VMware Cloud Community
shuguet
Enthusiast

Kerberos "pass-through" authentication with vCO REST API

Hello,

I'm trying to build a simple client around our vCO workflows to give to our system teams.

I will be using the REST API to launch workflows from Python (Linux client) and PowerShell (Windows Client).

Most of the work will be done by vCO, to have a common interaction.

I know how to access and use the REST API, and my clients are working fine with Basic Authentication, but I want to be able to use Kerberos to authenticate my users (even my Linux users have Kerberos tickets) and remove the need for them to authenticate each time they run the vCO client.

With PowerShell I'm using Invoke-WebRequest with "-UseDefaultCredentials", and with Python I'm using the "Requests" lib, which supports Kerberos.

What I cannot get to work is Kerberos authentication.

Is this possible?

Could it be implemented if it's not already?

Thanks,

Sylvain.

Sylvain Huguet vExpert 2014, 2013, 2012 & 2011 VCP4&5/VTSP4/VSP4&5 Nutanix NPP/NPSE/NPSR
0 Kudos
5 Replies
shuguet
Enthusiast

No idea on this one?

To go at the problem from a different angle, is there a vCO CLI client that is simple enough to be used by non-VI admins (think L1/L2 sysadmins)?

0 Kudos
cdecanini_
VMware Employee

Typically the vSphere admins add vCO workflows to the vSphere web client so these can be used by the operators.

vCO only supports basic & SSO auth, but I have never seen anyone manage to use the SSO auth from a scripting language. I think that the SSO auth is mainly consumed using the Java and .NET SDKs for SSO.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
shuguet
Enthusiast

In this particular case (very large/Fortune 500 customer) the systems administrators (Windows / UNIX & Linux) are managing both physical and virtual systems.

There is a team dedicated only to the virtual infrastructure layer (hypervisors & virtual machine layer, but not the OSes inside).

The need is for this team to give access to some vCO workflows to the sysadmins, without the need for the web client/vSphere client or weboperator view, which many of these sysadmins would not have open on a daily basis (especially the UNIX team, which prefers all things CLI).

I agree it may not be a wide use case, but having a simple, multi-OS, CLI client to launch WFs would be great.

Also, Kerberos auth is something that most companies can use out of the box because of Active Directory.

Combining the 2 would make a great tool, very easy to use.

0 Kudos
cdecanini_
VMware Employee

There is a vCO CLI on labs.vmware.com but it is aimed at the workflow developer.

At some point I knew someone who had started a PowerShell module for vCO, but it was never released.

There is also an open source pyvCO, but it looks like it has not been updated in years.

You can also use vCO using curl on the command line, but then you have to understand how to pass parameters back & forth. Here is a good blog article covering the REST API: How to use the REST API to Start a Workflow

0 Kudos
shuguet
Enthusiast

Christophe, I have the skeleton of a vCO CLI client in Bash with cURL that is working :)

I switched to Python because of the way the vCO REST API works:

You have to POST the workflow execution parameters and get the token from the "Location" header of the reply.

Then you need to GET the token URL until its state goes to "completed" and then read the "output-parameters" you want.

I would have used the cURL approach if, instead of all the above process, the POST request had been "blocking" until the end (with or without error) of the execution token and had returned the output-parameters.

But anyway, cURL/Python/PowerShell or any other language/pre-packaged, third-party or VMware provided client, all of that will not do me any good without the Kerberos authentication on the REST API connection point on the vCO side :'(

Sylvain.

0 Kudos
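The POST-then-poll sequence described in the last post, as an added Python example that is not code from the thread or from VMware. It also refuses a "Location" token URL that leaves the HTTPS origin (the session's credentials would be replayed to it) and bounds the polling; the `workflows/<id>/executions` path and the `failed`/`canceled` states are assumptions, and `session` is any `requests.Session`-like object the caller has configured.

```python
import time
from urllib.parse import urljoin, urlsplit

# Assumed terminal failure states; the thread itself only names "completed".
FAILED_STATES = {"failed", "canceled"}


def same_origin(a, b):
    """True when both URLs share scheme, host and port."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def run_workflow(session, base_url, workflow_id, body,
                 timeout=300, interval=2, sleep=time.sleep):
    """POST the execution parameters, poll the token URL, return "output-parameters".

    session: requests.Session-like object with auth and TLS verification set
    by the caller. The executions path below is an assumption about the server.
    """
    start_url = urljoin(base_url.rstrip("/") + "/",
                        f"workflows/{workflow_id}/executions")
    resp = session.post(start_url, json=body, timeout=30)
    resp.raise_for_status()
    location = resp.headers.get("Location")
    if not location:
        raise RuntimeError("reply carried no Location header")
    token_url = urljoin(start_url, location)  # also resolves a relative Location
    # The session's credentials go to token_url on every poll, so it must stay
    # on the same HTTPS origin as the endpoint the caller chose.
    if urlsplit(token_url).scheme != "https" or not same_origin(start_url, token_url):
        raise RuntimeError(f"refusing to poll off-origin token URL: {token_url}")
    waited = 0
    while True:
        poll = session.get(token_url, timeout=30)
        poll.raise_for_status()
        doc = poll.json()
        state = doc.get("state")
        if state == "completed":
            return doc.get("output-parameters", [])
        if state in FAILED_STATES:
            raise RuntimeError(f"workflow execution ended in state {state!r}")
        if waited >= timeout:
            raise TimeoutError(f"execution still {state!r} after {waited}s")
        sleep(interval)
        waited += interval
```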