Closed VedaNiks closed 1 week ago
@DanielDraganov Can you please let me know if adding support for communication with vCenter Server via a Kerberos authenticated proxy server is possible? We need to plan the release for our product, which needs this functionality.
I could debug this issue and found the root cause. pyVmomi connects to vCenter Server twice:

1. `__FindSupportedVersion` method, that returns the most preferred API version supported by the specified server
2. `Connect` method, that logs in and returns the service instance object.

For each of these connections to pass through the Kerberos authenticated proxy server, a new `Proxy-Authorization` header is needed.

We will need to modify the `SmartConnect` method to allow multiple `Proxy-Authorization` headers. I have created a new method [since we'll need 2 custom headers]
```python
def SmartConnectKerberosProxy(protocol='https',
                              host='localhost',
                              port=443,
                              user='root',
                              pwd='',
                              service="hostd",
                              path="/sdk",
                              preferredApiVersions=None,
                              keyFile=None,
                              certFile=None,
                              httpProxyHost=None,
                              httpProxyPort=80,
                              thumbprint=None,
                              sslContext=None,
                              httpConnectionTimeout=None,
                              connectionPoolTimeout=CONNECTION_POOL_IDLE_TIMEOUT_SEC,
                              token=None,
                              tokenType=None,
                              disableSslCertValidation=False,
                              customHeaders=[],
                              # Deprecated
                              b64token=None,
                              # Deprecated
                              mechanism='userpass'):
    """
    Determine the most preferred API version supported by the specified server,
    then connect to the specified server using that API version, login and return
    the service instance object.

    Throws any exception back to caller. The service instance object is
    also saved in the library for easy access.

    Clients should modify the service parameter only when connecting to
    a VMOMI server other than hostd/vpxd. For both of the latter, the
    default value is fine.

    @param protocol: What protocol to use for the connection (e.g. https or http).
    @type  protocol: string
    @param host: Which host to connect to.
    @type  host: string
    @param port: Port
    @type  port: int
    @param user: User
    @type  user: string
    @param pwd: Password
    @type  pwd: string
    @param service: Service
    @type  service: string
    @param path: Path
    @type  path: string
    @param preferredApiVersions: Acceptable API version(s) (e.g. vim.version.version9)
                                 If a list of versions is specified the versions should
                                 be ordered from most to least preferred. If None is
                                 specified, the list of versions support by pyVmomi will
                                 be used.
    @type  preferredApiVersions: string or string list
    @param keyFile: ssl key file path
    @type  keyFile: string
    @param certFile: ssl cert file path
    @type  certFile: string
    @param httpProxyHost The host name of the proxy server.
    @type  httpProxyHost: string
    @param httpProxyPort The proxy server port.
    @type  httpProxyPort: string
    @param thumbprint: host cert thumbprint
    @type  thumbprint: string
    @param sslContext: SSL Context describing the various SSL options. It is only
                       supported in Python 2.7.9 or higher.
    @type  sslContext: SSL.Context
    @param httpConnectionTimeout: Timeout in secs for http requests.
    @type  httpConnectionTimeout: int
    @param connectionPoolTimeout: Timeout in secs for idle connections to close, specify
                                  negative numbers for never closing the connections
    @type  connectionPoolTimeout: int
    @type  token: string
    @param token: Authentication and Authorization token to use for the connection.
                  The presence of this token overrides the user and pwd parameters.
    @type  disableSslCertValidation: bool
    @param disableSslCertValidation: Creates an unverified SSL context when True.
    @type  customHeaders: array
    @param customHeaders: Array of dictionaries with custom HTTP headers.
    @param b64token: base64 encoded token
                     *** Deprecated: Use token instead ***
    @type  b64token: string
    @param mechanism: authentication mechanism: userpass or sspi
                      *** Deprecated: Use tokenType instead ***
    @type  mechanism: string
    """
    if len(customHeaders) < 2:
        raise Exception("At least 2 Proxy-authorization headers are needed"
                        " to connect via Kerberos authenticated proxy server.")

    if preferredApiVersions is None:
        preferredApiVersions = GetServiceVersions('vim25')

    sslContext = getSslContext(host, sslContext, disableSslCertValidation)

    # First connection (API version probe) uses the first header set.
    supportedVersion = __FindSupportedVersion(protocol, host, port, path,
                                              preferredApiVersions, sslContext,
                                              httpProxyHost, httpProxyPort,
                                              customHeaders[0])
    if supportedVersion is None:
        raise Exception("{0}:{1} is down or is not a VIM server"
                        .format(host, port))

    portNumber = protocol == "http" and -int(port) or int(port)

    # Second connection (login) uses the second header set.
    return Connect(host=host,
                   port=portNumber,
                   user=user,
                   pwd=pwd,
                   service=service,
                   adapter='SOAP',
                   version=supportedVersion,
                   path=path,
                   keyFile=keyFile,
                   certFile=certFile,
                   httpProxyHost=httpProxyHost,
                   httpProxyPort=httpProxyPort,
                   thumbprint=thumbprint,
                   sslContext=sslContext,
                   httpConnectionTimeout=httpConnectionTimeout,
                   connectionPoolTimeout=connectionPoolTimeout,
                   token=token,
                   tokenType=tokenType,
                   disableSslCertValidation=disableSslCertValidation,
                   customHeaders=customHeaders[1],
                   b64token=b64token,
                   mechanism=mechanism)
```
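One way a caller could build the two per-connection header sets that `SmartConnectKerberosProxy` above expects, shown as an added example that is not code from this thread or from pyVmomi. It assumes the python-gssapi package, a valid Kerberos ticket cache and a proxy service principal of the form `HTTP@<proxy host>`; `negotiate_token` and `proxy_auth_headers` are hypothetical helper names.

```python
import base64


def negotiate_token(proxy_host):
    """Return a fresh base64 SPNEGO token for HTTP@proxy_host.

    Assumption: python-gssapi is installed and the caller holds a valid TGT.
    The import is local so the header logic below can be exercised without it.
    """
    import gssapi

    spnego = gssapi.OID.from_int_seq("1.3.6.1.5.5.2")
    name = gssapi.Name("HTTP@" + proxy_host,
                       gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=name, mech=spnego, usage="initiate")
    return base64.b64encode(ctx.step()).decode("ascii")


def proxy_auth_headers(proxy_host, count=2, token_source=negotiate_token):
    """Build one Proxy-Authorization header dict per outgoing connection.

    Each connection gets its own token from token_source. A repeated token
    is treated as an error so one header is never sent on two connections.
    """
    headers, seen = [], set()
    for _ in range(count):
        token = token_source(proxy_host)
        if token in seen:
            raise ValueError("token source returned a repeated token")
        seen.add(token)
        # Treat the header value as a credential: keep it out of logs.
        headers.append({"Proxy-Authorization": "Negotiate " + token})
    return headers
```

The returned list would be passed as `customHeaders`, so index 0 serves the version probe and index 1 the login connection.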
Hello, With the latest major release of pyVmomi the connection logic was simplified and streamlined. However, this does not affect the Kerberos usage with the provided code sample. It's not clear if this specific use case requirement comes from Kerberos or from requests-kerberos but nevertheless this is not a pyVmomi related issue. Another workaround is to use Connect() instead of the SmartConnect() wrapper and provide a static version. It's enough for most of the use cases.
Is your feature request related to a problem? Please describe.
I need to communicate with vCenter Server and all the traffic goes through a Kerberos authenticated proxy server. I am not able to authenticate the proxy server using the `Proxy-Authorization` header. I am using below code:
I see below exception:
I see below messages in the proxy logs:
pyVmomi connects to vCenter Server 2 times.
First time here: https://github.com/vmware/pyvmomi/blob/f0fe4e279cebdfdbca5bfce699063d15b1d3bd1d/pyVim/connect.py#L663
Second time here: https://github.com/vmware/pyvmomi/blob/f0fe4e279cebdfdbca5bfce699063d15b1d3bd1d/pyVmomi/SoapAdapter.py#L1533
It seems that first request is passing and second request is failing. I am not sure why that is happening.
Describe the solution you'd like
I would like to know what I am doing wrong and any WAR to solve it? Is it even possible to connect to vCenter Server via a Kerberos authenticated proxy server using pyVmomi? I am trying to register/unregister a plugin on vCenter Server.
Describe alternatives you've considered
No response
Additional context
No response