
Permissions required to run nsxt_vm_tags module #499

Open
alexshallcross opened this issue Apr 10, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@alexshallcross

Describe the bug

In NSX I have created a custom security role which only has full access to the 'tags' permission. When running the nsxt_vm_tags module as a user that has that role, it fails with error 403 forbidden. The user is able to successfully alter tags through the GUI and API.

Reproduction steps

  1. Create a custom security role in NSX that only has full access to the tags permission.
  2. Assign custom security role to a user in NSX
  3. Run the nsxt_vm_tags module with the user credentials

Expected behavior

User with full access to the tags permission should be able to run this module.

Additional context

No response

@alexshallcross alexshallcross added the bug Something isn't working label Apr 10, 2024
@alagoutte
Contributor

Hi @alexshallcross

I think you need to add permissions to VM inventory to configure tags.

@alexshallcross
Author

Hi @alagoutte,

I've done some more testing with this. It does not work with a custom role with the VM inventory and Tag full access permissions, nor does it work with a custom role that has full access on all permissions. It will only work if the service account is assigned the built in Enterprise Admin role.

@hulr

hulr commented Jul 5, 2024

I would like to use a custom role for creating tags on virtual machines.

I analyzed this a bit and as far as I understand, it is currently not possible to use a custom role.
The nsxt_vm_tags module is using the virtual-machines endpoint with action update_tags:

policy_communicator.request(
    VM_UPDATE_URL + '?action=update_tags', data=post_body,
    method="POST", base_url='fabric')

According to the API documentation, the feature vm_vm_tags is required to execute this API action: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_UpdateVirtualMachineTags.html

This feature is marked as internal, and therefore it is not possible to create a custom role, through the GUI or the API, with the required permissions to create tags using the nsxt_vm_tags Ansible module.

It is only possible to create a custom role with the policy_vm_vm_tags feature, but another API endpoint must then be used: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_ApplyTagOnVirtualMachine.html

{
  "features" : [ {
    "feature" : "policy_vm_vm_tags",
    "feature_name" : "Policy Vm Vm Tags",
    "feature_description" : "Policy Create and assign tags to VM",
    "permission" : "crud",
    "is_internal" : false,
    "is_execute_recommended" : false
  }, {
    "feature" : "vm_vm_tags",
    "feature_name" : "Vm Vm Tags",
    "feature_description" : "Create and assign tags to VM",
    "permission" : "none",
    "is_internal" : true,
    "is_execute_recommended" : false
  } ]
}

@akiuni

akiuni commented Jul 5, 2024

I confirm @hulr's analysis. I've been able to reproduce it with Postman using a limited role (full access on tags and VM only).

The update of tags raised a 401 FORBIDDEN when using fabric/virtual-machines and succeeded when using the policy endpoint.

So here is a short proposal (untested) to fix that issue:

diff --git a/plugins/module_utils/nsxt_resource_urls.py b/plugins/module_utils/nsxt_resource_urls.py
index 7a7096d..0225770 100644
--- a/plugins/module_utils/nsxt_resource_urls.py
+++ b/plugins/module_utils/nsxt_resource_urls.py
@@ -61,7 +61,7 @@ EDGE_CLUSTER_URL = _ENFORCEMENT_POINT_URL + '/{}/edge-clusters'
 EDGE_NODE_URL = EDGE_CLUSTER_URL + '/{}/edge-nodes'
 
 VM_LIST_URL = '/virtual-machines'
-VM_UPDATE_URL = '/virtual-machines'
+VM_UPDATE_URL = '/infra/realized-state/virtual-machines'
 
 BFD_PROFILE_URL = '/infra/bfd-profiles'
 
diff --git a/plugins/modules/nsxt_vm_tags.py b/plugins/modules/nsxt_vm_tags.py
index 8017e40..33e5936 100644
--- a/plugins/modules/nsxt_vm_tags.py
+++ b/plugins/modules/nsxt_vm_tags.py
@@ -272,12 +272,12 @@ def realize():
             module.exit_json(msg="No tags detected to update")
 
         post_body = {
-            "external_id": virtual_machine_id,
             "tags": final_tags
         }
         policy_communicator.request(
-            VM_UPDATE_URL + '?action=update_tags', data=post_body,
-            method="POST", base_url='fabric')
+            VM_UPDATE_URL + '/' + virtual_machine_id + '/tags', data=post_body,
+            method="POST", base_url='policy')
+
         module.exit_json(msg="Successfully updated tags on VM {}".format(
             virtual_machine_id), changed=True)
     except Exception as err:
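Review bot: virtual_machine_id is now concatenated straight into the request path (`VM_UPDATE_URL + '/' + virtual_machine_id + '/tags'`) where it previously travelled in the JSON body, so a value containing a slash or query characters would change which resource the POST addresses; quote it with urllib.parse.quote(virtual_machine_id, safe='') or validate it before building the URL. The `except Exception as err` branch is unchanged, so a 403 from the new policy endpoint will still surface as a generic failure rather than naming the missing policy_vm_vm_tags feature; consider mentioning that feature in the failure message. The extra blank line added after the request call is unrelated whitespace and can be dropped.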

akiuni pushed a commit to akiuni/ansible-for-nsxt that referenced this issue Jul 8, 2024
@akiuni

akiuni commented Jul 9, 2024

I have made a PR for that bug: #507

Tested, it works fine.

However, I don't know if it is a real fix or just a workaround.
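The two request shapes discussed in this thread (the fabric update_tags action that needs the internal vm_vm_tags feature, and the policy tag endpoint that needs the assignable policy_vm_vm_tags feature) side by side, as an added example that is not code from the ansible-for-nsxt project or from any participant here. It reads a role's feature list in the shape hulr posted, picks the endpoint that role can actually call, and builds the matching request. The full URL prefixes (/api/v1/fabric for base_url='fabric', /policy/api/v1 for base_url='policy'), the function names and the sample roles are assumptions constructed for the example; the paths themselves follow the two API documents linked above and the diff in akiuni's comment.

```python
"""Choose an NSX tag-update endpoint from a role's feature permissions.

Added example for this issue thread, not ansible-for-nsxt code. Prefix paths
below are assumed mappings of the module's base_url values.
"""
from urllib.parse import quote

# Fabric (Manager API) call nsxt_vm_tags makes today. Needs the internal
# 'vm_vm_tags' feature, which only Enterprise Admin carries.
FABRIC_UPDATE_TAGS = "/api/v1/fabric/virtual-machines?action=update_tags"

# Policy API call proposed in the thread. Needs 'policy_vm_vm_tags', which a
# custom role can be granted through the GUI or API.
POLICY_APPLY_TAGS = "/policy/api/v1/infra/realized-state/virtual-machines/{vm_id}/tags"

WRITE_PERMISSIONS = {"crud"}


def feature_permission(role_features, feature):
    """Permission string for `feature` in a role feature listing, or 'none'."""
    for entry in role_features.get("features", []):
        if entry.get("feature") == feature:
            return entry.get("permission", "none")
    return "none"


def can_write(role_features, feature):
    return feature_permission(role_features, feature) in WRITE_PERMISSIONS


def build_tag_request(vm_external_id, tags, via_policy):
    """Return (method, path, json_body) for a tag update.

    `tags` is a list of {"scope": ..., "tag": ...} dicts as NSX expects.
    """
    if not vm_external_id:
        raise ValueError("vm_external_id is required")
    if via_policy:
        # The VM id becomes a path segment, so quote it instead of trusting it.
        path = POLICY_APPLY_TAGS.format(vm_id=quote(vm_external_id, safe=""))
        return "POST", path, {"tags": tags}
    return "POST", FABRIC_UPDATE_TAGS, {"external_id": vm_external_id, "tags": tags}


def plan_tag_update(role_features, vm_external_id, tags):
    """Pick the endpoint the role can call, failing early instead of
    letting NSX answer 403 after the request is sent."""
    if can_write(role_features, "policy_vm_vm_tags"):
        return build_tag_request(vm_external_id, tags, via_policy=True)
    if can_write(role_features, "vm_vm_tags"):
        return build_tag_request(vm_external_id, tags, via_policy=False)
    raise PermissionError(
        "role grants neither policy_vm_vm_tags nor vm_vm_tags (crud); "
        "a tag update would be rejected with 403")


# Constructed sample roles (shape follows the feature listing in the thread).
CUSTOM_TAG_ROLE = {
    "features": [
        {"feature": "policy_vm_vm_tags", "permission": "crud", "is_internal": False},
        {"feature": "vm_vm_tags", "permission": "none", "is_internal": True},
    ]
}
# Hypothetical role holding only the internal fabric feature.
FABRIC_ONLY_ROLE = {
    "features": [{"feature": "vm_vm_tags", "permission": "crud", "is_internal": True}]
}
READ_ONLY_ROLE = {
    "features": [{"feature": "policy_vm_vm_tags", "permission": "read", "is_internal": False}]
}

if __name__ == "__main__":
    vm = "5017a1b2-0000-4000-8000-000000000001"  # constructed external_id
    for name, role in [("custom", CUSTOM_TAG_ROLE), ("fabric-only", FABRIC_ONLY_ROLE),
                       ("read-only", READ_ONLY_ROLE)]:
        try:
            print(name, plan_tag_update(role, vm, [{"scope": "env", "tag": "prod"}]))
        except PermissionError as err:
            print(name, "refused:", err)
```

Running the block shows the custom role landing on the policy path with only "tags" in the body, the fabric-only role keeping the external_id-in-body form, and the read-only role refused before any request is built. The pre-flight check is what a module could do with the caller's role information to turn an opaque 403 into a message naming the missing feature.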
