#!/usr/bin/env python3
# Identify the set of vCenter privileges an Ansible playbook cannot run without:
# each privilege of the Admin role is removed in turn from the role named in
# role_to_use, and the playbook is re-run to see whether it still succeeds.
# License: GPLv3+
# Copyright: Gonéri Le Bouder <[email protected]>
from pyVmomi import vim
from pyVim.connect import SmartConnect, SmartConnectNoSSL, Disconnect
import os
import subprocess
import sys
def get_role(content, name):
    """Return the vCenter role called *name*, or None when no role matches.

    The role is looked up in ``content.authorizationManager.roleList``; the
    first role whose ``name`` matches wins. When nothing matches a diagnostic
    is printed and None is returned, so callers must check the result before
    dereferencing it.
    """
    roles = content.authorizationManager.roleList
    match = next((role for role in roles if role.name == name), None)
    if match is None:
        print(f"Cannot find role {name}")
    return match
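def testing(playbook="test-vcenter_vmtemplate_libraryitems.yaml"):
    """Run *playbook* with ansible-playbook and report whether it succeeded.

    stdout and stderr of the run are appended to ``testing-stdout.log`` and
    ``testing-stderr.log`` in the current directory, so every iteration of the
    privilege search remains inspectable after the fact.

    Args:
        playbook: path of the playbook to execute. Defaults to the playbook
            this script was written against, so existing callers are unaffected.

    Returns:
        True when ansible-playbook exited with status 0, False otherwise.

    Raises:
        FileNotFoundError: if ``ansible-playbook`` is not on PATH.
    """
    # NOTE(review): the playbook's own connection variables decide which vCenter
    # user — and therefore which role — is actually exercised. It must authenticate
    # as a user holding the role being trimmed (role_to_use), not as VMWARE_USER;
    # nothing here checks that.
    # Argument list, not a shell string: the playbook name is never shell-parsed.
    ret = subprocess.run(["ansible-playbook", playbook], capture_output=True)
    # errors="replace": a stray non-UTF-8 byte in Ansible's output must not abort
    # the whole privilege search with a UnicodeDecodeError.
    with open("testing-stdout.log", "a") as fd:
        fd.write(ret.stdout.decode(errors="replace"))
    with open("testing-stderr.log", "a") as fd:
        fd.write(ret.stderr.decode(errors="replace"))
    return ret.returncode == 0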
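def is_needed(privilege):
    """Tell whether *privilege* is required for the test playbook to succeed.

    Rewrites the role referenced by the module-level ``my_role`` (the role
    named in ``role_to_use``) to the full Admin privilege set minus
    *privilege*, then runs the playbook via ``testing()``. A failing run means
    the playbook depends on that one privilege.

    Side effects: the role on the vCenter server is left holding the reduced
    privilege set; this function does not restore it.

    Args:
        privilege: a privilege id taken from ``admin_role.privilege``.

    Returns:
        True when the playbook fails without *privilege*, False otherwise.
    """
    # Leave-one-out test: this only detects privileges that are individually
    # indispensable. Two privileges that can substitute for each other will
    # each be reported as not needed, so the result is a lower bound, not a
    # guaranteed-minimal set.
    content.authorizationManager.UpdateAuthorizationRole(
        newName=my_role.name,
        roleId=my_role.roleId,
        privIds=[p for p in admin_role.privilege if p != privilege],
    )
    print(f"testing {privilege}")
    return not testing()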
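role_to_use = "Ansible"
# SmartConnectNoSSL disables TLS certificate verification, so VMWARE_USER's
# password is handed to whatever answers at the host name. Acceptable for a lab
# vCenter with a self-signed certificate; on any network that is not fully
# trusted use SmartConnect with a CA the client trusts instead. Credentials are
# read from the environment rather than argv so they stay out of the process
# list and shell history. The host name keeps its original default but can be
# overridden with VMWARE_HOST.
si = SmartConnectNoSSL(
    host=os.environ.get("VMWARE_HOST", "vcenter.test"),
    user=os.environ["VMWARE_USER"],
    pwd=os.environ["VMWARE_PASSWORD"],
)
try:
    content = si.RetrieveContent()
    admin_role = get_role(content, "Admin")
    my_role = get_role(content, role_to_use)
    # get_role() prints a diagnostic and returns None for a missing role; stop
    # here with a clear message rather than an AttributeError inside is_needed().
    if admin_role is None or my_role is None:
        sys.exit(f"Both the 'Admin' role and the '{role_to_use}' role must exist")

    needed = []
    for p in admin_role.privilege:
        required = is_needed(p)
        if required:
            needed.append(p)
        # Append one line per privilege so a partial result survives an
        # interrupted run (each iteration re-runs the whole playbook).
        with open("result.log", "a") as fd:
            fd.write(f"{'NEEDED' if required else 'NOT NEEDED'}: {p}\n")

    # NOTE(review): after the loop the role named in role_to_use is left with the
    # privilege set of the last iteration (Admin minus the last tested privilege),
    # not with `needed`; re-apply the intended set by hand if the role is in use.
    print("Required permissions:")
    for p in needed:
        print(p)
finally:
    # Disconnect was imported but never called: end the vCenter session instead
    # of leaving it to expire on the server.
    Disconnect(si)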