
Permissions required to run nsxt_vm_tags module

Status: Open. alexshallcross opened this issue 1 year ago • 5 comments

Describe the bug

In NSX I have created a custom security role which only has full access to the 'tags' permission. When running the nsxt_vm_tags module as a user that has that role, it fails with error 403 forbidden. The user is able to successfully alter tags through the GUI and API.

Reproduction steps

  1. Create a custom security role in NSX that only has full access to the tags permission.
  2. Assign custom security role to a user in NSX
  3. Run the nsxt_vm_tags module with the user credentials

Expected behavior

User with full access to the tags permission should be able to run this module.

Additional context

No response

alexshallcross avatar Apr 10 '24 15:04 alexshallcross

Hi @alexshallcross

I think you need to add permissions to VM inventory to configure tags.

alagoutte avatar Apr 15 '24 08:04 alagoutte

Hi @alagoutte,

I've done some more testing with this. It does not work with a custom role with the VM inventory and Tag full access permissions, nor does it work with a custom role that has full access on all permissions. It will only work if the service account is assigned the built in Enterprise Admin role.

alexshallcross avatar May 15 '24 09:05 alexshallcross

I would like to use a custom role for creating tags on virtual machines.

I analyzed this a bit and, as far as I understand, it is currently not possible to use a custom role. The nsxt_vm_tags module is using the virtual-machines endpoint with action update_tags: https://github.com/vmware/ansible-for-nsxt/blob/dfbbd0463f834046d2dcd32e70d3e26d6120613a/plugins/modules/nsxt_vm_tags.py#L278-L280. According to the API documentation, the feature vm_vm_tags is required to execute this API action: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_UpdateVirtualMachineTags.html

This feature is marked as internal and therefore it is not possible to create a custom role through the GUI nor with the API with the required permissions to create tags using the nsxt_vm_tags Ansible module.

It is only possible to create a custom role with the policy_vm_vm_tags feature, but another API endpoint must then be used: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_ApplyTagOnVirtualMachine.html

{
  "features" : [ {
    "feature" : "policy_vm_vm_tags",
    "feature_name" : "Policy Vm Vm Tags",
    "feature_description" : "Policy Create and assign tags to VM",
    "permission" : "crud",
    "is_internal" : false,
    "is_execute_recommended" : false
  }, {
    "feature" : "vm_vm_tags",
    "feature_name" : "Vm Vm Tags",
    "feature_description" : "Create and assign tags to VM",
    "permission" : "none",
    "is_internal" : true,
    "is_execute_recommended" : false
  } ]
}

hulr avatar Jul 05 '24 08:07 hulr
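The two endpoints and the two features described above, as an added example that is not part of the ansible-for-nsxt project or of anyone's comment in this thread: a small helper that reads a role's feature list (the JSON format shown above), reports which features are internal and therefore cannot be granted to a custom role, and builds the least-privileged tag-update request the role can actually perform. The URL paths come from the API links and the diff in this thread; the role JSON, the host name and the VM id are constructed sample values.

```python
"""Decide which NSX tag-update endpoint a role may call and build the request.

Added example (not project code). Paths assumed from the API docs and the
diff in this issue thread; host/role/VM id are constructed sample values.
"""
import json
from urllib.parse import quote

# Required by POST /api/v1/fabric/virtual-machines?action=update_tags
LEGACY_FEATURE = "vm_vm_tags"
# Required by POST /policy/api/v1/infra/realized-state/virtual-machines/{id}/tags
POLICY_FEATURE = "policy_vm_vm_tags"

# Constructed sample role: the feature list posted above, wrapped as a role.
SAMPLE_CUSTOM_ROLE = json.dumps({
    "features": [
        {"feature": "policy_vm_vm_tags", "permission": "crud",
         "is_internal": False},
        {"feature": "vm_vm_tags", "permission": "none",
         "is_internal": True},
    ]
})


def grants(features, name):
    """True if the role holds any permission other than 'none' on `name`."""
    return any(f.get("feature") == name and f.get("permission", "none") != "none"
               for f in features)


def ungrantable_features(role_json):
    """Features marked internal: a GUI/API-created custom role cannot get them."""
    features = json.loads(role_json)["features"]
    return sorted(f["feature"] for f in features if f.get("is_internal"))


def build_tag_update(role_json, vm_external_id, tags, host="nsx.example.invalid"):
    """Return (url, json_body) for the tag update this role is allowed to make.

    Prefers the policy endpoint (grantable to custom roles); falls back to the
    legacy fabric endpoint only if the role holds the internal feature.
    Raises PermissionError if the role can use neither.
    """
    features = json.loads(role_json)["features"]
    # NSX Tag objects carry a scope and a tag string.
    body_tags = [{"scope": scope, "tag": tag} for scope, tag in tags]

    if grants(features, POLICY_FEATURE):
        # VM id goes in the path, so it must be URL-encoded.
        url = (f"https://{host}/policy/api/v1/infra/realized-state/"
               f"virtual-machines/{quote(vm_external_id, safe='')}/tags")
        return url, {"tags": body_tags}

    if grants(features, LEGACY_FEATURE):
        url = f"https://{host}/api/v1/fabric/virtual-machines?action=update_tags"
        return url, {"external_id": vm_external_id, "tags": body_tags}

    raise PermissionError(
        f"role grants neither {POLICY_FEATURE} nor {LEGACY_FEATURE}; "
        "expect 403 from both tag-update endpoints")


if __name__ == "__main__":
    url, body = build_tag_update(SAMPLE_CUSTOM_ROLE, "5000-sample-vm-id",
                                 [("env", "prod")])
    print(url)
    print(json.dumps(body))
    print("internal, not grantable:", ungrantable_features(SAMPLE_CUSTOM_ROLE))
```

Running the block with the sample role prints the policy URL, which is the only one a GUI-created custom role can use; a role lacking both features raises instead of silently issuing a request that the manager will reject.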

I confirm @hulr's analysis. I've been able to reproduce it with Postman using a limited role (full access on tags and VM only).

The update of tags raised a 401 FORBIDDEN when using fabric/virtual-machines and succeeded when using the policy endpoint.

So here is a short proposition (untested) to fix that issue:

diff --git a/plugins/module_utils/nsxt_resource_urls.py b/plugins/module_utils/nsxt_resource_urls.py
index 7a7096d..0225770 100644
--- a/plugins/module_utils/nsxt_resource_urls.py
+++ b/plugins/module_utils/nsxt_resource_urls.py
@@ -61,7 +61,7 @@ EDGE_CLUSTER_URL = _ENFORCEMENT_POINT_URL + '/{}/edge-clusters'
 EDGE_NODE_URL = EDGE_CLUSTER_URL + '/{}/edge-nodes'
 
 VM_LIST_URL = '/virtual-machines'
-VM_UPDATE_URL = '/virtual-machines'
+VM_UPDATE_URL = '/infra/realized-state/virtual-machines'
 
 BFD_PROFILE_URL = '/infra/bfd-profiles'
 
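Review bot: VM_LIST_URL and VM_UPDATE_URL no longer share a base after this hunk (the list URL is still resolved under 'fabric', the update URL now under 'policy'), so the pair of constants side by side is misleading. Consider renaming the new one to something like VM_TAGS_URL and adding a one-line comment that it is a policy-API path requiring the policy_vm_vm_tags feature, so the next reader does not assume both constants are used against the same base URL.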
diff --git a/plugins/modules/nsxt_vm_tags.py b/plugins/modules/nsxt_vm_tags.py
index 8017e40..33e5936 100644
--- a/plugins/modules/nsxt_vm_tags.py
+++ b/plugins/modules/nsxt_vm_tags.py
@@ -272,12 +272,12 @@ def realize():
             module.exit_json(msg="No tags detected to update")
 
         post_body = {
-            "external_id": virtual_machine_id,
             "tags": final_tags
         }
         policy_communicator.request(
-            VM_UPDATE_URL + '?action=update_tags', data=post_body,
-            method="POST", base_url='fabric')
+            VM_UPDATE_URL + '/' + virtual_machine_id + '/tags', data=post_body,
+            method="POST", base_url='policy')
+
         module.exit_json(msg="Successfully updated tags on VM {}".format(
             virtual_machine_id), changed=True)
     except Exception as err:
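Review bot: virtual_machine_id is concatenated into the path unencoded at the `VM_UPDATE_URL + '/' + virtual_machine_id + '/tags'` line; it should go through urllib.parse.quote(virtual_machine_id, safe='') so an unexpected character cannot change the path. Also worth checking that policy_communicator.request accepts base_url='policy' (only 'fabric' is visible in the removed lines), and the added empty `+` line after the request call is stray whitespace. The module documentation should state that the required permission is now the policy_vm_vm_tags feature rather than vm_vm_tags, since that is the whole point of the change.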

akiuni avatar Jul 05 '24 09:07 akiuni

I have made a PR for that bug: https://github.com/vmware/ansible-for-nsxt/pull/507

Tested, it works fine.

However, I don't know if it is a real fix or just a workaround.

akiuni avatar Jul 09 '24 07:07 akiuni