
ESX Configuration Guide

Figure 13-1. Authentication for vSphere Client Communications with ESX

[Figure: diagram of a vSphere Client authenticating to an ESX host. Labels recoverable from the figure: vSphere Client, management functions, console, user name/password, ticket-based authentication, authentication, ESX, service console, VMkernel, vmware-hostd, vmkauthd, virtual machine.]

ESX authentication transactions with vSphere Web Access and third-party network management clients are also direct interactions with the vmware-hostd process.

To make sure that authentication works efficiently for your site, perform basic tasks such as setting up users, groups, permissions, and roles, configuring user attributes, adding your own certificates, and determining whether you want to use SSL.

About Users, Groups, Permissions, and Roles

vCenter Server and ESX hosts use a combination of user name, password, and permissions to authenticate a user for access and authorize activities. You can control access to hosts, clusters, datastores, resource pools, networking port groups, and virtual machines by assigning permissions.

Access to an ESX host and its resources is granted when a known user with appropriate permissions logs in to the host with a correct password. vCenter Server uses a similar approach when determining whether to grant access to a user.

vCenter Server and ESX hosts deny access under the following circumstances:

- A user not in the user list attempts to log in.

- A user enters the wrong password.

- A user is in the list but was not assigned permissions.

- A user who successfully logged in attempts operations that they do not have permission to perform.

As part of managing ESX hosts and vCenter Server, you must plan how to handle particular types of users and permissions. ESX and vCenter Server use sets of privileges, or roles, to control which operations individual users or groups can perform. Predefined roles are provided, but you can also create new ones. You can manage users more easily by assigning them to groups. When you apply a role to the group, all users in the group inherit the role.

The topics in this section apply to local users and groups. You can also use Active Directory to manage users and groups for ESX.
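The following is an added illustration of the access model just described (user list, password check, groups, roles as privilege sets, permissions on objects) and is not VMware code; the user names, group SalesShare, object names and privilege strings are constructed sample data. It refuses access in exactly the four cases the guide lists and shows how a role granted to a group is inherited by its members:

```python
"""Toy model of the ESX / vCenter Server access scheme described above.

Added illustration for this page, not VMware code. Users, groups, roles,
objects and privilege names below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import os


class Denied(Enum):
    """The four refusal cases listed in the guide."""
    UNKNOWN_USER = "user not in the user list"
    BAD_PASSWORD = "wrong password"
    NO_PERMISSIONS = "user is in the list but was not assigned permissions"
    MISSING_PRIVILEGE = "assigned role does not include this privilege"


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the sample store never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Host:
    """An ESX-host-like principal store: users, groups, roles and permissions."""

    def __init__(self):
        self.users = {}        # user name -> User
        self.roles = {}        # role name -> frozenset of privileges
        self.permissions = {}  # object -> {principal (user or group): role}

    def add_user(self, name, password, groups=()):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt), set(groups))

    def define_role(self, name, privileges):
        self.roles[name] = frozenset(privileges)

    def grant(self, obj, principal, role):
        """A permission = object + principal + role (a set of privileges)."""
        self.permissions.setdefault(obj, {})[principal] = role

    def authenticate(self, name, password):
        user = self.users.get(name)
        if user is None:
            return None, Denied.UNKNOWN_USER
        if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return None, Denied.BAD_PASSWORD
        return user, None

    def effective_privileges(self, user, obj):
        """Union of privileges from every role granted to the user or to one of its groups."""
        principals = {user.name} | user.groups
        privs = set()
        for principal, role in self.permissions.get(obj, {}).items():
            if principal in principals:
                privs |= self.roles[role]
        return privs

    def authorize(self, name, password, obj, privilege):
        """Return (allowed, reason); reason is a Denied member when refused."""
        user, why = self.authenticate(name, password)
        if why is not None:
            return False, why
        principals = {user.name} | user.groups
        if not any(entry.keys() & principals for entry in self.permissions.values()):
            return False, Denied.NO_PERMISSIONS
        if privilege not in self.effective_privileges(user, obj):
            return False, Denied.MISSING_PRIVILEGE
        return True, None


def build_demo_host():
    """The SalesShare scenario from the guide, with constructed names and passwords."""
    host = Host()
    host.define_role("VM User", {"VirtualMachine.Interact.PowerOn",
                                 "VirtualMachine.Interact.ConsoleInteract"})
    for who in ("alice", "bob", "carol"):
        host.add_user(who, f"{who}-Pw_2016", groups={"SalesShare"})
    host.add_user("dave", "dave-Pw_2016")  # in the user list, but no permissions
    host.add_user("mgr", "mgr-Pw_2016")
    host.grant("vm-shared-sales", "SalesShare", "VM User")
    host.grant("vm-manager", "mgr", "VM User")
    return host


if __name__ == "__main__":
    h = build_demo_host()
    priv = "VirtualMachine.Interact.PowerOn"
    print(h.authorize("alice", "alice-Pw_2016", "vm-shared-sales", priv))  # allowed via group
    print(h.authorize("alice", "alice-Pw_2016", "vm-manager", priv))       # manager's VM: refused
    print(h.authorize("dave", "dave-Pw_2016", "vm-shared-sales", priv))    # no permissions assigned
```

The deny checks are ordered the way the guide orders them: identity, password, then whether any permission exists at all, then whether the role on the specific object carries the requested privilege. The group member alice reaches the shared virtual machine only because SalesShare was granted a role there; nothing on the manager's virtual machine names her or her group, so that request is refused.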

174

VMware, Inc.

Chapter 13 Authentication and User Management

Understanding Users

A user is an individual authorized to log in to either an ESX host or vCenter Server.

ESX users fall into two categories: those who can access the host through vCenter Server and those who can access by directly logging in to the host from the vSphere Client, vSphere Web Access, a third-party client, or a command shell.

Authorized vCenter Server users

Authorized users for vCenter Server are those included in the Windows domain list that vCenter Server references or are local Windows users on the vCenter Server host. You cannot use vCenter Server to manually create, remove, or otherwise change users. You must use the tools for managing your Windows domain. Any changes you make are reflected in vCenter Server. However, the user interface does not provide a user list for you to review.

Direct-access users

Users authorized to work directly on an ESX host are those added to the internal user list by a system administrator. An administrator can perform a variety of management activities for these users, such as changing passwords, group memberships, and permissions as well as adding and removing users.

The user list that ESX maintains locally is separate from the users known to vCenter Server, which are either local Windows users or users that are part of the Windows domain. Even if the lists appear to have common users (for instance, a user called devuser), treat these users separately. If you log in to vCenter Server as devuser, you might have permission to view and delete files from a datastore, whereas if you log in to an ESX host as devuser, you might not. If Active Directory authentication has been configured on the host, then the same Windows domain users known to vCenter Server will be available on the ESX host.

Because of the confusion that duplicate naming can cause, check the vCenter Server user list before you create ESX host users to avoid duplicating names. To check for vCenter Server users, review the Windows domain list.

Understanding Groups

A group is a set of users that share a common set of rules and permissions. When you assign permissions to a group, all users in the group inherit them, and you do not have to work with the user profiles individually.

As an administrator, decide how to structure groups to achieve your security and usage goals. For example, three part-time sales team members work different days, and you want them to share a single virtual machine but not use the virtual machines belonging to sales managers. In this case, you might create a group called SalesShare that includes the three sales people and give the group permission to interact with only one object, the shared virtual machine. They cannot perform any actions on the sales managers’ virtual machines.

The group lists in vCenter Server and an ESX host are drawn from the same sources as their respective user lists. The group lists in vCenter Server are drawn from the local users or any trusted domain, and the group lists for an ESX host are drawn from the local user list or from any trusted Windows domain.

Understanding Password Requirements

By default, ESX enforces requirements for user passwords.

When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.

Your user password must meet the following length requirements.

- Passwords containing characters from one or two character classes must be at least eight characters long.
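An added example, not code from the guide, of how the character-class rule above can be checked before a password is set. The four classes are the guide's; the only length threshold the page states is the eight-character minimum for one or two classes, so the three- and four-class values in the table below are assumed placeholders to be replaced with your own policy:

```python
"""Character-class password check modelled on the ESX default policy above.

Added illustration, not VMware code. Only the 1- and 2-class minimum (8)
comes from the guide; the 3- and 4-class minimums are ASSUMED placeholders.
"""
import string

# The four character classes named in the guide.
_CLASSES = (
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("number", set(string.digits)),
    ("special", set(string.punctuation)),   # e.g. underscore or dash
)

# Minimum length keyed by the number of classes present.
# 1 and 2 are from the guide; 3 and 4 are assumed for illustration only.
DEFAULT_MIN_LENGTH = {1: 8, 2: 8, 3: 7, 4: 6}


def character_classes(password: str) -> set:
    """Return the names of the classes that occur at least once in the password."""
    return {name for name, chars in _CLASSES if any(c in chars for c in password)}


def check_password(password: str, min_length: dict = DEFAULT_MIN_LENGTH):
    """Return (accepted, message) for a candidate password under the class/length policy."""
    classes = character_classes(password)
    if not classes:
        return False, "password contains no characters from any recognised class"
    needed = min_length[len(classes)]
    if len(password) < needed:
        return False, (f"{len(classes)} character class(es) present: need at least "
                       f"{needed} characters, got {len(password)}")
    return True, f"ok: {len(classes)} class(es), {len(password)} characters"


if __name__ == "__main__":
    for candidate in ("abcdefg", "abcdefgh", "abcdefgH", "Abc123_"):
        print(repr(candidate), check_password(candidate))
```

The checker only implements the length-by-class rule; a production policy would also be enforced on the host itself (the guide's point is that ESX applies these requirements by default), so this is a pre-check for provisioning tooling, not a replacement for the host's own enforcement.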
