davoult · December 8, 2023 20:28
diff --git a/create-existing-folder-permissions.sh b/create-existing-folder-permissions.sh
 #!/bin/bash
 set -e
 set -x


 declare -A roles 


 VCENTER="Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.View"
 VCENTER_ROLE_NAME="openshift-vcenter-level"
 roles+=( ["${VCENTER_ROLE_NAME}"]=${VCENTER} )

 CLUSTER="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk"
 CLUSTER_ROLE_NAME="openshift-cluster-level"
 roles+=( ["${CLUSTER_ROLE_NAME}"]=${CLUSTER} )

 DATASTORE="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement InventoryService.Tagging.ObjectAttachable"
 DATASTORE_ROLE_NAME="openshift-datastore-level"
 roles+=( ["${DATASTORE_ROLE_NAME}"]=${DATASTORE} )


 PORTGROUP="Network.Assign"
 PORTGROUP_ROLE_NAME="openshift-portgroup-level"

 roles+=( ["${PORTGROUP_ROLE_NAME}"]=${PORTGROUP} )

 FOLDER="Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone"

 FOLDER_ROLE_NAME="openshift-folder-level"
 roles+=( ["${FOLDER_ROLE_NAME}"]=${FOLDER} )

 for key in "${!roles[@]}"; do
 	if ! govc role.ls "${key}"; then
 		govc role.create ${key} ${roles[${key}]} || true
 		sleep 5 
 	fi
 done

 #openshift-vcenter-level | False | vSphere vCenter
 #ReadOnly | False | vSphere vCenter Datacenter
 #ReadOnly | False | vSphere vCenter Switch 
 #openshift-cluster-level | True | vSphere vCenter Cluster
 #openshift-datastore-level | False | vSphere vCenter Datastore
 #openshift-portgroup-level | False | vSphere Port Group
 #openshift-folder-level | True | vSphere vCenter Virtual Machine folder


 govc permissions.set --propagate=false -principal [email protected] -role openshift-vcenter-level /

 govc permissions.set  --propagate=false -principal [email protected] -role ReadOnly /Datacenter

 govc permissions.set  --propagate=false -principal [email protected] -role ReadOnly /Datacenter/host/Cluster-1-Nested

 govc permissions.set  --propagate=false -principal [email protected] -role openshift-portgroup-level /Datacenter/network/internal

 govc permissions.set  --propagate=false -principal [email protected] -role ReadOnly /Datacenter/network/DSwitch1

 govc permissions.set -propagate=false -principal [email protected] -role openshift-datastore-level /Datacenter/datastore/WorkloadDatastoreA

 govc permissions.set -propagate=true -principal [email protected] -role openshift-cluster-level /Datacenter/host/Cluster-1-Nested


 govc folder.create /Datacenter/vm/Openshift
 govc permissions.set -propagate=true -principal [email protected] -role openshift-folder-level /Datacenter/vm/Openshift
	#!/bin/bash
	set -e
	set -x


	declare -A roles


	VCENTER="Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.View"
	VCENTER_ROLE_NAME="openshift-vcenter-level"
	roles+=( ["${VCENTER_ROLE_NAME}"]=${VCENTER} )

	CLUSTER="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk"
	CLUSTER_ROLE_NAME="openshift-cluster-level"
	roles+=( ["${CLUSTER_ROLE_NAME}"]=${CLUSTER} )

	DATASTORE="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement InventoryService.Tagging.ObjectAttachable"
	DATASTORE_ROLE_NAME="openshift-datastore-level"
	roles+=( ["${DATASTORE_ROLE_NAME}"]=${DATASTORE} )


	PORTGROUP="Network.Assign"
	PORTGROUP_ROLE_NAME="openshift-portgroup-level"

	roles+=( ["${PORTGROUP_ROLE_NAME}"]=${PORTGROUP} )

	FOLDER="Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone"

	FOLDER_ROLE_NAME="openshift-folder-level"
	roles+=( ["${FOLDER_ROLE_NAME}"]=${FOLDER} )

	for key in "${!roles[@]}"; do
	if ! govc role.ls "${key}"; then
	govc role.create ${key} ${roles[${key}]} \|\| true
	sleep 5
	fi
	done

	#openshift-vcenter-level \| False \| vSphere vCenter
	#ReadOnly \| False \| vSphere vCenter Datacenter
	#ReadOnly \| False \| vSphere vCenter Switch
	#openshift-cluster-level \| True \| vSphere vCenter Cluster
	#openshift-datastore-level \| False \| vSphere vCenter Datastore
	#openshift-portgroup-level \| False \| vSphere Port Group
	#openshift-folder-level \| True \| vSphere vCenter Virtual Machine folder


	govc permissions.set --propagate=false -principal [email protected] -role openshift-vcenter-level /

	govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /Datacenter

	govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /Datacenter/host/Cluster-1-Nested

	govc permissions.set --propagate=false -principal [email protected] -role openshift-portgroup-level /Datacenter/network/internal

	govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /Datacenter/network/DSwitch1

	govc permissions.set -propagate=false -principal [email protected] -role openshift-datastore-level /Datacenter/datastore/WorkloadDatastoreA

	govc permissions.set -propagate=true -principal [email protected] -role openshift-cluster-level /Datacenter/host/Cluster-1-Nested


	govc folder.create /Datacenter/vm/Openshift
	govc permissions.set -propagate=true -principal [email protected] -role openshift-folder-level /Datacenter/vm/Openshift