HPE Community
HPE SimpliVity
1822614 Members
3664 Online
109643 Solutions
New Discussion юеВ

Re: Simplivity for HyperV - Datastore permissions issue

 
B0ris
Frequent Advisor

тАО05-09-2019 12:32 AM

тАО05-09-2019 12:32 AM

Simplivity for HyperV - Datastore permissions issue

Hi,

did anyone with HyperV deployment noticed, that all files and folders created on Simplivity Datastore has Everoyone full access (read and write) permissions ? This is seriuous security issue, and should be fixed in next versions of Simplivity for HyperV deployments. 

On another hand, I would like to know which permissions should VM files/folder have, so that Simplivity Fedaration (nodes,etc.) can correctly access it ? Everyone object shouldn't have ANY permissions.

0 Kudos
Reply
4 REPLIES 4
KGman
HPE Pro

тАО05-11-2019 02:44 AM

тАО05-11-2019 02:44 AM

Re: Simplivity for HyperV - Datastore permissions issue

Hi @B0ris,

Ideally AAA services would be managed by the AD server(s) in use by the Hyper-V cluster, there is no dependancy on the Simplivity layer that would require open access for files/folders. The only requirement for Simplivity funcaiton would be that the highlighted groups are used and added during deployment.

Again there are no defined permissions that "should" be set on the file/folder level, this would be determined on the system admin level and depending on your organisational requirements.

If you wish to look in to this further I would suggest opening a support ticket and working with support to correlate system requirements.


I work for HPE
Accept or Kudo
0 Kudos
Reply
B0ris
Frequent Advisor

тАО05-13-2019 08:32 AM

тАО05-13-2019 08:32 AM

Re: Simplivity for HyperV - Datastore permissions issue

Hi,

we already have opened support ticket for this issue and one of your support guy said, that Everyone object should simply be removed. When he did this, virtual machine was unaccessible and we had to delete it, and restore it from backup. So this is not as easy as it looks and there must be some permissions dependency.

Anyway. If we want to set any other permission (for example add HPE Simplivity Admins group to have specific permission) we get Access Denied error. For that operation, we are using Domain Admin user which is also in HPE Simplivity Admins groups. 

0 Kudos
Reply
DWatson
New Member

тАО08-12-2019 07:31 AM

тАО08-12-2019 07:31 AM

Re: Simplivity for HyperV - Datastore permissions issue

We are trying to get up and running with 3.7.9.

While working with an engineer I questioned the Everyone access.

We built out a group containing all of our nodes computer accounts and all HPE simplivity admins, threw in our SCVMM server for good measure. We gave this group full control of the datastore share and remove Everyone and Domain Computers form the share. 
That effectively trashed the datastore. None of the nodes have access ot the share and VMs can't be built.

We cannot fix this either thus far. Our task to delete the datastore is stuck as is the task to create a new DS. 

This is a glaring security issue with what I am finding to be an underdeveloped product that is not ready for production use.

0 Kudos
Reply
B0ris
Frequent Advisor

тАО08-12-2019 09:59 AM

тАО08-12-2019 09:59 AM

Re: Simplivity for HyperV - Datastore permissions issue

@DWatson: I cannot agree more, that Simplivity HyperV is far from being used in production environment. This is not the only problem that we had, and also there is very poor HPE support for Simplivity HyperV platform. Sorry, but that's the truth.

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.