[libvirt] VMware driver: SessionIsActive API / Sessions.ValidateSession permission
Richard W.M. Jones
rjones at redhat.com
Thu Feb 11 11:59:43 UTC 2016
The VMware driver currently calls the SessionIsActive API, which
requires the vCenter Sessions.ValidateSession permission.
https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/esx/esx_vi.c;h=af822b14cfc5ba93c9c2ab4dfa2cb72a23a74a1a;hb=HEAD#l2068
This causes a problem that you have to give this permission to any
libvirt client accessing VMware, and you have to give it from the very
top level of vCenter, all the way down through the Cluster, Folder,
hypervisor levels. This has caused a bit of pushback from virt-v2v
users who consider that the SessionIsActive API is an "admin" API
which they don't want to give out to roles using v2v.
Is calling SessionIsActive necessary? From my (very limited)
understanding, it seems as if we might use 'SessionManager.
currentSession' property instead, which doesn't require admin
permissions. Actually the code [see link above] already does this
when ctx->hasSessionIsActive is false, but that doesn't apply to
modern vCenter.
See also
https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=5699034b65afd49d91dff13c46481bea545cbaac
which doesn't really explain why this was added.
Also, why is it even necessary to check if the session is active here?
Shouldn't we just log in unconditionally?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
More information about the libvir-list
mailing list