VMware Cloud Community
harshstar121
Contributor
Contributor

vRO/vCO : Authentication Token expire for all Scheduled Tasks in vro

Hi All

Each time i create a scheduled task it works for some time (a month may be) then it show authentication expire warning in vro. After that I need to manually set the credential every time.

pastedImage_0.png

I tried to prepare the script which can show at least error or something but it didn't work

var tasks = Server.findAllForType('Task');

for each (var task in tasks) {

    System.log(task.error);

}

Is there any way to prepare a vro script which can monitor these tasks?

stevedrummond

iiliev

Thanks in advance

Tags (2)
Reply
0 Kudos
5 Replies
iiliev
VMware Employee
VMware Employee

Hi,

When you create a scheduled task, vRO server obtains a token from the authentication provider on behalf of the user, and stores this token together with the task. Periodically, the token is checked and renewed in case it is about to expire.

Now, the problem is that most authentication providers allow a limited number of renewals for a given token, due to security reasons. Once we reach this limit, the token cannot be renewed anymore, and will eventually expire. An option would be to change scheduling logic to keep user credentials instead of authentication token, but that's also not ideal from security point of view.

At the moment, there is no scripting API to monitor this expiration/renewal process.

Reply
0 Kudos
MaxB
Enthusiast
Enthusiast

Hi,

I expirenced the same issue today. 

Is there any other option for monitoring the expiration/expired state of a token? e.g. vRLI ? 

TomJPie
Contributor
Contributor

It seems like this issue is possibly still present even in v8, although it's in a worse state since there's no java client and zero visible indicators it's happening in the web UI - other than the scheduled tasks just not running at all.

In all honestly, this is TERRIBLE and it's more than enough alone to make us consider switching platform.

Lets face it, there's a million applications out there with schedulers built in that handle this scenario just fine, it appears to me that whatever issue is being described by iiliev is simply an architecture/design flaw on the part of VMWare. Sure it may explain why it's occurring, but it shouldn't occur full stop.

This application could be used for potentially critical and impacting jobs, so it needs to have a reliable way to schedule jobs long term. It should have been designed in a way that scheduled jobs could for example be run in a system context, or just some other way altogether that doesn't rely on expiring tokens that have a limit for renewal.

MaxB
Enthusiast
Enthusiast

VMware tried to fix it for vRO deployments with vRA authentication provider in version 8.6.: Set Scheduled Task and Policy Authentication Token Renewal Property (vmware.com)

I couldn´t verify it because I use vCenter authentication... already asked for implementation of this feature for vCenter authentication. 

May you have vRA deployment and it will help you... 

mbrkic
Hot Shot
Hot Shot

Yes, the fact that it is not at all visible now makes this an even bigger issue.

I have a workflow that resubmits a scheduled task (based on taskID) with the same recurrence and parameters that I use to recreate the ones that start not running, once they are identified (typically through the end user complaint when they don't run). Unfortunately, there is no way that I know to automatically recognize scheduled tasks in this state. They still show as 'pending' not 'error' or any other status.

The other 'would be nice' is if the recurrence settings were obtainable from the scripting objects. Right now one has to register the vRO as a REST host and retrieve the task info from that REST host through an API call to get the recurrence settings for the tasks.

Reply
0 Kudos