In this article, we will discuss managing users that have access to vSphere for an HPC (Hosted Private Cloud) environment and the different security settings.
Topics
- Creating a User (OVHcloud Control Panel)
- User Permissions & Rights (OVHcloud Control Panel)
- Security
- Managing Users (OVHcloud API)
Creating a User
We begin with how to create a user in the OVHcloud Control Panel. Start by logging in to the OVHcloud Control Panel. Then, click on "Hosted Private Cloud" in the left-hand column followed by the name of your HPC environment (e.g., Private Cloud).
At the top of the page, click the "Users" tab followed by the "Create User" button.
Next, you are prompted to fill out a form. Enter a "Name", "Password", and "Email" for the person you would like to grant access to vSphere.
Select the permission you wish to give to the user and then click the Next button.
Finish by clicking the Confirm button.
You have successfully created a new user that has access to vSphere.
Deleting a User
To delete a user, click on the ellipses (...) to the far right of the user in question.
Click the "Delete this user" option from the pop-up menu.
User Permissions & Rights
To edit the front-facing user permissions, select the ellipses (...) to the far right of the user in question.
Click the "Modify" option from the pop-up menu. The options available here are two-factor authentication (Token validator) and the ability to access the interfaces to work with IPs, additional IPs, and NSX.
To edit the rights of a user for each of your data centers, click the "See/Modify the rights for each DC" option from the pop-up menu. Then, click on the Pencil icon.
The following pop-up menu appears:
The three areas of access have the following rights:
Right | vSphere | VM Network | V(X)LAN |
None | No access | No access | No access |
Read-only | Access and ability to read settings | Access and ability to read settings | Access and ability to read settings |
Read/Write | Write access | — | — |
Administrator | — | — | Manage port groups on virtual switches |
Provider | Reserved for OVH | Allowed to configure VMs on a public network | Allowed to configure VMs on a private network |
On this page, the Add resources checkbox allows the user to add hosts and data stores to the HPC environment directly from the vSphere web client, instead of via the OVH US Manager.
Now that we have gone through all of the permissions available for users, let's get into setting up our security settings for our users.
Security
Click the "Hosted Private Cloud" option in the left-hand column and then select the "Security" tab. The following page appears:
From here, we can administer our security settings.
Session Expiry
Let's start with changing the expiry date of connections to the vSphere web client.
Click the Change the expiry date button. As an example, we will have our connections time out after 30 minutes.
Confirm the change, and you will see it reflected on the Security page.
Simultaneous connections
Click the Simultaneous connections button. From here, set how many users are able to log in to the vSphere web client at the same time. After deciding, click the Confirm button and the changes will be saved on the Security page.
vCenter Access Policy
Here we can decide whether or not to restrict vCenter access. Click the vCenter access policy button and choose the option that is right for you. Keep in mind that by default the policy is set to open, which means any IP address can connect to the vSphere web client.
Click Confirm when you are done, and the changes will be reflected on the Security page.
Note: If the policy is set to 'Restricted', then at least one IP address needs to be authorized to access the vSphere web client using the Add IPs button.
Disconnection policy
With the disconnection policy, we get to decide who gets disconnected in the event that we go over the simultaneous connection limit. The options are to disconnect the first user or the last user who connected to the vSphere web client. Choose which option works best for you and click the Confirm button.
Adding and Deleting IPs
By clicking the Add IPs button, we can decide which IPs can connect to the vSphere web client. If we have nothing listed here, all IPs are able to connect.
In our example, we have added an IP and will delete it by selecting the check mark next to the IP.
Next, click the Delete IPs button and any selected IPs will be removed.
Now that we have created a user, defined the permissions, and determined the security settings, we are ready to access the vSphere web client. For more information regarding connecting to the vSphere web client, please check out our Getting Started with HPC article.
In the next section, we will be going over how to manage HPC users in the OVHcloud API.
Managing Users (OVHcloud API)
To begin, visit the OVHcloud API page and click Explore the OVH API. In the top-right of the following page, select Login. Type in your credentials, select the validity time period, and Log in to the API.
Navigate to the /dedicatedCloud section of the API and select it.
Creating a new User
To create a new user, select the POST command /dedicatedCloud/{serviceName}/user and fill in the relevant information, then select the Execute button when finished.
From here, we are also able to remove the user after a specific date by typing in a value in days for the expirationDate field. This is very useful for creating temporary users.
Now that we have created a user, we are able to change the user's rights, the user's password, or delete the user. To do so, we need to locate the user's unique ID.
Note: We will be going over some of the more basic functions for our user. You are able to do much more in the OVHcloud API for your user and datacenter security. Feel free to explore more of the commands located in this /dedicatedCloud section.
Locating the userID
Select the command GET /dedicatedCloud/{serviceName}/user. Type in the HPC environment and the name of the user and select the Execute button.
Now that we have our unique ID for our user ("3210" in our example), we are ready to change our user's properties.
Changing a User's Properties
Select the POST command /dedicatedCloud/{serviceName}/user/{userId}/changeProperties to change any of your user's properties.
After you are satisfied with the new changes for the user, select the Execute button to implement them.
Changing a User's Password
To change a user's password, select the POST command /dedicatedCloud/{serviceName}/user/{userId}/changePassword.
Enter the HPC environment, your user's unique userID, and the new password you would like for your user. When satisfied, click the Execute button.
Deleting a User
To delete a user from your HPC environment, select the DELETE command /dedicatedCloud/{serviceName}/user/{userId}.
Enter the HPC environment and your user's unique user ID. Select the Execute button to delete the user.
You now have a basic understanding of some of the most important API functions for user creation, deletion, and security.
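The API steps above (create a user, locate the userId, change the password, delete the user) chained into one script, as an added example that is not OVHcloud's own code. It assumes a client object with get/post/delete methods in the style of the python-ovh wrapper; the helper names, `FakeClient`, and the generated password format are hypothetical, and the expirationDate value is passed through exactly as you would type it in the console.

```python
import secrets

def user_path(service, user_id=None, action=None):
    """Build /dedicatedCloud/{serviceName}/user[/{userId}[/{action}]]."""
    parts = ["/dedicatedCloud", service, "user"]
    if user_id is not None:
        parts.append(str(int(user_id)))  # numeric only: nothing else reaches the path
    if action:
        parts.append(action)
    return "/".join(parts)

def create_user(client, service, name, expiration):
    """POST .../user; returns the generated password for out-of-band delivery."""
    password = secrets.token_urlsafe(18)  # assumption: adapt to your password policy
    client.post(user_path(service), name=name, password=password,
                expirationDate=expiration)
    return password

def resolve_user_id(client, service, name):
    """GET .../user filtered by name; act only on exactly one match."""
    ids = client.get(user_path(service), name=name)
    if len(ids) != 1:
        raise LookupError(f"{name!r} matched {len(ids)} users; refusing to act")
    return ids[0]

def rotate_password(client, service, name):
    """POST .../user/{userId}/changePassword with a fresh random password."""
    uid = resolve_user_id(client, service, name)
    password = secrets.token_urlsafe(18)
    client.post(user_path(service, uid, "changePassword"), password=password)
    return password

def delete_user(client, service, name):
    """DELETE .../user/{userId} after resolving the ID from the name."""
    uid = resolve_user_id(client, service, name)
    client.delete(user_path(service, uid))
    return uid

class FakeClient:
    """Constructed offline stand-in exposing get/post/delete; records each call."""
    def __init__(self, ids_by_name):
        self.ids_by_name, self.calls = ids_by_name, []
    def get(self, path, **params):
        self.calls.append(("GET", path, params))
        return self.ids_by_name.get(params.get("name"), [])
    def post(self, path, **params):
        self.calls.append(("POST", path, params))
    def delete(self, path):
        self.calls.append(("DELETE", path, {}))
```

Resolving the ID by name and refusing to act on zero or several matches keeps a password change or deletion from landing on the wrong account.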
Conclusion
With the added ability to administer security policies, you can make sure that your environment is in the right hands. Having the ability to create users, delete users, change user permissions, and change security permissions makes it a breeze to keep your OVHcloud HPC secure.