
[BUG] Permission Error with ContinueRetrievePropertiesEx in govc v0.37.0+ on vSphere 8.x #3455

Open
robinlehrmann opened this issue May 30, 2024 · 10 comments

Comments

@robinlehrmann

robinlehrmann commented May 30, 2024

Describe the bug
We are experiencing a permissions issue when using govc version 0.37.0 or higher with vSphere 8.x. The issue manifests as a NoPermissionFault when attempting to retrieve properties using the ContinueRetrievePropertiesEx method. This problem does not occur in govc versions prior to 0.37.0.

To Reproduce
Steps to reproduce the behavior:

Context:
The requests are executed via vm.console using the govc client.

Request (v0.37.0):

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
    <Body>
        <ContinueRetrievePropertiesEx xmlns="urn:vim25">
            <_this type="PropertyCollector">propertyCollector</_this>
            <token>3</token>
        </ContinueRetrievePropertiesEx>
    </Body>
</Envelope>

Response (v0.37.0):

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>ServerFaultCode</faultcode>
            <faultstring>Permission to perform this operation was denied.</faultstring>
            <detail>
                <NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission">
                    <object type="Folder">group-d1</object>
                    <privilegeId>System.Read</privilegeId>
                    <missingPrivileges>
                        <entity type="PropertyCollector">propertyCollector</entity>
                        <privilegeIds>System.Read</privilegeIds>
                    </missingPrivileges>
                </NoPermissionFault>
            </detail>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>

Request (v0.36.3):

<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
    <Body>
        <RetrieveProperties xmlns="urn:vim25">
            <_this type="PropertyCollector">propertyCollector</_this>
            <specSet>
                <propSet>
                    <type>Folder</type>
                    <pathSet>name</pathSet>
                    <pathSet>childType</pathSet>
                </propSet>
                <propSet>
                    <type>Datacenter</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>VirtualApp</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>VirtualMachine</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>Network</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>ComputeResource</type>
                    <pathSet>name</pathSet>
                    <pathSet>resourcePool</pathSet>
                </propSet>
                <propSet>
                    <type>ClusterComputeResource</type>
                    <pathSet>name</pathSet>
                    <pathSet>resourcePool</pathSet>
                </propSet>
                <propSet>
                    <type>Datastore</type>
                    <pathSet>name</pathSet>
                </propSet>
                <propSet>
                    <type>DistributedVirtualSwitch</type>
                    <pathSet>name</pathSet>
                </propSet>
                <objectSet>
                    <obj type="Folder">group-v74340</obj>
                    <skip>true</skip>
                    <selectSet xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance"
                               XMLSchema-instance:type="TraversalSpec">
                        <type>Folder</type>
                        <path>childEntity</path>
                        <skip>false</skip>
                    </selectSet>
                </objectSet>
            </specSet>
        </RetrieveProperties>
    </Body>
</Envelope>

Response (v0.36.3):

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Body>
        <RetrievePropertiesResponse xmlns="urn:vim25">
            <returnval>
                <obj type="VirtualMachine">vm-74345</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC01</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74347</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC03</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74346</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-W11-PC02</val>
                </propSet>
            </returnval>
            <returnval>
                <obj type="VirtualMachine">vm-74343</obj>
                <propSet>
                    <name>name</name>
                    <val xsi:type="xsd:string">vm-bbcag-prd-Allgemein-9apce-p-bz2k3-FIREWALL</val>
                </propSet>
            </returnval>
        </RetrievePropertiesResponse>
    </soapenv:Body>
</soapenv:Envelope>

Expected behavior
The response should not show any permission issues. Maybe deactivate the ContinueRetrievePropertiesEx request, or make it optional via an option in the vm.console command.

Affected version
vSphere 8.x
govc version 0.37.0 or higher

In vSphere 7.x it's still working on every version as expected, but the "ContinueRetrievePropertiesEx" requests will not be performed.

Additional context
The issue seems related to the ContinueRetrievePropertiesEx feature, which starts an active session to retrieve further PropertyCollections.
In previous versions (up to v0.36.3), the RetrieveProperties method is used instead, and it works without issues.

Roles and Permissions
When listing roles using govc role ls, the following are returned:

System.Anonymous
System.Read
System.View
VirtualMachine.Interact.ConsoleInteract
VirtualMachine.Interact.DeviceConnection
VirtualMachine.Interact.DnD
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Suspend


Setting System.Anonymous Permission: It has been suggested that setting System.Anonymous permission might resolve the issue, but all required permissions are already set, and the issue persists.

Deactivating ContinueRetrievePropertiesEx: If there is a way to disable ContinueRetrievePropertiesEx and revert to the previous method, this might resolve the issue.

How can we activate the necessary permissions to avoid the NoPermissionFault when using ContinueRetrievePropertiesEx?
Is there a way to completely disable ContinueRetrievePropertiesEx and use the older method (RetrieveProperties)?
Please look into this issue and provide guidance on how to proceed. Any help would be greatly appreciated.

Thank you!
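The NoPermission fault above is the thing to pattern-match when triaging this: the server evaluated the root folder (group-d1) and reports System.Read missing on the PropertyCollector. As an added example (not govmomi or govc code, and not part of the report), the following Go program uses only encoding/xml to parse a vim25 SOAP response, distinguish a normal response from a fault, and pull the missing privilege/entity pairs out of a NoPermissionFault. The two embedded documents are copies of the responses posted above, trimmed to their essentials; the `DiagnoseFault` function, the `PermissionProblem` type and the `KnownPattern` heuristic (System.Read on PropertyCollector, the signature from this report) are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample: the NoPermission fault from the report, with
// indentation removed. Only the elements the diagnosis needs are modelled.
const faultResponse = `<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><soapenv:Fault>
<faultcode>ServerFaultCode</faultcode>
<faultstring>Permission to perform this operation was denied.</faultstring>
<detail><NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission">
<object type="Folder">group-d1</object>
<privilegeId>System.Read</privilegeId>
<missingPrivileges>
<entity type="PropertyCollector">propertyCollector</entity>
<privilegeIds>System.Read</privilegeIds>
</missingPrivileges>
</NoPermissionFault></detail>
</soapenv:Fault></soapenv:Body></soapenv:Envelope>`

// Constructed sample: a successful RetrievePropertiesResponse in the shape of
// the v0.36.3 response above, shortened to a single returnval.
const successResponse = `<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><RetrievePropertiesResponse xmlns="urn:vim25">
<returnval><obj type="VirtualMachine">vm-74345</obj>
<propSet><name>name</name><val xsi:type="xsd:string">example-vm</val></propSet>
</returnval></RetrievePropertiesResponse></soapenv:Body></soapenv:Envelope>`

// moRef is a managed object reference: type attribute plus the id in the text.
type moRef struct {
	Type  string `xml:"type,attr"`
	Value string `xml:",chardata"`
}

func (r moRef) String() string { return r.Type + ":" + r.Value }

type missingPrivilege struct {
	Entity       moRef    `xml:"entity"`
	PrivilegeIDs []string `xml:"privilegeIds"`
}

type noPermissionFault struct {
	Object            moRef              `xml:"object"`
	PrivilegeID       string             `xml:"privilegeId"`
	MissingPrivileges []missingPrivilege `xml:"missingPrivileges"`
}

// envelope matches on local names only, so the soapenv: prefix and the
// urn:vim25 default namespace do not need to be declared here.
type envelope struct {
	XMLName     xml.Name           `xml:"Envelope"`
	FaultCode   string             `xml:"Body>Fault>faultcode"`
	FaultString string             `xml:"Body>Fault>faultstring"`
	NoPerm      *noPermissionFault `xml:"Body>Fault>detail>NoPermissionFault"`
}

// PermissionProblem is the diagnosis extracted from a NoPermission fault.
type PermissionProblem struct {
	Object  string   // object the server evaluated, e.g. "Folder:group-d1"
	Missing []string // "<privilege> on <type>:<id>" for every reported gap
	// KnownPattern: System.Read missing on the PropertyCollector, the signature
	// seen in this report. A heuristic of this example, not a vim25 concept.
	KnownPattern bool
}

// DiagnoseFault inspects a vim25 SOAP response body. It returns (nil, nil) for
// a normal response, a *PermissionProblem for a NoPermission fault, and an
// error for malformed XML or a fault of any other kind.
func DiagnoseFault(body []byte) (*PermissionProblem, error) {
	var env envelope
	if err := xml.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("parse response: %w", err)
	}
	if env.FaultCode == "" {
		return nil, nil // not a fault
	}
	if env.NoPerm == nil {
		return nil, fmt.Errorf("%s: %s", env.FaultCode, env.FaultString)
	}
	p := &PermissionProblem{Object: env.NoPerm.Object.String()}
	for _, mp := range env.NoPerm.MissingPrivileges {
		for _, id := range mp.PrivilegeIDs {
			p.Missing = append(p.Missing, id+" on "+mp.Entity.String())
			if mp.Entity.Type == "PropertyCollector" && id == "System.Read" {
				p.KnownPattern = true
			}
		}
	}
	return p, nil
}

func main() {
	for _, body := range []string{faultResponse, successResponse} {
		p, err := DiagnoseFault([]byte(body))
		switch {
		case err != nil:
			fmt.Println("error:", err)
		case p == nil:
			fmt.Println("response ok, no fault")
		default:
			fmt.Printf("denied on %s; missing %v; known PropertyCollector pattern: %v\n",
				p.Object, p.Missing, p.KnownPattern)
		}
	}
}
```

Running it against the fault prints the root folder as the evaluated object and a single gap, System.Read on PropertyCollector:propertyCollector; the success document yields no fault. The entity in missingPrivileges, not the object, is what tells you that a non-propagating ReadOnly grant on the root is the minimal fix rather than broader privileges on the folder tree.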

Contributor

Howdy 🖐 robinlehrmann! Thank you for your interest in this project. We value your feedback and will respond soon.

If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.

@dougm
Member

dougm commented Jun 4, 2024

Thanks for the detailed report @robinlehrmann
I was not aware of this behavior, but will work on reproducing + fixing. In the meantime, a possible workaround would be to specify -vm.ipath, which uses the SearchIndex rather than the PropertyCollector:

govc vm.console -vm.ipath /Datacenter-Name/vm/VM-Name

@dougm
Member

dougm commented Jun 5, 2024

Can you also share your build number (govc about)?

I was able to reproduce with 8.0.2b (build 23319993), and verified the -vm.ipath workaround.

But I was not able to reproduce with 7.0.3 or 8.0.3 builds (currently internal).

@dougm
Member

dougm commented Jun 5, 2024

Confirmed this is a known issue 7.0.3.2 up to 8.0.2, from the upcoming KB:

Workaround: To work around the issue you can grant a non-propagating ReadOnly role to the user on the root folder.
That will give access to the user to the API, without exposing any additional information.

This workaround can be applied in the UI or using govc:

govc permissions.set -principal [email protected] -role ReadOnly -propagate=false /

@robinlehrmann
Author

Can you also share your build number (govc about) ?

FullName: VMware vCenter Server 7.0.3 build-22837322
Name: VMware vCenter Server
Vendor: VMware, Inc.
Version: 7.0.3
Build: 22837322
OS type: linux-x64
API type: VirtualCenter
API version: 7.0.3.0
Product ID: vpx
UUID: 8897b0d7-923c-4fdd-92d5-f248d55fea61

I was able to reproduce with 8.0.2b (build 23319993), and verified the -vm.ipath workaround.

Thanks for providing the workaround 👍 I will try this out.
The only problem is that there are a lot of users in the system, around 8-12k, for whom I need to apply this, and I'm not sure if this will scale well in terms of performance 😅

Contributor

github-actions bot commented Sep 5, 2024

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

@robinlehrmann
Author

robinlehrmann commented Sep 13, 2024

The issue is still there; the workaround will not help if there are a lot of users in the system.

@robinlehrmann
Author

/remove-lifecycle stale

@dougm
Member

dougm commented Sep 26, 2024

The issue is still there

@robinlehrmann can you clarify, have you upgraded vCenter to include the fix? If so, please include current build number (govc about)

Contributor

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.
