Managing access to the VMware vCloud Availability for Cloud-to-Cloud Plugin to vCloud Director 9.5

With C2C 1.5, a new plugin was introduced inside of the vCloud Director 9.x context switching menu. By default, all organizations and org admins receive this plugin once C2C is installed. What if we wanted to restrict/control access and mask this from specific tenants? Well, I plan on walking through how this is done using the new /cloudapi inside of 9.5.

Recently, I ran into a situation where my Cloud-to-Cloud plugin was not populating in the vCD context menu for my organizations, however, I saw it in the sysadmin view –

So, this led me to investigate further and discover the full capacity of the plugin management from the new vCloud Director 9.5 API (with the help of Jeff Moroski)

With vCD 9.5, we introduced the use of bearer tokens for authentication. Tomas Fojta did a great job of writing up a how-to guide on using bearer tokens inside of Postman while embedding the token after login.

First off, how did I resolve the above problem? Well, it turned out that it was not published out to any organization. Let’s walk through the API and discuss how one can control access to the plugin.

Steps

First off, POST to your vCD instance to grab the access token –

https://vcd-fqdn/api/sessions


From there, I’m ready to run a GET to see what extensions are registered to this vCD instance (remember, uncheck the Accept/XML header since this is JSON) –

https://vcd-fqdn/cloudapi/extensions/ui

We can see my plugin has a identifier associated of –

"id": "urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176",

So, let’s see which tenants have access to this now. Here’s my GET API string –

https://vcd-fdqn/cloudapi/extensions/ui/urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176/tenants

Now, in my above issue, I had nothing in the output body. Therefore, Jeff stated that I needed to append “publishAll” to propagate to all tenants. Great!

Let’s go ahead and remove access to the “Daniel” organization for C2C. Right now, I see this in my UI –

This requires a POST command with the JSON body that has the “Daniel” organization inside of it –

https://vcd-fqdn/cloudapi/extensions/ui/urn:vcloud:uiPlugin:c450bdf8-764f-4631-a319-1c849873c176/tenants/unpublish

[
	{
        "name": "Daniel",
        "id": "urn:vcloud:org:aa663210-b11f-4c14-8dca-1efab8dec429"
    }
]

I received a 200 OK message, so it looks like it worked, let’s go check.

A quick refresh, voila! Gone.

Again, this is a great way to verify and control the accessibility to the Availability plugin (or any vCD plugin) in vCloud Director 9.5. Cheers!

-Daniel

Migrate VMs and Networking to vCloud Director – Video Walkthrough

I wanted to provide a quick walkthrough on how easy it is to import a VM (or adopt a VM) into a tenant organization for vCloud Director.

Tomas Fojta covers a lot of great detail on when this was introduced in vCD 8.20 here. 

In this video, I go through and show how I moved a tenant workload (DanielApp) along with a 172.16.102.0/24 network to vCloud Director and NSX.

While this does require a stepped process, it’s a pretty seamless process.

Migration Steps:

  1. Move the routing interface from the current physical underlay to the NSX Edge inside of the vCloud Director tenant organization (DCP-Edge-01)
  2. Switch over the VMNIC for the workloads to the logical switch presented by DCP-Edge-01
  3. Drag the VM to the orgVDC resource pool that’s provisioned by vCloud Director. Done!

Note 1 and 2 do require some level of coordination with your network team with a brief maintenance window (route changes and validation). Moreover, the important distinction is we are allowing a tenant to utilize NSX functionality alongside vCloud Director.

Step 3 is the easiest. vCloud Director does all of the work and shows it in the UI without any further intervention. This is a great feature that demonstrates vCD can be utilized for existing tenant workloads that may be in a “naked” vCenter environment (or utilizing an existing CMP they are moving away from).

Anyway, here’s the video I created that shows me moving DanielApp to vCloud Director under my “Daniel” organization.

 

Last bit I’ll leave you with – while it’s great to migrate both the network and to vCD, this may not be possible based on use case. Other migration method could be exposing the existing distributed virtual portgroup as a vCD External Network to the pVDC, then the oVDC. Then it’s as simple as just dragging in the VM(s) to the resource pool.

However, I do lose any self-service and NSX functionality, which could include overlapping networks when I scale out tenants.

Happy migrating!

-Daniel

vCloud Director 9.5 – Multi-Site and Cross-VDC Permissions Requirement

I was recently asked by a colleague of mine on why the Organization Administrator role did not have access to multi-site nor Datacenter Groups which is a new feature inside of vCloud Director 9.5. As it turns out, my orgadmin did not have the permissions required either!

However, under my system administrator, I see it perfectly fine.

So, what gives? Well, this relates to the new Global Roles and Rights Bundles setup.

By default, organization administrators are NOT given the permissions required for multi-site or datacenter group (Cross-VDC) setup. Therefore, this is as expected but requires the new vCD 9.5 RBAC functionality to provide these permissions.

I will walk through setting this up so your organization administrator (or any specific role for that matter) can successfully access to the Datacenter Groups menu.

Starting with Rights Bundles –

From Provider H5 UI, navigate to Administration -> Access Control -> Rights Bundles 

I will be utilizing the Default Rights Bundle as where I’ll establish the correct permissions for multi-site and Datacenter groups. For Providers that want to monetize this, we can either fall back to the existing legacy rights bundle (see above with the Org IDs) or create a new rights bundle. Click on the radio button and press Edit –

Now we are presented with a screen that shows the different rights categories –

For the multi-site, we need to just scroll down a little bit and we can see the section under Administration. Expand and check the applicable boxes.

Cross VDC is at the bottom, scroll down and expand.

Click Save when finished. Now, we need to Publish this to all tenants or select tenants. In my environment, I am going to publish this to all.

Rights Bundles are a way of assigning specific permissions to organizations while Global Roles are a way of assigning rights to users within those organizations. Therefore, if an org does not have permissions to the specific permissions inside of an assigned rights bundle, it will not show within that organization – nor will it show any permissions! Any org must have a rights bundle attached to it.

Publish the Global Role –

Now, we need to place these permissions inside of the Organization Administrator role. In this example, I will need to add these specific permissions inside of the Org Admin role, and then publish it to my tenants.

So, let’s go ahead and modify my Organization Administrator role and add these permissions.

Scroll down and add in Multisite capability…

While adding VDC Group permissions…

Now we are ready to publish this to all tenants –

Now, let’s test it – it works! I can log in with my specific org admin users and now see Datacenter Groups and Multi-site configuration.

Now, what if I attempt to re-modify the Org Admin role and publish it to a specific tenant (i.e. remove these permissions from Wissam)?

Ah ha! Does not work, because we already have a role applied. Good failsafe.

This definitely provides quite a bit of opportunity to Providers on granular permissions and managing them. I will be also asking our team to revise this documentation that shows the org admin as having these permissions by default (which they do not).

Thanks!

-Daniel

VMware vCloud Director 9.5 – Quick Tech Lightboards on What’s New

I was recently in the lightboard studio for VMware vCloud Usage Insight with Luis Ayuso and decided to throw a quick tech talk on vCloud Director 9.5. Below are three quick lightboards on reviewing what’s new within this new release.

I’m very excited to talk about more of the functionality in greater detail. My vCD 9.5 Cross-VDC lab environment is almost completed and will reviewing that in more detail soon. The possibilities with cross-NSX are great, so all providers should be looking at this in greater detail.

Enjoy!

-Daniel