4.0

Each line of the js-io-rights.conf file must contain the following information.
• A plus (+) or minus (-) sign to indicate whether rights are permitted or denied
• The read (r), write (w), and execute (x) levels of rights
• The path on which to apply the rights
Orchestrator resolves access rights in the order they appear in the js-io-rights.conf file. Each line can override
the previous lines. The following code extract shows the default content of the js-io-rights.conf configuration
file:
-rwx c:/
+rwx c:/orchestrator
+rx ../../configuration/jetty/logs/
+rx ../server/vmo/log/
+rx ../bin/
+rx ./boot.properties
+rx ../server/vmo/conf/
+rx ../server/vmo/conf/plugins/
+rx ../server/vmo/deploy/vmo-server/vmo-ds.xml
+rx ../../apps/
+r ../../version.txt
The first two entries in the default js-io-rights.conf configuration file allow the following access rights:
-rxw c:/
All access to the file system is denied.
+rxw c:/orchestrator
Read, write, and execute access is permitted in the c:/orchestrator directory.
In the default js-io-rights.conf configuration file, the second line partially overrides the first line because
the c:/orchestrator entry comes after the c:/ entry. This allows read, write, and execute access to
c:/orchestrator but denies access to the rest of the file system under c:/. The default configuration allows
workflows and the Orchestrator API to write to the c:/orchestrator directory, but nowhere else.
IMPORTANT You can permit access to all parts of the file system by setting +rxw / in the js-io-rights.conf
file. However, doing so represents a high security risk.
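The resolution order described above, as an added example that is not VMware's code: a small Python audit helper that applies each line in file order and reports the rights left on a path. It assumes prefix matching on normalized paths and nothing allowed before the first matching line, and it leaves relative entries unresolved because the page does not say what they are relative to; the function names are hypothetical.

```python
import posixpath

# Constructed sample: the two absolute entries from the default file on this page.
DEFAULT_CONF = "-rwx c:/\n+rwx c:/orchestrator\n"

def norm(path):
    # Assumption: case-insensitive paths, either slash style, ".." collapsed first.
    return posixpath.normpath(path.lower().replace("\\", "/"))

def parse(conf_text):
    """Return [(grant, rights, path)] in file order; reject malformed lines."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip():
            continue
        flags, _, path = line.strip().partition(" ")
        sign, rights = flags[0], set(flags[1:])
        if sign not in ("+", "-") or not rights or not rights <= set("rwx") or not path.strip():
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        rules.append((sign == "+", rights, norm(path.strip())))
    return rules

def effective(rules, target):
    """Rights left on target after every matching line is applied in order."""
    target, allowed = norm(target), set()  # assumption: nothing allowed by default
    for grant, rights, path in rules:
        # A line applies to its path and everything beneath it (assumed prefix match).
        if target == path or target.startswith(path.rstrip("/") + "/"):
            allowed = allowed | rights if grant else allowed - rights
    return "".join(r for r in "rwx" if r in allowed)

def root_grants(rules):
    """Paths of '+' lines that open a filesystem root, e.g. '+rxw /'."""
    return [p for grant, _, p in rules if grant and (p == "/" or (len(p) == 2 and p[1] == ":"))]

if __name__ == "__main__":
    rules = parse(DEFAULT_CONF)
    for t in ("c:/orchestrator/out.txt", "c:/windows/win.ini",
              "C:\\orchestrator\\..\\windows\\win.ini"):
        print(f"{t!r}: {effective(rules, t) or '(none)'}")
    print("root grants:", root_grants(parse(DEFAULT_CONF + "+rxw /\n")))
```

Reversing the two default lines leaves c:/orchestrator with no rights, which makes line order worth checking whenever the file is edited.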
Set Server File System Access for Workflows and JavaScript
To change the parts of the server file system that workflows and the Orchestrator API can access, modify the
js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow tries to access
the Orchestrator server file system.
Orchestrator has read, write, and execute rights to a folder named orchestrator, at the root of the server system.
Although workflows have permission to read, write, and execute in this folder, you must create the folder on
the server system.
Procedure
1 Create the c:/orchestrator folder at the root of the Orchestrator server system.
2 Navigate to the following folder on the Orchestrator server system.
Option: If you installed Orchestrator with the vCenter Server installer
Action: Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.

Option: If you installed the standalone version of Orchestrator
Action: Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.
Chapter 8 Setting System Properties
VMware, Inc.