Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support session auth for policy resources #846

Merged
merged 1 commit into from
Mar 6, 2023
Merged

Support session auth for policy resources #846

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
45 changes: 43 additions & 2 deletions nsxt/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,8 @@ type nsxtClients struct {
CommonConfig commonProviderConfig
// NSX Manager client - based on go-vmware-nsxt SDK
NsxtClient *api.APIClient
// Config for the above client
NsxtClientConfig *api.Configuration
// Data for NSX Policy client - based on vsphere-automation-sdk-go SDK
// First offering of Policy SDK does not support concurrent
// operations in single connector. In order to avoid heavy locks,
Expand Down Expand Up @@ -83,6 +85,11 @@ func Provider() *schema.Provider {
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("NSXT_REMOTE_AUTH", false),
},
"session_auth": {
Type: schema.TypeBool,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("NSXT_SESSION_AUTH", true),
},
"host": {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -439,6 +446,8 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {

caFile := d.Get("ca_file").(string)
caString := d.Get("ca").(string)
sessionAuth := d.Get("session_auth").(bool)
skipSessionAuth := !sessionAuth

retriesConfig := api.ClientRetriesConfiguration{
MaxRetries: clients.CommonConfig.MaxRetries,
Expand All @@ -447,7 +456,7 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
RetryOnStatuses: clients.CommonConfig.RetryStatusCodes,
}

cfg := api.Configuration{
clients.NsxtClientConfig = &api.Configuration{
BasePath: "/api/v1",
Host: host,
Scheme: "https",
Expand All @@ -463,9 +472,10 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
CAString: caString,
Insecure: insecure,
RetriesConfiguration: retriesConfig,
SkipSessionAuth: skipSessionAuth,
}

nsxClient, err := api.NewAPIClient(&cfg)
nsxClient, err := api.NewAPIClient(clients.NsxtClientConfig)
if err != nil {
return err
}
Expand Down Expand Up @@ -694,6 +704,24 @@ func (processor bearerAuthHeaderProcessor) Process(req *http.Request) error {
return nil
}

type sessionHeaderProcessor struct {
cookie string
xsrf string
}

func newSessionHeaderProcessor(cookie string, xsrf string) *sessionHeaderProcessor {
return &sessionHeaderProcessor{
cookie: cookie,
xsrf: xsrf,
}
}

func (processor sessionHeaderProcessor) Process(req *http.Request) error {
req.Header.Set("Cookie", processor.cookie)
req.Header.Set("X-XSRF-TOKEN", processor.xsrf)
return nil
}

func applyLicense(c *api.APIClient, licenseKey string) error {
if c == nil {
return fmt.Errorf("API client not configured")
Expand Down Expand Up @@ -817,6 +845,19 @@ func getPolicyConnector(clients interface{}) *client.RestConnector {
if len(c.CommonConfig.BearerToken) > 0 {
connector.AddRequestProcessor(newBearerAuthHeaderProcessor(c.CommonConfig.BearerToken))
}
// Session support for policy resources (main rationale - vIDM environment where auth is slow)
// Currently session creation is done via old MP sdk.
// TODO - when MP resources are removed, switch to official SDK to initiate session/create API
// TODO - re-trigger session/create when token is expired
if len(c.NsxtClientConfig.DefaultHeader["Cookie"]) > 0 {
cookie := c.NsxtClientConfig.DefaultHeader["Cookie"]
xsrf := ""
if len(c.NsxtClientConfig.DefaultHeader["X-XSRF-TOKEN"]) > 0 {
xsrf = c.NsxtClientConfig.DefaultHeader["X-XSRF-TOKEN"]
}
connector.AddRequestProcessor(newSessionHeaderProcessor(cookie, xsrf))
log.Printf("[INFO]: Session headers configured for policy objects")
}

return connector
}
Expand Down
5 changes: 4 additions & 1 deletion website/docs/index.html.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,10 @@ The following arguments are used to configure the VMware NSX-T Provider:
policy resources: `409, 429, 500, 503, 504`. Can also be specified with the
`NSXT_RETRY_ON_STATUS_CODES` environment variable.
* `remote_auth` - (Optional) Would trigger remote authorization instead of basic
authorization. This is required for users based on vIDM authentication.
authorization. This is required for users based on vIDM authentication for early
NSX versions.
* `session_auth` - (Optional) Creates session to avoid re-authentication for every
request. Speeds up terraform execution for vIDM based environments. Defaults to `true`
The default for this flag is false. Can also be specified with the
`NSXT_REMOTE_AUTH` environment variable.
* `tolerate_partial_success` - (Optional) Setting this flag to true would treat
Expand Down