influxdata / telegraf

Agent for collecting, processing, aggregating, and writing metrics, logs, and other arbitrary data.
https://influxdata.com/telegraf
MIT License

Support vSphere 7+ with post-7.0U2 authentication API #10276

Closed akhepcat closed 2 years ago

akhepcat commented 2 years ago

Feature Request

Add support for new vSphere API

Proposal:

Current 1.20 doesn't support post-7.0U2 because it uses the old API for authentication.

A per-host flag would need to be set to inform telegraf which API to use when connecting to a host, and support for the new API that follows the flag would need to be added - unless there is an unauthenticated method of determining the API model prior to auth (perhaps with a URL test).

Current behavior:

The system spews these messages in logging:

2021-12-14T16:21:50-09:00 I! [inputs.vsphere] Starting plugin
2021-12-14T16:21:53-09:00 E! [telegraf] Error running agent: starting input inputs.vsphere: ServerFaultCode: Cannot complete login due to an incorrect user name or password.

The previous API was deprecated as of vSphere 7.0U2 (March 2021). https://core.vmware.com/blog/vsphere-7-update-2-rest-api-modernization

Desired behavior:

Follow authentication process for post-7.0U2 as documented at https://developer.vmware.com/apis/vsphere-automation/latest/cis/api/session/post/

Use case:

vSphere users above 7.0U2 can no longer monitor their vSphere instances.

akhepcat commented 2 years ago

Here's what works on my 7.0.2 vSphere:

# encode the user/password strings for basic auth
# (printf avoids the non-portable "echo -n"; tr removes any line wrapping base64 adds)
BAUTH=$(printf '%s' "${USER}:${PASS}" | base64 | tr -d '\n')

# submit the auth request and retrieve the session key
# (-k disables TLS certificate verification)
SESS=$(curl --silent -k -H "Authorization: Basic ${BAUTH}" -X POST "https://${HOST}/api/session")
# the response is a JSON-quoted string; strip the quotes
SESS=${SESS//\"/}

# use the session
curl --silent -k -H "vmware-api-session-id: ${SESS}" -X GET "https://${HOST}/api/vcenter/vm" | jq

# end the session
curl --silent -k -H "vmware-api-session-id: ${SESS}" -X DELETE "https://${HOST}/api/session"

sspaink commented 2 years ago

Thank you for bringing this up. I looked at the framework we are using in the plugin to log in to vSphere, https://github.com/vmware/govmomi, and I couldn't find any information on it supporting this new auth method or plans to support it. But I definitely could be missing something. @prydin, I noticed you've helped with this plugin in the past; do you perhaps know more about this?

prydin commented 2 years ago

The changed authentication procedure applies to the vSphere REST API, which is not what this plugin uses. It uses the SOAP API. I just tested against vCenter 7.0.3 and the authentication works fine.

I don't think this is what's causing the failed login.

akhepcat commented 2 years ago

Very interesting. I'll close this, as after Yet Another Reboot of both systems, things started logging in again.

Unknown why it wasn't working in the interim.
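The REST session exchange from the shell snippet earlier in the thread, shown from both sides as an added example; it is not part of the original issue and not Telegraf's code (the plugin uses the SOAP API through govmomi). The stub server, its credentials, session id, VM list and status codes are constructed so the example runs offline; the client JSON-decodes the session id and always logs out, even when collection fails.

```python
import base64, json, threading, urllib.request
from contextlib import contextmanager
from http.server import BaseHTTPRequestHandler, HTTPServer

LIVE = set()  # session ids the constructed stub considers logged in
GOOD = "Basic " + base64.b64encode(b"monitor@vsphere.local:example-pass").decode()

class StubVCenter(BaseHTTPRequestHandler):  # constructed stand-in, not a real vCenter
    log_message = lambda *a: None           # keep the stub quiet
    def _send(self, code, body=None):
        data = b"" if body is None else json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):    # POST /api/session: Basic auth in, JSON-quoted session id out
        if self.path == "/api/session" and self.headers.get("Authorization") == GOOD:
            LIVE.add("constructed-session-id")
            return self._send(201, "constructed-session-id")
        self._send(401)
    def do_GET(self):     # GET /api/vcenter/vm: requires a live session header
        live = self.headers.get("vmware-api-session-id") in LIVE
        self._send(200 if live else 401, [{"vm": "vm-1"}] if live else None)
    def do_DELETE(self):  # DELETE /api/session: log out
        LIVE.discard(self.headers.get("vmware-api-session-id"))
        self._send(204)

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubVCenter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def call(base, method, path, headers):
    req = urllib.request.Request(base + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:  # https:// URLs are cert-verified by default
        return json.loads(resp.read() or b"null")         # JSON-decode; empty body -> None

@contextmanager
def session(base, user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    sid = call(base, "POST", "/api/session", {"Authorization": "Basic " + token})
    try:
        yield {"vmware-api-session-id": sid}
    finally:  # always log out, even if collection raised, so sessions do not pile up
        call(base, "DELETE", "/api/session", {"vmware-api-session-id": sid})

def collect(base, user, password):
    with session(base, user, password) as hdr:
        return call(base, "GET", "/api/vcenter/vm", hdr)
```

Against a real vCenter, `base` would be the `https://` URL of the host, and a wrong password surfaces as `urllib.error.HTTPError` from the `POST` rather than as an empty session id.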