Sorry, I've been unable to stick with this ticket as more pressing matters came up.
Total speculation so far, but my gut reaction is this is probably a certificate issue. I have no evidence to support this theory, but with VMware, it's usually a good place to start.
I looked at it a little bit more today and delved a little deeper into the API. I used a Chrome extension called Postman to test the API.
For those new to this, I'll try and provide enough detail so you can reproduce:
Establish Session:
POST: https://vc/rest/com/vmware/cis/session
Authorization: Basic Auth
Username: administrator@vsphere.local
Password: <your password>
Check "Save helper data to request" (not sure if this is necessary)
Click Send
This will generate a SAML token and spit it back in a cookie -- it's not obvious in Postman, but the cookie is "vmware-api-session-id" and you can see the value in the JSON the POST returns.
Once you establish this authentication you can use the API documented here:
Online Documentation - vSphere Automation SDK for REST 6.5 - VMware
When I use the "vcenter" or "cis" API it works fine. When I try anything under the "appliance" API it fails:
So these work:
GET: https://vc/rest/vcenter/vm
GET: https://vc/rest/vcenter/vm/vm-100
POST: https://vc/rest/com/vmware/cis/session?~action=get
These do not, and get that vapi.security.authorization.invalid error:
POST: https://vc/rest/appliance/recovery/backup/job
HEADER: Content-Type: application/json
HEADER: Accept: application/json
BODY: raw: JSON (application/json):
{
    "piece": {
        "location_type": "FTP",
        "comment": "Automatic backup",
        "parts": ["seat"],
        "location": "ftp://backup/vcsa-test",
        "location_user": "backup",
        "location_password": "yourpassword"
    }
}
GET: https://vc/rest/appliance/monitoring
The full error response in JSON is:
{
    "type": "com.vmware.vapi.std.errors.unauthorized",
    "value": {
        "messages": [
            {
                "args": [],
                "default_message": "Unable to authorize user",
                "id": "vapi.security.authorization.invalid"
            }
        ]
    }
}
I did not see anything in the vpxd logs. When monitoring them, they didn't even appear to have a response to my attempts.
I did however stumble across this in the /var/log/vmware/applmgmt/vapi.log and vami.log. The list is the attempted GET for monitoring, and the create is the attempted POST for the backup:
2017-04-04T16:08:11.094 [3000]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.monitoring, operation_id: list
2017-04-04T16:08:11.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:08:11.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:08:11.094 [3000]INFO:twisted:"127.0.0.1" - - [04/Apr/2017:16:08:10 +0000] "POST /api HTTP/1.1" 200 332 "-" "vAPI http client"
2017-04-04T16:10:50.094 [3000]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.recovery.backup.job, operation_id: create
2017-04-04T16:10:50.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:10:50.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:10:50.094 [3000]INFO:twisted:"127.0.0.1" - - [04/Apr/2017:16:10:49 +0000] "POST /api HTTP/1.1" 200 332 "-" "vAPI http client
No idea if this is related, as the timing didn't seem to work out. But I did find these entries in /var/log/vmware/vapi/endpoint interesting:
2017-04-04T15:32:00.500Z | INFO | state-manager1 | DefaultStateManager | Invoking rebuild cis-api-connections-builder
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | WARN | state-manager1 | ApiConnectionsCisUtil | Cannot find metadata source definitions in VAPI endpoint Service Endpoint of type com.vmware.cis.data.provider with protocol vapi.json.http at http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | WARN | state-manager1 | ApiConnectionsCisUtil | Unable to find metadata endpoint in service Service with localization key cis.content-library.ServiceDescription and id 5e812b2e-01b8-49c7-9184-9e9782d8e86e.
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsStateBuilder | Cannot resolve protocol priorities between the following services. Will use the first one.
First: 5e812b2e-01b8-49c7-9184-9e9782d8e86e\com.vmware.cis.cls.vapi at http://vc:80/cls/
Second: 5e812b2e-01b8-49c7-9184-9e9782d8e86e\com.vmware.cis.cls.vapi at http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | WARN | state-manager1 | ApiConnectionsCisUtil | Cannot find metadata source definitions in VAPI endpoint Service Endpoint of type com.vmware.cdc.provider with protocol vapi.json.http at http://localhost:16666/cls/
2017-04-04T15:32:00.633Z | WARN | state-manager1 | ApiConnectionsCisUtil | Unable to find metadata endpoint in service Service with localization key cis.content-library.ServiceDescription and id 5e812b2e-01b8-49c7-9184-9e9782d8e86e.
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:10080/invsvc/vapi
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:8900/vmonapi
2017-04-04T15:32:00.633Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:9090/ds/vapi
2017-04-04T15:32:00.634Z | WARN | state-manager1 | ApiConnectionsCisUtil | Cannot find metadata source files/URLs in VAPI endpoint Service Endpoint of type com.vmware.vapi.endpoint with protocol vapi.json.http at http://vc:80/site/api
2017-04-04T15:32:00.634Z | WARN | state-manager1 | ApiConnectionsCisUtil | Unable to find metadata endpoint in service Service with localization key cis.vapi.endpoint.serviceDescriptionResourceKey and id e0cc58e8-7ce4-48f9-9426-61648da55b2d.
2017-04-04T15:32:00.634Z | INFO | state-manager1 | ApiConnectionsCisUtil | Unsupported source (metadata) type in metadata source entry cis.common.ep.localurl : http://localhost:12346/site/api
2017-04-04T15:32:00.634Z | WARN | state-manager1 | ApiConnectionsCisUtil | Cannot find metadata source definitions in VAPI endpoint Service Endpoint of type com.vmware.vapi.endpoint with protocol vapi.json.http at http://localhost:12346/site/api
2017-04-04T15:32:00.634Z | WARN | state-manager1 | ApiConnectionsCisUtil | Unable to find metadata endpoint in service Service with localization key cis.vapi.endpoint.serviceDescriptionResourceKey and id e0cc58e8-7ce4-48f9-9426-61648da55b2d.
2017-04-04T15:32:00.634Z | INFO | state-manager1 | DefaultStateManager | Invoking rebuild vim-adapter-settings-builder
2017-04-04T15:32:00.709Z | INFO | state-manager1 | DefaultStateManager | Invoking rebuild vapi-vcenter-servlet-builder
2017-04-04T15:32:00.710Z | INFO | state-manager1 | DefaultStateManager | Invoking rebuild api-interfaces-builder
2017-04-04T15:32:00.727Z | INFO | state-manager1 | DefaultStateManager | Invoking rebuild metadata-sync-builder
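The Postman steps from the post written as a script, as an added example that is not part of the original post or VMware's code: it builds the session login, sends the session id in the "vmware-api-session-id" header on later calls, and picks the error id out of a vAPI error body. It assumes the login response holds the id under the "value" key; the function names are illustrative.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

SESSION_HEADER = "vmware-api-session-id"  # name quoted in the post

def login_request(host, user, password):
    """Build POST /rest/com/vmware/cis/session with HTTP Basic credentials."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/rest/com/vmware/cis/session", data=b"", method="POST",
        headers={"Authorization": f"Basic {basic}", "Accept": "application/json"})

def session_id_from(body_text):
    """Assumption: the login response carries the id under the "value" key."""
    return json.loads(body_text)["value"]

def api_request(host, path, session_id, body=None):
    """Build an authenticated call; a JSON body makes it a POST, else GET."""
    headers = {SESSION_HEADER: session_id, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"https://{host}{path}", data=data,
                                  headers=headers,
                                  method="POST" if data else "GET")

def vapi_error(body_text):
    """Return (error type, [message ids]) for a vAPI error body, else None."""
    doc = json.loads(body_text)
    if not isinstance(doc, dict) or "type" not in doc:
        return None
    messages = doc.get("value", {}).get("messages", [])
    return doc["type"], [m.get("id") for m in messages]

def send(request, cafile=None):
    """Send with certificate verification on; cafile may name a CA bundle."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(request, context=context) as response:
            return response.status, response.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
        return err.code, err.read().decode()
```

Against a live appliance: send(login_request(...)), pass the body to session_id_from, then send(api_request("vc", "/rest/appliance/monitoring", sid)) and feed a non-200 body to vapi_error.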
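A way to line up the /var/log/vmware/applmgmt/vapi.log entries quoted in the post, as an added example that is not part of the original post: it groups each ERROR line under the authorization request that preceded it, so the service and operation that logged the failure are listed together. The line format is inferred from the quoted excerpt, and the last two sample lines are constructed.

```python
import re

# Lines in the applmgmt vapi.log format. The first six are from the post; the
# last two are constructed (hypothetical service id) to show a clean request.
SAMPLE = """\
2017-04-04T16:08:11.094 [3000]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.monitoring, operation_id: list
2017-04-04T16:08:11.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:08:11.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:08:11.094 [3000]INFO:twisted:"127.0.0.1" - - [04/Apr/2017:16:08:10 +0000] "POST /api HTTP/1.1" 200 332 "-" "vAPI http client"
2017-04-04T16:10:50.094 [3000]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.recovery.backup.job, operation_id: create
2017-04-04T16:10:50.094 [3000]ERROR:vmware.appliance.extensions.authorization.authorization_sso:FindAllParentGroups Failed {[Errno 2] No such file or directory}
2017-04-04T16:12:00.000 [3000]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.appliance.example, operation_id: get
2017-04-04T16:12:00.000 [3000]INFO:twisted:"127.0.0.1" - - [04/Apr/2017:16:11:59 +0000] "POST /api HTTP/1.1" 200 332 "-" "vAPI http client"
"""

LINE = re.compile(r"^(?P<ts>\S+) \[(?P<pid>\d+)\](?P<level>[A-Z]+):"
                  r"(?P<logger>[\w.]+):(?P<msg>.*)$")
AUTHZ = re.compile(r"Authorization request for service_id: (?P<service>[\w.]+),"
                   r" operation_id: (?P<operation>\w+)")

def correlate(text):
    """Group ERROR lines under the authorization request that preceded them."""
    requests, open_by_pid = [], {}
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        pid, authz = line["pid"], AUTHZ.search(line["msg"])
        if authz:
            entry = {"time": line["ts"], **authz.groupdict(), "errors": []}
            open_by_pid[pid] = entry
            requests.append(entry)
        elif line["level"] == "ERROR" and pid in open_by_pid:
            errors = open_by_pid[pid]["errors"]
            if line["msg"] not in errors:  # the log repeats each error
                errors.append(line["msg"])
        elif line["logger"] == "twisted":  # access-log line closes the request
            open_by_pid.pop(pid, None)
    return requests

def failed(text):
    """(service, operation, error) for every request that logged an error."""
    return [(r["service"], r["operation"], e)
            for r in correlate(text) for e in r["errors"]]
```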