HPE SimpliVity

Simplivity for HyperV - Datastore permissions issue

 
B0ris
Advisor

Simplivity for HyperV - Datastore permissions issue

Hi,

Did anyone with a HyperV deployment notice that all files and folders created on a Simplivity Datastore have Everyone full access (read and write) permissions? This is a serious security issue and should be fixed in the next versions of Simplivity for HyperV deployments.

On the other hand, I would like to know which permissions VM files/folders should have so that the Simplivity Federation (nodes, etc.) can correctly access them. The Everyone object shouldn't have ANY permissions.

KGman
HPE Pro

Re: Simplivity for HyperV - Datastore permissions issue

Hi @B0ris,

Ideally AAA services would be managed by the AD server(s) in use by the Hyper-V cluster; there is no dependency on the Simplivity layer that would require open access for files/folders. The only requirement for Simplivity function would be that the highlighted groups are used and added during deployment.

Again there are no defined permissions that "should" be set on the file/folder level, this would be determined on the system admin level and depending on your organisational requirements.

If you wish to look into this further I would suggest opening a support ticket and working with support to correlate system requirements.


B0ris
Advisor

Re: Simplivity for HyperV - Datastore permissions issue

Hi,

We have already opened a support ticket for this issue, and one of your support guys said that the Everyone object should simply be removed. When he did this, the virtual machine was inaccessible and we had to delete it and restore it from backup. So this is not as easy as it looks, and there must be some permissions dependency.

Anyway, if we want to set any other permission (for example, add the HPE Simplivity Admins group to have a specific permission) we get an Access Denied error. For that operation, we are using a Domain Admin user which is also in the HPE Simplivity Admins group.

DWatson
Occasional Visitor

Re: Simplivity for HyperV - Datastore permissions issue

We are trying to get up and running with 3.7.9.

While working with an engineer I questioned the Everyone access.

We built out a group containing all of our nodes' computer accounts and all HPE simplivity admins, and threw in our SCVMM server for good measure. We gave this group full control of the datastore share and removed Everyone and Domain Computers from the share.
That effectively trashed the datastore. None of the nodes have access to the share and VMs can't be built.

We cannot fix this either thus far. Our task to delete the datastore is stuck as is the task to create a new DS. 

This is a glaring security issue with what I am finding to be an underdeveloped product that is not ready for production use.

B0ris
Advisor

Re: Simplivity for HyperV - Datastore permissions issue

@DWatson: I cannot agree more that Simplivity HyperV is far from being used in a production environment. This is not the only problem that we had, and there is also very poor HPE support for the Simplivity HyperV platform. Sorry, but that's the truth.