Make login optional #158

Open
wiggin15 opened this issue Sep 9, 2014 · 8 comments
@wiggin15
Contributor

wiggin15 commented Sep 9, 2014

We're trying to develop an extension using pyvmomi, and extensions don't log in using username and password, but use the LoginExtensionByCertificate API. However, when we call Connect or SmartConnect, we must provide a username and password for log in...
It would be great if the __Login function was called from Connect only if user and pwd were provided, so that it would be optional instead of mandatory.
This way we can create a Connection class and then call the API on our own: service_instance.content.sessionManager.LoginExtensionByCertificate

@hartsock
Member

hartsock commented Sep 9, 2014

We may get official SSO support at some point. Unofficial SSO is one of the first features we want in the pyvmomi-tools project that is yet to be released on pypi. There is a fuzzy line between whether certain features should go in the core official library or in the less official tools library.

I will look into nearer term using LoginExtensionByCertificate and see how quickly we can turn something like that around.

As always, any help is appreciated. Please coordinate with other developers before extending a large effort just to avoid duplication of work.

Edit:

By the way, naturally... if you authenticate with username and password from an administrator console script to call vim.ExtensionManager.setCertificate and set a certificate you can then later turn around and place that certificate in a location that your script can use LoginExtensionByCertificate. I think this is complex enough we might want a sample and a tool to do this with.

I've assigned myself so I won't forget to get someone to do this.

@wiggin15
Contributor Author

wiggin15 commented Sep 9, 2014

This is not SSO-related, and also we don't have a username/password at any point. We log in without calling setCertificate. If you're interested, we use the method described here: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-ext-solutions-50.pdf page 82, "Provide a Script in the Extension Virtual Machine to Register as a vCenter Extension".
I have already implemented a workaround that works, but it required copying and refactoring connect.py (which I really didn't like to do :/)

About coordinating efforts - we're working to wrap pyvmomi with an interface similar to pyvisdk (https://github.com/infinidat/pyvisdk), which is more object-oriented (provides a class that lets you retrieve vms, hosts, folders, etc. and other convenience wrappers). Most of the work is already done, but we haven't released our code yet.
It would be great if we can pool our efforts, but unfortunately it looks like pyvmomi-tools and pyvmomi-community-samples are only assortments of helper functions, so they are less organized for our needs.

@wz200210

Hi wiggin15,
is there any sample for the workaround that you mentioned? It will help me a lot!!

@wiggin15
Contributor Author

Hi @wz200210. We're using infi.pyvmomi_wrapper (https://github.com/Infinidat/infi.pyvmomi_wrapper). We implemented a replacement for Connect here: https://github.com/Infinidat/infi.pyvmomi_wrapper/blob/develop/src/infi/pyvmomi_wrapper/connect.py
You can use the wrapper class, infi.pyvmomi_wrapper.Client. The login is optional - you can use it like this:

```python
from infi.pyvmomi_wrapper import Client
client = Client(vcenter_address, username, password)
```

or like this:

```python
from infi.pyvmomi_wrapper import Client
client = Client(vcenter_address)
client.login(username, password)
```

See the documentation in the link above for what you can do with client.

I hope that in the future, the implementation of Connect will not require username and password in this repository, so we won't have to have separate implementations.

@wz200210

@wiggin15, thanks very much!!!

How do I use login_extension_by_certificate() in class client? How do I get the extension key?
I am trying to find a way to log in to vCenter without a username and password.
Is there any way, like a token or something like that, that I can use to log in to vCenter?

@wiggin15
Contributor Author

@wz200210, there's a link to a pdf file in my comment above with the page discussing how to log in with a certificate. It's not simple - you need to have an appliance (ova) installed on the vcenter and parse a file inside it, and then send an HTTP post request with an extension key, a token and a generated certificate. The details are in the document.

@wz200210

@wiggin15 OK, I will try it out.

Can a VM with an Ubuntu system be converted to an OVA? Or must it be an official VMware extension service OVA?

Thanks again!

@wiggin15
Contributor Author

AFAIK you can't convert a VM to an ova - you have to create the ova through VMware Studio.

@hartsock hartsock assigned tianhao64 and unassigned hartsock Dec 29, 2015