vmware-archive / powernsx

PowerShell module that abstracts the VMware NSX-v API to a set of easily used PowerShell functions

Get-NsxUserRole Doesn't Work for non-NSX Accounts, Breaking Get-NsxManagerSystemSummary #570

Open dejstacey opened 5 years ago

dejstacey commented 5 years ago

This is similar to #531 (actually the same issue, pretty sure), but they worked around it in the software they were using (powerops) and closed the ticket.

Get-NsxManagerSystemSummary calls Get-NsxUserRole for the currently logged in user before it does anything else. It checks if the user has a needed permission:

$role = Get-NsxUserRole $Connection.Credential.Username

if ( $role.role -ne 'super_user' ) {
    throw "Appliance Management APIs require a local NSX Manager account (super_user role access) "
}

Output:

PS > Get-NsxUserRole ejstacey
Unable to retrieve role details from NSX.  Microsoft.PowerShell.Commands.HttpResponseException: Response status code does not indicate success: 400 (Bad Request).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
At /home/ejstacey/.local/share/powershell/Modules/PowerNSX/3.0.1125/PowerNSX.psm1:9771 char:13
+             throw "Unable to retrieve role details from NSX.  $_"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OperationStopped: (Unable to retri...rd errorRecord):String) [], RuntimeException
+ FullyQualifiedErrorId : Unable to retrieve role details from NSX.  Microsoft.PowerShell.Commands.HttpResponseException: Response status code does not indicate success: 400 (Bad Request).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)

This doesn't work when you're connected to the NSX Instance via the -vCenterServer option with Connect-NsxServer. It's probably something that could/should be fixed on the API side, but failing that, I thought this check in Get-NsxManagerSystemSummary could be avoided or modified when we are accessing with the vCenterServer option. The actual invoke-nsxrestmethod for the system summary info works fine (if you are an enterprise admin, at least).

PowerShell Core 6.1.2 (although this really doesn't look like a Core vs Desktop issue) on Linux
PowerCLI 11.0.0 build 10380590
PowerNSX 3.0.1125

Thanks, -Eric
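
The pre-check described in this report aborts when the role lookup itself fails, before the role is ever compared. One way to separate "role unknown" from "role insufficient", as an added example that is not PowerNSX code and not part of the thread; `Test-NsxApplianceApiAccess`, its `-RoleLookup` parameter and the sample accounts are hypothetical, and only `Get-NsxUserRole` and `super_user` come from the report:

```powershell
# Added example, not PowerNSX code. Get-NsxUserRole is the cmdlet from the report;
# Test-NsxApplianceApiAccess and -RoleLookup are hypothetical names.
function Test-NsxApplianceApiAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Username,
        # Returns an object with a .role property, or throws if the lookup fails.
        [scriptblock]$RoleLookup = { param($u) Get-NsxUserRole $u }
    )
    try {
        $role = & $RoleLookup $Username
    }
    catch {
        # The lookup failed (the report shows a 400 for an AD account), so the
        # role is unknown. That is not the same as "known and insufficient".
        return [pscustomobject]@{
            Username = $Username
            Role     = $null
            Outcome  = 'RoleUnknown'
            Detail   = "Role lookup failed: $($_.Exception.Message)"
        }
    }
    # A missing or empty role falls through to 'Denied' (fail closed).
    $outcome = if ($role.role -eq 'super_user') { 'Allowed' } else { 'Denied' }
    [pscustomobject]@{
        Username = $Username
        Role     = $role.role
        Outcome  = $outcome
        Detail   = "Role reported by NSX: $($role.role)"
    }
}

# Constructed stand-ins for the three cases, so this runs without an NSX Manager.
$lookups = [ordered]@{
    'admin'               = { [pscustomobject]@{ role = 'super_user' } }
    'auditor1'            = { [pscustomobject]@{ role = 'auditor' } }
    'someone@example.com' = { throw 'Response status code does not indicate success: 400 (Bad Request).' }
}
foreach ($name in $lookups.Keys) {
    Test-NsxApplianceApiAccess -Username $name -RoleLookup $lookups[$name] |
        Format-List Username, Role, Outcome, Detail
}
```

A caller can stop on `Denied` and, on `RoleUnknown`, either stop with the lookup error or send the request and let the NSX API authorize it; the thread leaves that choice open.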

alagoutte commented 5 years ago

Hi,

What do you use for authentication? This is to try to reproduce the issue.

As said in #531, it will be easier to fix nsx-powerops to not use Get-NsxManagerSystemSummary.

dejstacey commented 5 years ago

Hi,

I'm using vCenter/SSO auth. I don't use nsx-powerops, I just use powernsx and wanted to lodge a ticket for the underlying issue (even though it's even more underlying in the API IMHO).

Thanks, -Eric


alagoutte commented 5 years ago

Is your account a local account on vCenter? It does not come from AD/LDAP?

Have you tried Get-NsxUserRole ejstacey@vsphere.local?

dejstacey commented 5 years ago

Oh, I apologise. It's an AD account.

Trying Get-NsxUserRole ejstacey@du.deakin.edu.au (an AD account with enterprise admin privs) fails with the same error (400 Bad Request).

alagoutte commented 5 years ago

Thanks, I will try to reproduce the issue...

hugoyuxu commented 5 years ago

Hi there, I ran into the same issue with my AD account today as well. My account could run most of the PowerNSX cmdlets, except those get-nsxmanager* cmdlets.

I used an API call to set my AD account to be a CLI user in the super_user role. After that, I can run get-nsxmanager* cmdlets without any issues, like get-nsxmanagerSummary, etc.