create
Organization vDC: VM-VM Affinity Edit
Organization: View
UI Plugins: View
vApp Template / Media: Copy
vApp Template / Media: Edit
vApp Template / Media: View
vApp Template: Checkout
VAPP_VM_METADATA_TO_VCENTER
vApp: Allow All Extra Config
vApp: Copy
vApp: Create / Reconfigure
vApp: Delete
vApp: Download
vApp: Edit Properties
vApp: Edit VM Compute Policy
vApp: Edit VM CPU
vApp: Edit VM Hard Disk
vApp: Edit VM Memory
vApp: Edit VM Network
vApp: Edit VM Properties
vApp: Manage VM Password Settings
vApp: Power Operations
vApp: Sharing
vApp: Snapshot Operations
vApp: Upload
vApp: Use Console
vApp: View ACL
vApp: View VM and VM's Disks Encryption Status
vApp: View VM metrics
vApp: VM Boot Options