vmware / vic

vSphere Integrated Containers Engine is a container runtime for vSphere.
http://vmware.github.io/vic

vCenter API client SSO authentication support #766

Open gigawhitlocks opened 8 years ago

gigawhitlocks commented 8 years ago

We should be using non-password-based credentials to access vSphere for an identity that has limited authorization in vSphere #1689

The minimum we can do here is require that the viadmin obtain the token via out-of-band means and provide it to vic-machine. Preferably vic-machine can acquire the token directly.

My expectation is that this is an SSO token.

https://bugzilla.eng.vmware.com/show_bug.cgi?id=1727641

mdubya66 commented 7 years ago

marking medium for review of inclusion in 1.1

hickeng commented 7 years ago

@dougm please could you estimate this and move it to the backlog? @karthik-narayan this is definitely aligned with the theme for 1.2 - should we add it to the project as a candidate?

dougm commented 7 years ago

I'll have a better idea when #764 is complete, as we'll need that same API endpoint to implement this. I'll give it an optimistic 3 for now.

dougm commented 7 years ago

STS API docs are here: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.ssosdk.pg.doc/sso_pg_reference.4.2.html

dougm commented 7 years ago

Related to #4896 - different languages, but likely some of the same flows. So we should be able to share some knowledge here at least.

hickeng commented 7 years ago

Please close #716 when this is complete.

dougm commented 7 years ago

I have worked out how to use the Issue() API to request a token and the code to unmarshal. Using the token with the LoginByToken method is more involved than expected, as it involves signing the SOAP header, which in turn involves some XML transforms/canonicalization. The Go stdlib doesn't have a way to do the transforms, but I have been looking at https://github.com/russellhaering/goxmldsig - which uses the 'etree' library to help with c14n canonicalization.

WIP is here: https://github.com/vmware/govmomi/compare/master...dougm:sts
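As an added example (not code from this issue, govmomi or the WIP branch), the unmarshal step described above: parsing the WS-Trust reply to Issue() and checking the SAML Conditions window before the assertion is placed in the Security header. The response is constructed for this example, omits the Signature a real STS returns, and the struct tags match local names only so the prefixes a server chooses do not matter.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Subset of the WS-Trust 1.4 reply to Issue(). Tags use local names only, so the
// wst/saml2 prefixes the server chooses do not matter to encoding/xml.
type rstrCollection struct {
	XMLName xml.Name `xml:"RequestSecurityTokenResponseCollection"`
	Token   struct {
		Raw       string `xml:",innerxml"` // assertion bytes that later go into the Security header
		Assertion struct {
			ID         string `xml:"ID,attr"`
			Conditions struct {
				NotBefore    string `xml:"NotBefore,attr"`
				NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			} `xml:"Conditions"`
		} `xml:"Assertion"`
	} `xml:"RequestSecurityTokenResponse>RequestedSecurityToken"`
}
// TokenInfo is what a caller needs to check before using the token with LoginByToken.
type TokenInfo struct {
	ID, RawAssertion        string
	NotBefore, NotOnOrAfter time.Time
}
func ParseIssueResponse(body []byte) (TokenInfo, error) {
	var c rstrCollection
	if err := xml.Unmarshal(body, &c); err != nil {
		return TokenInfo{}, err
	}
	a := c.Token.Assertion
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if a.ID == "" || err1 != nil || err2 != nil {
		return TokenInfo{}, fmt.Errorf("no assertion or bad Conditions: %v %v", err1, err2)
	}
	return TokenInfo{a.ID, c.Token.Raw, nb, na}, nil
}
// ValidAt applies SAML 2.0 semantics: NotBefore is inclusive, NotOnOrAfter is exclusive.
func ValidAt(t TokenInfo, now time.Time) bool { return !now.Before(t.NotBefore) && now.Before(t.NotOnOrAfter) }

// SampleResponse is constructed for this example; a real STS reply also carries a Signature.
const SampleResponse = `<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken><saml2:Assertion ID="_constructed-id" Version="2.0">
<saml2:Conditions NotBefore="2017-09-20T21:07:33Z" NotOnOrAfter="2017-09-20T21:38:03Z"/>
</saml2:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>`
func main() { fmt.Println(ParseIssueResponse([]byte(SampleResponse))) }
```

The raw assertion still has to be signed into the SOAP header (the c14n step discussed above) before LoginByToken will accept it; this block only covers what can be checked offline.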

dougm commented 6 years ago

@jonathanibers LoginByToken doesn't take any parameters (see above "signing the SOAP header").

There are C# and Java examples: https://www.vmware.com/support/developer/vc-sdk/sso-sdk/

I had tested them using:

sh ./run.sh com.vmware.sso.client.samples.AcquireHoKTokenByUserCredentialSample https://your-VC-address/sts/STSService/vsphere.local VC-username VC-password

Of course you can also step through with the Java debugger.

mdubya66 commented 6 years ago

Not a requirement for 1.3, removing

lcastellano commented 6 years ago

The following steps must be implemented to support a Solution User:

The PSC registration command in VIC 1.3 contains code to create Solution Users for Admiral, Harbor and the VCH. However, the PSC command is written in Java and a JVM would have to be included in the VCH or the system where vic-machine (or vic-machine-proxy) is executed. This is extremely awkward and should be avoided. The only viable approach is to implement all the required APIs in GOLANG and this is a sizable amount of work.

dougm commented 6 years ago

govmomi PR: https://github.com/vmware/govmomi/pull/1064