
vmware_host_lockdown: Add possibility to configure lockdown exception users

Open Kloppi313 opened this issue 4 years ago • 8 comments

SUMMARY

Hello community, I would like to see the possibility to configure lockdown exception users (these are users who are able to log in to the host, even with activated lockdown mode). This is useful for automation accounts.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

vmware_host_lockdown

ADDITIONAL INFORMATION

By adding this feature it would be possible to natively use a dedicated ansible-bot-user on VMware hosts, without removing the lockdown mode from the host, performing the desired action, and activating the lockdown mode again (and maybe adding a block with a rescue section, to lock down even if something failed). I have two additional parameters for this module in mind:

  • lockdown_exception_user: username
  • lockdown_exception_user_state: present/absent

I hope this is some kind of an easy task; unfortunately I'm not able to do it on my own.


Kloppi313 avatar Nov 30 '20 10:11 Kloppi313

Maybe useful methods of the API: https://code.vmware.com/apis/704/vsphere/vim.host.HostAccessManager.html#queryLockdownExceptions https://code.vmware.com/apis/704/vsphere/vim.host.HostAccessManager.html#updateLockdownExceptions

Kloppi313 avatar Nov 30 '20 12:11 Kloppi313

@Kloppi313 Thanks for reporting this feature. I am not able to access hostAccessManager but I am not quite sure why.

(Pdb) content.hostAccessManager
*** AttributeError: 'vim.ServiceInstanceContent' object has no attribute 'hostAccessManager'

Akasurde avatar Nov 30 '20 12:11 Akasurde

@Akasurde Oh, by searching a bit I found that the module might use a deprecated function: https://code.vmware.com/apis/704/vsphere/vim.HostSystem.html#enterLockdownMode (Deprecated. As of vSphere API 6.0, use ChangeLockdownMode.) as well as https://code.vmware.com/apis/704/vsphere/vim.HostSystem.html#exitLockdownMode (maybe because of backwards compatibility?)

They were replaced by https://code.vmware.com/apis/704/vsphere/vim.host.HostAccessManager.html#changeLockdownMode -> it also needs HostAccessManager. So is it possible that you are developing with some older version of ESXi?

Kloppi313 avatar Nov 30 '20 13:11 Kloppi313

This could be case sensitive: HostAccessManager instead of hostAccessManager

mainboarder avatar Nov 30 '20 14:11 mainboarder

cc @Tomorrow9 @goneri @lparkes @pgbidkar @warthog9 click here for bot help

ansibullbot avatar Jan 15 '21 16:01 ansibullbot

I am having the same issue, how do I update the lockdown exception users using ansible? Is this feature going to be added to the REST API?

mvgtsvg avatar Mar 16 '21 12:03 mvgtsvg

Hi @Akasurde, you added the "waiting_on_contributer" label. What are you waiting for in this case? I see that @Kloppi313 and @mainboarder replied, have you seen that as well? I'm not able to communicate with the API on my own, but I'm willing to participate where possible to help create this module.

Most recent reference guide: https://vdc-download.vmware.com/vmwb-repository/dcr-public/bf660c0a-f060-46e8-a94d-4b5e6ffc77ad/208bc706-e281-49b6-a0ce-b402ec19ef82/SDK/vsphere-ws/docs/ReferenceGuide/vim.host.HostAccessManager.html#updateLockdownExceptions

denknl avatar Jun 07 '22 14:06 denknl

@denknl waiting_on_contributer means we want this functionality but have no time or resources, so someone from the community can take the lead on this and work on it. You might want to start drafting a WIP PR so that we can guide you along the way. Thanks.

Akasurde avatar Jun 13 '22 10:06 Akasurde

@Kloppi313 @pugnacity @mainboarder @mvgtsvg @denknl If you're still interested in this feature, you might want to test if #1510 works for you:

mkdir -p  ~/.ansible/collections/ansible_collections/community
git clone https://github.com/ansible-collections/community.vmware ~/.ansible/collections/ansible_collections/community/vmware
cd ~/.ansible/collections/ansible_collections/community/vmware
git fetch origin pull/1510/head:issue529
git checkout issue529

For various reasons, I found it tricky to implement this in the current vmware_host_lockdown module. So I have created a new one, it's called vmware_host_lockdown_exceptions.

mariolenz avatar Oct 21 '22 11:10 mariolenz

@Kloppi313 @pugnacity @mainboarder @mvgtsvg @denknl If you're still interested in this feature, you might want to test if #1510 works for you

Hi @mariolenz thank you for adding this feature! It works well but changes the list in VMware on every run. We might want to change 'if not self.module.check_mode:' to 'if not self.module.check_mode and changed:' on line 142. Maybe I need to create a new issue for this?

denknl avatar Jan 04 '23 13:01 denknl

It works well but changes the list in VMware on every run. We might want to change 'if not self.module.check_mode:' to 'if not self.module.check_mode and changed:' on line 142.

@denknl It looks like the module always tries to update the lockdown exception users, even if they didn't change:

https://github.com/ansible-collections/community.vmware/blob/813d2b6781dd9de290c2ffe1e49869aa10a92004/plugins/modules/vmware_host_lockdown_exceptions.py#L142-L144

So you should see a task which is unnecessary, but it wouldn't really change anything. It would only set the exception users to what they already are. Did I understand you correctly, and is this what you want to avoid?

If so, I've created #1585 to fix this.

mariolenz avatar Jan 04 '23 16:01 mariolenz
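The idempotency point raised above (only call UpdateLockdownExceptions when the desired list actually differs from what QueryLockdownExceptions returns, and never in check mode) as an added example; this is not the collection's module code. The real objects would come from pyVmomi (host.configManager.hostAccessManager exposes QueryLockdownExceptions() and UpdateLockdownExceptions(users), as in the HostAccessManager links earlier in the thread); FakeHostAccessManager is a constructed in-memory stand-in so the logic runs offline, and ensure_lockdown_exceptions / desired_exceptions are hypothetical helper names.

```python
class FakeHostAccessManager:
    """Constructed stand-in for vim.host.HostAccessManager.

    It mirrors the two calls the thread links to and counts how often
    the host would actually be written, which is what the fix is about.
    """

    def __init__(self, users):
        self.users = list(users)
        self.update_calls = 0

    def QueryLockdownExceptions(self):
        return list(self.users)

    def UpdateLockdownExceptions(self, users):
        self.update_calls += 1
        self.users = list(users)


def desired_exceptions(current, users, state):
    """Target exception-user list for state=present (add) or absent (remove)."""
    current_set, wanted = set(current), set(users)
    if state == "present":
        target = current_set | wanted
    elif state == "absent":
        target = current_set - wanted
    else:
        raise ValueError("state must be 'present' or 'absent'")
    return sorted(target)


def ensure_lockdown_exceptions(ham, users, state="present", check_mode=False):
    """Idempotent update: write to the host only when something differs.

    Returns an Ansible-style result dict with 'changed' computed from a
    set comparison, so re-running with the same users reports no change
    and issues no UpdateLockdownExceptions call.
    """
    current = ham.QueryLockdownExceptions()
    target = desired_exceptions(current, users, state)
    changed = set(target) != set(current)
    # Guard is 'changed and not check_mode', not just 'not check_mode':
    # that is the difference discussed for line 142 of the module.
    if changed and not check_mode:
        ham.UpdateLockdownExceptions(target)
    return {"changed": changed, "exception_users": target}
```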

Hi @mariolenz yes that was exactly my point. It worked fine but it will be a nice optimization to do nothing in VMware if there's nothing to change. Thank you for creating #1585 !

denknl avatar Jan 05 '23 09:01 denknl