Czernobog

Ansible automation with NSX-T 3.2 - session cookie authentication not working

I am trying to leverage the URI module in Ansible to automate tasks within NSX-T 3.2.
I group tasks together in roles to create workflows, the simplified schema of a playbook looks like this:
- login (extract session cookie)
- doing 1
- doing 2,3,4...
- logout (close session)
For the login part I use basic authentication and extract the session cookie:

- name: NSX-T - login
  uri:
    url: "{{ nsx_auth.nsx_url }}/api/session/create"
    method: POST
    timeout: 60
    validate_certs: no
    return_content: yes
    headers:
      Content-Type: application/x-www-form-urlencoded
      Accept: application/json
    body: "j_username={{ nsx_auth.nsx_user }}&j_password={{ nsx_auth.nsx_password }}"
  register: nsx_login

- name: NSX-T - extract session cookie
  set_fact:
    nsx_cookie: "{{ nsx_login.cookies_string }}"
    # so far tried with: .cookies_string .x_xsrf_token

 

Logout works fine with the passed cookie string:

- name: NSX-T - logout
  uri:
    url: "{{ nsx_auth.nsx_url }}/api/session/destroy"
    method: POST
    timeout: 60
    validate_certs: no
    return_content: yes
    headers:
      X-XSRF-TOKEN: "{{ nsx_cookie }}"

 

What I cannot get to work is the "doing" part, those are various GET or POST requests, where the work should be done. The structure of the API call is identical to the logout part, but I get a "The credentials were incorrect or the account specified has been locked.","error_code":403}'" every time I tried to log in using the session cookie, example:

- name: NSX-T - list policies
  uri:
    url: "{{ nsx_auth.nsx_url }}/policy/api/v1/infra/domains/{{ domain }}/security-policies"
    method: GET
    timeout: 60
    validate_certs: no
    return_content: yes
    headers:
      X-XSRF-TOKEN: "{{ nsx_cookie }}"

 

This DOES work with basic auth, which I try to avoid however - this is what the session cookie is there for. I have tried to pass the whole cookie file, which is generated during login as a payload, to subsequent api calls but a bad request is returned then.

For login I use the local admin account and a domain account with enterprise administrator rights.

When using the VS code rest client, I can log in, grab the token from the response using .response.headers.X-XSRF-TOKEN and the authentication in subsequent queries does work with it, however extracting this header and passing it to the uri module in Ansible returns an error 403.

Any ideas on how to get the session cookie authentication in Ansible to work? Experimenting with VS Code showed it can be done, I guess I made a mistake somewhere when extracting the session token.


Accepted Solutions
Czernobog

I found the source of the issue. The documentation tells you to pass on the token and cookie file with each request:

NSX-T Data Center REST API - VMware API Explorer - VMware {code}

This can be done in the uri module with the Cookie header, it should look like this:

    headers:
      Content-Type: application/json
      X-XSRF-TOKEN: "{{ nsx_login.x_xsrf_token }}"
      Cookie: "{{ nsx_login.cookies_string }}"

This way the authentication works fine, it's a bit faster than with basic authentication too.

V00Z11

You have to both set the X-XSRF-TOKEN and the cookie in the header. Here is a working example:

- name: Request token
  ansible.builtin.uri:
    url: "{{ nsx_url }}/api/session/create"
    method: POST
    timeout: 60
    validate_certs: no
    return_content: no
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "j_username={{ nsx_user }}&j_password={{ nsx_pass }}"
  register: token_request

- name: Set header
  set_fact:
    header:
      Content-Type: application/json
      X-XSRF-TOKEN: "{{ token_request.x_xsrf_token }}"
      Cookie: "{{ token_request.cookies_string }}"

- name: Get DHCP servers
  ansible.builtin.uri:
    url: "{{ nsx_url }}/api/v1/dhcp/servers/"
    method: GET
    timeout: 60
    validate_certs: no
    return_content: no
    headers: "{{ header }}"
  register: binding

- debug: var=binding

- name: Delete token
  ansible.builtin.uri:
    url: "{{ nsx_url }}/api/session/destroy"
    method: POST
    timeout: 60
    validate_certs: no
    return_content: no
    headers: "{{ header }}"
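
An added example, not taken from either poster: the token-plus-cookie approach from the answers wrapped in `block`/`always` so the session is destroyed even when an API call fails, with `no_log` on the tasks that handle the password and cookie, a form-urlencoded body, and certificate validation left on. `nsx.example.invalid` is a placeholder; it assumes `nsx_user` and `nsx_pass` come from Ansible Vault and that the NSX manager's CA is trusted on the control node.

```yaml
- name: NSX-T session workflow with guaranteed logout
  hosts: localhost
  gather_facts: false
  vars:
    nsx_url: "https://nsx.example.invalid"  # placeholder manager URL
    # nsx_user and nsx_pass are assumed to come from Ansible Vault
  tasks:
    - name: Run all API calls inside one session
      block:
        - name: Create session
          ansible.builtin.uri:
            url: "{{ nsx_url }}/api/session/create"
            method: POST
            body_format: form-urlencoded  # encodes &, %, + in the password
            body:
              j_username: "{{ nsx_user }}"
              j_password: "{{ nsx_pass }}"
            validate_certs: true
            timeout: 60
          register: token_request
          no_log: true  # keeps password and Set-Cookie out of task output

        - name: Build session headers (token and cookie are both required)
          ansible.builtin.set_fact:
            nsx_headers:
              Content-Type: application/json
              X-XSRF-TOKEN: "{{ token_request.x_xsrf_token }}"
              Cookie: "{{ token_request.cookies_string }}"
          no_log: true

        - name: Get DHCP servers
          ansible.builtin.uri:
            url: "{{ nsx_url }}/api/v1/dhcp/servers/"
            method: GET
            headers: "{{ nsx_headers }}"
            validate_certs: true
            timeout: 60
          register: binding

      always:
        - name: Destroy session (runs even if a task above failed)
          ansible.builtin.uri:
            url: "{{ nsx_url }}/api/session/destroy"
            method: POST
            headers: "{{ nsx_headers }}"
            validate_certs: true
            timeout: 60
          when: nsx_headers is defined  # skip if login never succeeded
          no_log: true
```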