
Support communication with vCenter Server via Kerberos-authenticated proxy server

Open VedaNiks opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

I need to communicate with vCenter Server, and all the traffic goes through a Kerberos-authenticated proxy server. I am not able to authenticate to the proxy server using the 'Proxy-Authorization' header. I am using the code below:

import ssl
from pyVim.connect import SmartConnect, Disconnect
from requests_kerberos import HTTPKerberosAuth

def get_unverified_context():
    """
    Get an unverified ssl context. Used to disable the server certificate
    verification.
    @return: unverified ssl context.
    """
    context = None
    if hasattr(ssl, '_create_unverified_context'):
        context = ssl._create_unverified_context()
    return context

context = get_unverified_context()
kerb_auth = HTTPKerberosAuth(force_preemptive=True)
auth_header = kerb_auth.generate_request_header(None, '10.24.129.100', True)
custom_headers = {}
custom_headers['Proxy-Authorization'] = auth_header


si = SmartConnect(protocol='https',
                  host='10.24.129.1',
                  user='[email protected]',
                  pwd='p@s$w0rD',
                  sslContext=context,
                  httpProxyHost='10.24.129.100',
                  httpProxyPort='3128',
                  customHeaders=custom_headers)


# Retrieve the service content
content = si.RetrieveContent()
vc_guid = content.about.instanceUuid
print(vc_guid)

I see the exception below:

Traceback (most recent call last):
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVim/connect.py", line 491, in __Login
    content = si.RetrieveContent()
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/VmomiSupport.py", line 598, in <lambda>
    self.f(*(self.args + (obj,) + args), **kwargs)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/VmomiSupport.py", line 388, in _InvokeMethod
    return self._stub.InvokeMethod(self, info, args)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/SoapAdapter.py", line 1533, in InvokeMethod
    conn.request('POST', self.path, req, headers)
  File "/usr/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/lib/python3.10/http/client.py", line 1447, in connect
    super().connect()
  File "/usr/lib/python3.10/http/client.py", line 951, in connect
    self._tunnel()
  File "/usr/lib/python3.10/http/client.py", line 924, in _tunnel
    raise OSError(f"Tunnel connection failed: {code} {message.strip()}")
OSError: Tunnel connection failed: 407 Proxy Authentication Required

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/connect_to_vc_via_proxy.py", line 24, in <module>
    si = SmartConnect(protocol='https',
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVim/connect.py", line 979, in SmartConnect
    return Connect(host=host,
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVim/connect.py", line 318, in Connect
    si, stub = __Login(host,
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVim/connect.py", line 503, in __Login
    reraise(vim.fault.HostConnectFault, fault, traceback)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/six.py", line 718, in reraise
    raise value.with_traceback(tb)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVim/connect.py", line 491, in __Login
    content = si.RetrieveContent()
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/VmomiSupport.py", line 598, in <lambda>
    self.f(*(self.args + (obj,) + args), **kwargs)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/VmomiSupport.py", line 388, in _InvokeMethod
    return self._stub.InvokeMethod(self, info, args)
  File "/etc/vcp/applianceRTVEnv/lib/python3.10/site-packages/pyVmomi/SoapAdapter.py", line 1533, in InvokeMethod
    conn.request('POST', self.path, req, headers)
  File "/usr/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/lib/python3.10/http/client.py", line 1447, in connect
    super().connect()
  File "/usr/lib/python3.10/http/client.py", line 951, in connect
    self._tunnel()
  File "/usr/lib/python3.10/http/client.py", line 924, in _tunnel
    raise OSError(f"Tunnel connection failed: {code} {message.strip()}")
pyVmomi.VmomiSupport.vim.fault.HostConnectFault: (vim.fault.HostConnectFault) {
   dynamicType = <unset>,
   dynamicProperty = (vmodl.DynamicProperty) [],
   msg = 'Tunnel connection failed: 407 Proxy Authentication Required',
   faultCause = <unset>,
   faultMessage = (vmodl.LocalizableMessage) []
}

I see the messages below in the proxy logs:

1689748074.915 12 10.24.131.174 TCP_TUNNEL/200 3196 CONNECT 10.24.129.1:443 [email protected] HIER_DIRECT/10.24.129.1 -
1689748074.918 2 10.24.131.174 TCP_DENIED/407 5978 CONNECT 10.24.129.1:443 - HIER_NONE/- text/html
1689748274.797 16 10.24.131.174 TCP_TUNNEL/200 3167 CONNECT 10.24.129.1:443 [email protected] HIER_DIRECT/10.24.129.1 -
1689748274.801 2 10.24.131.174 TCP_DENIED/407 5982 CONNECT 10.24.129.1:443 - HIER_NONE/- text/html

pyVmomi connects to vCenter Server 2 times.

First time here: https://github.com/vmware/pyvmomi/blob/f0fe4e279cebdfdbca5bfce699063d15b1d3bd1d/pyVim/connect.py#L663

Second time here: https://github.com/vmware/pyvmomi/blob/f0fe4e279cebdfdbca5bfce699063d15b1d3bd1d/pyVmomi/SoapAdapter.py#L1533

It seems that the first request is passing and the second request is failing. I am not sure why that is happening.

Describe the solution you'd like

I would like to know what I am doing wrong and any WAR to solve it. Is it even possible to connect to vCenter Server via a Kerberos-authenticated proxy server using pyVmomi? I am trying to register/unregister a plugin on vCenter Server.

Describe alternatives you've considered

No response

Additional context

No response

VedaNiks • Jul 27 '23 11:07
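Added example, not part of the original issue and not pyVmomi code: both tracebacks end in `http.client`'s `_tunnel`, the step that sends CONNECT to the proxy. The sketch shows, against a constructed local stand-in proxy, that `http.client` puts only the headers given to `set_tunnel()` on the CONNECT, while headers given to `request()` travel inside the tunnel. The proxy, the token and the host name are placeholders; how pyVmomi routes `customHeaders` on each of its two connections is not established here.

```python
import http.client
import socket
import threading

TOKEN = "Negotiate Q09OU1RSVUNURUQ="  # constructed placeholder, not a Kerberos ticket

def _read_head(conn):
    """Read from the socket up to the blank line that ends an HTTP header block."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("latin-1").lower()

def _stand_in_proxy(listener):
    """Constructed proxy: open the tunnel only if CONNECT carries Proxy-Authorization."""
    conn, _ = listener.accept()
    with conn:
        if "\r\nproxy-authorization:" not in _read_head(conn):
            conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                         b"Proxy-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        _read_head(conn)  # the tunnelled request, as the origin server would see it
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

def attempt(tunnel_headers, request_headers):
    """Return the origin's status code, or the tunnel error text raised by http.client."""
    listener = socket.create_server(("127.0.0.1", 0))
    worker = threading.Thread(target=_stand_in_proxy, args=(listener,), daemon=True)
    worker.start()
    client = http.client.HTTPConnection("127.0.0.1", listener.getsockname()[1], timeout=5)
    client.set_tunnel("vcenter.example.invalid", 443, headers=tunnel_headers)
    try:
        client.request("POST", "/sdk", body=b"", headers=request_headers)
        return client.getresponse().status
    except OSError as exc:
        return str(exc)
    finally:
        client.close()
        worker.join(2)
        listener.close()

if __name__ == "__main__":
    print(attempt({}, {"Proxy-Authorization": TOKEN}))   # header only inside the tunnel
    print(attempt({"Proxy-Authorization": TOKEN}, {}))   # header on the CONNECT itself
```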
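Added example, not part of the original issue: a small correlator for the proxy log pattern quoted above, where an authenticated `TCP_TUNNEL/200` is followed within milliseconds by a `TCP_DENIED/407` with no user for the same client and target. The sample lines are constructed in the same field layout (documentation addresses and a made-up principal), and the 5-second window is an assumption.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts elapsed_ms client result status size method target user")

# Constructed sample modelled on the four lines in the issue, plus one unrelated denial.
SAMPLE_LOG = """\
1700000000.915 12 192.0.2.10 TCP_TUNNEL/200 3196 CONNECT 198.51.100.1:443 svc@EXAMPLE.TEST HIER_DIRECT/198.51.100.1 -
1700000000.918 2 192.0.2.10 TCP_DENIED/407 5978 CONNECT 198.51.100.1:443 - HIER_NONE/- text/html
1700000200.797 16 192.0.2.10 TCP_TUNNEL/200 3167 CONNECT 198.51.100.1:443 svc@EXAMPLE.TEST HIER_DIRECT/198.51.100.1 -
1700000200.801 2 192.0.2.10 TCP_DENIED/407 5982 CONNECT 198.51.100.1:443 - HIER_NONE/- text/html
1700000300.100 5 192.0.2.77 TCP_DENIED/407 4100 CONNECT 198.51.100.9:443 - HIER_NONE/- text/html
"""

def parse(line):
    """Parse one whitespace-separated access-log line; return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    try:
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], None if f[7] == "-" else f[7])
    except ValueError:
        return None

def unauth_followups(log_text, window=5.0):
    """Pair each unauthenticated 407 CONNECT with the authenticated tunnel that
    the same client opened to the same target at most `window` seconds earlier."""
    last_ok, hits = {}, []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or e.method != "CONNECT":
            continue
        key = (e.client, e.target)
        if e.status == 200 and e.user:
            last_ok[key] = e
        elif e.status == 407 and e.user is None:
            ok = last_ok.get(key)
            if ok and 0 <= e.ts - ok.ts <= window:
                hits.append((ok, e))
    return hits

if __name__ == "__main__":
    for ok, denied in unauth_followups(SAMPLE_LOG):
        print(f"{denied.client} -> {denied.target}: 407 without user "
              f"{denied.ts - ok.ts:.3f}s after tunnel as {ok.user}")
```

A denial with no earlier authenticated tunnel, such as the last sample line, is left out because it is an ordinary unauthenticated client rather than a second connection that arrived without credentials.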