On Mon, Feb 15, 2016 at 11:22:27PM +0100, Matthias Bolte wrote: > Here's a patch that basically reverts the offending commit. The patch > is only compile tested, as I don't have a vCenter at hand to test > this. Do you have the option to test this in an actual setup? Yes - I will be able to test this tomorrow. Matt (Booth) - what do you think of this patch? Rich. > -- > Matthias Bolte > http://photron.blogspot.com > From d94afccfdee014ee97ecbf01f1108e17014b2017 Mon Sep 17 00:00:00 2001 > From: Matthias Bolte <matthias.bolte@xxxxxxxxxxxxxx> > Date: Mon, 15 Feb 2016 21:17:49 +0100 > Subject: [PATCH] esx: Avoid using vSphere SessionIsActive function > > A login session with the vSphere API might expire after some idle time. > The esxVI_EnsureSession function uses the SessionIsActive function to > check if the current session has expired and a relogin needs to be done. > > But the SessionIsActive function needs the Sessions.ValidateSession > privilege that is considered as an admin level privilege. > > Only vCenter actually provides the SessionIsActive function. This results > in requiring an admin level privilege even for read-only operations on > a vCenter server. > > ESX and VMware Server don't provide the SessionIsActive function and > the code already works around that. Use the same workaround for vCenter > again. > > This basically reverts commit 5699034b65afd49d91dff13c46481bea545cbaac. > --- > src/esx/esx_vi.c | 88 ++++++++++++++++++++++++-------------------------------- > 1 file changed, 37 insertions(+), 51 deletions(-) > > diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c > index af822b1..f7eeeb5 100644 > --- a/src/esx/esx_vi.c > +++ b/src/esx/esx_vi.c 
> @@ -2043,11 +2043,21 @@ esxVI_BuildSelectSetCollection(esxVI_Context *ctx)
>
>
>
> +/*
> + * Cannot use the SessionIsActive() function here, because at least
> + * ESX Server 3.5.0 build-64607 and ESX 4.0.0 build-171294 return an
> + * method-not-implemented fault when calling it. The vCenter Server
> + * implements this method, but because it can be used to check any
> + * session it requires the Sessions.ValidateSession privilege that is
> + * considered as an admin privilege.
> + *
> + * Instead query the session manager for the current session of this
> + * connection and re-login if there is no current session.
> + */
> int
> esxVI_EnsureSession(esxVI_Context *ctx)
> {
> int result = -1;
> - esxVI_Boolean active = esxVI_Boolean_Undefined;
> esxVI_String *propertyNameList = NULL;
> esxVI_ObjectContent *sessionManager = NULL;
> esxVI_DynamicProperty *dynamicProperty = NULL;
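Review bot: The new comment above esxVI_EnsureSession documents only the re-login outcome, but the function also fails when the server reports a current session whose key differs from the one stored at login (the `STRNEQ(ctx->session->key, currentSession->key)` branch in the next hunk). I would add a line such as `* A current session whose key differs from the key at last login is reported as an error.` so the fail-closed case is visible to callers. The article in `return an method-not-implemented fault` should also be `a`. The function body continues past the end of this hunk.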
> @@ -2065,65 +2075,41 @@ esxVI_EnsureSession(esxVI_Context *ctx)
> goto cleanup;
> }
>
> - if (ctx->hasSessionIsActive) {
> - /*
> - * Use SessionIsActive to check if there is an active session for this
> - * connection, and re-login if there isn't.
> - */
> - if (esxVI_SessionIsActive(ctx, ctx->session->key,
> - ctx->session->userName, &active) < 0) {
> - goto cleanup;
> - }
> -
> - if (active != esxVI_Boolean_True) {
> - esxVI_UserSession_Free(&ctx->session);
> + if (esxVI_String_AppendValueToList(&propertyNameList,
> + "currentSession") < 0 ||
> + esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> + "SessionManager", propertyNameList,
> + &sessionManager,
> + esxVI_Occurrence_RequiredItem) < 0) {
> + goto cleanup;
> + }
>
> - if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> - &ctx->session) < 0) {
> + for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> + dynamicProperty = dynamicProperty->_next) {
> + if (STREQ(dynamicProperty->name, "currentSession")) {
> + if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> + ¤tSession) < 0) {
> goto cleanup;
> }
> - }
> - } else {
> - /*
> - * Query the session manager for the current session of this connection
> - * and re-login if there is no current session for this connection.
> - */
> - if (esxVI_String_AppendValueToList(&propertyNameList,
> - "currentSession") < 0 ||
> - esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> - "SessionManager", propertyNameList,
> - &sessionManager,
> - esxVI_Occurrence_RequiredItem) < 0) {
> - goto cleanup;
> - }
> -
> - for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> - dynamicProperty = dynamicProperty->_next) {
> - if (STREQ(dynamicProperty->name, "currentSession")) {
> - if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> - ¤tSession) < 0) {
> - goto cleanup;
> - }
>
> - break;
> - } else {
> - VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
> - }
> + break;
> + } else {
> + VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
> }
> + }
>
> - if (!currentSession) {
> - esxVI_UserSession_Free(&ctx->session);
> + if (!currentSession) {
> + esxVI_UserSession_Free(&ctx->session);
>
> - if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> - &ctx->session) < 0) {
> - goto cleanup;
> - }
> - } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> - virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> - _("Key of the current session differs from the key at "
> - "last login"));
> + if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> + &ctx->session) < 0) {
> goto cleanup;
> }
> + } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("Key of the current session differs from the key at "
> + "last login"));
> + goto cleanup;
> }
>
> result = 0;
> --
> 1.9.1
> -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows.
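Review bot: With the `if (ctx->hasSessionIsActive)` branch removed, nothing in this hunk reads `ctx->hasSessionIsActive` any more, and the diffstat lists only these two hunks in esx_vi.c, so the field and whatever code sets it appear to be left behind as dead state. If no other reader exists, the same patch should drop the field and its initialisation; failing that, a comment on it such as `/* no longer consulted by esxVI_EnsureSession: SessionIsActive needs Sessions.ValidateSession */` would keep a later change from re-enabling the admin-privileged check by accident. The body of esxVI_EnsureSession continues past the end of the hunk, so the cleanup path is not visible here.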
http://people.redhat.com/~rjones/virt-df/ -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list