[libvirt] VMware driver: SessionIsActive API / Sessions.ValidateSession permission
Richard W.M. Jones
rjones at redhat.com
Mon Feb 15 22:31:15 UTC 2016
On Mon, Feb 15, 2016 at 11:22:27PM +0100, Matthias Bolte wrote:
> Here's a patch that basically reverts the offending commit. The patch
> is only compile tested, as I don't have a vCenter at hand to test
> this. Do you have the option to test this in an actual setup?
Yes - I will be able to test this tomorrow.
Matt (Booth) - what do you think of this patch?
Rich.
> --
> Matthias Bolte
> http://photron.blogspot.com
> From d94afccfdee014ee97ecbf01f1108e17014b2017 Mon Sep 17 00:00:00 2001
> From: Matthias Bolte <matthias.bolte at googlemail.com>
> Date: Mon, 15 Feb 2016 21:17:49 +0100
> Subject: [PATCH] esx: Avoid using vSphere SessionIsActive function
>
> A login session with the vSphere API might expire after some idle time.
> The esxVI_EnsureSession function uses the SessionIsActive function to
> check if the current session has expired and a relogin needs to be done.
>
> But the SessionIsActive function needs the Sessions.ValidateSession
> privilege that is considered as an admin level privilege.
>
> Only vCenter actually provides the SessionIsActive function. This results
> in requiring an admin level privilege even for read-only operations on
> a vCenter server.
>
> ESX and VMware Server don't provide the SessionIsActive function and
> the code already works around that. Use the same workaround for vCenter
> again.
>
> This basically reverts commit 5699034b65afd49d91dff13c46481bea545cbaac.
> ---
> src/esx/esx_vi.c | 88 ++++++++++++++++++++++++--------------------------------
> 1 file changed, 37 insertions(+), 51 deletions(-)
>
> diff --git a/src/esx/esx_vi.c b/src/esx/esx_vi.c
> index af822b1..f7eeeb5 100644
> --- a/src/esx/esx_vi.c
> +++ b/src/esx/esx_vi.c
> @@ -2043,11 +2043,21 @@ esxVI_BuildSelectSetCollection(esxVI_Context *ctx)
>
>
>
> +/*
> + * Cannot use the SessionIsActive() function here, because at least
> + * ESX Server 3.5.0 build-64607 and ESX 4.0.0 build-171294 return an
> + * method-not-implemented fault when calling it. The vCenter Server
> + * implements this method, but because it can be used to check any
> + * session it requires the Sessions.ValidateSession privilege that is
> + * considered as an admin privilege.
> + *
> + * Instead query the session manager for the current session of this
> + * connection and re-login if there is no current session.
> + */
> int
> esxVI_EnsureSession(esxVI_Context *ctx)
> {
> int result = -1;
> - esxVI_Boolean active = esxVI_Boolean_Undefined;
> esxVI_String *propertyNameList = NULL;
> esxVI_ObjectContent *sessionManager = NULL;
> esxVI_DynamicProperty *dynamicProperty = NULL;
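Review bot: In the new comment block above esxVI_EnsureSession, "return an method-not-implemented fault" should read "return a method-not-implemented fault". Since the comment now carries the whole rationale for avoiding SessionIsActive, it is worth fixing the wording before this lands.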
> @@ -2065,65 +2075,41 @@ esxVI_EnsureSession(esxVI_Context *ctx)
> goto cleanup;
> }
>
> - if (ctx->hasSessionIsActive) {
> - /*
> - * Use SessionIsActive to check if there is an active session for this
> - * connection, and re-login if there isn't.
> - */
> - if (esxVI_SessionIsActive(ctx, ctx->session->key,
> - ctx->session->userName, &active) < 0) {
> - goto cleanup;
> - }
> -
> - if (active != esxVI_Boolean_True) {
> - esxVI_UserSession_Free(&ctx->session);
> + if (esxVI_String_AppendValueToList(&propertyNameList,
> + "currentSession") < 0 ||
> + esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> + "SessionManager", propertyNameList,
> + &sessionManager,
> + esxVI_Occurrence_RequiredItem) < 0) {
> + goto cleanup;
> + }
>
> - if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> - &ctx->session) < 0) {
> + for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> + dynamicProperty = dynamicProperty->_next) {
> + if (STREQ(dynamicProperty->name, "currentSession")) {
> + if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> + ¤tSession) < 0) {
> goto cleanup;
> }
> - }
> - } else {
> - /*
> - * Query the session manager for the current session of this connection
> - * and re-login if there is no current session for this connection.
> - */
> - if (esxVI_String_AppendValueToList(&propertyNameList,
> - "currentSession") < 0 ||
> - esxVI_LookupObjectContentByType(ctx, ctx->service->sessionManager,
> - "SessionManager", propertyNameList,
> - &sessionManager,
> - esxVI_Occurrence_RequiredItem) < 0) {
> - goto cleanup;
> - }
> -
> - for (dynamicProperty = sessionManager->propSet; dynamicProperty;
> - dynamicProperty = dynamicProperty->_next) {
> - if (STREQ(dynamicProperty->name, "currentSession")) {
> - if (esxVI_UserSession_CastFromAnyType(dynamicProperty->val,
> - ¤tSession) < 0) {
> - goto cleanup;
> - }
>
> - break;
> - } else {
> - VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
> - }
> + break;
> + } else {
> + VIR_WARN("Unexpected '%s' property", dynamicProperty->name);
> }
> + }
>
> - if (!currentSession) {
> - esxVI_UserSession_Free(&ctx->session);
> + if (!currentSession) {
> + esxVI_UserSession_Free(&ctx->session);
>
> - if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> - &ctx->session) < 0) {
> - goto cleanup;
> - }
> - } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> - virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> - _("Key of the current session differs from the key at "
> - "last login"));
> + if (esxVI_Login(ctx, ctx->username, ctx->password, NULL,
> + &ctx->session) < 0) {
> goto cleanup;
> }
> + } else if (STRNEQ(ctx->session->key, currentSession->key)) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("Key of the current session differs from the key at "
> + "last login"));
> + goto cleanup;
> }
>
> result = 0;
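Review bot: With the `if (ctx->hasSessionIsActive)` branch removed in this hunk, esxVI_EnsureSession no longer reads `ctx->hasSessionIsActive`, and the patch touches only these two hunks of src/esx/esx_vi.c, so the flag, the code that sets it and the esxVI_SessionIsActive call it guarded appear to be left behind. If nothing else uses them, remove them in the same patch, or say in the commit message why they stay. Separately, the retained `STRNEQ(ctx->session->key, currentSession->key)` branch reports an internal error rather than logging in again; a short comment on why a key mismatch is treated as fatal would help the next reader.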
> --
> 1.9.1
>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/