VMware {code} Community
bblood
Contributor

Securely Pass A User's Credentials To A Plugin

I am interested in approaches where after a user authenticates with a vCO client their credentials could be used by a custom plugin within a workflow to identify the user to other devices. This would assist in keeping a proper "audit trail" as well as ensuring that this user was authorized to perform actions on the devices accessed via the plugin.

Presently, my plugin operates as an opaque layer between vCO and the managed devices - as part of the plugin's configuration a username and password are provided along with the hostname or IP address of the devices, and this set of credentials is used for all actions. This prevents the devices from authorizing the actual user, as well as from logging auditing information about the user that initiated the operation.

Here's an example of what I'd like to allow. Take the scenario where a device managed by a custom plugin was connected to the same LDAP as vCO for auth purposes. I would like to be able to pass the supplied username and password through to my plugin so that actions performed by the plugin occur under the security context of the client.

Is this sort of operation possible? I wasn't able to find anything in your documentation.

A good example of what would be an acceptable alternative approach to perform this action is how a user context is conveyed by the vSphere client and a scripted plugin. Essentially, the vSphere client provides a sessionId as part of a plugin request that the plugin can use when it communicates with vCenter - this allows an external agent to interact with vCenter while in the authorization context of the user that's using the vSphere client. Assuming vCO can't do what I want right now and VMware isn't interested in extending it to do so, perhaps it could pass something like a sessionId to a plugin which could be sent to a managed device that would in turn use that information to securely provide a trusted identity for the user without passing around usernames and passwords in the clear (I can see how this might work with PKI but those sorts of implementation details are probably too specific for this request).

1 Reply
admin
Immortal

Hi Brent,

In order to securely pass user credentials in a plug-in object you can try performing the below steps:

When the plug-in is solicited for a service:

- the vCO plugin platform sends a message to the plugin adaptor to get the related IPluginFactory object
- the implementation of the IPluginAdaptor can decide which plugin factory to return:
  a. either it returns a fresh factory at each call, OR
  b. it always returns the same one, created at the first call of the createPluginFactory method, OR
  c. it always returns the same factory for a given user
- this can be easily implemented on the adaptor side using a HashMap (username => IPluginFactory)
- the platform then forwards the service request to the factory, which in turn forwards it to the product (vCenter) which will do the actual job (can be the plugin associated to the managed device)
- when the factory is created, the (username, passwd) can be passed to it, or an intermediary object such as a sessionId that represents this user
- then this information (username/passwd or sessionId) can be passed or not to the product implementing the service

Does this answer your concern?

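Option (c) from the reply above, the per-user factory cache, sketched as an added Java example; this is not code from the thread or from the vCO SDK. `IPluginFactory` here is a local one-method stand-in for the SDK interface, `PerUserPluginAdaptor.createPluginFactory` only mirrors the parameters the reply mentions (the real SDK method's exact signature is assumed, not taken from the page), and `DeviceClient.login` is a constructed stub standing in for whatever login the managed device offers. The factory keeps an opaque `DeviceSession` handle for the user rather than the password, which is the "intermediary object such as a sessionId" the reply describes.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

/** Local stand-in for the SDK's IPluginFactory (assumption: the real interface is larger). */
interface IPluginFactory {
    String describeSession();
}

/** Opaque per-user handle the factory holds instead of the user's password. */
final class DeviceSession {
    private final String username;
    private final String token;   // constructed: what the managed device would hand back after login

    DeviceSession(String username, String token) { this.username = username; this.token = token; }
    String username() { return username; }
    String token() { return token; }
}

/** Stub for the "log in once as this user" step against the managed device. */
final class DeviceClient {
    static DeviceSession login(String username, char[] password) {
        // Constructed: a real client would authenticate against the device (e.g. its LDAP)
        // and receive a session token; only the token is kept afterwards.
        String token = "sess-" + Integer.toHexString(Objects.hash(username, password.length));
        Arrays.fill(password, '\0');   // scrub the password copy once the device session exists
        return new DeviceSession(username, token);
    }
}

/** A factory bound to one user's device session; every request it forwards carries that context. */
final class UserScopedFactory implements IPluginFactory {
    private final DeviceSession session;

    UserScopedFactory(DeviceSession session) { this.session = session; }
    public String describeSession() { return session.username() + " -> " + session.token(); }
}

/** Adaptor variant (c): one factory per authenticated user, cached by username. */
final class PerUserPluginAdaptor {
    private final Map<String, IPluginFactory> factories = new ConcurrentHashMap<>();

    // Assumed parameter set: sessionID, username and password as handed over by the vCO platform.
    public IPluginFactory createPluginFactory(String sessionID, String username, String password)
            throws SecurityException {
        if (username == null || username.isEmpty()) {
            throw new SecurityException("request carries no authenticated user");
        }
        // computeIfAbsent gives the same factory for the same user and logs in only once per user.
        return factories.computeIfAbsent(
                username, u -> new UserScopedFactory(DeviceClient.login(u, password.toCharArray())));
    }

    /** Drop a user's factory, e.g. when the device session expired or the user logged out. */
    public void invalidate(String username) { factories.remove(username); }

    int cachedUsers() { return factories.size(); }
}

public final class Demo {
    public static void main(String[] args) {
        PerUserPluginAdaptor adaptor = new PerUserPluginAdaptor();
        IPluginFactory alice1 = adaptor.createPluginFactory("vco-1", "alice", "pw-a");
        IPluginFactory alice2 = adaptor.createPluginFactory("vco-2", "alice", "pw-a");
        IPluginFactory bob = adaptor.createPluginFactory("vco-3", "bob", "pw-b");
        System.out.println("same factory for alice: " + (alice1 == alice2));
        System.out.println("alice and bob share a factory: " + (alice1 == bob));
        System.out.println(alice1.describeSession());
        System.out.println(bob.describeSession());
        System.out.println("cached users: " + adaptor.cachedUsers());
        adaptor.invalidate("alice");
        System.out.println("cached users after invalidate: " + adaptor.cachedUsers());
    }
}
```

Two points a practitioner should keep in mind with this shape. The map is keyed by username, so it is only sound because the vCO platform has already authenticated the user before it asks the adaptor for a factory; the adaptor never re-checks the password on later calls. And because the login happens only on the first call, the cached device session must be invalidated when it expires or the user's rights change, otherwise the plug-in keeps acting under a stale context.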