Notes on vSphere Datastore Permissions
One of the new features available for vSphere is the ability to assign role-based permissions to datastores, including VMFS volumes. It is important to note that these permissions are managed exclusively by vCenter and not the filesystem. What this means is that if you access the NFS or VMFS volume outside of vCenter's access authority, these roles do not apply.
Access to VMFS volumes is managed on the volume directly, without a central coordinator. In an earlier post, I outlined how VMFS volumes can easily cross management zones as part of their design. Further, VMFS-3 volumes are forward and backward compatible between VI3 and vSphere installations. This is important because the new datastore consumer role for VMFS permissions within vCenter does not modify the volume itself and therefore does not affect older installations that share it.
The datastore consumer role can be configured to assign access and tasks per NFS or VMFS volume (see Fig. 1). This can be critical when certain volumes may require highly restricted access, yet an administrator may need virtual machine access at other levels.
Figure 1. The datastore consumer role allows configuration of privileges on the VMFS volume managed by vCenter.
The main takeaway is to be aware that if vCenter is configured with permissions on a datastore, vCenter is also where those permissions stop. Any account on an ESX or ESXi host that is zoned to the storage can still access the filesystem directly, whether or not that host is managed by the same vCenter Server.
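The gap described above can at least be made visible from the vCenter side. The following PowerCLI function is an added example, not code from the original post; it assumes an existing Connect-VIServer session and lists, per datastore, the permissions vCenter enforces alongside the hosts that have the volume mounted and whose local accounts are not bound by those permissions.

```powershell
# Added example (not from the original post). Audits, per datastore, the
# permissions vCenter enforces and the hosts that can still reach the
# volume directly. Assumes a session opened with Connect-VIServer.
# Hosts zoned to the storage but not managed by this vCenter will NOT
# appear in the output; that is exactly the blind spot the post describes.

function Get-DatastoreAccessAudit {
    param(
        # Optional name filter; the default audits every datastore
        [string]$DatastoreName = '*'
    )

    foreach ($ds in Get-Datastore -Name $DatastoreName) {
        # Permissions vCenter applies to the datastore object itself
        $perms = Get-VIPermission -Entity $ds

        # Hosts that have the VMFS or NFS volume mounted. Any local account on
        # these hosts reaches the filesystem without passing through vCenter.
        $hosts = Get-VMHost -Datastore $ds

        [PSCustomObject]@{
            Datastore         = $ds.Name
            Type              = $ds.Type
            vCenterPermission = ($perms | ForEach-Object { "$($_.Principal):$($_.Role)" }) -join ', '
            DirectAccessHosts = ($hosts | Select-Object -ExpandProperty Name) -join ', '
            HostCount         = @($hosts).Count
        }
    }
}

# Review only datastores that carry vCenter permissions, since those are the
# ones an administrator may wrongly assume are restricted at the host level too.
Get-DatastoreAccessAudit | Where-Object { $_.vCenterPermission } | Format-Table -AutoSize
```

Cross-check the DirectAccessHosts column against the storage array's zoning or NFS export list; any host present there but absent from this output is outside vCenter's view entirely.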
Realistically speaking, managing access for aggregated storage can only be done effectively through a product such as vCenter. I still feel that vStorage VMFS is the most underrated technology that VMware has produced.
Posted by Rick Vanover on 09/14/2009 at 12:47 PM