vRealize Orchestrator – adding permissions to vCenter using ONYX

I was asked a question about how to do something in JavaScript using the vCenter API, and my response was ‘check ONYX’ to see what API calls are being made. My colleague’s response was that he wasn’t a fan of ONYX. Now, for a moment I thought about what he said, carried on and got to the bottom of the problem. Later on, however, I gave some more thought to what my colleague said, and I do understand why ONYX doesn’t give you the desired out-of-the-box solution, but it sure don’t half help get you there. So I decided to pick a task and see what the ONYX output was and how helpful it was. The task was to add a user to a role in vCenter.

This was the output of ONYX

// ------- SetEntityPermissions -------

var entity = Server.findForType("VC:Folder", managedObject.vimHost.id + "/group-d1");

var permission = System.getModule("com.vmware.onyx").array(VcPermission, 1);
permission[0] = new VcPermission();
permission[0].principal = "CORP\\asmith";
permission[0].group = false;
permission[0].roleId = -2;
permission[0].propagate = true;

managedObject.setEntityPermissions(entity, permission);  // AuthorizationManager

It’s pretty rough I reckon, but I started to break down what it was doing to get me my solution. The first line:


var entity = Server.findForType("VC:Folder", managedObject.vimHost.id + "/group-d1");

Now, at first I didn’t understand what this line was doing, but it’s obviously looking for a VC:Folder called group-d1. Investigating further, this is the root DC folder where I was adding permissions. When I tried to create this entity, the script didn’t recognise what managedObject was. Fair enough: ONYX knew, but the script doesn’t have any input to tell it what object it was managing. So I found a script that created that entity for me:


// Assume only one VC is registered in the configurator
var dcFolders = VcPlugin.getAllDatacenterFolders();

// The root object of the inventory is the datacenter folder that has no parent.
var rootDCFolder;
for (var i in dcFolders) {
     if (!dcFolders[i].parent) {
          // datacenter folder without parent - we found the root object
          rootDCFolder = dcFolders[i];
          System.log(rootDCFolder.name);
          break;
     }
}

So now I had the rootDCFolder entity which was the folder I was adding the permission to.

Looking at the next bit of ONYX output, it was building up the permissions I was applying.


var permission = System.getModule("com.vmware.onyx").array(VcPermission, 1);
permission[0] = new VcPermission();
permission[0].principal = "CORP\\asmith";
permission[0].group = false;
permission[0].roleId = -2;
permission[0].propagate = true;


I just swapped out the first line above, var permission = System.getModule("com.vmware.onyx").array(VcPermission, 1);, for a plain array, so it looked like this:

var permission = new Array();

Pretty simple, and I didn’t change any of the VcPermission attributes, as these were the permissions I wanted to set. This is actually the helpful stuff ONYX spits out, in my opinion.

However, I needed to create the ‘authorizationManager’ object, or AzMan, that some of us would have come across before. So I looked at the API object explorer in vRealize Orchestrator and found the VC:Folder object method that was initially returned in the ONYX output.

I then created the authorizationManager as per what the API object explorer explained.

var entity = rootDCFolder.sdkConnection.authorizationManager;

So the last bit of ONYX code was to run the setEntityPermissions using the entity object I set as an instance of authorizationManager.

entity.setEntityPermissions(rootDCFolder, permission);  // AuthorizationManager

So this is the entire script:

// ------- GetEntity -------

var dcFolders = VcPlugin.getAllDatacenterFolders();
var rootDCFolder;
for (var i in dcFolders) {
     if (!dcFolders[i].parent) {
          // datacenter folder without parent - we found the root object
          rootDCFolder = dcFolders[i];
          System.log(rootDCFolder.name);
          break;
     }
}
// Stop here rather than fail later on an undefined folder
if (!rootDCFolder) {
     throw "No root datacenter folder found";
}

// ------- SetEntityPermissions -------

// 'entity' holds the AuthorizationManager of the vCenter that owns the folder
var entity = rootDCFolder.sdkConnection.authorizationManager;
var permission = new Array();
permission[0] = new VcPermission();
permission[0].principal = "CORP\\csmith";
permission[0].group = false;
permission[0].roleId = -2;
permission[0].propagate = true;

entity.setEntityPermissions(rootDCFolder, permission);

So, it wasn’t too difficult, but my colleague is right that, straight off the bat, ONYX output doesn’t look useful and can put people off. However, there was no way I would have got as far without using ONYX!
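Because propagate = true on the root folder applies the grant to everything beneath it, the call is worth wrapping in a lookup and a read-back. The following is an added example, not ONYX output and not the script above: it resolves the role by name instead of hard-coding the id, skips the write when the same grant already exists, and confirms the result afterwards. It assumes the plug-in's authorizationManager exposes roleList and retrieveEntityPermissions(entity, inherited) as the vSphere API does; the function names, the case-insensitive principal match and the stand-in manager with its sample roles are constructed for illustration.

```javascript
// Added example; the roleList and retrieveEntityPermissions members are assumed.
function samePermission(p, principal, isGroup, roleId, propagate) {
    return p.principal.toLowerCase() === principal.toLowerCase() &&
        p.group === isGroup && p.roleId === roleId && p.propagate === propagate;
}

function findPermission(authMgr, entity, principal, isGroup, roleId, propagate) {
    // false = only permissions defined on this entity, not inherited ones
    var perms = authMgr.retrieveEntityPermissions(entity, false) || [];
    for (var i = 0; i < perms.length; i++) {
        if (samePermission(perms[i], principal, isGroup, roleId, propagate)) return perms[i];
    }
    return null;
}

function grantRoleChecked(authMgr, entity, principal, isGroup, roleName, propagate, newPermission) {
    // Resolve the role by name so the numeric id is not hard-coded.
    var roles = authMgr.roleList || [], role = null;
    for (var i = 0; i < roles.length; i++) {
        if (roles[i].name === roleName) { role = roles[i]; break; }
    }
    if (!role) throw new Error("Role not found: " + roleName);

    // Leave the entity alone if the same grant is already defined on it.
    if (findPermission(authMgr, entity, principal, isGroup, role.roleId, propagate)) return "unchanged";

    var perm = newPermission(); // in vRO: function () { return new VcPermission(); }
    perm.principal = principal;
    perm.group = isGroup;
    perm.roleId = role.roleId;
    perm.propagate = propagate;
    authMgr.setEntityPermissions(entity, [perm]);

    // Read the permissions back instead of trusting the call.
    if (!findPermission(authMgr, entity, principal, isGroup, role.roleId, propagate)) {
        throw new Error("Permission missing after setEntityPermissions: " + principal);
    }
    return "granted";
}

// Constructed stand-in for the AuthorizationManager so the block runs outside vRO.
function makeFakeAuthMgr() {
    var store = [];
    return {
        roleList: [{ roleId: -1, name: "Admin" }, { roleId: -2, name: "ReadOnly" }],
        retrieveEntityPermissions: function (entity, inherited) { return store.slice(); },
        setEntityPermissions: function (entity, perms) { store = store.concat(perms); }
    };
}
```

Inside a workflow, pass rootDCFolder.sdkConnection.authorizationManager and rootDCFolder in place of the stand-in, and log the returned "granted" or "unchanged" with System.log so each run leaves a record of what was changed.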
