Connect-Rubrik - Service User Secret #812 only works for admin role? #819

Open
StefanBPS opened this issue Nov 8, 2022 · 2 comments

@StefanBPS

I can connect to a Rubrik server using the accountid and secret but not when the account has a limited set of privileges in the attached role.

In the past I used to use API tokens for livemounting and restoring VMs using the Rubrik PowerShell SDK with a role set up to allow only that.
This role works when I use the API token to connect to the Rubrik server, but when I use the same role attached to a service account and use that ID + secret to log in I get this error message:

PS C:.\script.ps1
VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name Value


id
authType ServiceAccount
version 8.0.1-p1-22135
header {User-Agent, Authorization}
api 1
time 11/8/2022 2:35:12 PM
userId
server 172.17.200.150

PSVersion : 7.2.7
PSEdition : Core
GitCommitId : 7.2.7
OS : Microsoft Windows 10.0.17763
Platform : Win32NT
PSCompatibleVersions : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion : 2.3
SerializationVersion : 1.1.0.1
WSManStackVersion : 3.0
HostConsoleName : Visual Studio Code Host
HostConsoleVersion : 2022.10.0
HostCulture : en-US
HostCultureUI : en-US
RubrikConnection : True
UserAgentString : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication : Bearer
RubrikClusterVersion : 8.0.1-p1-22135
RubrikCurrentModuleVersion : 6.0.1
RubrikInstalledModule : 6.0.1
RubrikModuleOptions : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

WARNING: User unavailable: userId = 903b71c9-ab61-40f0-b297-3de75101aba7
OperationStopped: C:\Program Files\WindowsPowerShell\Modules\Rubrik\6.0.1\Private\Submit-Request.ps1:133:25
Line |
133 | throw $_.Exception
| ~~~~~~~~~~~~~~~~~~
| Response status code does not indicate success: 404 (Not Found).

PS C:>

I only give the service account user the admin role, rerun the script and this happens:

VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name Value


id
authType ServiceAccount
version 8.0.1-p1-22135
header {User-Agent, Authorization}
api 1
time 11/8/2022 2:42:00 PM
userId
server 172.17.200.150

PSVersion : 7.2.7
PSEdition : Core
GitCommitId : 7.2.7
OS : Microsoft Windows 10.0.17763
Platform : Win32NT
PSCompatibleVersions : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion : 2.3
SerializationVersion : 1.1.0.1
WSManStackVersion : 3.0
HostConsoleName : Visual Studio Code Host
HostConsoleVersion : 2022.10.0
HostCulture : en-US
HostCultureUI : en-US
RubrikConnection : True
UserAgentString : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication : Bearer
RubrikClusterVersion : 8.0.1-p1-22135
RubrikCurrentModuleVersion : 6.0.1
RubrikInstalledModule : 6.0.1
RubrikModuleOptions : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

Status : Success
HTTPStatusCode : 204
HTTPStatusDescription : NoContent

Problem disappeared.

Does anybody know if you need some specific privilege attached to the role that the API tokens did not need to make this work?

Originally posted by @StefanBPS in #812 (comment)

@Bryan-Meier

Bryan-Meier commented Nov 10, 2022

Hi @StefanBPS,

I am not an admin of our Rubrik Cluster but I do know that our admin said the setup for AccountIds and Secrets is definitely different than previous versions of Rubrik. As far as I know, the old API token implementation was insecure because once you had the token you could execute any API call because the privileges around that token were not able to be tightened down. The new implementation with AccountID and Secret requires the role to be set up specifically for the account, which will grant access to only the APIs required rather than everything. Hence being more secure. I am sure there is documentation around this but I didn't have time to search for it. Hopefully this helps in some fashion. Rubrik support can help with this as well.

@StefanBPS

The old API tokens worked fine and would adhere to RBAC roles within Rubrik, I think, @Bryan-Meier.
The new method works fine on Linux with restricted RBAC roles (non Rubrik administrator) but the new method does not work on Windows with PowerShell.

Two issues:

1) Once you restrict the user that you use (as in, it is not attached to the Rubrik administrator role but a more restricted role that works fine with the API tokens), PowerShell gives the error as seen above.

2) The 6.0.1 Rubrik PowerShell module has a bug that makes this new service account business not work with PowerShell 5.1; this causes all kinds of challenges.
