Hazenet
Enthusiast
Enthusiast

vAPI Plugin - "This method requires authentication" error

Jump to solution

Hi

I have previously used the vAPI Plugin to do vCenter tags (properly against a vCenter 6.0) at one of my customers.

Now at another customer I am having issues with the vAPI Plugin and authentication.

I am running:
vRO 7.3.0.5481809 (Embedded in vRA 7.3)

vCenter Server 6.5.0.5973321

vAPI Plugin 7.4.0.5546687 (from here: Technical Preview version of VMware vRealize Orchestrator plug-in for vAPI))

I have added the vAPI Endpoint and vAPI Metamodel, and the objects are shown in the Inventory.
I can see all the scripting classes and methods related to vAPI in the API Explorer"List all tagging categories" I get the following error:

com.vmware.vapi.std.errors.unauthenticated => {data=<unset>, messages=[com.vmware.vapi.std.localizable_message => {args=[], default_message=This method requires authentication., id=vapi.method.authentication.required}]} (Workflow:List all tagging categories / Scriptable task (item1)#7)

If I duplicate the "List all tagging categories" workflow, and modify it, so that the line:

var client = endpoint.client();

Becomes:

var client = endpoint.client(myUsername, myPassowrd);

The workflow works.

So it seems as if the "session" created when adding the vAPI Endpoint / vAPI Metamodel, is not stored or at least not used.

Any way to get this to work properly, so I don't have to pass the username and password, to every workflow that needs to use the vAPI Plugin?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Hazenet
Enthusiast
Enthusiast

Problem found.

The VAPI:VAPIEndpoint has a attribute "password", which if sent to System.log will show you the password used while configuring the Endpoint (and in my case also the MetaModel).

The problem is if you provide a wrong password, vRO and vAPI Plugin happily adds the VAPI:VAPIEndpoint to the Inventory with these wrong credentials.

So the vAPI Plugin does zero test/checks/validation on these provided credentials.

But when you later tries to use these "stored" credentials for an actual task against the VAPI:VAPIEndpoint it will failed with the shown error message, as you are not authenticated (correctly that is).

So would have been nice, if the VAPIManager when doing addEndpoint and importMetamodel methods actually tested the provided credentials.

View solution in original post

0 Kudos
4 Replies
iiliev
VMware Employee
VMware Employee

Hi,

There is no session created when importing a metamodel or adding an endpoint that is supposed to be used later by vAPI calls. There was a problem with propagation of authentication info, but this is supposedly fixed in this vAPI plug-in build.

I'll take a look at this particular workflow. Meantime, when you ran the workflows for importing a metamodel and adding an endpoint, did you provide user credentials (myUsername/myPassword) in both of the workflows, or only in one of them?

0 Kudos
Hazenet
Enthusiast
Enthusiast

Session might not be the right word. But It should "store" the credentials and use them, when ever a method is called for that vAPIEndpoint.

I am using the same workflows that have worked on previous versions of the vAPI Plugin.

My "configuration" workflow using the following to configure the vAPIEndpoint and import the MetaModel

endpointUrl = "https://" + endpointFQDN + "/api";

var endpoint = VAPIManager.addEndpoint(endpointUrl, useSecureConnection, username, password);

VAPIManager.importMetamodel(endpointUrl, useSecureConnection, username, password);

Username is provided in "UPN" format, like "service-account@mydomain.local"

The service-account is given full Administrator permissions in vCenter.

If I login to vCenter UI, I can browse, create and delete Tags and Tag Categories.

If I provide the credentials directly (after the Endpoint and Metamodel have been added, with credentials) like stated in the original post, it works.
But that was not needed in the older versions of vAPI, and from my point of view should not be need.

0 Kudos
Hazenet
Enthusiast
Enthusiast

Problem found.

The VAPI:VAPIEndpoint has a attribute "password", which if sent to System.log will show you the password used while configuring the Endpoint (and in my case also the MetaModel).

The problem is if you provide a wrong password, vRO and vAPI Plugin happily adds the VAPI:VAPIEndpoint to the Inventory with these wrong credentials.

So the vAPI Plugin does zero test/checks/validation on these provided credentials.

But when you later tries to use these "stored" credentials for an actual task against the VAPI:VAPIEndpoint it will failed with the shown error message, as you are not authenticated (correctly that is).

So would have been nice, if the VAPIManager when doing addEndpoint and importMetamodel methods actually tested the provided credentials.

0 Kudos
Mikael_8313
Contributor
Contributor

Hello,

I have the same issue actually with vCenter 6.0 and vRO 7.3 the VAPIEndpoint is failed. I try to remove Metamodel and Endpoint but now I have the same message

2018-02-21 14:20:17.227+0100 [WorkflowExecutorPool-Thread-10] ERROR {administrator@vsphere.local:Associate vSphere tag to VM:3bdcee06-b111-4b23-94aa-1fa11376f5c0:token=ff80808161b450490161b87a74110080} [SCRIPTING_LOG] [Associate vSphere tag to VM (2/21/18 14:08:08)] com.vmware.vapi.std.errors.internal_server_error => {data=<unset>, messages=[com.vmware.vapi.std.localizable_message => {args=[Rejecting login on a session where login failed], default_message=Provider method implementation threw unexpected exception: Rejecting login on a session where login failed, id=vapi.bindings.method.impl.unexpected}]} (Workflow:Associate vSphere tag to VM / Scriptable task (item1)#16)

I don't understand why in the first line "administrator@vsphere.local" while our login administrator is administrator.tl.bridge

The endpoint and the metamodel is configured by username : administrator@tl.bridge

Thanks you all

Mikael

0 Kudos