[libvirt] VMware driver: SessionIsActive API / Sessions.ValidateSession permission

Richard W.M. Jones rjones at redhat.com
Thu Feb 11 11:59:43 UTC 2016

The VMware driver currently calls the SessionIsActive API, which
requires the vCenter Sessions.ValidateSession permission.


This causes a problem that you have to give this permission to any
libvirt client accessing VMware, and you have to give it from the very
top level of vCenter, all the way down through the Cluster, Folder,
hypervisor levels.  This has caused a bit of pushback from virt-v2v
users who consider that the SessionIsActive API is an "admin" API
which they don't want to give out to roles using v2v.

Is calling SessionIsActive necessary?  From my (very limited)
understanding, it seems as if we might use 'SessionManager.
currentSession' property instead, which doesn't require admin
permissions.  Actually the code [see link above] already does this
when ctx->hasSessionIsActive is false, but that doesn't apply to
modern vCenter.

See also
which doesn't really explain why this was added.

Also, why is it even necessary to check if the session is active here?
Shouldn't we just log in unconditionally?


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

More information about the libvir-list mailing list