Ah access controls…always popular–who doesn’t want everyone to be admins?! Well…um…admins don’t! In this post I am going to run through integrating Active Directory with the Pure Storage FlashArray. Then talk about how it works with the vSphere Web Client Plugin because I would be ashamed if I didn’t at least mention VMware once in a post.
Okay the first thing you need to do is to identify your Active Directory information and the users you want to grant access to. Presently the FlashArray supports three access roles:
- Array Admin Group: Administrators that are allowed to perform every FlashArray operation including configuration–Array Admin Group administrators have the same privileges as the original built-in pureuser.
- Storage Admin Group: Administrators that are allowed to perform FlashArray storage operations (provision, snap etc).
- Read Only Group: Users with read-only privileges on the FlashArray–they can view information but not provision/change anything.
In my Active Directory instance (purecsg.local) I created a new Organization Unit simply called Pure. In it I created three user groups to correspond to the three access roles the FlashArray offers. I named them “Pure Array Admins” “Pure Storage Admins” and “Pure RO Users”. In each group I created one user with the respective user names of purearrayadmin, purestorageadmin, purerouser. Straight forward.
So you can configure AD authentication from the CLI or GUI but in this post I will show the GUI–let me know if there is interest in examples for the CLI.
Log into your Pure GUI and go to System > Configuration > Directory Service. The boxes will all most likely be blank/unchecked.
Go ahead and check the “Enabled” box if not checked and fill out the boxes. You need the LDAP address of the AD, an authenticated user, your OU base to search for your user groups and of course the names of your groups. Mine can be seen in the figure below.
I user the domain admin, but you can choose anything with proper access to the AD server. Note that the names are case sensitive–if you capitalize a name in AD, capitalize it here. If you want to validate the authenticity of the directory servers you can select “Check Peer” and then you must provide a certificate as well. I am going to skip that. When you are ready click “Save” then “Test”. The test will actually validate the information and if successful activate the directory service.
If the test went well you should see a bunch of green boxes like above and you are good to go!
Next I will login as the Pure Read Only User “purerouser”.
Once logged in as a Read Only user you will notice that you can see everything but not create or change anything. Options to create or change are grayed out but performance details and capacity info is all there. Below is an image (click to open in new tab) that shows the read only view on the left and the storage admin on the right. The read only user cannot do anything but view, the storage admin can create storage etc, but cannot change configuration information for the array (such as networking).
Cool. Now what about the vSphere Web Client Plugin?
You can register an array with any user account (read only or higher). Below I registered my array with the read only account.
So how does this affect using the plugin? Well any operation initiated against that array now from the Web Client will be under the banner of the user used to register the array. So if I try to see datastore details, I can:
But if I got to create a datastore, it fails:
The fully integrated GUI in the homescreen will login as the registered user, but if it times out or you manually log out of the Pure GUI inside the vSphere Web Client you can log back in as a different user. But that will not change the registered user and provisioning in-context in the vSphere Web Client will still be prevented. In order to allow provisioning again you must unregister the array in the vSphere Web Client and register it with a user with higher permissions.
A quick video of the process of this is below (no audio). It shows:
- Adding an array with read only permissions
- Logging into the full Pure GUI from the vSphere Client as read only
- Trying to provision storage from the vSphere Web Client and failing (because the array was registered as read only)
- Logging out of the full Pure GUI in the vSphere Web Client and logging back in as storage admin and I get more access in the GUI
- Try to go back to the vSphere Web Client in-context provisioning and once again failing to create because changing the logged in user for the full GUI doesn’t change the rest.
- Re-registering the array with storage admin
- Trying to provision in-context again in the vSphere Web Client and succeeding!
That’s it for now! Let me know if you would like to see more.