Overview
Until the 2.0.3 release, PowerVC users registered the Hardware Management Console (HMC) with PowerVC using the hscroot user, which is a super admin. This user has privileges to run every task on the HMC. PowerVC does not need super admin access, because it requires privileges for only a handful of tasks.
In some on-premise customer environments, the HMC administrator is different from the PowerVC administrator. The HMC administrator does not want to give PowerVC full HMC access because it creates a security gap. To meet this security requirement, the 2.1.0 release introduced a new non-hscroot user that on-premise customers can use to register the HMC with PowerVC. This user has only the specific set of privileges that PowerVC requires to initiate a session with the HMC, execute the APIs, and get the response.
hscroot user vs the new non-hscroot user
- hscroot user: The hscroot user is a super admin user. This user has 176 task privileges across four HMC tasks.
- non-hscroot user: This user has the specific set of privileges that PowerVC requires to execute all the PowerVC REST APIs successfully. PowerVC only requires access to 59 task privileges across three HMC tasks.
The privileges required by PowerVC are listed below:
Creating new user in HMC
Creating the new user using the CLI
- SSH into the HMC as an administrator.
- Execute these commands:
  - Create a new role with the required tasks.
    hscroot@ch-hmc-01:~> mkaccfg -t taskrole -i "name=pvcrole,parent=hmcsuperadmin,\"resources=cec:CECPowerOff+CECPowerOn+ChangeCECPassword+ChangeCECProperty+ChangeCoD+ChangePowerManagement+CoDPoolManagement+CreateLPAR+EditCECMTMS+ListCECProperty+ListCoDInformation+ListCoDNotifications+ListSSP+ListUtilizationData+ManageCoDNotifications+ManageDumps+ManageSPP+ManageSSP+ManageSriovAdapter+ManageUtilizationData+ManageVirtualNetwork+ManageVirtualStorage+MoveSriovAdapter+PartitionConfigurationImage+RebuildCEC+RecoverPartitionData+RemoveCEConnection+ViewDumps+ViewPowerManagement+ViewSPP,lpar:ActivateLPAR+CapturePartitionTemplate+ChangeLPARProperty+ChangeProfileProperty+CloseVTerm+Connect5250VTerm+CreateProfile+Delete5250VTerm+DeleteLPAR+DeleteProfile+DisableEnableVirtualEthernet+DlparOperation+HibernateLPAR+ListLPARProperty+ListProfileProperty+ManageLPARDebugData+ManageProfile+MigrateLPAR+Open5250VTerm+OpenVTerm+PartProfileCopy+RRStartLPAR+RebootLPAR+RemoteRestartLPAR+ShutdownLPAR+VirtualIOServerCommand,HMCConsole:ChangeHMCFileSystems+ListHMCConfiguration+ViewHMCFileSystems\""
  - Assign the new role to the new user (abcd1234 is an example password; set a strong one of your own).
    hscroot@ch-hmc-01:~> mkhmcusr -u pvcuser -a pvcrole -d pvcuser --passwd abcd1234
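To confirm that a role created by either method grants only the tasks in the mkaccfg command above, the following Python check compares a role's resources= attribute against that list. It is an added example, not code from the original post or from PowerVC or the HMC. It assumes the role is available as an attribute line in the same syntax as the mkaccfg input (for example from lsaccfg -t taskrole); SAMPLE and the task name ExampleExtraTask are constructed.

```python
import re

# Least-privilege task set, copied from the mkaccfg command on this page.
EXPECTED = (
    "cec:CECPowerOff+CECPowerOn+ChangeCECPassword+ChangeCECProperty+ChangeCoD+ChangePowerManagement+CoDPoolManagement+CreateLPAR+EditCECMTMS+ListCECProperty+ListCoDInformation+ListCoDNotifications+ListSSP+ListUtilizationData+ManageCoDNotifications+ManageDumps+ManageSPP+ManageSSP+ManageSriovAdapter+ManageUtilizationData+ManageVirtualNetwork+ManageVirtualStorage+MoveSriovAdapter+PartitionConfigurationImage+RebuildCEC+RecoverPartitionData+RemoveCEConnection+ViewDumps+ViewPowerManagement+ViewSPP,"
    "lpar:ActivateLPAR+CapturePartitionTemplate+ChangeLPARProperty+ChangeProfileProperty+CloseVTerm+Connect5250VTerm+CreateProfile+Delete5250VTerm+DeleteLPAR+DeleteProfile+DisableEnableVirtualEthernet+DlparOperation+HibernateLPAR+ListLPARProperty+ListProfileProperty+ManageLPARDebugData+ManageProfile+MigrateLPAR+Open5250VTerm+OpenVTerm+PartProfileCopy+RRStartLPAR+RebootLPAR+RemoteRestartLPAR+ShutdownLPAR+VirtualIOServerCommand,"
    "HMCConsole:ChangeHMCFileSystems+ListHMCConfiguration+ViewHMCFileSystems"
)


def parse_resources(text):
    """Parse 'type:Task+Task,type:Task' into {type: {tasks}}.

    Accepts the bare value or a full attribute line containing resources=...
    (optionally wrapped in plain or backslash-escaped double quotes).
    """
    match = re.search(r'resources=([^"\\\s]+)', text)
    spec = match.group(1) if match else text.strip()
    roles = {}
    for group in filter(None, spec.split(",")):
        rtype, sep, tasks = group.partition(":")
        if not sep or not tasks:
            raise ValueError(f"malformed resource group: {group!r}")
        roles.setdefault(rtype, set()).update(filter(None, tasks.split("+")))
    return roles


def audit(actual_text, expected_text=EXPECTED):
    """Report tasks granted beyond the baseline ('extra') and tasks absent ('missing')."""
    def flat(roles):
        return {f"{rtype}:{task}" for rtype, tasks in roles.items() for task in tasks}

    actual = flat(parse_resources(actual_text))
    expected = flat(parse_resources(expected_text))
    return {
        "extra": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "count": len(actual),
    }


# Constructed sample: the role as an attribute line, with one task dropped and
# one placeholder task added (ExampleExtraTask is not a real HMC task name).
SAMPLE = ('name=pvcrole,parent=hmcsuperadmin,"resources='
          + EXPECTED.replace("+MigrateLPAR", "").replace("cec:", "cec:ExampleExtraTask+", 1)
          + '"')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty "extra" list means the role grants more than the 59 tasks PowerVC needs; a non-empty "missing" list means some PowerVC operations may be refused by the HMC.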
Creating the new user using the HMC GUI
1. Log in to the HMC as an administrator.
2. From the User management menu, select Tasks and resource roles.
3. Select Task Roles.
4. Select Add from the Edit drop-down.
5. Enter a name in the Role name field.
6. Select hmcsuperadmin from the Based on drop-down.
7. Select the required tasks from the Available Tasks pane, then click Add to move the selected tasks to the Current Tasks pane.
8. Click OK.
9. From the User management menu, click User profiles and access.
10. Select Add from the drop-down.
11. Enter User ID and Password.
12. Select the newly created role.
13. Click OK.
Registering HMC with the new user
1. Log in to PowerVC.
2. From the Hosts menu, click HMCs, then click Add.
3. Populate the new user details and click Add to register the HMC with the new user.
Switching to the new user
Users who have already registered the HMC with the hscroot user can switch to the new user.
- From the Hosts menu, click HMCs.
- Click an HMC to update the credentials.
- Edit the credentials of the new user.
- Click Save.
Important information
The specific set of privileges required by PowerVC has been identified. The PowerVC team is working with the HMC team to get the new user created implicitly from the HMC so the overhead of creating the new user manually can be removed. For now, create a user with the roles specified and register the HMC with the newly created non-hscroot user.
Blog authors:
Sharat Sharma S
Arun Mani