VMware vFabric Data Director - 1.0 Administrator’s Guide

VMware vFabric Data Director
Administrator and User Guide
vFabric Data Director 1.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000709-01
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

About VMware vFabric Data Director
Updated Information
1 VMware vFabric Data Director and vFabric Postgres Overview
  VMware vFabric Data Director System Architecture
  VMware vFabric Data Director Components
  Data Director User Management Modes
  About Data Director Administration
  vFabric Postgres Databases
2 Managing Data Director Resources
  Resource Management Overview
  Resource Bundles and Resource Pools
  Resource Assignment
  vSphere Resource Pools and Data Director
  Viewing Resource Information
  Monitor Resource Usage
  Create a Resource Pool
  Create a Resource Bundle
  Assign a Resource Bundle to an Organization
  Perform Advanced Cluster Configuration
3 Managing Users and Roles
  User Management Overview
  Authenticating Users
  Role-Based Access Control
  Predefined Roles
  Privileges
  Propagation of Permissions and Roles
  Organization Privileges and Permissions
  Add Users to Your Organization
  Add Roles to an Organization
  Grant a Permission to a User
  Modify Organization Security Settings
4 Managing Organizations
  Organization Structure
  Operating Organizations
  Managing Resources For Organizations
  Managing Organization Users
  Create an Organization
5 Managing Database Groups
  Database Group Management Overview
  Managing Resources for Database Groups
  Database Groups and Security
  Create a Database Group
6 Managing Database Templates
  Introduction to Database Templates
  Create a Database Configuration Template
  Modify a Database Configuration Template
  Create a Backup Template
  Modify a Backup Template
7 Managing Databases
  Database Lifecycle
  Requirements for Creating Databases
  Create a Database
  Using Tags
8 Cloning Databases
  Clone Types
  Cloning Customizations
  Clone a Database
9 Managing Database Entities
  Database Entity Management
  Database Administration
  SQL Management
10 Safeguarding Data
  Backup Strategies
  Backup Types
  Backup Template Settings
  Preconfigured Backup Templates
  Select a Database Backup Template
  Schedule Regular Database Backups
  Recover a Database
  Import Backups
  Use VMware Data Recovery for Backups
  Database End of Life and Backups
11 Monitoring the Data Director Environment
  Explore Monitoring Customization and Filtering
  Monitoring for System Administrators
  Monitoring for Organization Administrators
  Explore Database Monitoring
  Working with Alarms
12 Managing Licenses
  License Management Overview
  Counting Data Director Licenses
  About Evaluation Licenses
  Add License Keys
  View License Information
  Change the Database Usage Type
  Remove License Keys
13 Reconfiguring Data Director Networks
  Change the vCenter IP Address
  Reconfigure the Web Console Network Mapping or Network Adapter
  Reconfigure the vCenter Network Mapping
  Reconfigure the vCenter Network Adapter Settings
  Reconfigure the DB Name Service Network or DB Name Service Network Adapter
  Reconfigure the Internal Network or Internal Network Adapter Mapping
  Verify Network Settings in Data Director
14 Data Director Troubleshooting
  vCenter Server Stops Responding
  Resource Bundles Become Unusable Because DRS Is Disabled
  Missing Resource Pool
Index

About VMware vFabric Data Director

The VMware vFabric Data Director Administrator and User Guide provides information about administering VMware® vFabric Data Director. Administration tasks include creating organizations and database groups, managing users and roles, resource allocation, database and backup configuration, cloning databases, safeguarding data, and monitoring your system.
The Data Director software solution provides on-site self-service database provisioning and automation to database administrators and application developers, including the following.
- Self-service database creation and resource allocation.
- Flexible, policy-based resource management.
- Resource isolation within organizations and within databases.
- Security policy implementation through role-based access control.
- Delegating and granting customizable roles and privileges to specify users' allowed actions.
Self-service database lifecycle management enables application developers to create new databases, manage schemas, configure backups, perform restores, clone databases for testing and development, scale up database sizes, and decommission databases. Customizable database configuration and backup templates enable administrators to control database parameters and enforce resource allocation policies, and provide application developers with simplified database creation and resource allocation.
Intended Audience
This document is for administrators and application developers.
- System administrators use this document to learn about managing and monitoring a Data Director environment. System administrators create organizations, allocate resources to them, and perform other high-level tasks.
- Organization administrators use this document to learn about managing and monitoring database groups and databases. Organization administrators can use and customize database templates, can assign resources, and can monitor their organization.
- Application developers use this document to learn about creating, managing and monitoring databases.

Updated Information

This vFabric Data Director Administrator and User Guide is updated with each release of the product or when necessary.
This table provides the update history of the vFabric Data Director Administrator and User Guide.
Revision        Description
EN-000709-01    - The topic Chapter 1, “VMware vFabric Data Director and vFabric Postgres Overview,” on page 11 clarifies information about user management modes.
                - The topic Chapter 8, “Cloning Databases,” on page 57 clarifies clone point information.
                - The topic Chapter 12, “Managing Licenses,” on page 103 clarifies information about license types and database usage types.
                - Minor revisions.
EN-000709-00    Initial release.

Chapter 1 VMware vFabric Data Director and vFabric Postgres Overview

The VMware vFabric Data Director and vFabric Postgres software solutions enable you to provide on-site self-service database provisioning and automation to database administrators and application developers.
This chapter includes the following topics:
- “VMware vFabric Data Director System Architecture,” on page 11
- “VMware vFabric Data Director Components,” on page 11
- “Data Director User Management Modes,” on page 12
- “About Data Director Administration,” on page 13
- “vFabric Postgres Databases,” on page 14

VMware vFabric Data Director System Architecture

The Data Director architecture provides database as a service (DBaaS) to application developers with security and resource isolation as well as flexible, policy-based resource management and role-based access control for system administrators. Data Director is optimized for VMware vSphere.
At the system level, Data Director supports flexible, policy-based resource management and provides resource isolation between organizations and databases. As a Data Director system administrator, you can implement security policies through role-based access control, controlling users' allowed actions with customizable roles and privileges that you delegate and grant as required.
Within organizations, Data Director offers self-service database lifecycle management for VMware vFabric Postgres (vPostgres) databases. You control database parameters with customizable database configuration and database backup templates. These templates simplify database creation and provisioning for application developers. Developers can create databases and allocate resources for them, manage schemas, set up backups and perform restores, clone databases for testing and development, scale database sizes up, and decommission databases without assistance.
The vPostgres database is based on the open source Postgres database, an ACID-compliant, ANSI-SQL-compliant transactional relational database. The database is optimized for vSphere and is compatible with Postgres client tools and drivers.

VMware vFabric Data Director Components

VMware vFabric Data Director consists of the database lifecycle management platform and vFabric Postgres (vPostgres).
The Data Director hierarchy has the following levels.
- System (the database lifecycle management platform)
- Organizations
- Database groups
- Databases (vPostgres databases)
System administrators perform management tasks at the system level, which is the top level of the hierarchy. To edit system-level settings you must have system privileges, but having system privileges does not allow you to make changes to the other levels.
A system can contain multiple organizations. An organization can contain multiple database groups. A database group can contain multiple databases. You cannot create database groups at the system level. They can exist only within organizations. Databases can exist only within database groups.
The following figure shows the Data Director system hierarchy.
Figure 1-1. Data Director System Hierarchy
System administrators manage Data Director resources at the system, organization, and database group levels. System administrators create resource bundles from vSphere resource pools (CPU and memory resources) and networking and storage resources, and allocate one or more resource bundles to each organization. Organization administrators assign resources from their resource bundles to database groups for consumption by databases.

Data Director User Management Modes

Data Director user management modes control how users are assigned and managed among different organizations. Data Director has two user management modes: Global mode (for enterprises) and By Organization mode (for service providers). Global user management mode is the default.
By Organization user management mode has the following characteristics.
- Organizations are set up as separate, isolated enterprises with no visibility into other organizations.
- The Data Director system user list is not visible to organizations.
- No organization can see another organization's user list.
- Organization administrators send email to invite users to join their organization, or users can navigate to the Data Director application URL and click an email link to request access to an organization.
Global user management mode has the following characteristics.
- Organizations are set up as separate departments, business units, or groups within one enterprise, such as a corporation's HR and Finance departments.
- All Data Director users are visible to all organizations within Data Director.
- Organization administrators contact users to invite them to the organization or grant access directly from the system user list.
You configure the Data Director user management modes during installation. User management mode cannot be changed. In both Global and By Organization user management modes, organization administrators must grant users access to their organization.

About Data Director Administration

Data Director system administrators perform Data Director administration on the system level. Organization administrators perform Data Director administration on the organization level.
You create the initial Data Director system administrator account during Data Director setup. That system administrator creates other Data Director users, including other system administrators and organization administrators, and performs administration tasks at the system level.
By default, users do not have roles or permissions and cannot access any organizations. Organization administrators assign roles and permissions to users and grant them access to specific organizations.
System administrators perform system-level operations for Data Director or for an entire organization. System administrators perform the following tasks.
Table 1-1. System-level Operations
Operation Type                                Examples
Resource management operations                - Creating resource bundles.
                                              - Assigning resource bundles to organizations.
User and organization management operations   - Creating users.
                                              - Creating organizations.
                                              - Creating organization administrators.
                                              - Designating existing users as organization administrators.
Organization administrators perform organization-level operations within their organizations. Organization administrators perform the following tasks.
Table 1-2. Organization-level Operations
Operation Type                   Examples
Resource management operations   - Creating database groups.
                                 - Creating database configuration templates.
                                 - Creating database backup templates.
                                 - Allocating resources to database groups within the organization.
User management operations       - Creating organization users.
                                 - Granting organization access to existing Data Director users.
                                 - Assigning organization roles to users in the organization.
                                 - Creating organization roles and granting roles to organization users.
                                 - Defining organization permissions and granting permissions to organization users.
By default, Data Director system administrators do not have access to organizations. Organization administrators have access only to their own organization, can create organization users, and can grant access to existing Data Director users.
Data Director system administrators can create users, but only organization administrators can grant those users access to organizations.

vFabric Postgres Databases

Data Director provides self-service database provisioning and automation with vFabric Postgres (vPostgres). vPostgres is built on the open source Postgres database. It is compatible with pSQL and the PostgreSQL tools and client drivers. vPostgres databases are fully ACID and ANSI SQL-compliant. The ACID properties (Atomicity, Consistency, Isolation, and Durability) guarantee that database transactions are processed reliably.
Database administrators and application developers administer databases within their organizations. Database administration includes the following tasks.
- Creating databases and allocating resources to them.
- Cloning databases.
- Managing database users, roles, privileges, and permissions.
- Maintenance, including backups, restores, and removing old and unused data.
- Scaling databases up.
- Monitoring database usage and performance.
- Monitoring database alarms.
- Decommissioning databases.
See the vFabric Postgres Standard Edition User Guide for information about the Postgres database features for Data Director.

Chapter 2 Managing Data Director Resources

System administrators manage CPU, memory, storage, and networking resources for different organizations. Organization administrators manage resources for database groups and for databases.
This chapter includes the following topics:
- “Resource Management Overview,” on page 15
- “Resource Bundles and Resource Pools,” on page 16
- “Resource Assignment,” on page 17
- “vSphere Resource Pools and Data Director,” on page 18
- “Viewing Resource Information,” on page 19
- “Monitor Resource Usage,” on page 20
- “Create a Resource Pool,” on page 20
- “Create a Resource Bundle,” on page 21
- “Assign a Resource Bundle to an Organization,” on page 22
- “Perform Advanced Cluster Configuration,” on page 22

Resource Management Overview

System administrators allocate resources to organizations. These virtual resources come directly from the physical resources of the cluster on which Data Director runs. Organization administrators assign organization resources to database groups and databases.
A vSphere cluster consists of several ESXi hosts that provide the physical CPU and memory resources for the databases managed by Data Director. As part of installation, you create the cluster and enable vSphere High Availability (HA) and vSphere Distributed Resource Management (DRS) for the cluster. Data Director can take advantage of the vSphere HA and vSphere DRS functionality because Data Director runs on top of the cluster. See the vSphere Availability and the vSphere Resource Management documentation for details.
A Data Director resource bundle includes CPU, memory, storage, and networking resources. The CPU and memory resources come from a resource pool in the vSphere cluster. The storage and networking resources are assigned to Data Director during installation or at a later time. Data Director includes a set of VLANs to carry different types of network traffic.
When system administrators create an organization, they can assign virtual resources to the organization as resource bundles. When organization administrators create a database group, they assign virtual resources to the database group. These virtual resources are backed by the physical resources of one or more clusters. vSphere clusters provide failover protection and support efficient use of physical resources.
System administrators can assign resources when they create an organization (see “Create an Organization,” on page 38) or assign resources to an existing organization (see “Assign a Resource Bundle to an Organization,” on page 22). Organization administrators can assign resources when they create a database group or assign resources to existing database groups.
To help you specify the resources associated with a database template, Data Director includes a calculator that computes the optimum resource configuration based on the anticipated usage patterns. When you create databases from the template, the specified resources are allocated.

Resource Bundles and Resource Pools

A resource bundle is a set of compatible IT resources for provisioning databases. A resource bundle includes CPU and memory resources as vSphere resource pools, and storage and networking resources.
To assign the appropriate amount of resources to each organization, system administrators create resource bundles and assign them to organizations. System administrators specify a resource pool and storage and networking resources when they create a resource bundle.
- Resource Pool: All CPU and memory resources of a resource bundle come from a vSphere resource pool that is created in the vSphere Client with reservation equal to limit. See “Create a Resource Pool,” on page 20.
- Storage Resources: Each resource bundle includes storage resources for data and storage resources for backup. The storage resources must be visible to all hosts that use the resource bundle.
- DB Access Networks: DB Access Networks provide communication for databases. A DB Access Network corresponds to a vSphere port group. Each network must be visible to all hosts that use the resource bundle. DHCP is required. Selecting one or more DB Access Networks allows you to isolate different database groups from one another, for example, to isolate a QA database group from a Production database group. When no DB Access Networks have been assigned in the environment, select the network that is mapped to the Web Console Network. Do not select internal networks for DB Access Network traffic.
The following figure shows how Data Director resources come from vSphere resource pools, datastores, and port groups. When administrators create a resource bundle, the resources always come from the underlying vSphere environment.
Figure 2-1. Resources in vSphere and Data Director
“Resource Assignment,” on page 17 explains how resource assignment differs for the different levels of the hierarchy.

Resource Assignment

Resource assignment differs for organizations, database groups, and databases.
Resource Assignment for Organizations
System administrators can assign multiple resource bundles to each organization. Organization administrators allocate the resource bundles to database groups. When databases are created, they can only draw on the resources assigned to the database group. This resource isolation guarantees that different organizations and different database groups have control over their resources.
Resource Assignment for Database Groups
When you create a database group, you assign a resource bundle that specifies the resources for that group. You cannot assign more than one resource bundle to one database group. Multiple database groups can share one resource bundle.
When you assign a resource bundle to a database group, you can specify how to allocate each resource.
- CPU priority or reservation.
- Memory priority or reservation.
- Storage allocation.
- A network for the database group. You cannot divide the network. You can select only one network during database group creation even if several networks are associated with the resource bundle.
If you do not explicitly specify the CPU or memory allocation, Data Director sets the reservation to zero but sets expandable reservations to true. If expandable reservations is set to true, the CPU or memory can expand beyond the specified value.
Resource Assignment for Databases
A database consumes the resources assigned to its database group.
- You can specify the number of virtual CPUs, the memory size, and CPU and memory priority for each database that you create.
- You cannot specify storage allocation. All databases consume the data and the backup storage allocated to their parent database group.
- Each database uses the network assigned to the database group.

vSphere Resource Pools and Data Director

A vSphere resource pool is a logical abstraction for flexible management of CPU and memory resources. You add CPU and memory resources to Data Director resource bundles by adding a vSphere resource pool to the bundle.
CAUTION Data Director can only use resource pools if the corresponding cluster is enabled for DRS and HA. Do not disable DRS. If you do, Data Director can no longer use the resource pools even if you reenable DRS. See “Resource Bundles Become Unusable Because DRS Is Disabled,” on page 116.
Resource pools allow you to group available CPU and memory resources. You can allocate resources explicitly, or use the resource pool share mechanism. You can hierarchically partition available CPU and memory resources by grouping resource pools into hierarchies. You can then allow different organizations access to different resource pools. For example, a QA department might need large amounts of CPU and memory for running tests while the marketing department might require smaller amounts.
Data Director expects you to group the hosts that provide the CPU and memory resources into clusters. Each cluster owns the resources of all hosts. You can create one or more resource pools for the cluster, which has an invisible root resource pool. Each resource pool owns some of the cluster's resources. If necessary, you can create child resource pools. Child resource pools represent successively smaller amounts of CPU and memory.
How you allocate CPU and memory resources to database groups differs from how you allocate those resources to databases.
Creating Resource Pools
You create resource pools by using a vSphere Client connected to a vCenter Server system. Specify the following resource pool settings to ensure that Data Director always receives all of its allocated resources and does not have different amounts of CPU and memory available if the cluster is experiencing a light or a heavy load.
NOTE If you do not configure your resource pool with these settings, problems with resource bundle creation or other Data Director tasks might result. The primary problem is that resource pools with incorrect settings do not appear in the list of available resource pools when you create a resource bundle.
- Set the Limit equal to the Reservation. If the system never allocates more resources than you reserved, you do not experience resource fluctuations.
- Set Expandable Reservation to checked or unchecked. If the system does not attempt to allocate more resources than you reserved, you do not experience resource fluctuations.
- Set Unlimited to unchecked. Data Director requires this setting to prevent a resource bundle from taking more than its share.
After you create the resource pool, you create resource bundles. Each resource bundle uses one resource pool.
See “Create a Resource Pool,” on page 20 and “Create a Resource Bundle,” on page 21.
Allocating CPU and Memory Resources to Database Groups
When you create a database group and set its CPU and memory allocation, Data Director creates a child resource pool of the resource pool you select. Data Director configures the resource pool with the allocation you specify. Having a different resource pool for each database group isolates the database group's allocation and makes different groups independent.
- If you specify the CPU and memory allocation, Data Director uses the following settings for the resource pool it creates.
  - Reservation is set to the value you specify.
  - Expandable reservation is set to False.
  - Limit is set to unlimited.
- If you do not specify CPU or memory allocation, Data Director uses the following settings for the resource pool it creates.
  - Reservation is set to 0.
  - Expandable reservation is set to True, allowing the database group to consume resources as they are available.
  - Limit is set to unlimited.
Allocating CPU and Memory Resources to Databases
In the Data Director environment, a database is a virtual machine that consumes resources from the database group. You can specify the CPU and memory allocation for the database. Data Director always sets the limit to unlimited.
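The resource pool rules above can be checked before a pool is offered to Data Director. The following is an added example, not part of the original guide or of any VMware code: it audits source pools against the Limit, Reservation and Unlimited rules and derives the child pool settings described for database groups. Assumptions: the pool records and names are constructed sample data shaped like the vSphere API's ResourceAllocationInfo (where a limit of -1 represents Unlimited), and the capacity check relies on vSphere admission control keeping fixed child reservations within the parent's reservation.

```python
# Added example: checks vSphere resource pool settings against the rules above.
# The records are constructed sample data; field names follow the vSphere API's
# ResourceAllocationInfo (reservation, limit, expandableReservation), where a
# limit of -1 is how "Unlimited" is represented.

UNLIMITED = -1


def audit_source_pool(pool):
    """Return rule violations for a pool intended to back a resource bundle."""
    problems = []
    for kind in ("cpu", "memory"):
        alloc = pool[kind]
        if alloc["limit"] == UNLIMITED:
            problems.append(f"{kind}: Unlimited is checked, must be unchecked")
        elif alloc["limit"] != alloc["reservation"]:
            problems.append(
                f"{kind}: limit {alloc['limit']} differs from "
                f"reservation {alloc['reservation']}"
            )
        # Expandable Reservation may be checked or unchecked: not a violation.
    return problems


def database_group_pool(requested=None):
    """Child pool settings Data Director applies for one resource (CPU or memory)."""
    if requested is None:
        # No explicit allocation: nothing reserved, may grow as resources allow.
        return {"reservation": 0, "expandableReservation": True, "limit": UNLIMITED}
    return {"reservation": requested, "expandableReservation": False, "limit": UNLIMITED}


def plan_groups(parent_reservation, requests):
    """Map group name -> child pool settings and report unreserved capacity.

    Assumption (vSphere admission control, not stated on the page): fixed
    reservations of child pools must fit inside the parent's reservation,
    which equals its limit for a correctly configured source pool.
    """
    pools = {name: database_group_pool(req) for name, req in requests.items()}
    reserved = sum(p["reservation"] for p in pools.values())
    if reserved > parent_reservation:
        raise ValueError(
            f"groups reserve {reserved}, parent pool only has {parent_reservation}"
        )
    return pools, parent_reservation - reserved


# Constructed sample pools (CPU in MHz, memory in MB); names are hypothetical.
SAMPLE_POOLS = {
    "dd-prod": {
        "cpu": {"reservation": 8000, "limit": 8000, "expandableReservation": False},
        "memory": {"reservation": 32768, "limit": 32768, "expandableReservation": True},
    },
    "dd-open": {  # nothing reserved and Unlimited checked for both resources
        "cpu": {"reservation": 0, "limit": UNLIMITED, "expandableReservation": True},
        "memory": {"reservation": 0, "limit": UNLIMITED, "expandableReservation": True},
    },
    "dd-capped": {  # CPU limit set, but not equal to the reservation
        "cpu": {"reservation": 4000, "limit": 6000, "expandableReservation": False},
        "memory": {"reservation": 16384, "limit": 16384, "expandableReservation": False},
    },
}

if __name__ == "__main__":
    for name, pool in SAMPLE_POOLS.items():
        issues = audit_source_pool(pool)
        print(name, "OK" if not issues else issues)
    groups, spare = plan_groups(8000, {"qa": 2000, "production": 5000, "dev": None})
    print(groups, "unreserved MHz:", spare)
```

A group created without an explicit allocation, such as the hypothetical "dev" group here, has no reserved share and draws only on what the other groups leave unreserved.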

Viewing Resource Information

Data Director system administrators can view resource usage information for an organization from the Data Director Manage & Monitor tab.
When you log in to Data Director as a system administrator, you can view information about the resource usage of the different database groups and about the resource bundle or resource bundles that are being used by each database group.
- The Organizations pane allows you to manage organizations. You can view organization information, assign and unassign resource bundles, delete the organization, and view the organization's properties.
- The Resource Bundles pane allows you to view all resource bundles currently created for this instance of Data Director. You can display either allocation information or vCenter Server Object information.
- You can click on an item in the heading, such as Organization, to re-sort the table based on that column. Right-click any resource bundle name and choose Properties to see detailed information about each resource bundle.
- If you select vCenter Server Objects, Data Director displays the names of resource pools, datastores, and networks that you see in the vSphere Client UI.
- The Datastore Usage pane shows datastore usage for the main datastore and the backup datastore. You can see how resource bundles map to datastores and examine storage allocation information for each datastore.
See Chapter 11, “Monitoring the Data Director Environment,” on page 89 for details on using the monitoring interface.

Monitor Resource Usage

System administrators can view usage information for resource bundles and datastores and can reassign resource bundles from the Manage & Monitor tab.
The focus of this task is on monitoring, not on changing current settings.
Prerequisites
- Log in to Data Director as a user with system administrator privileges.
- Verify that one or more organizations exist in your environment.
- Verify that resource bundles and datastores have been assigned to the organizations.
Procedure
1 In Data Director, click the System tab, and click the Manage & Monitor tab.
The Organizations panel displays resource allocation information about each organization.
2 Click one of the columns, for example Total Memory, to reorder the rows of the table.
3 Click one of the organizations to display resource bundle information for the selected organization.
4 Click Resource Bundles to display the Resource Bundles pane.
5 Click Datastore Usage to display information about available datastores, their capacity, and the allocated and unallocated storage for each.
6 Click one of the datastores to display the associated resource bundles and their storage allocation.
What to do next
You can change the resource bundle information by clicking the Actions icon and selecting Properties. If properties are dimmed, you do not have permissions to change them.

Create a Resource Pool

You allocate CPU and memory resources to Data Director by creating one or more resource pools from a vSphere Client connected to a vCenter Server system. From the Data Director user interface, you can then assign the resources from those resource pools to database groups and databases.
Before you create the resource pools, you must prepare a cluster. Enable the cluster for HA and DRS, and add all Data Director hosts to the cluster. See the vFabric Data Director Installation Guide for information.
Prerequisites
- Connect to the vCenter Server system by using a vSphere Client. You cannot create resource pools if the client is connected directly to a host.
- Verify that you have permissions sufficient to create a resource pool.
- Choose a location for the resource pool. Data Director cannot use resource pools at the vApp top level.
- See the vSphere Resource Management documentation for information about resource pools.
Procedure
1 In the vSphere Client, select Home > Inventory > Hosts and Clusters.
2 Select the cluster to which all Data Director hosts have been assigned.
3 Specify the settings in the following table for the resource pool.
Option                   Description
Name                     Name of the resource pool.
CPU Shares               Do not specify CPU shares. Instead, specify the CPU reservation.
CPU Reservation          CPU resources to allocate to this resource pool.
Expandable Reservation   Checked or unchecked.
CPU Limit                Maximum CPU resources available to this resource pool. Set Limit to be equal to CPU Reservation.
Unlimited                Unchecked.
Memory Shares            Do not specify memory shares. Instead, specify a memory reservation.
Memory Reservation       Memory resources to allocate to this resource pool.
Expandable Reservation   Checked or Unchecked.
Memory Limit             Maximum memory resources available to this resource pool. Set Limit to be equal to Memory Reservation.
Unlimited                Unchecked.
After the resource pool is set up, you can point to the resource pool when you create the Data Director resource bundle.
What to do next
Create a resource bundle. See “Create a Resource Bundle,” on page 21.

Create a Resource Bundle

Resource bundles allow you to bundle CPU, memory, storage, and networking resources. You create resource bundles using the Data Director user interface.
When you create a resource bundle, the wizard displays only resource pools with a parent cluster that meets the following requirements.
• vSphere DRS and vSphere HA are enabled.
• VM Monitoring is set to VM and Application Monitoring.
• VM Restart Priority is not disabled for any of the virtual machines.
• Host monitoring is enabled.
See “Perform Advanced Cluster Configuration,” on page 22 for details on recommended settings.
Prerequisites
• Create a resource pool to use for allocating CPU and memory resources. See “Create a Resource Pool,” on page 20.
• Decide on the storage resources that you want to include in the resource bundle. Plan for storage resources for database storage and resources for backup storage.
• Decide on the networking resources that you want to include in the resource bundle. The resource bundle's networking resources are used for the public network for databases in an organization.
NOTE If you do not configure your resource pool with these settings, problems with resource bundle creation or other Data Director tasks might result.
Procedure
1 Log in to Data Director with system administrator privileges.
2 Select System, and click Manage & Monitor.
3 Click Resource Bundles in the left pane.
4 Click the plus (+) icon.
5 Specify the following information about the resource bundle in the wizard.
Wizard screen          Action
Name and Description   Type a name and optional description and click Next.
CPU and Memory         Select the resource pool from which you want to assign CPU and memory resources and click Next.
Storage                Click Edit to select a datastore, and allocate the number of GB to use with Data Director, or allocate all unallocated space. Repeat the process for backup storage. NOTE Do not select a datastore that is in a datastore cluster.
Networks               Select the networks that you want to have available to this resource bundle. These networks provide the public network for the organization's databases. Resource bundles must use a database network when available.
What to do next
System administrators can allocate the resource bundles to organizations, and organization administrators can assign resources to their database groups.

Assign a Resource Bundle to an Organization

System administrators can assign a resource bundle to an organization when they create an organization. You can also assign a resource bundle to an organization at a later time.
Prerequisites
Log in to Data Director as a system administrator or a user who can assign resource bundles to organizations.
Procedure
1 Click the Manage & Monitor tab, and click Organizations.
2 Right-click the organization that you want to assign a resource bundle to, and select Assign Resource Bundle.
3 Select the resource bundle that you want to assign from the list of resource bundles and click OK.
What to do next
You can create one or more database groups and databases. See “Create a Database,” on page 53 and “Create a Database Group,” on page 43.

Perform Advanced Cluster Configuration

During installation, you configure the Data Director cluster with vSphere DRS and vSphere HA enabled, and with certain monitoring settings. You can later edit the Data Director cluster configuration to change the monitoring sensitivity for virtual machines.
As part of the installation process, you configure the Data Director cluster. See the vFabric Data Director Installation Guide. After installation, you can customize the cluster to work in your environment. See the vSphere Availability documentation and the vSphere Resource Management documentation for background information.
Not all changes that you can make to a vSphere cluster are compatible with Data Director. You must make sure that the cluster settings remain compatible with Data Director. Data Director checks the following settings.
• DRS must be enabled. DRS automation level can be any of the supported options. Partially automated works best with Data Director in most situations.
• Admission control must be enabled.
If cluster settings are not compatible with Data Director, and if you create a resource pool in the cluster, you cannot import the resource pool into a Data Director resource bundle.
If you change cluster settings from Data Director compatible to Data Director incompatible, Data Director displays alerts but does not revert the settings. You must revert the settings to make the cluster compatible again.
CAUTION Do not disable DRS because you lose all resource pools. Reenabling DRS does not resolve the issue. See “Resource Bundles Become Unusable Because DRS Is Disabled,” on page 116.
If you customize the HA settings for a virtual machine, and if those settings are not compatible with Data Director, an alert appears. You are responsible for making the cluster compatible again.
Prerequisites
Verify that you have log-in privileges and privileges for cluster modification for the vCenter Server system on which the Data Director cluster runs.
Procedure
1 Log in to a vSphere Client that is connected to the vCenter Server on which the Data Director cluster runs.
2 Right-click the cluster and click Edit Settings.
3 Click VM Monitoring.
4 Select the Custom check box and specify custom settings.
The following are the lowest acceptable settings; values can be higher.
Option                       Description
Failure interval             30 seconds
Minimum uptime               120 seconds
Maximum Per-VM resets        3
Maximum resets time window   Within 1 hour
5 Click OK.

Chapter 3 Managing Users and Roles

User management controls the users that can log in to Data Director and what they can see and do after they log in.
This chapter includes the following topics:
• User Management Overview
• Authenticating Users
• Role-Based Access Control
• Predefined Roles
• Privileges
• Propagation of Permissions and Roles
• Organization Privileges and Permissions
• Add Users to Your Organization
• Add Roles to an Organization
• Grant a Permission to a User
• Modify Organization Security Settings

User Management Overview

System and organization administrators use a combination of user logins, privileges, permissions, and roles (role-based access control) to manage Data Director users. Role-based access control provides management of users and the tasks that they can perform on objects. You can grant and revoke roles and permissions at the system level, on organizations, and on database groups, databases, and templates within organizations.
Roles are sets of permissions required to perform particular jobs. Jobs are sets of tasks that a user with a particular role is responsible for performing, such as the set of tasks that are the responsibility of a database administrator. System and organization administrators define roles as part of defining security policies, and grant the roles to users. To change the permissions and tasks associated with a particular job, the system or organization administrator updates the role settings. The updated settings take effect for all users associated with the role.
• To add a user to a job, the system or organization administrator grants the role to the user.
• To remove a user from a job, the system or organization administrator revokes the role from the user. Changes are effective immediately.
Roles apply only to the organization in which they are created. For example, an organization administrator creates a database administrator role that includes permission to add and remove database users, start and stop databases, and perform backups for a specific database in that organization. Users that are granted the database administrator role in that organization can perform database administrator tasks only within that organization.
Organization administrators usually manage role and permission assignments for their organizations. However, any user that has the permission to grant and revoke permissions on an object can grant all permissions on that object to any user or any role. Organization administrators can also grant permissions directly to users.
Each user's login account is unique in the system. Managing access, roles, and permissions for each user is based on their user login account. The organization administrator can grant users access to one or more organizations. Within those organizations, each user can be granted multiple roles and permissions.
Users who cannot view or access certain objects or cannot perform certain operations were not granted the permissions to do so.
The following figure illustrates the scope of users and roles in Data Director.
Figure 3-1. Scope of users and roles in Data Director
In the figure, user Bob is logged in to Data Director and has been granted access to the system and to the organization Alliance. Bob is also granted the SysAdmin role at the system level, and the DBAdmin role in the organization Alliance. Bob's SysAdmin role applies to the system level. The SysAdmin role does not propagate to any organizations. The role DBAdmin in organization Alliance and the role DBAdmin in organization Benefits are separate roles that apply only within their organizations. Bob has the DBAdmin role in the Alliance organization but does not have access to the Benefits organization.

Authenticating Users

User authentication is based on user login and password.
User login accounts and credentials are unique in Data Director. This enables managing credentials, roles, permissions, and privileges for each user based on the user login account.
Create users and passwords in the following ways.
• A system or organization administrator creates the user account and assigns a password.
• A user registers for a Data Director account and specifies a password as part of the registration request.
Data Director encrypts the password and stores it with the user information. When the user logs in, that user's credentials are stored in an HTTP session. Data Director uses the credentials to validate that the user is authorized to view organization objects (database groups and databases) and to perform tasks.

Role-Based Access Control

Role-based access control enables system and organization administrators to control user access to Data Director and to control what users can do after they log in. To implement role-based access control, system and organization administrators associate (or revoke) privileges, permissions, and roles with (or from) user login accounts.
Users
User logins (users) are unique accounts that enable users to access Data Director. They include a password and identifying information such as name, email address, and phone number. Because user login accounts are unique, system and organization administrators can control each user's access and actions by granting or revoking privileges, permissions, and roles to or from the user's login account.
Users can be active or inactive. Inactive users cannot log in.
Privileges
Privileges control all actions in Data Director. They define the allowable actions within an organization. Privileges apply to particular types of Data Director objects. For example, you can apply the Stop Database privilege to organizations, database groups, and databases and apply the Create Database privilege to organizations and database groups. Privileges by themselves are not associated with specific objects within an organization.
Permissions
Permissions associate a user and privilege pair with an object in Data Director. Examples are granting a user permission to start or stop a specific database, to modify an organization's backup templates, or to create other users in an organization.
You can grant permissions to users by assigning a role to a user, or by granting permissions directly to the user.
Roles
Roles are collections of permissions that can be associated with or granted to users. Roles provide a convenient way to package all the permissions required to perform a job, such as that of database administrator. Roles apply only to the entity in which they are created. If you create a role at the system level, it applies only to the system. If you create a role in an organization, it applies only to the organization. Organizations have no visibility into each other's roles. If two organizations in the same Data Director data cloud each have a role that has the same name, those roles are distinct within each organization.
One user can have multiple roles within an organization. Users can have access to multiple organizations and can have multiple roles in each organization.
A user can have different roles for different objects. For example, if you have two database groups in your organization, DBG1 and DBG2, you can grant the Database Admin role to a particular user on DBG1 and grant that user the DB User role on DBG2. These assignments might allow the user to perform administrative tasks in DBG1, but not in DBG2.

Predefined Roles

Data Director provides the predefined roles of system administrator, user administrator, and organization administrator. Predefined roles provide a starting point for administering Data Director users and roles and for defining custom roles. You can also create custom roles.
Organization administrator role
Organization administrators manage their organizations. They control which users can access the organizations, how users request access to the organizations, and what those users can see and do within the organization. This role has all privileges on the organization for which it is created. Organization administrators invite users to join the organization, grant access, roles, and permissions to users in the organization, create database groups, and can create databases. You can choose to create an administrator user when you create a new organization, or you can select an existing user as the new organization administrator.
Organization administrators perform all user management tasks within their organizations, including the following.
• Add users to organizations, database groups, and databases.
• Modify user settings.
• Remove users from organizations, database groups, and databases.
• Create roles.
• Grant privileges and permissions to roles and to individual users.
• View users, roles, and permissions granted to users and roles.
Organization administrators can view, grant, and revoke privileges on all objects within their organizations, including database groups, databases, and templates. Privileges include Create Database Groups and Modify Database Configuration Templates.
System administrator role
System administrators operate Data Director. The first system administrator user is created during Data Director installation. This role has all system-level privileges, including managing resources for the system and for organizations. System administrators can see, grant, and revoke permissions at the system level. The first system administrator configures Data Director, creates other system administrators and system-level users, and creates initial organizations. System administrators manage users at the system level. By default they do not have access to organizations unless an organization administrator grants access to them.
User administrator role
The User administrator role manages users at the system level, including creating, editing settings for, and deleting system users.

Privileges

Privileges define the allowable actions on objects in vFabric Data Director. You associate privileges with a user login and a Data Director object to define permissions.
For example, the Start and Stop Database privilege indicates that in general, Data Director users can start and stop databases. But the privilege by itself does not indicate which users can start and stop databases, or the databases that they can start and stop. To provide context, you associate the privilege with a user login and a Data Director object. The combination of privilege, user login, and Data Director object is a permission. You can group related permissions into roles to package all the permissions required to perform a job, such as that of database administrator.
System
System privileges relate to Data Director management, such as Manage Resources and Manage System Settings. These privileges apply only to the system. System privileges do not propagate to organizations.
Organizations
Privileges on organizations relate to organization management, such as Manage Organization Settings and Manage Registration. Organization privileges apply only to organizations. They do not propagate beyond organization boundaries.
Database group
Privileges on database groups relate to database group management, such as Create Databases and Import Backups. Database group privileges apply only within the organization and to the organization's database groups.
Organization administrators and users with database group management privileges grant and revoke privileges on database groups, and enable users to access a database group by adding the database group to the user's account.
Databases
Privileges on databases relate to database management, such as Start and Stop Database and Edit Database Info. Database privileges apply only to databases, database groups, and organizations. If a database-related privilege is on a database group, that privilege applies to all databases within that database group. If the database-related privilege is on an organization, it applies to every database group and database in the organization.
Organization administrators and users with database management privileges grant and revoke these privileges and permissions on databases. To gain access to databases, the databases must be added to a user's account.
Database configuration and database backup templates
Privileges on templates relate to template management, such as edit template and view and user template. Edit template applies only to the organization. View and user template applies to individual templates or to the organization. If a template privilege is on an organization, it applies to all templates within that organization.
Organization administrators and users with template management privileges grant and revoke template privileges and permissions. To gain access to templates, the templates must be added to a user's account.

Propagation of Permissions and Roles

How permissions and roles propagate through an organization depends on where and on what types of objects they are granted. Understanding how permissions and roles propagate can help you to assign them to users appropriately.
Permission and role propagation stops at the organization boundary. Permissions granted within an organization propagate only within that organization. Permissions granted at the system level do not propagate to organizations.
Permissions (and their associated privileges) that apply to an organization are inherited by that organization's database groups and databases. Users or roles can have permissions on specific database groups, and those permissions propagate to databases within the database groups.
Roles apply only to the organization in which they are defined. If a role is defined at the system level, it applies only to the system and is not visible to organizations. If a role is defined within an organization, it applies only to that organization and is not visible to the system or to other organizations.
You can grant permissions and roles on objects within an organization, such as on a database group, on a database, or on a template. For example, granting the Start/Stop Database permission on a database group means that the user or role has the Start/Stop Database permission on all databases within that database group. If a user is granted the Start/Stop Database permission on a database group, that user can start and stop any databases within that database group. However, permissions that apply only to certain types of objects do not propagate to other objects. For example, granting the database group permission Create Database on a database is meaningless.
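The propagation rules in this section, together with the role scoping described in “Role-Based Access Control,” modelled as an added Python example (not code from Data Director or VMware). The privilege-to-object-type table uses privileges the page names; the class and function names, the contents of the SysAdmin and DBAdmin roles, and the databases db1 and db2 are assumptions made for the illustration.

```python
from dataclasses import dataclass

SYSTEM, ORG, DBGROUP, DATABASE = "system", "organization", "database group", "database"
# Object types each privilege can be applied to, as stated on the page.
PRIVILEGE_SCOPE = {
    "Manage Resources": {SYSTEM},
    "Manage Organization Settings": {ORG},
    "Create Database": {ORG, DBGROUP},
    "Stop Database": {ORG, DBGROUP, DATABASE},
}

@dataclass(frozen=True)
class Obj:
    kind: str
    name: str
    parent: "Obj | None" = None  # organizations have no parent; the system is not one

def root(obj):
    while obj.parent is not None:  # climb to the containing organization (or the system)
        obj = obj.parent
    return obj

class AccessModel:
    def __init__(self):
        self.roles = {}           # (owner, role name) -> set of privileges
        self.role_grants = set()  # (user, owner, role name, object)
        self.direct = set()       # (user, privilege, object)

    def define_role(self, owner, name, privileges):
        self.roles[(owner, name)] = set(privileges)

    def grant_role(self, user, owner, name, obj):
        # A role applies only inside the system or organization that defines it.
        if (owner, name) not in self.roles or root(obj) != owner:
            raise ValueError(f"role {name!r} is not defined for {root(obj).name}")
        self.role_grants.add((user, owner, name, obj))

    def grant(self, user, privilege, obj):
        self.direct.add((user, privilege, obj))

    def _held_on(self, user, privilege, obj):
        return (user, privilege, obj) in self.direct or any(
            u == user and o == obj and privilege in self.roles[(owner, name)]
            for u, owner, name, o in self.role_grants)

    def is_allowed(self, user, privilege, target):
        # A privilege is meaningful only on the object types it applies to.
        if target.kind not in PRIVILEGE_SCOPE[privilege]:
            return False
        node = target
        while node is not None:  # database -> database group -> organization
            if self._held_on(user, privilege, node):
                return True
            node = node.parent
        return False

    def inert_grants(self):
        """Direct grants that can never authorize anything (wrong object type)."""
        return sorted((u, p, o.name) for u, p, o in self.direct
                      if o.kind not in PRIVILEGE_SCOPE[p])

def build_example():  # constructed data: Bob, Alliance and Benefits as in Figure 3-1
    system = Obj(SYSTEM, "System")
    alliance, benefits = Obj(ORG, "Alliance"), Obj(ORG, "Benefits")
    dbg1, dbg2 = Obj(DBGROUP, "DBG1", alliance), Obj(DBGROUP, "DBG2", alliance)
    db1, db2 = Obj(DATABASE, "db1", dbg1), Obj(DATABASE, "db2", dbg2)
    m = AccessModel()
    m.define_role(system, "SysAdmin", {"Manage Resources"})
    for org in (alliance, benefits):  # same name, but a distinct role in each organization
        m.define_role(org, "DBAdmin", {"Create Database", "Stop Database"})
    m.grant_role("Bob", system, "SysAdmin", system)
    m.grant_role("Bob", alliance, "DBAdmin", dbg1)
    m.grant("Bob", "Create Database", db2)  # meaningless: wrong object type
    return m, system, alliance, benefits, dbg1, dbg2, db1, db2
```

Because is_allowed reads the role's privilege set at check time, redefining a role changes the result for every user who holds it. The list returned by inert_grants is a useful item to review when auditing assignments for least privilege.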

Organization Privileges and Permissions

Organization administrators grant privileges and permissions to users and roles in their organizations. Those privileges and permissions propagate to database groups and databases in the organization.
You can grant the following types of privileges and permissions to users and roles on organizations.
• User and permission management, such as manage roles and registration and grant/revoke permissions.
• Organization management, such as manage organization settings, database configuration and backup templates, and import databases.
• Database group management, such as manage database groups, create databases, and import backups.
• Database management, such as edit database information, resource, and backup settings, modify database users, and upgrade databases.
• Database operations, such as enable/disable databases, delete databases, start and stop databases, and restart databases.
• Database backup and recovery, such as create and delete snapshots, create and delete external backups, clone databases, and recover databases.
• Templates, such as use templates.
• View and monitor, such as viewing reports and monitoring resource usage.