
Commit 9a069d5

author
William Lam
committed
vSphere Privilege Recorder Sample
1 parent 8d6b184 commit 9a069d5


1 file changed

+113
-0
lines changed


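--- /dev/null
+++ b/powershell/Get-VCenterPrivileges.ps1
@@ -0,0 +1,113 @@
+Function Get-VCenterPrivileges {
+<#
+.DESCRIPTION Function to retreive privileges from vSphere privileges recorder
+.NOTES Author: William Lam
+.NOTES Site: www.williamlam.com
+.PARAMETER SessionToken
+Session Token returned from logging into vCenter REST API
+.PARAMETER Objects
+Array of vSphere Objects (type,id) to filter from privilege checks
+.PARAMETER Principals
+Array of vSphere Users (domain,name) to filter from privilege checks
+.PARAMETER OpIds
+Array of vSphere Operation Ids to filter from privilege checks
+.PARAMETER Sessions
+Array of vSphere Session IDs to filter from privilege checks
+.EXAMPLE
+# Filter privileges for Object of type VirtualMachine with MoRef ID vm-121005
+Get-VCenterPrivileges -SessionToken $sessionToken -Troubleshoot -Objects @(@{"type"="VirtualMachine";"id"="vm-121005"})
+.EXAMPLE
+# Filter privileges for Principal user with [email protected]
+Get-VCenterPrivileges -SessionToken $sessionToken -Troubleshoot -Principals @(@{"domain"="vsphere.local";"name"="william"})
+.EXAMPLE
+# Filter privileges for Operation ID "create-marvel-vm"
+Get-VCenterPrivileges -SessionToken $sessionToken -Troubleshoot -OpIds @("create-marvel-vm")
+.EXAMPLE
+# Filter privileges for Session "52fcf343-ee6a-47b4-b3cf-58bca9f88424"
+Get-VCenterPrivileges -SessionToken $sessionToken -Troubleshoot -Sessions @("52fcf343-ee6a-47b4-b3cf-58bca9f88424")
+.EXAMPLE
+# Filter privileges for Object of type VirtualMachine with MoRef ID vm-121005 and for Principal user with [email protected]
+Get-VCenterPrivileges -SessionToken $sessionToken -Troubleshoot -Objects @(@{"type"="VirtualMachine";"id"="vm-121005"}) -Principals @(@{"domain"="vsphere.local";"name"="william"})
+#>
+param(
+[Parameter(Mandatory=$true)][string]$SessionToken,
+[Parameter(Mandatory=$false)][object[]]$Objects,
+[Parameter(Mandatory=$false)][object[]]$Principals,
+[Parameter(Mandatory=$false)][string[]]$OpIds,
+[Parameter(Mandatory=$false)][string[]]$Sessions,
+[Parameter(Mandatory=$false)][string]$Marker,
+[Switch]$Troubleshoot
+)
+
+$headers = @{
+"vmware-api-session-id"=$sessionToken
+"Content-Type"="application/json"
+"Accept"="application/json"
+}
+
+# Filter Spec
+$payload = @{
+filter = @{
+}
+}
+
+# Add Object to filter spec
+if($Objects) {
+$payload.filter.add("objects",$Objects)
+}
+
+# Add Principal to filter spec
+if($Principals) {
+$payload.filter.add("principals",$Principals)
+}
+
+# Add OpId to filter spec
+if($OpIds) {
+$payload.filter.add("op_ids",$OpIds)
+}
+
+if($Sessions) {
+$payload.filter.add("sessions",$Sessions)
+}
+
+$body = $payload | ConvertTo-Json -Depth 10
+
+$privCheckURL = "https://${vcenter_server}/api/vcenter/authorization/privilege-checks?action=list"
+
+# Include Marker
+if($Marker) {
+$privCheckURL = "${privCheckURL}&marker=${Marker}"
+}
+
+if($Troubleshoot) {
+Write-Host -ForegroundColor cyan "`n[DEBUG] - `n$privCheckURL`n"
+Write-Host -ForegroundColor cyan "[DEBUG]`n$body`n"
+}
+
+try {
+if($PSVersionTable.PSEdition -eq "Core") {
+$requests = Invoke-WebRequest -Uri $privCheckURL -Method POST -Body $body -Headers $headers -SkipCertificateCheck
+} else {
+$requests = Invoke-WebRequest -Uri $privCheckURL -Method POST -Body $body -Headers $headers
+}
+} catch {
+if($_.Exception.Response.StatusCode -eq "Unauthorized") {
+Write-Host -ForegroundColor Red "`nvCenter Server REST API session is no longer valid, please re-authenticate to retrieve a new token`n"
+break
+} else {
+Write-Error "Error in performing privilege check operation"
+Write-Error "`n($_.Exception.Message)`n"
+break
+}
+}
+
+if($requests.StatusCode -eq 200) {
+Write-Host -ForegroundColor Green "Marker: " -NoNewline
+# Print Marker
+Write-Host $(($requests.Content | ConvertFrom-Json).marker)
+# Print Privileges
+($requests.Content | ConvertFrom-Json).items
+} else {
+Write-Host -ForegroundColor red "`nFailed to perform privilege check operation`n"
+}
+}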
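Review bot: The PowerShell Core branch of the `Invoke-WebRequest` call (file line 89) passes `-SkipCertificateCheck` unconditionally, so on PowerShell 7 the `vmware-api-session-id` header — a bearer-equivalent vCenter session token — is sent to whatever answers at `$vcenter_server` without TLS validation, while the Desktop branch on line 91 does validate; certificate checking should be an opt-in switch rather than the default. Two smaller issues in the same function: `$vcenter_server` on line 75 is never declared as a parameter and is read from the caller's scope (an unset value yields `https:///api/...`), and `$Marker` on line 79 is spliced into the query string unencoded, so it should go through `[uri]::EscapeDataString`. Separately, the two `break` statements in the `catch` block (lines 96 and 100) are not inside a loop within this function; in PowerShell that terminates the caller's enclosing loop or script rather than just this function, and `return` is what appears to be intended. A sketch of the parameter and request changes follows; making `$VCenterServer` mandatory would break callers that rely on the global today, so defaulting it to `$vcenter_server` keeps that path working.
```powershell
param(
    [Parameter(Mandatory=$true)][string]$SessionToken,
    [Parameter(Mandatory=$false)][string]$VCenterServer = $vcenter_server,
    # … unchanged: Objects, Principals, OpIds, Sessions, Marker …
    [Switch]$SkipCertificateCheck,
    [Switch]$Troubleshoot
)
# … unchanged: header and filter-spec construction …
$privCheckURL = "https://${VCenterServer}/api/vcenter/authorization/privilege-checks?action=list"
if($Marker) {
    $privCheckURL = "${privCheckURL}&marker=$([uri]::EscapeDataString($Marker))"
}
# … unchanged: troubleshoot output …
try {
    if($PSVersionTable.PSEdition -eq "Core") {
        # TLS validation stays on unless the caller explicitly opts out
        $requests = Invoke-WebRequest -Uri $privCheckURL -Method POST -Body $body -Headers $headers -SkipCertificateCheck:$SkipCertificateCheck
    } else {
        if($SkipCertificateCheck) { Write-Warning "-SkipCertificateCheck is not supported on Windows PowerShell; certificate validation remains enabled" }
        $requests = Invoke-WebRequest -Uri $privCheckURL -Method POST -Body $body -Headers $headers
    }
} catch {
    # … unchanged: Unauthorized / generic error messages, with 'break' replaced by 'return' …
}
```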
