How-to configure local ESXi user for hardware monitoring via WBEM (CIM)

This forum supports the ESX Host Health Monitor plugin. When posting, include screenshots of issues and any script and command logs listed in the probe consoles.

Post by Cubert »

How-to create User with limited permissions

So you don't want to use your root ESXi account for the plugin to work! Before we get to the how-to let us explain some of the problems that were encountered and what is truly needed to access CIM. No fear, there is a way!

We had a lot of noise on this issue and even a VMware support rep involved and here is the skinny. According to VMware the CIM\interactwithcim permission is supposed to be enough to allow retrieving data from the CIM Server service, but as we found from testing, that did not work.

VMware's support rep referenced the following URL, "Support Doc on CIM permissions". They expressed that this is all you will need, but that is inaccurate. Below we reference "Bugs", which is our way of saying it's broken, but VMware may just call it features.


The Problem: A user with limited permissions is needed in environments of administrative disparity, where there is still strict separation between virtualization admins and hardware admins: a local ESXi account that allows CIM access only.


The Solution:

We need to have a dedicated local user on each of our ESXi hosts with minimal permissions and no shell access. But wait, there's a catch.

It will require us to create a new local user and assign this user the Administrator role with all the permissions the root level has on the ESXi host; only then can the user query CIM hardware management information through WBEM.

Bug 1: There is a local permission called “Host – CIM – CIM Interaction”, which implies that using a dedicated role for this user instead of the built-in Administrator role would work, but forget about that, it doesn’t. Why? Bug #2: when adding the user to the “Host – CIM – CIM Interaction” role, the /etc/security/access.conf file does not change.

Bug 2: For non-root local users, access to CIM interface is only allowed if we add permissions with the builtin Administrator role on the ESXi host. Even cloning that role and thereby retaining full permissions results in NOT being allowed to access the CIM interface. This is because any non-builtin Administrator assignment will not be reflected in /etc/security/access.conf. Access to the CIM interface via WBEM is governed through the configuration files in /etc/security/.

Here is the default /etc/security/access.conf after creating the local cimuser account with the VMWare permissions as mandated above.
# This file is autogenerated and must not be edited.
+:dcui:ALL
+:root:ALL
+:vi-admin01:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:vi-user01:ALL
-:ALL:ALL
The cimuser is not included and as such treated with no rights (-:ALL:ALL). If we assign the builtin Administrator ESXi role, a new entry will be added allowing everything:
+:cimuser:ALL

Now that we know why it doesn’t work unless the user has the builtin Administrator role, we could edit the /etc/security/access.conf file manually and even control that the user only has access to the sfcb CIM service by adding the following before the -:ALL:ALL rule:
+:cimuser:sfcb

This works well and allows us to assign really the most minimal permissions possible, but the problem is that this file is auto-generated at every reboot. This means the file is replaced every time the system reboots and so your edits are removed.

We can work around the problem above with the following steps:

1. Add the cimuser to the root group in /etc/group on the host:
# grep root /etc/group
root:x:0:root,cimuser
Note that local groups were officially deprecated as of ESXi 5.1 and you can’t administer them with the vSphere client anymore.

2. Change the login shell of the cimuser from /bin/sh to /sbin/nologin; otherwise they can connect via SSH or log in through the local shell:
# grep cimuser /etc/passwd
cimuser:x:501:0:Hardware Monitoring:/:/sbin/nologin
“Hey, I can do that from the vSphere Client too!” Unfortunately, no, you can’t! Why? Bug #3.

Bug 3: Since ESXi 5.1 the “grant shell access to user” checkbox in the user properties window became useless. Even if you uncheck it, no actual change will be performed and it will automatically be checked again. By editing the /etc/passwd file for the user directly, the checkbox will correctly display an unchecked status though.


3. Finally, run the ESXi config backup scripts so the changes persist across reboots:
# backup.sh 0

Saving current state in /bootbank
Clock updated.
Time: 08:06:53 Date: 09/27/2013 UTC
# /sbin/auto-backup.sh
This approach survives reboots or updates and does not require ANY assigned permissions for the user on the local ESXi host. You only need to create the user beforehand. The user will not be able to connect to the host with the vSphere Client or APIs like PowerShell, or log in through SSH or the local ESXi shell.




How can I check if the WBEM interface works with a user?


You can easily check if a user is allowed to query CIM providers by connecting to the WBEM port like this.
# curl -ik 'https://myesxihost.domain:5989' --request POST --data "" --basic --user cimuser
Enter host password for user 'cimuser':
HTTP/1.1 200 OK
Content-Type: application/xml; charset="utf-8"
Content-Length: 0
Cache-Control: no-cache
CIMOperation: MethodResponse
If the service replies with a good 200 OK message then you are successful and can now use that user to probe CIM data on the ESXi host. Wrong passwords or insufficient permissions will receive a 401 Unauthorized response.

Denied login attempts are logged to /var/log/syslog.log on the ESXi Host and should look something like this.
2012-12-05T11:46:06Z sfcb-CIMXML-Processor[1192236]: pam_access(sfcb:auth): access denied for user `cimuser' from `sfcb'
We hope this helps you get local users setup securely across your environments. Post any comments below.
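As an added example (not part of the post above or of the ESX Host Health Monitor plugin), the following POSIX sh script audits that the root-group and /sbin/nologin workaround from steps 1 and 2 is still in place after a reboot, and summarises the pam_access(sfcb) denials described at the end of the post. It assumes pam_access applies the +:root:ALL line to members of the root group, and runs here against constructed copies of the host files quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the ESX Host Health Monitor
# plugin): audit that the least-privilege CIM user described above is still
# in place after a reboot, and summarise sfcb denials from syslog.log.
# File paths are parameters so it can run against copies pulled off a host.
# Assumption: pam_access honours +:root:ALL for members of the root group,
# which is why the post's root-group workaround needs no access.conf edit.
# audit_cim_user USER GROUP_FILE PASSWD_FILE ACCESS_FILE -> 0 if all checks pass
audit_cim_user() {
    user=$1 grp=$2 pw=$3 acc=$4 rc=0
    if grep -Eq "^root:[^:]*:0:(.*,)?$user(,.*)?\$" "$grp"; then
        echo "OK   $user is in the root group (covered by +:root:ALL)"
    else
        echo "FAIL $user is not in the root group"; rc=1
    fi
    if grep -Eq "^$user:.*:/sbin/nologin\$" "$pw"; then
        echo "OK   $user has /sbin/nologin (no SSH or local shell)"
    else
        echo "FAIL $user still has an interactive shell"; rc=1
    fi
    if grep -Eq "^-:$user:" "$acc"; then
        echo "FAIL $user is explicitly denied in access.conf"; rc=1
    elif grep -Eq "^\\+:$user:ALL\$" "$acc"; then
        echo "WARN $user has +:$user:ALL, i.e. the built-in Administrator role"
    fi
    return $rc
}

# sfcb_denials < syslog.log -> "count user" per user denied by pam_access(sfcb)
sfcb_denials() {
    grep 'pam_access(sfcb:auth): access denied for user' \
        | sed 's/.*for user `//; s/'"'"' from.*//' | sort | uniq -c | sort -rn
}

# write_sample_files DIR: constructed copies of the host files quoted in the post
write_sample_files() {
    echo 'root:x:0:root,cimuser' > "$1/group"
    echo 'cimuser:x:501:0:Hardware Monitoring:/:/sbin/nologin' > "$1/passwd"
    printf '%s\n' '+:dcui:ALL' '+:root:ALL' '-:ALL:ALL' > "$1/access.conf"
    cat > "$1/syslog.log" <<'EOF'
2012-12-05T11:46:06Z sfcb-CIMXML-Processor[1192236]: pam_access(sfcb:auth): access denied for user `cimuser' from `sfcb'
2012-12-05T11:46:09Z sfcb-CIMXML-Processor[1192236]: pam_access(sfcb:auth): access denied for user `cimuser' from `sfcb'
2012-12-05T11:47:00Z sfcb-CIMXML-Processor[1192240]: pam_access(sfcb:auth): access denied for user `vi-user01' from `sfcb'
EOF
}

# Stand-alone demo on the constructed data; on a host point the functions at /etc/*.
d=$(mktemp -d); write_sample_files "$d"
audit_cim_user cimuser "$d/group" "$d/passwd" "$d/access.conf"; sfcb_denials < "$d/syslog.log"; rm -rf "$d"
```

On a real host, run it as root after a reboot with /etc/group, /etc/passwd and /etc/security/access.conf as arguments and feed /var/log/syslog.log to sfcb_denials; a FAIL means the backup.sh step did not persist the change.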

Re: How-to configure local ESXi user for hardware monitoring via WBEM (CIM)

Post by Cubert »

Setup ESXi 7.x user to allow probing of CIM data

You can utilize the root account or create another account that has root (Administrator) access. This is recommended to ensure the account does not get logged out.

Log in to the host with the current root credentials. Navigate to Host > Manage > Security and Users > Users > select Add User.


[Screenshot: 1.png]


Create the new user and password and select Add.

[Screenshot: 2.png]


Navigate to Host > Actions > Permissions


[Screenshot: 3.png]


Click on Add User

[Screenshot: 4.png]

Use the drop-down to select a user, select the user's role and click Add.

[Screenshot: 5.png]

Select Close

Now let’s ensure CIM Services are running. Navigate to Host > Manage > Services

Locate the sfcbd-watchdog (CIM Server) service, right-click it and select Start.

[Screenshot: 6.png]

That’s all that is required.
