ansible-collections / community.vmware

Ansible Collection for VMware
GNU General Public License v3.0

Permission denied when attempting to clone a vm from a template #1586

Open markfaine opened 1 year ago

markfaine commented 1 year ago
SUMMARY
ISSUE TYPE
COMPONENT NAME

vmware_guest

ANSIBLE VERSION
ansible [core 2.13.5]
  config file = None
  configured module search path = ['/home/mfaine/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/python-ansible/lib64/python3.8/site-packages/ansible
  ansible collection location = /home/mfaine/development/collections
  executable location = /opt/python-ansible/bin/ansible
  python version = 3.8.13 (default, Apr  5 2022, 17:15:15) [GCC 9.1.1 20190605 (Red Hat 9.1.1-2)]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /opt/python-ansible/lib/python3.8/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 5.7.0

# /opt/python-ansible/lib64/python3.8/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 5.7.0
CONFIGURATION
ANSIBLE_PIPELINING(env: ANSIBLE_PIPELINING) = True
CACHE_PLUGIN(env: ANSIBLE_CACHE_PLUGIN) = memory
CACHE_PLUGIN_CONNECTION(env: ANSIBLE_CACHE_PLUGIN_CONNECTION) = None
CACHE_PLUGIN_PREFIX(env: ANSIBLE_CACHE_PLUGIN_PREFIX) = ansible_facts_
CACHE_PLUGIN_TIMEOUT(env: ANSIBLE_CACHE_PLUGIN_TIMEOUT) = 86400
COLLECTIONS_PATHS(env: ANSIBLE_COLLECTIONS_PATHS) = ['/home/mfaine/development/collections']
DEFAULT_DEBUG(env: ANSIBLE_DEBUG) = False
DEFAULT_FORKS(env: ANSIBLE_FORKS) = 10
DEFAULT_GATHERING(env: ANSIBLE_GATHERING) = smart
DEFAULT_HOST_LIST(env: ANSIBLE_INVENTORY) = ['/opt/inventory/inventory.yml']
DEFAULT_LOG_PATH(env: ANSIBLE_LOG_PATH) = /var/log/ansible/mfaine/ansible.log
DEFAULT_REMOTE_USER(env: ANSIBLE_REMOTE_USER) = bean
DEFAULT_TIMEOUT(env: ANSIBLE_TIMEOUT) = 60
DEFAULT_TRANSPORT(env: ANSIBLE_TRANSPORT) = ssh
DEFAULT_VAULT_IDENTITY_LIST(env: ANSIBLE_VAULT_IDENTITY_LIST) = ['default@/home/mfaine/.vault']
DEFAULT_VERBOSITY(env: ANSIBLE_VERBOSITY) = 0
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
INTERPRETER_PYTHON(env: ANSIBLE_PYTHON_INTERPRETER) = auto_silent
RETRY_FILES_ENABLED(env: ANSIBLE_RETRY_FILES_ENABLED) = False
OS / ENVIRONMENT
STEPS TO REPRODUCE

Playbook is using community.vmware.vmware_guest. The issue seems to be with the folder parameter. Additional permissions are required for the folder operation and are unknown to me. This works fine with admin permissions but not with a service account role. I need to know what the missing permissions are.

Current permissions in vsphere for the vcenter user:

    Content Library
        Add library item
        Update library item
    Datastore
        Allocate space
        Browse datastore
        Low level file operations
    Network
        Assign network
    Resource
        Assign virtual machine to resource pool
    vApp
        Export
    Virtual machine
        Change Configuration
        Add new disk
        Add or remove device
        Advanced configuration
        Change CPU count
        Change Memory
        Change Settings
        Change resource
        Set annotation
        Edit Inventory
        Create from existing
        Create new
        Remove
        Interaction
        Configure CD media
        Configure floppy media
        Connect devices
        Inject USB HID scan codes
        Power off
        Power on
        Provisioning
        Clone template
        Create template from virtual machine
        Deploy template
        Mark as template
        Mark as virtual machine
        Snapshot management
        Create snapshot
        Remove snapshot

Play:

- name: Create vm from template
  vmware_guest:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    validate_certs: "{{ vcenter_validate_certs | default(false) }}"
    datacenter: "{{ vcenter_datacenter }}"
    name: "{{ item.name }}"
    cluster: "{{ vcenter_cluster }}"
    folder: "{{ vcenter_folder }}"
    template: "nats-{{ item.vm_rhel_version }}-v2"
    state: poweredon
    proxy_host: 192.100.9.85
    proxy_port: 3128
    hardware:
      memory_mb: "{{ item.vm_memory }}"
      num_cpus: "{{ item.vm_cpu_cores }}"
      scsi: paravirtual
    networks: >
      {{ item.vm_networks }}
    customization:
      hostname: "{{ item.name.split('.')[0] }}"
    wait_for_ip_address: true
    wait_for_customization: true
  register: server
  delegate_to: localhost
  loop: "{{ molecule_yml.platforms }}"
molecule create
EXPECTED RESULTS

VM is created from a template.

ACTUAL RESULTS

Permission denied on the operation

TASK [Create vm from template] *************************************************
failed: [localhost] (item={'name': 'molecule8-fips-default-mfaine', 'ssh_key_file': '/opt/python-ansible/id_bean-rsa', 'vm_cpu_cores': 2, 'vm_memory': 2048, 'vm_networks': [{'gateway': '10.0.13.90', 'ip': '10.0.13.224', 'name': 'VM Network', 'netmask': '255.255.255.0', 'type': 'static'}], 'vm_port': 22, 'vm_rhel_version': 'rhel8', 'vm_user': 'bean'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "molecule8-fips-default-mfaine", "ssh_key_file": "/opt/python-ansible/id_bean-rsa", "vm_cpu_cores": 2, "vm_memory": 2048, "vm_networks": [{"gateway": "10.0.13.90", "ip": "10.0.13.224", "name": "VM Network", "netmask": "255.255.255.0", "type": "static"}], "vm_port": 22, "vm_rhel_version": "rhel8", "vm_user": "bean"}, "msg": "Failed to clone virtual machine molecule8-fips-default-mfaine to folder 'vim.Folder:group-v6546' due to permission issue: Permission to perform this operation was denied."}
failed: [localhost] (item={'name': 'molecule9-fips-default-mfaine', 'ssh_key_file': '/opt/python-ansible/id_bean-rsa', 'vm_cpu_cores': 2, 'vm_memory': 2048, 'vm_networks': [{'gateway': '10.0.13.90', 'ip': '10.0.13.225', 'name': 'VM Network', 'netmask': '255.255.255.0', 'type': 'static'}], 'vm_port': 22, 'vm_rhel_version': 'rhel9', 'vm_user': 'bean'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "molecule9-fips-default-mfaine", "ssh_key_file": "/opt/python-ansible/id_bean-rsa", "vm_cpu_cores": 2, "vm_memory": 2048, "vm_networks": [{"gateway": "10.0.13.90", "ip": "10.0.13.225", "name": "VM Network", "netmask": "255.255.255.0", "type": "static"}], "vm_port": 22, "vm_rhel_version": "rhel9", "vm_user": "bean"}, "msg": "Failed to clone virtual machine molecule9-fips-default-mfaine to folder 'vim.Folder:group-v6546' due to permission issue: Permission to perform this operation was denied."}
ybrock commented 1 year ago

I confirm the issue.

I have a user dedicated to provisioning VMs into a folder only. This works without problem when the action of creating a VM from a template is done from the vCenter WebUI. With the same user account, when the same action is done through the ansible "community.vmware.vmware_guest" call, I get a permission error.

If I call the same ansible task with another user with more privileges it works.

Regards

markfaine commented 1 year ago

Has anyone made any progress with this? It's been 4 months since I posted this and it's not even assigned yet.

ybrock commented 10 months ago

I've tested this issue again now to see if things have changed, and with version 4.0 it's still present.

Nothing has been done on this issue during the whole year.

Unfortunately this prevents us from automating the creation of our OpenShift clusters, since we can't tolerate our provisioning account being admin.

There must be a bug in community.vmware or in the VMware Python SDK. If only we could know the exact privileges that are required. I can't decently ask our VMware administrator for a service account with full admin privileges.

Provisioning from a template using the WebUI or the PowerCli module is working. Deleting a VM is working as well, only the creation fails.

I wish I could help on that issue.

ybrock commented 10 months ago

@markfaine : my problem has been solved. I noticed that some permissions were missing in the end.

The user used to provision the machine did not have enough access on the VMware port groups.

I've noticed this when I tried from the WebUI to add a network card on the VM, and I got a permission denied error.

So I'm not sure this is really an issue with the community.vmware module.
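The resolution above (the role was fine, but the permission was never applied to the port group objects) illustrated with an added example that is not code from the issue or from the collection. It models how vSphere resolves a principal's effective privileges per inventory object (nearest permission up the parent chain, honouring the propagate flag) and lists which of the objects touched by a clone-to-folder still lack a required privilege. The inventory, principal name, role and permission entries are constructed; the privilege IDs are the standard vSphere IDs for the privileges named in the thread, and the mapping from the thread's display names to those IDs is mine.

```python
# Constructed model of vSphere object permissions (not from the issue or the
# collection). Permissions are granted per inventory object; the effective role
# for a principal on an object is the nearest permission up the parent chain
# (a direct entry, or an inherited one with propagate=True). Real data would
# come from vCenter's AuthorizationManager; everything below is sample data.

PARENTS = {                          # child -> parent of the constructed inventory
    "group-v6546": "datacenter-1",   # VM folder named in the error message
    "network-12": "datacenter-1",    # "VM Network" port group
    "datastore-7": "datacenter-1",
    "resgroup-3": "datacenter-1",
    "datacenter-1": "group-d1",      # root folder, no parent
}

# objects a clone to a folder with a network and resource pool touches, and the
# privilege each one must grant to the provisioning principal
REQUIRED = {
    "group-v6546": {"VirtualMachine.Inventory.CreateFromExisting",
                    "VirtualMachine.Provisioning.DeployTemplate"},
    "network-12": {"Network.Assign"},
    "datastore-7": {"Datastore.AllocateSpace"},
    "resgroup-3": {"Resource.AssignVMToPool"},
}

def effective_privileges(perms, roles, principal, obj):
    """Privileges of the first permission for principal that applies to obj,
    walking towards the root; no applicable permission means no privileges."""
    direct = True
    while obj is not None:
        for p in perms:
            if p["entity"] == obj and p["principal"] == principal and (direct or p["propagate"]):
                return roles[p["role"]]
        obj, direct = PARENTS.get(obj), False
    return set()

def missing_privileges(perms, roles, principal, required=REQUIRED):
    """Map each object that still lacks a required privilege to the gap."""
    gaps = {}
    for obj, needed in required.items():
        lacking = needed - effective_privileges(perms, roles, principal, obj)
        if lacking:
            gaps[obj] = lacking
    return gaps

ROLES = {"provisioner": set().union(*REQUIRED.values())}  # role itself is complete
# permission applied only on the VM folder: the folder is fine, but the port
# group, datastore and resource pool never see it, so the clone is denied
FOLDER_ONLY = [{"entity": "group-v6546", "principal": "svc-molecule",
                "role": "provisioner", "propagate": True}]
# the same role also granted (without propagation) on the three other objects
FIXED = FOLDER_ONLY + [{"entity": e, "principal": "svc-molecule",
                        "role": "provisioner", "propagate": False}
                       for e in ("network-12", "datastore-7", "resgroup-3")]
```

Run `missing_privileges(FOLDER_ONLY, ROLES, "svc-molecule")` to see the three objects the folder-scoped grant never reaches; with `FIXED` the result is empty.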