Open gigawhitlocks opened 8 years ago
marking medium for review of inclusion in 1.1
@dougm please could you estimate this and move it to the backlog? @karthik-narayan this is definitely aligned with the theme for 1.2 - should we add it to the project as a candidate?
I'll have a better idea when #764 is complete, as we'll need that same API endpoint to implement this. I'll give it an optimistic 3 for now.
Related to #4896 - different languages, but likely some of the same flows. So we should be able to share some knowledge here at least.
Please close #716 when this is complete.
I have worked out how to use the Issue() API to request a token and the code to unmarshal. Using the token with the LoginByToken method is more involved than expected, as it involves signing the SOAP header, which in turn involves some XML transforms/canonicalization. The Go stdlib doesn't have a way to do the transforms, but I have been looking at https://github.com/russellhaering/goxmldsig - which uses the 'etree' library to help with c14n canonicalization.
WIP is here: https://github.com/vmware/govmomi/compare/master...dougm:sts
@jonathanibers LoginByToken doesn't take any parameters (see above "signing the SOAP header").
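The shape of the signed LoginByToken request discussed above, as an added example that is not code from this thread, from govmomi or from the WIP branch. It emits the wsu:Timestamp and the SOAP Body already in Exclusive C14N layout (namespace declarations first, sorted by prefix, then attributes, no whitespace, empty elements as start/end pairs) so the SHA-256 digests it places in ds:SignedInfo are what a receiver computes after canonicalizing; that hand-rendered layout stands in for a general canonicalizer and is the example's assumption, as are the wsu:Id values, the SAMLID KeyIdentifier form for the holder-of-key reference, and the constructed stand-in assertion (a real one comes signed from the STS Issue() call).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Namespace and algorithm URIs used in the WS-Security header.
const (
	nsSOAP    = "http://schemas.xmlsoap.org/soap/envelope/"
	nsWSU     = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	nsWSSE    = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	nsDS      = "http://www.w3.org/2000/09/xmldsig#"
	excC14N   = "http://www.w3.org/2001/10/xml-exc-c14n#"
	rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	sha256URI = "http://www.w3.org/2001/04/xmlenc#sha256"
)

// Signed carries the envelope plus the pieces worth inspecting while debugging.
type Signed struct {
	Envelope, SignedInfo, SignatureValue string
	Digests                              map[string]string // wsu:Id -> base64 SHA-256
}

// digest hashes an element that is already in Exclusive C14N form (assumption:
// the strings below are hand-rendered in that form, no canonicalizer is run).
func digest(canonical string) string {
	sum := sha256.Sum256([]byte(canonical))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// canonicalTimestamp: wsu declared on the element that uses it, then wsu:Id.
func canonicalTimestamp(id, created, expires string) string {
	return `<wsu:Timestamp xmlns:wsu="` + nsWSU + `" wsu:Id="` + id + `"><wsu:Created>` +
		created + `</wsu:Created><wsu:Expires>` + expires + `</wsu:Expires></wsu:Timestamp>`
}

// canonicalBody: a parameterless LoginByToken call; declarations sort soapenv < wsu.
func canonicalBody(id string) string {
	return `<soapenv:Body xmlns:soapenv="` + nsSOAP + `" xmlns:wsu="` + nsWSU + `" wsu:Id="` + id +
		`"><LoginByToken xmlns="urn:vim25"><_this type="SessionManager">SessionManager</_this></LoginByToken></soapenv:Body>`
}

// canonicalSignedInfo lists one ds:Reference per signed wsu:Id, in the given order.
func canonicalSignedInfo(digests map[string]string, order []string) string {
	var b strings.Builder
	b.WriteString(`<ds:SignedInfo xmlns:ds="` + nsDS + `"><ds:CanonicalizationMethod Algorithm="` + excC14N +
		`"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="` + rsaSHA256 + `"></ds:SignatureMethod>`)
	for _, id := range order {
		b.WriteString(`<ds:Reference URI="#` + id + `"><ds:Transforms><ds:Transform Algorithm="` + excC14N +
			`"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="` + sha256URI +
			`"></ds:DigestMethod><ds:DigestValue>` + digests[id] + `</ds:DigestValue></ds:Reference>`)
	}
	b.WriteString(`</ds:SignedInfo>`)
	return b.String()
}

// SignLoginByToken places the assertion and a Timestamp in wsse:Security and signs
// Timestamp and Body with the holder-of-key private key (RSA-SHA256 over the
// canonical SignedInfo). Each signed element is embedded byte-for-byte as hashed.
func SignLoginByToken(priv *rsa.PrivateKey, assertion, assertionID, created, expires string) (*Signed, error) {
	ts := canonicalTimestamp("_ts", created, expires)
	body := canonicalBody("_body")
	d := map[string]string{"_ts": digest(ts), "_body": digest(body)}
	si := canonicalSignedInfo(d, []string{"_ts", "_body"})

	h := sha256.Sum256([]byte(si))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	sigB64 := base64.StdEncoding.EncodeToString(sig)

	// Assumption: KeyInfo names the assertion by ID via a SAML token profile 1.1 KeyIdentifier.
	keyInfo := `<ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsse="` + nsWSSE + `">` +
		`<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">` +
		assertionID + `</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>`
	signature := `<ds:Signature xmlns:ds="` + nsDS + `">` + si + `<ds:SignatureValue>` + sigB64 +
		`</ds:SignatureValue>` + keyInfo + `</ds:Signature>`

	env := `<soapenv:Envelope xmlns:soapenv="` + nsSOAP + `"><soapenv:Header><wsse:Security xmlns:wsse="` + nsWSSE + `">` +
		ts + assertion + signature + `</wsse:Security></soapenv:Header>` + body + `</soapenv:Envelope>`
	return &Signed{Envelope: env, SignedInfo: si, SignatureValue: sigB64, Digests: d}, nil
}

// VerifySignedInfo checks SignatureValue against the canonical SignedInfo, as a receiver would.
func VerifySignedInfo(pub *rsa.PublicKey, s *Signed) bool {
	sig, err := base64.StdEncoding.DecodeString(s.SignatureValue)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(s.SignedInfo))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the HoK assertion; a real one is issued and signed by the STS.
	assertion := `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_hok1" Version="2.0"></saml2:Assertion>`
	s, err := SignLoginByToken(priv, assertion, "_hok1", "2017-01-01T00:00:00Z", "2017-01-01T00:10:00Z")
	if err != nil {
		panic(err)
	}
	fmt.Println(s.Envelope)
}
```

The point of emitting the signed elements in canonical form up front is that the digests stay stable no matter how the envelope is later indented or re-serialized by the sender; anything that rewrites namespace placement or attribute order before transmission (a pretty-printer, an XML encoder that re-prefixes) would break the digests, which is exactly the class of problem a real canonicalizer such as the etree-based one in goxmldsig exists to absorb.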
There are C# and Java examples: https://www.vmware.com/support/developer/vc-sdk/sso-sdk/
I had tested them using:
sh ./run.sh com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample https://your-VC-address/sts/STSService/vsphere.local VC-username VC-password
Of course you can also step through with the Java debugger.
Not a requirement for 1.3, removing
The following steps must be implemented to support a Solution User:
The PSC registration command in VIC 1.3 contains code to create Solution Users for Admiral, Harbor and the VCH. However, the PSC command is written in Java, and a JVM would have to be included in the VCH or on the system where vic-machine (or vic-machine-proxy) is executed. This is extremely awkward and should be avoided. The only viable approach is to implement all the required APIs in Go, and this is a sizable amount of work.
govmomi PR: https://github.com/vmware/govmomi/pull/1064
We should be using non-password-based credentials to access vSphere for an identity that has limited authorization in vSphere #1689
The minimum we can do here is require that the viadmin obtain the token via out-of-band means and provide it to vic-machine. Preferably vic-machine can acquire the token directly.
My expectation is that this is an SSO token.
https://bugzilla.eng.vmware.com/show_bug.cgi?id=1727641