vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement

I was recently asked by a colleague of mine why the Organization Administrator role did not have access to multi-site or Datacenter Groups, which are new features inside of vCloud Director 9.5. As it turns out, my orgadmin did not have the permissions required either!

However, under my system administrator, I see it perfectly fine.

So, what gives? Well, this relates to the new Global Roles and Rights Bundles setup.

By default, organization administrators are NOT given the permissions required for multi-site or datacenter group (Cross-VDC) setup. Therefore, this is as expected but requires the new vCD 9.5 RBAC functionality to provide these permissions.

I will walk through setting this up so your organization administrator (or any specific role, for that matter) can successfully access the Datacenter Groups menu.

Starting with Rights Bundles –

From Provider H5 UI, navigate to Administration -> Access Control -> Rights Bundles 

I will be utilizing the Default Rights Bundle as the place where I’ll establish the correct permissions for multi-site and Datacenter Groups. Providers that want to monetize this can either fall back to the existing legacy rights bundle (see above with the Org IDs) or create a new rights bundle. Click on the radio button and press Edit –

Now we are presented with a screen that shows the different rights categories –

For the multi-site, we need to just scroll down a little bit and we can see the section under Administration. Expand and check the applicable boxes.

Cross VDC is at the bottom, scroll down and expand.

Click Save when finished. Now, we need to Publish this to all tenants or select tenants. In my environment, I am going to publish this to all.

Rights Bundles are a way of assigning specific rights to organizations, while Global Roles are a way of assigning rights to users within those organizations. Therefore, if a right is not included in the rights bundle assigned to an org, that right will not show within that organization – and a role that references it will not show those permissions either! Any org must have a rights bundle attached to it.
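To make that rule concrete, here is an added example (not VMware code or the vCD API) that models effective rights as the intersection of a tenant's global role and the rights bundles published to that tenant; all bundle, role and right names are constructed for illustration, and the real vCD right names may differ.

```python
ALL = "ALL"  # published-to marker meaning "all tenants"

# Constructed right names for illustration; real vCD right names may differ.
MULTISITE = {"Multisite: Manage"}
VDC_GROUP = {"vDC Group: Configure", "vDC Group: View"}
BASE = {"Organization: Edit", "vApp: Create"}


def is_published(obj, tenant):
    """A bundle or global role reaches a tenant if published to it or to all."""
    return ALL in obj["published_to"] or tenant in obj["published_to"]


def bundle_rights(tenant, bundles):
    """Union of rights from every rights bundle published to the tenant."""
    return set().union(*(b["rights"] for b in bundles.values() if is_published(b, tenant)))


def audit(role_name, tenant, wanted, roles, bundles):
    """Map each wanted right to 'ok' or the reason it is not effective in the tenant."""
    role = roles[role_name]
    if not is_published(role, tenant):
        return {w: "role not published to tenant" for w in wanted}
    granted = bundle_rights(tenant, bundles)
    out = {}
    for w in sorted(wanted):
        if w not in role["rights"]:
            out[w] = "missing from global role"
        elif w not in granted:
            out[w] = "missing from rights bundles published to tenant"
        else:
            out[w] = "ok"
    return out


def scenario(bundle_right_set, role_right_set):
    """Constructed provider state: one default bundle and one Org Admin role, both published to all."""
    bundles = {"Default Rights Bundle": {"rights": set(bundle_right_set), "published_to": {ALL}}}
    roles = {"Organization Administrator": {"rights": set(role_right_set), "published_to": {ALL}}}
    return roles, bundles


if __name__ == "__main__":
    wanted = MULTISITE | VDC_GROUP
    # As found in the post: neither the bundle nor the role carries the new rights.
    print(audit("Organization Administrator", "Wissam", wanted, *scenario(BASE, BASE)))
    # Role edited but bundle not: still not effective, because the bundle gates the role.
    print(audit("Organization Administrator", "Wissam", wanted, *scenario(BASE, BASE | wanted)))
    # Bundle and role both updated and published: effective.
    print(audit("Organization Administrator", "Wissam", wanted, *scenario(BASE | wanted, BASE | wanted)))
```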

Publish the Global Role –

Now, we need to place these permissions inside of the Organization Administrator role. In this example, I will need to add these specific permissions inside of the Org Admin role, and then publish it to my tenants.

So, let’s go ahead and modify my Organization Administrator role and add these permissions.

Scroll down and add in Multisite capability…

While adding VDC Group permissions…

Now we are ready to publish this to all tenants –

Now, let’s test it – it works! I can log in with my specific org admin users and now see Datacenter Groups and Multi-site configuration.

Now, what if I attempt to re-modify the Org Admin role and publish it to a specific tenant (i.e. remove these permissions from Wissam)?

Ah ha! Does not work, because we already have a role applied. Good failsafe.

This definitely provides quite a bit of opportunity to Providers for granular permissions and managing them. I will also be asking our team to revise the documentation that shows the org admin as having these permissions by default (which it does not).

Thanks!

-Daniel

VMware vCloud Director 9.5 – Quick Tech Lightboards on What’s New

I was recently in the lightboard studio for VMware vCloud Usage Insight with Luis Ayuso and decided to throw a quick tech talk on vCloud Director 9.5. Below are three quick lightboards on reviewing what’s new within this new release.

I’m very excited to talk about more of the functionality in greater detail. My vCD 9.5 Cross-VDC lab environment is almost completed and I will be reviewing that in more detail soon. The possibilities with cross-NSX are great, so all providers should be looking at this in greater detail.

Enjoy!

-Daniel

My five favorite things about VMware vCloud Director 9.5!

The VMware Cloud Provider Software Business Unit has released the next iteration of vCloud Director – version 9.5. We’ve been holding to a six month cadence on major releases and this vCD version does not disappoint.

As expected, Tom Fojta did a great job of summarizing many of the new features of 9.5, but I am going to focus on a few of the top of mind things that are pertinent to many Cloud Service Providers.

Advanced HTML5 UI

The UI continues to get better and better for Tenants and Providers. With 9.5, I would say the UI is about 98% completed – most of the tenant functions should be able to be accomplished through the H5 UI. In this release, RBAC capabilities are also introduced (more on that shortly).

As we can see here, we now have a ribbon at the top along with recent tasks.

RBAC Roles

This is a nice function that’s native to the H5 UI – we now have the concept of roles within role-based access control. A Provider Admin can now “templatize” roles based on specific functions and make it easier to manage specific tenant rights.

Cross-VDC Networking / Cross vCenter NSX Support

With vCD 9.5, we now have the ability to support xVC NSX objects, including setting this up in the vCD UI. Moreover, vCloud Director will instantiate the stretched network functionality across up to four orgVDCs.

This is done from the Provider set up by establishing a network provider scope –

As expected, this requires a single SSO domain between linked vCenters to support cross vCenter NSX. I am underway in my lab to test this out and will have a post soon demonstrating this functionality and what’s possible.

vCloud Director Cell Appliance!

Yes, you heard that right – with this release we’ve introduced the vCloud Director cell appliance. This is a pre-built PhotonOS appliance with the vCD code, but it still requires your backend vCD database (please use Postgres!), Cassandra, RMQ, and NFS share.

Please also deploy this with the Flex client as I have not seen success with the vSphere H5 client. This is the first iteration and I’m hoping the next version we will see a “database” appliance for the backend functions.

Plugins

I love this, especially when I’m using vCloud Availability for Cloud to Cloud. With 9.5, the UI extensibility continues to grow. There are some amazing plans as it relates to plugin support for our ecosystem partners and I’m seeing MANY of our partners create plugins for vCD. The possibilities are great here to showcase value added services for your tenants.

As we can see below, this is one of my deployments with C2C and showcasing the C2C plugin for 9.5 –

Again, an exciting release for vCloud Director – and more on the way.

-Daniel

vCloud Director – Unable to Remove vCenter Endpoint

This is a quickie, but I’m hoping this will help others if they run into this. I received some odd behavior when attempting to remove a vCenter endpoint. Basically, vCloud Director was stating that I needed to unprepare the hosts, but vCD no longer uses host agents, nor does the hosts page show any hosts. I found a workaround for this.

I’ve been testing the vCD 9.5 release and was cleaning up a previous vCD install to migrate to a net new environment. Therefore, I was removing a vCenter endpoint and received some strange behavior.

Once I cleaned up all ancillary objects (oVDC, pVDC, etc), I attempted to detach the vCenter –

Well, it errors out. Says I need to unprepare the hosts…

But I do not have any hosts available –

Odd! So, it turns out this process is attempting to delete the automatically created VXLAN network pool and fails (as intended). Here’s the workaround – the managed_server table is really not utilized since we’ve been moving away from host agents.

To resolve this issue, I had to truncate the managed_server table.

Here’s what I did in my lab to fix this:

**BACKUP YOUR DATABASE BEFORE DOING THIS – I did this in a lab and have not seen if this impacts multiple endpoints**

  1. Backup your database.
  2. Log into your DB using your favorite client – I have an Oracle DB so I am using sqlplus –
  3. We are going to truncate the managed_server table. For me, I had to type “TRUNCATE TABLE managed_server;”
  4. Alright, ready to test removing the vCenter endpoint –
  5. Working….
  6. Voila!

I did bring this up to our Engineering team and hoping this will be rectified in future versions. Cheers!

-Daniel