I did a crazy thing last week: I updated our vCenter Server Appliance (VCSA) from 5.5 U3a to 6.0 Update 1 (build 3040890). I was surprised by how flawlessly it went. It finished in a couple of hours and "almost" everything worked as expected, so big success 🙂
Until users started reporting permission problems. For example, users who only had the right to power on VMs could no longer do it from the Web Client and got a "File not found" error, and so on. That was not a big concern in itself, until I tried something else.
I had to patch an ESXi host using Update Manager and noticed that it was working when it should not have been: Update Manager was still using a local OS account that no longer existed in the new VCSA 6.0. So I started digging.
I removed all permissions for my personal account, and I was still able to log in and perform every administrative task. I removed them at every level, including Global Permissions, and my account no longer showed up in any GUI, neither the Web Client nor the vSphere Client.
In my opinion this is a huge security flaw: you cannot effectively revoke access for users who had it in the old vCenter 5.5, and nothing in the GUI tells you the stale permissions are still there.
I found KB 2123931, which covers permissions in vCenter 6.0. I tried to find my account in both of the new locations, the cis_kv_keyvalue table and Lotus (the VMware Directory Service), but it was not there.
The KB also says the VPX_ACCESS table is no longer used. However, when I ran a select against it, I found all the old users and their permissions, including mine.
So I decided to truncate (clear) the vpx_access table to see if that helped; it was not supposed to be used anyway :). It did help, so the table evidently is still being consulted!
After I restarted the vCenter services I finally got the "no permission" error, and I could no longer log in with my account. Permissions for the other users worked fine and were intact, as they should be.
Steps to clear the old permissions:
1. Take a snapshot of your vCenter appliance.
2. Follow KB 2123931 up to step 6 to enter the Postgres shell.
3. To see the records in the old table, enter:
   select * from vpx_access;
4. Delete the records (not the table).
5. Restart the vCenter services as instructed in the KB:
   service-control --stop --all
   service-control --start --all
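The following is an added worked example of the database part of the procedure above; it is not code from the original post or from VMware's KB. It assumes you are in the psql session reached at step 2, connected to the vCenter database as a user allowed to read and truncate vpx_access, and that the appliance snapshot from step 1 already exists. The column names principal, role_id and entity_id are assumed from the 5.5 schema, the search string 'jdoe' is a placeholder for the account you revoked, and vpx_access_55_backup is a name chosen for this example.

```sql
-- Added example, not part of the original post or of VMware KB 2123931.
-- Run inside the psql session from step 2, after taking the snapshot.

-- 1. Audit: how many legacy 5.5 permission rows survived the upgrade, and
--    which principals they belong to. principal/role_id/entity_id are
--    assumed column names; if your table differs, use SELECT * instead.
SELECT COUNT(*) AS legacy_rows FROM vpx_access;

SELECT principal, role_id, entity_id, COUNT(*) AS n
  FROM vpx_access
 GROUP BY principal, role_id, entity_id
 ORDER BY principal;

-- 2. Check for one specific account you believe you already revoked.
--    'jdoe' is a placeholder: match on the exact string the old vCenter
--    stored, which may be in DOMAIN\user or user@domain form.
SELECT * FROM vpx_access WHERE principal ILIKE '%jdoe%';

-- 3. Keep a copy inside the database as a second rollback path next to
--    the snapshot (vpx_access_55_backup is an example name).
CREATE TABLE vpx_access_55_backup AS SELECT * FROM vpx_access;

-- 4. Clear the legacy rows. TRUNCATE empties the table but leaves it in
--    place, so anything that still expects the table to exist keeps
--    working. In PostgreSQL TRUNCATE is transactional: if the count after
--    it is not what you expect, issue ROLLBACK instead of COMMIT.
BEGIN;
TRUNCATE TABLE vpx_access;
SELECT COUNT(*) AS remaining_rows FROM vpx_access;
COMMIT;

-- 5. Leave psql, restart the services (step 5 above) and re-test: the
--    revoked account should now get "no permission", while accounts that
--    hold permissions in the 6.0 store should be unaffected.
```

Run the audit queries in step 1 before and after the restart: a non-zero legacy_rows count after the upgrade is the only visible trace of these permissions, since the accounts do not appear in either client GUI.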
Clearing the table also fixed another error I was getting on my account when trying to search from the vSphere Client:
"Unable to connect to web services to execute query. Verify that the 'VMware VirtualCenter Management Webservices' service is running on https://vcenter:443/invsvc"
Author: Dusan Tekeljak