rubrikinc / rubrik-sdk-for-powershell

Rubrik Module for PowerShell
https://build.rubrik.com/sdks/powershell/
MIT License
102 stars, 87 forks

Connect-Rubrik - add support for Service User Secret #812

Closed meerkampdvv closed 1 year ago

meerkampdvv commented 2 years ago

Is your feature request related to a problem? Please describe.

Multi-factor auth on our Rubrik server is mandatory with version 7.0.3+ and 8.x, and Rubrik introduced Service Users with Secret Authentication over the service_account/session API endpoint. There doesn't seem to be any support for that in the Connect-Rubrik command.

Describe the solution you'd like

Enable some way to handle Service Users with Secret when using Connect-Rubrik.

Describe alternatives you've considered

Invoke-WebRequest against the service_account/session API endpoint

Bryan-Meier commented 2 years ago

@meerkampdvv, I agree that this needs to be added. If you talk to most people at Rubrik, they say Service Accounts with Secrets is the best practice due to the better security features and flexibility it offers.

With that said, there is a way to still use the PowerShell SDK with 7.x and 8.x when Service Users and Secret Auth are required. You have to build the connection object and add it to an array of connection objects.

Here's an example of creating that connection which then allows the rest of the SDK to be usable:

```powershell
$cluster = "yourcluster.domain.com"
$apiBase = "https://$cluster/api/v1"

function CreateRubrikSession {
  # Service account id and secret. They are hard-coded here only to show the
  # request shape; in a real script load them from a credential store.
  $serviceAccountId = "User:::XYZ-123"
  $secret = "SOME_SECRET"

  # Create the body of the API request with the account id and secret
  $bodySession = @{
    serviceAccountId = $serviceAccountId
    secret = $secret
  } | ConvertTo-Json

  $sessionURL = "$apiBase/service_account/session" # URL for creating the session
  $rubrikSession = Invoke-RestMethod -Method POST -Uri $sessionURL -Body $bodySession -ContentType "application/json"

  # Create a connection object that matches what the Rubrik SDK is expecting
  $global:rubrikConnection = @{
    api = 1
    server = $cluster
    token = $rubrikSession.token
    header = @{
      'Authorization' = "Bearer $($rubrikSession.token)"
    }
  }

  # Add the Rubrik connection above to an array of connections. Again, the SDK requires this
  [array]$global:RubrikConnections += $global:rubrikConnection
}

CreateRubrikSession
```

Hopefully this helps you or others trying to use the best practice approach even though Connect-Rubrik doesn't yet support it.

Bryan-Meier commented 1 year ago

Is there going to be a separate set of work to adjust the Disconnect-Rubrik code to include the closing of the session? If not, the user will need to write a web request to delete the current session. If this is not done, they will end up with a "Max 10 Token count reached" type error. If the user hits this threshold they are literally stuck for 24 hours until the tokens expire. I had a support case open with Rubrik on this and there doesn't seem to be a way of getting around this error once the threshold has been hit other than waiting.

guirava commented 1 year ago

Hi @Bryan-Meier , This new feature augments Connect-Rubrik with a new way to create a session; but Disconnect-Rubrik ends the current session independently of how it was created (except in the case where a token was given as a parameter to Connect-Rubrik).

DamaniN commented 1 year ago

@guirava & @mwpreston, Please provide updates to the documentation for the PowerShell SDK on how to use the new options with Connect-Rubrik and Disconnect-Rubrik.

Also, please provide best practices to avoid token exhaustion during a session. There is a limit of 10 requests that can be made per day per session. As an example, a script may issue multiple Rubrik SDK commands. If the script runs Connect-Rubrik in the beginning, then issues its commands, could that lead to token exhaustion because the same session is being used? Or has the SDK been modified such that each invocation of a command creates and ends its own session?

DamaniN commented 1 year ago

@guirava & @mwpreston , I do see that there was an update to https://github.com/rubrikinc/rubrik-sdk-for-powershell#readme, however, https://rubrik.gitbook.io/rubrik-sdk-for-powershell/command-documentation/reference/connect-rubrik also needs to be updated.

Bryan-Meier commented 1 year ago

Hi @guirava, this is in response to: https://github.com/rubrikinc/rubrik-sdk-for-powershell/issues/812#issuecomment-1256818809

Are you saying that we can use Disconnect-Rubrik in its current state and it will handle deleting the session, which frees up the session token? Or are you saying that we will still have to run a separate Invoke-Request to delete the session to release the token? I ask this because at the bottom of this article it explains very specifically that an API call with a method type of DELETE should be called to delete the current session to avoid token exhaustion. I don't see this in the current Disconnect-Rubrik function, which leads me to believe that we will end up with a Max 10 Token error. Please let me know your thoughts. Thanks for your efforts by the way! They are much appreciated!

guirava commented 1 year ago

> Hi @guirava, this is in response to: #812 (comment)
>
> Are you saying that we can use Disconnect-Rubrik in its current state and it will handle deleting the session, which frees up the session token? Or are you saying that we will still have to run a separate Invoke-Request to delete the session to release the token? I ask this because at the bottom of this article it explains very specifically that an API call with a method type of DELETE should be called to delete the current session to avoid token exhaustion. I don't see this in the current Disconnect-Rubrik function, which leads me to believe that we will end up with a Max 10 Token error. Please let me know your thoughts. Thanks for your efforts by the way! They are much appreciated!

Hello @Bryan-Meier , good question. That article is correct, a DELETE call needs to happen to avoid token exhaustion; and that's exactly what Disconnect-Rubrik does (details here).

It is Disconnect-Rubrik that needs to be used, because unlike a direct call to the REST method (with Invoke-RestMethod), Disconnect-Rubrik handles corner cases, and generally speaking, it is the symmetrical call to Connect-Rubrik.

Thank you for bringing this to our attention, I will follow up internally to make sure SDK docs and Support articles are in sync.
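The manual flow Bryan-Meier posted above, paired with the session teardown guirava says Disconnect-Rubrik performs, as an added example for module versions whose Connect-Rubrik does not yet accept a service account (this is not code from the rubrik-sdk-for-powershell project or from anyone in this thread; where your module's Connect-Rubrik already supports service accounts, use Connect-Rubrik and Disconnect-Rubrik instead). The point it adds to the thread is that the POST to service_account/session and the DELETE that releases the token are tied together in a try/finally, so a script that throws half-way still gives its token back and cannot walk the account into the 10-token lockout. Assumptions not confirmed on this page: that DELETE /api/v1/session/me ends the session whose bearer token it is called with (verify in Get-RubrikAPIData or the cluster's API explorer), that the POST response exposes the bearer token as `token` (the only field the thread relies on), and that the cluster name, VM name and credential prompt are placeholders. Requires PowerShell 7 for `-StatusCodeVariable`.

```powershell
# Added example: service-account session with guaranteed teardown.
# Not part of the Rubrik PowerShell SDK; see the assumptions in the lead-in.
#Requires -Version 7.0

function New-RubrikServiceAccountSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        # UserName = service account id ("User:::..."), Password = the secret.
        # Build it with Get-Credential or Import-Clixml so the secret never
        # sits in the script file.
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $body = @{
        serviceAccountId = $Credential.UserName
        secret           = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json

    # Endpoint named in the thread. Leave TLS validation on; a cluster
    # certificate you do not trust is not a reason to send the secret anyway.
    $response = Invoke-RestMethod -Method Post `
        -Uri "https://$Server/api/v1/service_account/session" `
        -Body $body -ContentType 'application/json'

    if ([string]::IsNullOrEmpty($response.token)) {
        throw "service_account/session returned no token for $($Credential.UserName)"
    }

    # Same shape as the object built earlier in the thread; authType is the
    # value the SDK itself reports for these sessions (see the output below).
    $connection = @{
        api      = 1
        server   = $Server
        token    = $response.token
        authType = 'ServiceAccount'
        header   = @{ Authorization = "Bearer $($response.token)" }
    }
    $global:rubrikConnection = $connection
    [array]$global:RubrikConnections += $connection
    return $connection
}

function Remove-RubrikServiceAccountSession {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $Connection)

    # Assumed endpoint: DELETE /api/v1/session/me invalidates the session
    # presenting the bearer token. 204 NoContent is the expected result.
    $null = Invoke-RestMethod -Method Delete `
        -Uri "https://$($Connection.server)/api/v1/session/me" `
        -Headers $Connection.header -StatusCodeVariable status

    # Drop the dead token from the SDK's connection list so later cmdlets
    # cannot pick it up and fail with a 401.
    $global:RubrikConnections = @($global:RubrikConnections |
        Where-Object { $_.token -ne $Connection.token })
    if ($global:rubrikConnection.token -eq $Connection.token) {
        Remove-Variable -Name rubrikConnection -Scope Global -ErrorAction SilentlyContinue
    }
    return $status
}

# Usage. The finally block runs even when the work in try throws, so an
# aborting script still releases its token instead of leaking one of the ten.
$cred = Get-Credential -Message 'Service account id as user name, secret as password'
$conn = New-RubrikServiceAccountSession -Server 'yourcluster.domain.com' -Credential $cred
try {
    Get-RubrikVM -Name 'some-vm'   # any SDK cmdlet; they read $global:rubrikConnection
}
finally {
    $code = Remove-RubrikServiceAccountSession -Connection $conn
    Write-Verbose "session delete returned HTTP $code"
}
```

If you keep several connections in `$global:RubrikConnections` (the SDK's multi-cluster pattern), tear each one down in its own finally; the DELETE only affects the session whose token is in the Authorization header it is sent with.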

Bryan-Meier commented 1 year ago

> Hello @Bryan-Meier , good question. That article is correct, a DELETE call needs to happen to avoid token exhaustion; and that's exactly what Disconnect-Rubrik does (details here).
>
> It is Disconnect-Rubrik that needs to be used, because unlike a direct call to the REST method (with Invoke-RestMethod), Disconnect-Rubrik handles corner cases, and generally speaking, it is the symmetrical call to Connect-Rubrik.
>
> Thank you for bringing this to our attention, I will follow up internally to make sure SDK docs and Support articles are in sync.

Thank you, @guirava. I missed the content in Get-RubrikAPIData. Thank you for that!

StefanBPS commented 1 year ago

I can connect to a Rubrik server using the account id and secret, but not when the account has a limited set of privileges in the attached role.

In the past I used to use API tokens for live mounting and restoring VMs using the Rubrik PowerShell SDK, with a role set up to allow only that. This role works when I use the API token to connect to the Rubrik server, but when I use the same role attached to a service account and use that id + secret to log in, I get this error message:

```
PS C:\> .\script.ps1
VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name       Value
----       -----
id
authType   ServiceAccount
version    8.0.1-p1-22135
header     {User-Agent, Authorization}
api        1
time       11/8/2022 2:35:12 PM
userId
server     172.17.200.150

PSVersion                     : 7.2.7
PSEdition                     : Core
GitCommitId                   : 7.2.7
OS                            : Microsoft Windows 10.0.17763
Platform                      : Win32NT
PSCompatibleVersions          : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion     : 2.3
SerializationVersion          : 1.1.0.1
WSManStackVersion             : 3.0
HostConsoleName               : Visual Studio Code Host
HostConsoleVersion            : 2022.10.0
HostCulture                   : en-US
HostCultureUI                 : en-US
RubrikConnection              : True
UserAgentString               : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication          : Bearer
RubrikClusterVersion          : 8.0.1-p1-22135
RubrikCurrentModuleVersion    : 6.0.1
RubrikInstalledModule         : 6.0.1
RubrikModuleOptions           : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

WARNING: User unavailable: userId = 903b71c9-ab61-40f0-b297-3de75101aba7
OperationStopped: C:\Program Files\WindowsPowerShell\Modules\Rubrik\6.0.1\Private\Submit-Request.ps1:133:25
Line |
 133 |       throw $_.Exception
     |       ~~~~~~~~~~~~~~~~~~
     | Response status code does not indicate success: 404 (Not Found).

PS C:\>
```

When I give the service account user only the admin role and rerun the script, this happens:

```
VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name       Value
----       -----
id
authType   ServiceAccount
version    8.0.1-p1-22135
header     {User-Agent, Authorization}
api        1
time       11/8/2022 2:42:00 PM
userId
server     172.17.200.150

PSVersion                     : 7.2.7
PSEdition                     : Core
GitCommitId                   : 7.2.7
OS                            : Microsoft Windows 10.0.17763
Platform                      : Win32NT
PSCompatibleVersions          : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion     : 2.3
SerializationVersion          : 1.1.0.1
WSManStackVersion             : 3.0
HostConsoleName               : Visual Studio Code Host
HostConsoleVersion            : 2022.10.0
HostCulture                   : en-US
HostCultureUI                 : en-US
RubrikConnection              : True
UserAgentString               : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication          : Bearer
RubrikClusterVersion          : 8.0.1-p1-22135
RubrikCurrentModuleVersion    : 6.0.1
RubrikInstalledModule         : 6.0.1
RubrikModuleOptions           : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

Status                : Success
HTTPStatusCode        : 204
HTTPStatusDescription : NoContent
```

The problem disappeared.

Does anybody know if you need some specific privilege attached to the role that the API tokens did not need to make this work?