Created
January 13, 2021 17:29
-
-
Save jcpowermac/64d1ba94e6820d19d3492b8b782672df to your computer and use it in GitHub Desktop.
openshift vsphere permissions with govc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| set -x | |
| declare -A roles | |
| VCENTER="Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.View" | |
| VCENTER_ROLE_NAME="openshift-vcenter-level" | |
| roles+=( ["${VCENTER_ROLE_NAME}"]=${VCENTER} ) | |
| CLUSTER="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk" | |
| CLUSTER_ROLE_NAME="openshift-cluster-level" | |
| roles+=( ["${CLUSTER_ROLE_NAME}"]=${CLUSTER} ) | |
| DATASTORE="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement" | |
| DATASTORE_ROLE_NAME="openshift-datastore-level" | |
| roles+=( ["${DATASTORE_ROLE_NAME}"]=${DATASTORE} ) | |
| PORTGROUP="Network.Assign" | |
| PORTGROUP_ROLE_NAME="openshift-portgroup-level" | |
| roles+=( ["${PORTGROUP_ROLE_NAME}"]=${PORTGROUP} ) | |
| FOLDER="Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone" | |
| FOLDER_ROLE_NAME="openshift-folder-level" | |
| roles+=( ["${FOLDER_ROLE_NAME}"]=${FOLDER} ) | |
| for key in "${!roles[@]}"; do | |
| if ! govc role.ls "${key}"; then | |
| govc role.create ${key} ${roles[${key}]} || true | |
| sleep 5 | |
| fi | |
| done | |
| #openshift-vcenter-level | False | vSphere vCenter | |
| #ReadOnly | False | vSphere vCenter Datacenter | |
| #ReadOnly | False | vSphere vCenter Switch | |
| #openshift-cluster-level | True | vSphere vCenter Cluster | |
| #openshift-datastore-level | False | vSphere vCenter Datastore | |
| #openshift-portgroup-level | False | vSphere Port Group | |
| #openshift-folder-level | True | vSphere vCenter Virtual Machine folder | |
| govc permissions.set --propagate=false -principal [email protected] -role openshift-vcenter-level / | |
| govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /SDDC-Datacenter-Nested | |
| govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /SDDC-Datacenter-Nested/host/Cluster-1-Nested | |
| govc permissions.set --propagate=false -principal [email protected] -role openshift-portgroup-level /SDDC-Datacenter-Nested/network/internal | |
| govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /SDDC-Datacenter-Nested/network/DSwitch1 | |
| govc permissions.set -propagate=false -principal [email protected] -role openshift-datastore-level /SDDC-Datacenter-Nested/datastore/WorkloadDatastoreA | |
| govc permissions.set -propagate=true -principal [email protected] -role openshift-cluster-level /SDDC-Datacenter-Nested/host/Cluster-1-Nested | |
| govc folder.create /SDDC-Datacenter-Nested/vm/jcallen2 | |
| govc permissions.set -propagate=true -principal [email protected] -role openshift-folder-level /SDDC-Datacenter-Nested/vm/jcallen2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| set -x | |
| declare -A roles | |
| VCENTER="Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.View" | |
| VCENTER_ROLE_NAME="openshift-vcenter-level" | |
| roles+=( ["${VCENTER_ROLE_NAME}"]=${VCENTER} ) | |
| CLUSTER="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk" | |
| CLUSTER_ROLE_NAME="openshift-cluster-level" | |
| roles+=( ["${CLUSTER_ROLE_NAME}"]=${CLUSTER} ) | |
| DATASTORE="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement" | |
| DATASTORE_ROLE_NAME="openshift-datastore-level" | |
| roles+=( ["${DATASTORE_ROLE_NAME}"]=${DATASTORE} ) | |
| PORTGROUP="Network.Assign" | |
| PORTGROUP_ROLE_NAME="openshift-portgroup-level" | |
| roles+=( ["${PORTGROUP_ROLE_NAME}"]=${PORTGROUP} ) | |
| DATACENTER="Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone Folder.Create Folder.Delete" | |
| DATACENTER_ROLE_NAME="openshift-datacenter-level" | |
| roles+=( ["${DATACENTER_ROLE_NAME}"]=${DATACENTER} ) | |
| FOLDER="Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone" | |
| FOLDER_ROLE_NAME="openshift-folder-level" | |
| roles+=( ["${FOLDER_ROLE_NAME}"]=${FOLDER} ) | |
| for key in "${!roles[@]}"; do | |
| if ! govc role.ls "${key}"; then | |
| govc role.create ${key} ${roles[${key}]} || true | |
| sleep 5 | |
| fi | |
| done | |
| #openshift-vcenter-level | False | vSphere vCenter | |
| #ReadOnly | False | vSphere vCenter Datacenter | |
| #ReadOnly | False | vSphere vCenter Switch | |
| #openshift-cluster-level | True | vSphere vCenter Cluster | |
| #openshift-datastore-level | False | vSphere vCenter Datastore | |
| #openshift-portgroup-level | False | vSphere Port Group | |
| #openshift-folder-level | True | vSphere vCenter Virtual Machine folder | |
| govc permissions.set --propagate=false -principal [email protected] -role openshift-vcenter-level / | |
| govc permissions.set --propagate=true -principal [email protected] -role openshift-datacenter-level /SDDC-Datacenter-Nested | |
| govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /SDDC-Datacenter-Nested/host/Cluster-1-Nested | |
| govc permissions.set --propagate=false -principal [email protected] -role openshift-portgroup-level /SDDC-Datacenter-Nested/network/internal | |
| govc permissions.set --propagate=false -principal [email protected] -role ReadOnly /SDDC-Datacenter-Nested/network/DSwitch1 | |
| govc permissions.set -propagate=false -principal [email protected] -role openshift-datastore-level /SDDC-Datacenter-Nested/datastore/WorkloadDatastoreA | |
| govc permissions.set -propagate=true -principal [email protected] -role openshift-cluster-level /SDDC-Datacenter-Nested/host/Cluster-1-Nested | |
| #govc folder.create /SDDC-Datacenter-Nested/vm/jcallen2 | |
| #govc permissions.set -propagate=true -principal [email protected] -role openshift-folder-level /SDDC-Datacenter-Nested/vm/jcallen2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment