vmware / govmomi

Go library for the VMware vSphere API
Apache License 2.0

[BUG] Permission Error with ContinueRetrievePropertiesEx in govc v0.37.0+ on vSphere 8.x #3455

Open robinlehrmann opened 1 month ago

robinlehrmann commented 1 month ago

Describe the bug

We are experiencing a permissions issue when using govc version 0.37.0 or higher with vSphere 8.x. The issue manifests as a NoPermissionFault when attempting to retrieve properties using the ContinueRetrievePropertiesEx method. This problem does not occur in govc versions prior to 0.37.0.

To Reproduce

Steps to reproduce the behavior:

Context: The requests are executed via vm.console using the govc client.

Request (v0.37.0):

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
    <Body>
        <ContinueRetrievePropertiesEx xmlns="urn:vim25">
            <_this type="PropertyCollector">propertyCollector</_this>
            <token>3</token>
        </ContinueRetrievePropertiesEx>
    </Body>
</Envelope>

Response (v0.37.0):

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>ServerFaultCode</faultcode>
            <faultstring>Permission to perform this operation was denied.</faultstring>
            <detail>
                <NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission">
                    <object type="Folder">group-d1</object>
                    <privilegeId>System.Read</privilegeId>
                    <missingPrivileges>
                        <entity type="PropertyCollector">propertyCollector</entity>
                        <privilegeIds>System.Read</privilegeIds>
                    </missingPrivileges>
                </NoPermissionFault>
            </detail>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

Request (v0.36.3):

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
    <Body>
        <RetrieveProperties xmlns="urn:vim25">
            <_this type="PropertyCollector">propertyCollector</_this>
            <specSet>
                <propSet>
                    <type>Folder</type>
                    <pathSet>name</pathSet>
                    <pathSet>childType</pathSet>
                </propSet>
                <propSet>
                    <type>Datacenter</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>VirtualApp</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>VirtualMachine</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>Network</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>ComputeResource</type>
                    <pathSet>name</pathSet>
                    <pathSet>resourcePool</pathSet>
                </propSet>
                <propSet>
                    <type>ClusterComputeResource</type>
                    <pathSet>name</pathSet>
                    <pathSet>resourcePool</pathSet>
                </propSet>
                <propSet>
                    <type>Datastore</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>DistributedVirtualSwitch</type>
                    <pathSet>name</pathSet>
                </propSet>
                <objectSet>
                    <obj type="Folder">group-v74340</obj>
                    <skip>true</skip>
                    <selectSet xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance"
                               XMLSchema-instance:type="TraversalSpec">
                        <type>Folder</type>
                        <path>childEntity</path>
                        <skip>false</skip>
                    </selectSet>
                </objectSet>
            </specSet>
        </RetrieveProperties>
    </Body>
</Envelope>

Response (v0.36.3):

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <RetrievePropertiesResponse xmlns="urn:vim25">
            <returnval>
                <obj type="VirtualMachine">vm-74345</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC01</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74347</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC03</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74346</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC02</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74343</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-FIREWALL</val>
                </propSet>
            </returnval>
        </RetrievePropertiesResponse>
    </soapenv:Body>
</soapenv:Envelope>

Expected behavior

The response should not show any permission issues. Maybe deactivate the ContinueRetrievePropertiesEx request or make it optional via an option in the vm.console command.

Affected version

vSphere 8.x, govc version 0.37.0 or higher

In vSphere 7.x it still works as expected with every govc version, but the ContinueRetrievePropertiesEx requests are not performed there.

Additional context

The issue seems related to the ContinueRetrievePropertiesEx feature, which starts an active session to retrieve further PropertyCollections. In previous versions (up to v0.36.3), the RetrieveProperties method is used instead, and it works without issues.

Roles and Permissions

When listing roles using govc role ls, the following are returned:

System.Anonymous
System.Read
System.View
VirtualMachine.Interact.ConsoleInteract
VirtualMachine.Interact.DeviceConnection
VirtualMachine.Interact.DnD
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Suspend

Setting System.Anonymous Permission: It has been suggested that setting System.Anonymous permission might resolve the issue, but all required permissions are already set, and the issue persists.

Deactivating ContinueRetrievePropertiesEx: If there is a way to disable ContinueRetrievePropertiesEx and revert to the previous method, this might resolve the issue.

How can we activate the necessary permissions to avoid the NoPermissionFault when using ContinueRetrievePropertiesEx? Is there a way to completely disable ContinueRetrievePropertiesEx and use the older method (RetrieveProperties)? Please look into this issue and provide guidance on how to proceed. Any help would be greatly appreciated.

Thank you!
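
As an added example (not code from this issue or from govmomi itself), the following stand-alone Go program, using only the standard library, parses the two SOAP bodies quoted above and turns them into a decision a client can act on: on the NoPermission fault it reports which entity and privilege were denied, and flags that the PropertyCollector itself (not an inventory object) is off-limits, which is exactly the case where a SearchIndex lookup by inventory path is the sensible retry; on the RetrievePropertiesResponse it extracts the moref-to-name map. The two sample bodies are constructed, condensed copies of the responses in the report, and the "use SearchIndex" rule is this example's own policy, not anything govmomi implements.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample bodies, condensed from the two responses quoted in the
// issue (same fault detail and morefs; not captured fresh for this example).
const FaultXML = `<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault>
<faultcode>ServerFaultCode</faultcode>
<faultstring>Permission to perform this operation was denied.</faultstring>
<detail><NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission">
<object type="Folder">group-d1</object><privilegeId>System.Read</privilegeId>
<missingPrivileges><entity type="PropertyCollector">propertyCollector</entity>
<privilegeIds>System.Read</privilegeIds></missingPrivileges>
</NoPermissionFault></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>`

const OKXML = `<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><RetrievePropertiesResponse xmlns="urn:vim25">
<returnval><obj type="VirtualMachine">vm-74345</obj>
<propSet><name>name</name><val xsi:type="xsd:string">W11-PC01</val></propSet></returnval>
<returnval><obj type="VirtualMachine">vm-74343</obj>
<propSet><name>name</name><val xsi:type="xsd:string">FIREWALL</val></propSet></returnval>
</RetrievePropertiesResponse></soapenv:Body></soapenv:Envelope>`

// moRef is a managed object reference as serialised in vim25 SOAP,
// e.g. <obj type="VirtualMachine">vm-74345</obj>.
type moRef struct {
	Type  string `xml:"type,attr"`
	Value string `xml:",chardata"`
}

// envelope models only the two body shapes seen in the issue. Tags carry no
// namespace on purpose so prefixed (soapenv:) and default-namespace (urn:vim25)
// elements both match by local name.
type envelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Body    struct {
		Fault *struct {
			Detail struct {
				NoPermission *struct {
					PrivilegeID string `xml:"privilegeId"`
					Missing     []struct {
						Entity       moRef    `xml:"entity"`
						PrivilegeIDs []string `xml:"privilegeIds"`
					} `xml:"missingPrivileges"`
				} `xml:"NoPermissionFault"`
			} `xml:"detail"`
		} `xml:"Fault"`
		Response *struct {
			Returnval []struct {
				Obj     moRef `xml:"obj"`
				PropSet []struct {
					Name string `xml:"name"`
					Val  string `xml:"val"`
				} `xml:"propSet"`
			} `xml:"returnval"`
		} `xml:"RetrievePropertiesResponse"`
	} `xml:"Body"`
}

// Verdict is what a client would act on after one PropertyCollector call.
type Verdict struct {
	Names          map[string]string // moref value -> name, on success
	Denied         bool              // a NoPermission fault came back
	DeniedEntity   string            // e.g. "PropertyCollector"
	DeniedPriv     string            // e.g. "System.Read"
	UseSearchIndex bool              // assumed policy: retry via SearchIndex/-vm.ipath
}

// Inspect parses one response body. The fallback rule is this example's own
// assumption: only when the denied entity is the PropertyCollector itself
// (rather than some inventory object) is a SearchIndex path lookup worth trying.
func Inspect(body []byte) (Verdict, error) {
	var env envelope
	if err := xml.Unmarshal(body, &env); err != nil {
		return Verdict{}, err
	}
	v := Verdict{Names: map[string]string{}}
	if f := env.Body.Fault; f != nil {
		if np := f.Detail.NoPermission; np != nil {
			v.Denied, v.DeniedPriv = true, np.PrivilegeID
			for _, m := range np.Missing {
				v.DeniedEntity = m.Entity.Type
				for _, p := range m.PrivilegeIDs {
					v.UseSearchIndex = v.UseSearchIndex || (m.Entity.Type == "PropertyCollector" && p == "System.Read")
				}
			}
		}
		return v, nil
	}
	if r := env.Body.Response; r != nil {
		for _, rv := range r.Returnval {
			for _, p := range rv.PropSet {
				if p.Name == "name" { // only the property both requests asked for
					v.Names[rv.Obj.Value] = p.Val
				}
			}
		}
	}
	return v, nil
}

func main() {
	for _, body := range []string{FaultXML, OKXML} {
		v, err := Inspect([]byte(body))
		fmt.Printf("%+v err=%v\n", v, err)
	}
}
```

A real client would feed the raw HTTP response body into Inspect and, when UseSearchIndex is set, switch to a FindByInventoryPath lookup, which is what the -vm.ipath workaround later in this thread does by hand; a NoPermission fault naming an inventory object instead of the PropertyCollector is a genuine authorization denial and should not be retried.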

github-actions[bot] commented 1 month ago

Howdy 🖐 robinlehrmann! Thank you for your interest in this project. We value your feedback and will respond soon.

If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.

dougm commented 4 weeks ago

Thanks for the detailed report @robinlehrmann. I was not aware of this behavior, but will work on reproducing + fixing. In the meantime, a possible workaround would be to specify -vm.ipath, which uses the SearchIndex rather than the PropertyCollector:

govc vm.console -vm.ipath /Datacenter-Name/vm/VM-Name

dougm commented 4 weeks ago

Can you also share your build number (govc about) ?

I was able to reproduce with 8.0.2b (build 23319993), and verified the -vm.ipath workaround.

But was not able to reproduce with 7.0.3 or 8.0.3 builds (currently internal).

dougm commented 3 weeks ago

Confirmed this is a known issue in 7.0.3.2 up to 8.0.2, from the upcoming KB:

Workaround: To workaround the issue you can grant non-propagating ReadOnly role to the user on the root folder. That will give access to the user to the API, without exposing any additional information.

This workaround can be applied in the UI or using govc:

govc permissions.set -principal $USERNAME@vsphere.local -role ReadOnly -propagate=false /

robinlehrmann commented 3 weeks ago

Can you also share your build number (govc about) ?

FullName: VMware vCenter Server 7.0.3 build-22837322
Name: VMware vCenter Server
Vendor: VMware, Inc.
Version: 7.0.3
Build: 22837322
OS type: linux-x64
API type: VirtualCenter
API version: 7.0.3.0
Product ID: vpx
UUID: 8897b0d7-923c-4fdd-92d5-f248d55fea61

I was able to reproduce with 8.0.2b (build 23319993), and verified the -vm.ipath workaround.

Thanks for providing the workaround 👍 I will try this out. The only problem is that there are a lot of users in the system, around 8-12k, to which I need to apply this, and I'm not sure whether it will scale well in terms of performance 😅