restrict access to blade via kvm/kvm manager

Kassim Ismail · ‎07-08-2011

Hi All,

is it possible to restrict access for certain users to a specific blade on the UCS either via KVM or another method?

we have AD integration enabled but i guess the problem will be that i give them access, then they will be able to access all the blades & not 1 specific one.

any suggestions.

Thanks

Kassim

padramas · ‎07-09-2011

Kassim,

First, make sure that TCP Port 2068 is not being blocked.

Following options are available to grant access only to KVM.

Method #1 -- Access as IPMI user

Method #2 -- Standalone KVM tool

Method #3 -- KVM Viewer

Method #4 -- KVM Manager

For method #1 and #2, configure IPMI policy with a IPMI user having admin role and then associate it to required service-profiles / blades.This is non-disruptive configuration.

Method #1 -- as IPMI user

Access KVM via one of the following URLs

## Enter user name, password & blade's management IP address

http:///ucsm/kvm.jnlp

## OR we can include IP address of the specific blade in URL as a parameter

http:///ucsm/kvm.jnlp?kvmIpAddr=a.b.c.d

Method #2 -- Standalone KVM tool

Tool is available for both Windows and Linux systems.

To run a standalone KVM, download kvm.zip file from the Fabric Interconnect ( FI )

http:///kvm.zip

and extract the contents to a folder.

On Windows, double click launchkvm.bat file to launch the KVM.

On Linux, enable the execute permission by " chmod 777 launchkvm.sh " and then launch it by running " ./launchkvm.sh "

For method #3 and #4, access can be restricted to specific blades by associating appropriate role,locale and organization.

#1 Map blades to an organization

#2 Create a locale and include the organization

#3 Assign the user with " server-profile " role and assign it to appropriate locale

Method #3 -- KVM Viewer

To launch KVM viewer

http:///ucsm/kvm.jnlp

http:///ucsm/kvm.jnlp?kvmIpAddr=a.b.c.d

Method #4 -- KVM Manager

Access the KVM launch manager via FI ip address or use the following direct link

http:///ucsm/kvm.html

In this view, user will be able to see all blades but only will be allowed access to blades associated with organization and locale.

NOTE :- This was based on UCSM 1.4.3 and for locally authenticated users. Need to check out options for users authenticated through LDAP.

HTH

Padma

Kassim Ismail · ‎07-12-2011

Hi Padma,

Thanks for the info. I will give it a go.

Kassim

David Rodriguez · ‎03-07-2012

Hi Padramas,have you tried with the latest firmware 2.0.1w to use local authentication with locale to specific organisation and only seeing their server in the kvm manager ? Or have you found another way to accomplish this ?

padramas · ‎03-08-2012

David,

I just did quick test ( 2.0.1t ) in lab where I associated a user to custom role that has only " service-profile-ext-access " privilege in it and mapped with corresponding locale ( organization )

With this configuration, user will be able to access KVM for blades within the locale.

For other blades, it will launch a login window and will fail when you try to authenticate.

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_01001.html

HTH

Padma

pavel.jenicek · ‎02-05-2013

Hello,

even in sw version 2.1, KVM user role (service profile ext access) still have read-only access to management. I really don't want to let my kvm users see all the equipment, server profiles, etc.

Any clue to create KVM role ONLY ? Without RO access to management ?

Thanks

Regards,

Pavel

Robert Burns · ‎02-05-2013

It's another request that's in the pipe. No commit timeframe yet.

Robert

NarendraChawda · ‎04-18-2018

We are at UCSM2.2.8g and we would like to restrict some GROUP to just have KVM. i think above post is OLD & may be still valid but could someone help in details please? thank you

pranavgu · ‎04-18-2018

To be able to assign different permission to a particular blades you need to put the blades under the different organizations.
However UCS Manager does not allow one user to have different roles/privileges in different organizations. There is no direct option configure this functionality.
Therefore only option we see here to achieve your task is to create separate users and assign them a different roles under organizations.
You can create your own role with defined privileges. Depending the tasks you want to allow for user, you need to enable particular privileges for him.
Below is the list of the privileges which contain KVM access and can't be used for the role, to whom you want to disable KVM access:
- Admin
- Service profile Config
- Service profile Config Policy
- Service profile Server
- Service profile Compute
- Service profile Server Policy
- Service profile Ext Access
- Service profile Server Oper
- Server Equipment
- Server Maintenance
- Server Policy

Below link provides configuration guide for configuring UCSM user roles:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/configuring_role_based_access_control.html#concept_E41FB2D2F363406EAC1011CC59B5D4BB
At the following link you can see the explanation of each privilege to understand which operations are allowed for them:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucsm_privileges/CiscoUCSManager_Privileges_release21.html

NarendraChawda · ‎04-18-2018

Thanks Pranav, but with that they CAN login to UCSM and see other business HW< configurations< and global policies etc, which we would like to restrict.

we already have the ORG & Local created for this business UNIT but with that they have some access to that ORG-locale but have READONLY rights to the UCSM as whole.

WE want to restrict the UCSM access completely, and give only KVM with KVM-IP (like rack server mgmt.).

we are OK with local user but AD is preferred...

robertdemay · ‎04-18-2018

We use Locales to separate usage to different users.

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-0/b_UCSM_GUI_Configuration_Guide_2_0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_01001.html

Scroll down to User Locales