ansible-for-nsxt
Authentication to NSX-T using an Active Directory user times out
Describe the bug
We have a new environment on AVS (Azure VMware Solution), utilizing the managed NSX-T, vSphere, etc. We've connected NSX-T to Active Directory because we must use AD users in this environment, and noticed that when using AD users to authenticate to NSX-T, the request may take a few seconds. The Ansible module for NSX-T does not allow customizing the timeout (it defaults to 10 seconds, just like the ansible.builtin.uri module). When using the local admin user for NSX-T authentication, the timeout doesn't occur and everything works.
I suppose this issue occurs due to some latency between NSX-T and Active Directory.
It would be really nice if there was a timeout parameter on all Ansible modules, to support such environments...
Reproduction steps
Not sure it's reproducible due to the latency issue I mentioned.
This issue occurs in any REST request using an AD user.
For example, the following task:
    - name: Get NSX-T Edge Cluster ID
      vmware.ansible_for_nsxt.nsxt_rest:
        hostname: "{{ nsxt_host }}"
        username: "{{ nsxt_username }}"
        password: "{{ nsxt_password }}"
        validate_certs: false
        method: get
        path: "/api/v1/search?query=resource_type:EdgeCluster%20AND%20display_name:{{ edge_cluster_name }}"
      register: nsxt_edge_cluster
Results in:
PLAY [localhost] *****************************************************************************************************************************************************************************************
TASK [build-nsx-topology : Get NSX-T Edge Cluster ID] ****************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "error_code: -1, error_message: Connection failure: The read operation timed out"}
PLAY RECAP ***********************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Expected behavior
It would be great if we could increase the default timeout on all modules.
Additional context
No response
We don't use AD user auth yet, but I had a look at the code and it seems only the vmware.ansible_for_nsxt.nsxt_rest module should have timeout issues. Most, if not all, other modules use the policy_communicator.py, which has a timeout=300 setting hardcoded. So you have 3 options:
- use the generic ansible uri module instead. There you can specify the timeout (our approach).
- edit the vmware.ansible_for_nsxt.nsxt_rest module to add a timeout. A simple timeout= added to the fetch_url arguments (line 199) might be enough.
- wait for VMware or someone else to add it/make it configurable.
Note: default ansible uri timeout is 30s according to -> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html#parameter-timeout
Note2: If you're on 3.1.0 or 3.1.1 -> https://kb.vmware.com/s/article/82331
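The first option from the comment above (the generic uri module with an explicit timeout), written out as an added example; it is not part of the original thread or of the collection's own code. It assumes the NSX-T API accepts HTTP Basic authentication for the AD user; the 60-second timeout and the retry values are illustrative, and the variable names are reused from the task in the issue.

```yaml
# Added example: same search request as the nsxt_rest task in the issue,
# sent through ansible.builtin.uri so the read timeout can be set per task.
- name: Get NSX-T Edge Cluster ID (uri module, explicit timeout)
  ansible.builtin.uri:
    url: "https://{{ nsxt_host }}/api/v1/search?query=resource_type:EdgeCluster%20AND%20display_name:{{ edge_cluster_name | urlencode }}"
    method: GET
    url_username: "{{ nsxt_username }}"
    url_password: "{{ nsxt_password }}"
    # Send the Authorization header on the first request instead of
    # waiting for a 401 challenge (assumption: Basic auth is accepted).
    force_basic_auth: true
    # Illustrative value; size it to the AD lookup latency you observe.
    timeout: 60
    # The task in the issue sets this to false. It is left on here because
    # the Basic credentials travel over this TLS session. Assumes the
    # NSX-T certificate chains to a CA the Ansible controller trusts.
    validate_certs: true
    status_code: 200
  register: nsxt_edge_cluster
  # Retry a few times if a single slow lookup still exceeds the timeout.
  until: nsxt_edge_cluster is succeeded
  retries: 3
  delay: 5
```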