Re: VMware driver: SessionIsActive API / Sessions.ValidateSession permission

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 15, 2016 at 11:22:27PM +0100, Matthias Bolte wrote:
> Here's a patch that basically reverts the offending commit. The patch
> is only compile tested, as I don't have a vCenter at hand to test
> this. Do you have the option to test this in an actual setup?

Yes - I will be able to test this tomorrow.

Matt (Booth) - what do you think of this patch?

Rich.

> -- 
> Matthias Bolte
> http://photron.blogspot.com

> From d94afccfdee014ee97ecbf01f1108e17014b2017 Mon Sep 17 00:00:00 2001
> From: Matthias Bolte <matthias.bolte@xxxxxxxxxxxxxx>
> Date: Mon, 15 Feb 2016 21:17:49 +0100
> Subject: [PATCH] esx: Avoid using vSphere SessionIsActive function
> 
> A login session with the vSphere API might expire after some idle time.
> The esxVI_EnsureSession function uses the SessionIsActive function to
> check if the current session has expired and a relogin needs to be done.
> 
> But the SessionIsActive function needs the Sessions.ValidateSession
> privilege that is considered as an admin level privilege.
> 
> Only vCenter actually provides the SessionIsActive function. This results
> in requiring an admin level privilege even for read-only operations on
> a vCenter server.
> 
> ESX and VMware Server don't provide the SessionIsActive function and
> the code already works around that. Use the same workaround for vCenter
> again.
> 
> This basically reverts commit 5699034b65afd49d91dff13c46481bea545cbaac.
> ---
>  src/esx/esx_vi.c | 88 ++++++++++++++++++++++++--------------------------------
>  1 file changed, 37 insertions(+), 51 deletions(-)
> 
> diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c
> index af822b1..f7eeeb5 100644
> --- a/src/esx/esx_vi.c
> +++ b/src/esx/esx_vi.c
> @@ -2043,11 +2043,21 @@ esxVI_BuildSelectSetCollection(esxVI_Context *ctx)
>  
>  
>  
> +/*
> + * Cannot use the SessionIsActive() function here, because at least
> + * ESX Server 3.5.0 build-64607 and ESX 4.0.0 build-171294 return an
> + * method-not-implemented fault when calling it. The vCenter Server
> + * implements this method, but because it can be used to check any
> + * session it requires the Sessions.ValidateSession privilege that is
> + * considered as an admin privilege.
> + *
> + * Instead query the session manager for the current session of this
> + * connection and re-login if there is no current session.
> + */
>  int
>  esxVI_EnsureSession(esxVI_Context *ctx)
>  {
>      int result = -1;
> -    esxVI_Boolean active = esxVI_Boolean_Undefined;
>      esxVI_String *propertyNameList = NULL;
>      esxVI_ObjectContent *sessionManager = NULL;
>      esxVI_DynamicProperty *dynamicProperty = NULL;
> @@ -2065,65 +2075,41 @@ esxVI_EnsureSession(esxVI_Context *ctx)
>          goto cleanup;
>      }
>  
> -    if (ctx->hasSessionIsActive) {
> -        /*
> -         * Use SessionIsActive to check if there is an active session for this
> -         * connection, and re-login if there isn't.
> -         */
> -        if (esxVI_SessionIsActive(ctx, ctx->session->key,
> -                                  ctx->session->userName, &active) < 0) {
> -            goto cleanup;
> -        }
> -
> -        if (active != esxVI_Boolean_True) {
> -            esxVI_UserSession_Free(&ctx->session);
> +    if (esxVI_String_AppendValueToList(&propertyNameList,
> +                                       "currentSession") < 0 ||
> +        esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> +                                        "SessionManager", propertyNameList,
> +                                        &sessionManager,
> +                                        esxVI_Occurrence_RequiredItem) < 0) {
> +        goto cleanup;
> +    }
>  
> -            if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> -                            &ctx->session) < 0) {
> +    for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> +         dynamicProperty = dynamicProperty->_next) {
> +        if (STREQ(dynamicProperty->name, "currentSession")) {
> +            if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> +                                                  &currentSession) < 0) {
>                  goto cleanup;
>              }
> -        }
> -    } else {
> -        /*
> -         * Query the session manager for the current session of this connection
> -         * and re-login if there is no current session for this connection.
> -         */
> -        if (esxVI_String_AppendValueToList(&propertyNameList,
> -                                           "currentSession") < 0 ||
> -            esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> -                                            "SessionManager", propertyNameList,
> -                                            &sessionManager,
> -                                            esxVI_Occurrence_RequiredItem) < 0) {
> -            goto cleanup;
> -        }
> -
> -        for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> -             dynamicProperty = dynamicProperty->_next) {
> -            if (STREQ(dynamicProperty->name, "currentSession")) {
> -                if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> -                                                      &currentSession) < 0) {
> -                    goto cleanup;
> -                }
>  
> -                break;
> -            } else {
> -                VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
> -            }
> +            break;
> +        } else {
> +            VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
>          }
> +    }
>  
> -        if (!currentSession) {
> -            esxVI_UserSession_Free(&ctx->session);
> +    if (!currentSession) {
> +        esxVI_UserSession_Free(&ctx->session);
>  
> -            if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> -                            &ctx->session) < 0) {
> -                goto cleanup;
> -            }
> -        } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> -            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> -                           _("Key of the current session differs from the key at "
> -                             "last login"));
> +        if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> +                        &ctx->session) < 0) {
>              goto cleanup;
>          }
> +    } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> +        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> +                       _("Key of the current session differs from the key at "
> +                         "last login"));
> +        goto cleanup;
>      }
>  
>      result = 0;
> -- 
> 1.9.1
> 


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]