earlier about managing local users and groups and integrating ESXi authentication into Active
Directory.
Because the user accounts exist outside the ESXi hosts, and because the roles, privileges, and
permissions are defined outside the ESXi hosts, when you use vCenter Server to manage your
virtual infrastructure, you are really only creating a task and not directly interacting with the
ESXi hosts or the VMs. This is true for any user using vCenter Server to manage hosts or VMs.
For instance, Shane, an administrator, wants to log into vCenter Server and create a new VM.
Shane first needs the proper role—perhaps a custom role you created specifically for the purpose
of creating new VMs—assigned to the proper inventory object or objects within vCenter
Server.
Assuming the correct role has been assigned to the correct inventory objects—let's say it's a
resource pool—Shane has what he needs to create, modify, and monitor VMs. But does Shane's
user account have direct access to the ESXi hosts when he's logged into vCenter Server? No, it
does not. In fact, a proxy account is used to communicate Shane's tasks to the appropriate ESXi
host or VM. This account, vpxuser, is the only account that vCenter Server stores and tracks in
its backend database.
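The role-and-permission setup described for Shane, as an added PowerCLI example (not code from the book). It assumes a vCenter Server at vcsa.example.com, an Active Directory account CORP\shane, a resource pool named Dev-Pool, a datastore named Dev-DS, and a port group named VM Network; the role name and privilege list are illustrative, chosen from the privilege IDs that Get-VIPrivilege reports.

```powershell
# Added example, not from the book. Names below are assumptions for illustration.
Connect-VIServer -Server 'vcsa.example.com'

# A deliberately small custom role: just enough to create a VM and place it.
# Privilege IDs are the ones Get-VIPrivilege lists; a production role usually
# needs more (for example VirtualMachine.Interact.* to power on and console in).
$privIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk',
    'Resource.AssignVMToPool',
    'Datastore.AllocateSpace',
    'Network.Assign'
)
$role = New-VIRole -Name 'VM Creator' -Privilege (Get-VIPrivilege -Id $privIds)

# Bind the role to Shane on the resource pool. Propagate lets child objects inherit it.
$pool = Get-ResourcePool -Name 'Dev-Pool'
New-VIPermission -Entity $pool -Principal 'CORP\shane' -Role $role -Propagate $true

# vCenter checks datastore and network privileges on the datastore and network
# objects themselves, so the same (or a narrower) role must be granted there too,
# or VM creation fails with "permission to perform this operation was denied".
New-VIPermission -Entity (Get-Datastore -Name 'Dev-DS') -Principal 'CORP\shane' -Role $role -Propagate $false
New-VIPermission -Entity (Get-VirtualPortGroup -Name 'VM Network') -Principal 'CORP\shane' -Role $role -Propagate $false

# Show exactly what vCenter will enforce for Shane.
Get-VIPermission -Principal 'CORP\shane' |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } }
```

Granting the narrowest role on the narrowest objects is the point: Shane never receives a host-level account, and the permission record above is the whole of what vCenter will let him do.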
vpxuser Security
The vpxuser account and password are stored in the vCenter Server database and on the ESXi hosts;
the account is used to communicate from a vCenter Server computer to an ESXi host. The vpxuser password
consists of 32 randomly selected characters, is stored as a SHA1 hash on the ESXi host (not encrypted;
it cannot be recovered from the host), and is obfuscated on vCenter Server. Each vpxuser password is
unique to the ESXi host being managed by vCenter Server.
No direct administrator intervention is warranted or advised for this account, because that would
break the vCenter Server functions that depend on it. The account and password are never used by
humans, and vpxuser has no shell access on any ESXi host. Thus, it isn't necessary to manage
this account or include it in the security policies that apply to normal administrative and regular user accounts.
Anytime vCenter Server polls an ESXi host or an administrator creates a task that needs to
be communicated to an ESXi host, the vpxuser account is used. On the ESXi hosts that are man-
aged by vCenter Server, the vpxuser account exists (it's created automatically by vCenter Server;
this is why vCenter Server asks you for the root password when adding a host to the inventory)
and is assigned the Administrator role. This gives the vpxuser account the ability to perform
whatever tasks are necessary on the individual ESXi hosts managed by vCenter Server. When
a user logs into vCenter Server, vCenter Server applies its security model (roles, privileges,
and permissions) to that user, ensuring that the user is permitted to perform only the tasks for
which they are authorized. On the backend, though, all these tasks are proxied onto the indi-
vidual ESXi hosts as vpxuser.
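A way to verify the proxy model from both sides, as an added PowerCLI example (not code from the book). It assumes the managed host is esxi01.example.com, that you hold its root credentials, and that CORP\shane holds a vCenter permission but no host-level account. The vCenter setting queried at the end, VirtualCenter.VimPasswordExpirationInDays, is the interval at which vCenter rotates each host's vpxuser password.

```powershell
# Added example, not from the book. Host and user names are assumptions.
$vc  = Connect-VIServer -Server 'vcsa.example.com'
$esx = Connect-VIServer -Server 'esxi01.example.com' -User 'root' -Password (Read-Host -AsSecureString 'root password' | ConvertFrom-SecureString -AsPlainText)

# 1. Permissions defined directly on the host. Expect root and vpxuser with the
#    Admin role (dcui appears on some versions). Any human principal listed here
#    bypasses vCenter's roles and permissions entirely and should be removed.
Get-VIPermission -Server $esx | Select-Object Principal, Role, Propagate

# 2. vpxuser is a real local account on the host, created when it was added to inventory.
Get-VIAccount -Server $esx | Where-Object { $_.Name -eq 'vpxuser' } | Select-Object Name, Description

# 3. Shane's vCenter permission does not exist on the host; his tasks arrive as vpxuser.
$onHost = Get-VIPermission -Server $esx | Where-Object { $_.Principal -like '*shane*' }
if (-not $onHost) { 'shane has no host-level permission (expected)' }

# 4. vCenter rotates the vpxuser password on a schedule; 0 disables rotation,
#    which is the only value worth flagging in a review.
Get-AdvancedSetting -Entity $vc -Name 'VirtualCenter.VimPasswordExpirationInDays' |
    Select-Object Name, Value

Disconnect-VIServer -Server $esx -Confirm:$false
```

The same host-side facts can be read from the ESXi shell with esxcli system account list and esxcli system permission list; the point of checking is not vpxuser itself, which vCenter manages, but any other principal that has been granted Admin directly on a host behind vCenter's back.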
You should now have a good idea of what's involved in vCenter Server authentication. We'd
like to focus now on vCenter Server permissions, which control what users are allowed to do
after they've authenticated to vCenter Server.