Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Don't require Validate session privileges to check if user session is active #2235

Merged
merged 1 commit into from
Sep 1, 2023
Merged

🌱 Don't require Validate session privileges to check if user session is active #2235

merged 1 commit into from
Sep 1, 2023

Conversation

laozc
Copy link
Member

@laozc laozc commented Aug 16, 2023

What this PR does / why we need it:
Session active check does not work for Datacenter scoped TKG admin account.
API SessionIsActive requires ValidateSession permission which is not listed in current doc.
It can be replaced with a simple Datacenter retrieval call to do the same thing.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2066

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 16, 2023
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 16, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @laozc. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Aug 16, 2023
@sbueringer
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 16, 2023
@chrischdi chrischdi mentioned this pull request Aug 17, 2023
Open
subbartt
subbartt reviewed Aug 20, 2023
View reviewed changes
pkg/session/session.go Outdated Show resolved Hide resolved
chrischdi
chrischdi reviewed Aug 22, 2023
View reviewed changes
pkg/session/session.go Outdated Show resolved Hide resolved
pkg/session/session.go Outdated Show resolved Hide resolved
pkg/session/session.go Outdated Show resolved Hide resolved
pkg/session/session.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 22, 2023
@chrischdi
Copy link
Member

/lgtm

@srm09 or @randomvariable , would be awesome to get your take on this.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 22, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: eea4888bf2744c5cd234a0a7a0a6d38232b8e438

@randomvariable
Copy link
Member

Had to read the govmomi code for UserSession to understand what happened. It makes sense, but maybe worth leaving a comment that UserSession(blah) actually does a managed object retrieval for future devs.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 28, 2023
@sbueringer
Copy link
Member

@laozc

API SessionIsActive requires ValidateSession permission which is not listed in current doc.

I think this is not correct:

Session

If I got it correctly it is just that Validate Session is required on the root (?). And using UserSession (aka getting currentSession) requires less permissions.

I'm fine in general with the change, but is there any vCenter documentation confirming that UserSession / currentSession requires no specific pemissions? (@laozc @randomvariable)

@randomvariable
Copy link
Member

I don't know if there's something confirming that permissions are not required, but permissions are described here https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html

Similar to what we do with CloudTrail in CAPA, at some point may want to enable the privilege recorder https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-8A5066BB-BE0C-48AD-9DDB-F3446AD3B9F6.html and capture the output, though that might be restricted in VMC.

@sbueringer
Copy link
Member

Thx for the info. That could become very useful going forward

@sbueringer sbueringer changed the title 🌱 Fixes session active check with Datacenter scoped TKG admin account 🌱 Don't require Validate session privileges to check if user session is active Sep 1, 2023
@sbueringer
Copy link
Member

sbueringer commented Sep 1, 2023
edited
Loading

Renamed the PR as it's clearly documented that a TKG admin requires session validation privileges. Nonetheless, makes sense to reduce the required privileges

image

@sbueringer
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 1, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: a0d09581253b94e95388b3774ea64d3aa148f805

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 1, 2023
@k8s-ci-robot k8s-ci-robot merged commit c1c6207 into kubernetes-sigs:main Sep 1, 2023
10 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.9 milestone Sep 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@subbartt subbartt subbartt left review comments

@namra98 namra98 namra98 approved these changes

@srm09 srm09 Awaiting requested review from srm09

@zhanggbj zhanggbj Awaiting requested review from zhanggbj

@chrischdi chrischdi Awaiting requested review from chrischdi

Assignees

@chrischdi chrischdi

@sbueringer sbueringer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.9
Development

Successfully merging this pull request may close these issues.

Session validation fails with Datacenter scoped Administrator user.
7 participants
@laozc @k8s-ci-robot @sbueringer @chrischdi @randomvariable @namra98 @subbartt