com.vmware.vcenter.namespace_management.supervisors package

Subpackages

Submodules

com.vmware.vcenter.namespace_management.supervisors.identity_client module

The com.vmware.vcenter.namespace_management.supervisors.identity_client module provides classes related to identity management for a Supervisor.

class com.vmware.vcenter.namespace_management.supervisors.identity_client.Providers(config)

Bases: vmware.vapi.bindings.stub.VapiInterface

The Providers class provides methods to configure identity management on a Supervisor. This class was added in vSphere API 8.0.0.1.

Parameters

config (vmware.vapi.bindings.stub.StubConfiguration) – Configuration to be used for creating the stub.

class CreateSpec(display_name=None, issuer_url=None, username_claim=None, groups_claim=None, client_id=None, client_secret=None, certificate_authority_data=None, additional_scopes=None, additional_authorize_parameters=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Providers.CreateSpec class is used to register a new upstream identity provider for use with a Supervisor. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • display_name (str) – A name to be used for the given identity provider. This name will be displayed in the vCenter UI. This attribute was added in vSphere API 8.0.0.1.

  • issuer_url (str) – The URL to the identity provider issuing tokens. The OIDC discovery URL will be derived from the issuer URL, according to RFC8414: https://issuerURL/.well-known/openid-configuration. This must use HTTPS as the scheme. This attribute was added in vSphere API 8.0.0.1.

  • username_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the username for the given user. This attribute was added in vSphere API 8.0.0.1. If None, the upstream issuer URL will be concatenated with the ‘sub’ claim to generate the username to be used with Kubernetes.

  • groups_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the groups for the given user. This attribute was added in vSphere API 8.0.0.1. If None, no groups will be used from the upstream identity provider.

  • client_id (str) – The clientID is the OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor. This attribute was added in vSphere API 8.0.0.1.

  • client_secret (str) – The OAuth 2.0 client secret to be used by the Supervisor when authenticating to the upstream identity provider. This attribute was added in vSphere API 8.0.0.1.

  • certificate_authority_data (str or None) – Certificate authority data to be used to establish HTTPS connections with the identity provider. This must be a PEM-encoded value. This attribute was added in vSphere API 8.0.0.1. If None, HTTPS connections with the upstream identity provider will rely on a default set of system trusted roots.

  • additional_scopes (list of str or None) – Additional scopes to be requested in tokens issued by this identity provider. This attribute was added in vSphere API 8.0.0.1. If None, no additional scopes will be requested.

  • additional_authorize_parameters ((dict of str and str) or None) – Any additional parameters to be sent to the upstream identity provider during the authorize request in the OAuth2 authorization code flow. One use case is to pass in a default tenant ID if you have a multi-tenant identity provider. For instance, with VMware’s Cloud Services Platform, if your organization ID is ‘long-form-org-id’, the ‘orgLink’ parameter can be set to “/csp/gateway/am/api/orgs/long-form-org-id” to allow users logging in to leverage that organization. This attribute was added in vSphere API 8.0.0.1. If None, no additional parameters will be sent to the upstream identity provider.

class Info(provider=None, display_name=None, issuer_url=None, username_claim=None, groups_claim=None, client_id=None, certificate_authority_data=None, additional_scopes=None, additional_authorize_parameters=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Providers.Info class provides details about an identity provider configured with a Supervisor. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • provider (str) – The immutable identifier of an identity provider generated when an identity provider is registered for a Supervisor. This attribute was added in vSphere API 8.0.0.1. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

  • display_name (str) – A name to be used for the given identity provider. This name will be displayed in the vCenter UI. This attribute was added in vSphere API 8.0.0.1.

  • issuer_url (str) –

    The URL to the identity provider issuing tokens. The OIDC discovery URL will be derived from the issuer URL, according to RFC8414: https://issuerURL/.well-known/openid-configuration. This must use HTTPS as the scheme. This attribute was added in vSphere API 8.0.0.1.

  • username_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the username for the given user. This attribute was added in vSphere API 8.0.0.1. If None, the upstream issuer URL will be concatenated with the ‘sub’ claim to generate the username to be used with Kubernetes.

  • groups_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the groups for the given user. This attribute was added in vSphere API 8.0.0.1. If None, no groups will be used from the upstream identity provider.

  • client_id (str) – The clientID is the OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor. This attribute was added in vSphere API 8.0.0.1.

  • certificate_authority_data (str or None) – The certificate authority data holds the trusted roots to be used to establish HTTPS connections with the identity provider. This attribute was added in vSphere API 8.0.0.1. If None, HTTPS connections with the upstream identity provider will rely on a default set of system trusted roots.

  • additional_scopes (list of str or None) – Additional scopes to be requested in tokens issued by this identity provider. The ‘openid’ scope will always be requested. This attribute was added in vSphere API 8.0.0.1. If None, no additional scopes will be requested.

  • additional_authorize_parameters ((dict of str and str) or None) – Any additional parameters to be sent to the upstream identity provider during the authorize request in the OAuth2 authorization code flow. One use case is to pass in a default tenant ID if you have a multi-tenant identity provider. For instance, with VMware’s Cloud Services Platform, if your organization ID is ‘long-form-org-id’, the ‘orgLink’ parameter can be set to “/csp/gateway/am/api/orgs/long-form-org-id” to allow users logging in to leverage that organization. This attribute was added in vSphere API 8.0.0.1. If None, no additional parameters will be sent to the upstream identity provider.

class SetSpec(display_name=None, issuer_url=None, username_claim=None, groups_claim=None, client_id=None, client_secret=None, certificate_authority_data=None, additional_scopes=None, additional_authorize_parameters=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Providers.SetSpec class is used to fully replace the configuration of an upstream identity provider for use with a Supervisor. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • display_name (str) – A name to be used for the given identity provider. This name will be displayed in the vCenter UI. This attribute was added in vSphere API 8.0.0.1.

  • issuer_url (str) –

    The URL to the identity provider issuing tokens. The OIDC discovery URL will be derived from the issuer URL, according to RFC8414: https://issuerURL/.well-known/openid-configuration. This must use HTTPS as the scheme. This attribute was added in vSphere API 8.0.0.1.

  • username_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the username for the given user. This attribute was added in vSphere API 8.0.0.1. If None, the upstream issuer URL will be concatenated with the ‘sub’ claim to generate the username to be used with Kubernetes.

  • groups_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the groups for the given user. This attribute was added in vSphere API 8.0.0.1. If None, no groups will be used from the upstream identity provider.

  • client_id (str) – The clientID is the OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor. This attribute was added in vSphere API 8.0.0.1.

  • client_secret (str) – The OAuth 2.0 client secret to be used by the Supervisor when authenticating to the upstream identity provider. This attribute was added in vSphere API 8.0.0.1.

  • certificate_authority_data (str or None) – Certificate authority data to be used to establish HTTPS connections with the identity provider. This must be a PEM-encoded value. This attribute was added in vSphere API 8.0.0.1. If None, HTTPS connections with the upstream identity provider will rely on a default set of system trusted roots.

  • additional_scopes (list of str or None) – Additional scopes to be requested in tokens issued by this identity provider. This attribute was added in vSphere API 8.0.0.1. If None, no additional scopes will be requested.

  • additional_authorize_parameters ((dict of str and str) or None) – Any additional parameters to be sent to the upstream identity provider during the authorize request in the OAuth2 authorization code flow. One use case is to pass in a default tenant ID if you have a multi-tenant identity provider. For instance, with VMware’s Cloud Services Platform, if your organization ID is ‘long-form-org-id’, the ‘orgLink’ parameter can be set to “/csp/gateway/am/api/orgs/long-form-org-id” to allow users logging in to leverage that organization. This attribute was added in vSphere API 8.0.0.1. If None, no additional parameters will be sent to the upstream identity provider.

class Summary(provider=None, display_name=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Providers.Summary class provides an overview of an identity provider configured for the given Supervisor. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • provider (str) – The immutable identifier of an identity provider generated when an identity provider is registered for a Supervisor. This attribute was added in vSphere API 8.0.0.1. When clients pass a value of this class as a parameter, the attribute must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider. When methods return a value of this class as a return value, the attribute will be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

  • display_name (str) – A name to be used for the given identity provider. This name will be displayed in the vCenter UI. This attribute was added in vSphere API 8.0.0.1.

class UpdateSpec(display_name=None, issuer_url=None, username_claim=None, unset_username_claim=None, groups_claim=None, unset_groups_claim=None, client_id=None, client_secret=None, certificate_authority_data=None, unset_certificate_authority_data=None, additional_scopes=None, additional_authorize_parameters=None)

Bases: vmware.vapi.bindings.struct.VapiStruct

The Providers.UpdateSpec class contains the specification required to update the configuration of an identity provider used with a Supervisor. This class was added in vSphere API 8.0.0.1.

Tip

The arguments are used to initialize data attributes with the same names.

Parameters
  • display_name (str or None) – A name to be used for the given identity provider. This name will be displayed in the vCenter UI. This attribute was added in vSphere API 8.0.0.1. if None, the name will remained unchanged.

  • issuer_url (str or None) –

    The URL to the identity provider issuing tokens. The OIDC discovery URL will be derived from the issuer URL, according to RFC8414: https://issuerURL/.well-known/openid-configuration. This must use HTTPS as the scheme. This attribute was added in vSphere API 8.0.0.1. If None, the issuer URL will not be updated.

  • username_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the username for the given user. This attribute was added in vSphere API 8.0.0.1. If None, the username claim will not be updated.

  • unset_username_claim (bool or None) – This represents the intent of the change to Providers.UpdateSpec.username_claim. If this field is set to true, the existing ‘usernameClaim’ value will be removed. If this field is set to false, the existing username claim will be changed to the value specified in Providers.UpdateSpec.username_claim, if any. This attribute was added in vSphere API 8.0.0.1. If None, the existing ‘usernameClaim’ value will be changed to the value specified in Providers.UpdateSpec.username_claim, if any.

  • groups_claim (str or None) – The claim from the upstream identity provider ID token or user info endpoint to inspect to obtain the groups for the given user. This attribute was added in vSphere API 8.0.0.1. If None, the groups claim will not be updated.

  • unset_groups_claim (bool or None) – This represents the intent of the change to Providers.UpdateSpec.groups_claim. If this field is set to true, the existing ‘groupsClaim’ value will be removed. If this field is set to false, the existing groups claim will be changed to the value specified in Providers.UpdateSpec.groups_claim, if any. This attribute was added in vSphere API 8.0.0.1. If None, the existing ‘groupsClaim’ value will be changed to the value specified in Providers.UpdateSpec.groups_claim, if any.

  • client_id (str or None) – The clientID is the OAuth 2.0 client ID registered in the upstream identity provider and used by the Supervisor. This attribute was added in vSphere API 8.0.0.1. If None, the client ID will not be updated.

  • client_secret (str or None) – The OAuth 2.0 client secret to be used by the Supervisor when authenticating to the upstream identity provider. This attribute was added in vSphere API 8.0.0.1. If None, the client secret will not be updated.

  • certificate_authority_data (str or None) – Certificate authority data to be used to establish HTTPS connections with the identity provider. This must be a PEM-encoded value. This attribute was added in vSphere API 8.0.0.1. If None, the certificate authority data will not be updated.

  • unset_certificate_authority_data (bool or None) – This represents the intent of the change to Providers.UpdateSpec.certificate_authority_data. If this field is set to true, the existing ‘certificateAuthorityData’ value will be removed. If this field is set to false, the existing certificate authority data will be changed to the value specified in Providers.UpdateSpec.certificate_authority_data, if any. This attribute was added in vSphere API 8.0.0.1. If None, the existing ‘certificateAuthorityData’ value will be changed to the value specified in Providers.UpdateSpec.certificate_authority_data, if any.

  • additional_scopes (list of str or None) – Additional scopes to be requested in tokens issued by this identity provider. This attribute was added in vSphere API 8.0.0.1. If None, the additional scopes will not be updated.

  • additional_authorize_parameters ((dict of str and str) or None) – Any additional parameters to be sent to the upstream identity provider during the authorize request in the OAuth2 authorization code flow. One use case is to pass in a default tenant ID if you have a multi-tenant identity provider. For instance, with VMware’s Cloud Services Platform, if your organization ID is ‘long-form-org-id’, the ‘orgLink’ parameter can be set to “/csp/gateway/am/api/orgs/long-form-org-id” to allow users logging in to leverage that organization. This attribute was added in vSphere API 8.0.0.1. If None, the additional parameters will not be updated.

create(supervisor, spec)

Create a new identity provider to be used with a Supervisor. Currently, only a single identity provider can be created. This method was added in vSphere API 8.0.0.1.

Parameters
  • supervisor (str) – the Supervisor for which the identity provider is being registered. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

  • spec (Providers.CreateSpec) – the {#link CreateSpec} describing the identity provider to be registered.

Return type

str

Returns

a unique identifier for the identity provider that was registered. The return value will be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the \@{param.name spec} contains any errors.

Raise

com.vmware.vapi.std.errors_client.Unsupported if the specified Supervisor does not exist, or if an identity provider is already configured.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the Namespaces.Manage privilege on the Supervisor.

delete(supervisor, provider)

Remove an identity provider configured with a given Supervisor. This will result in users no longer being able to log in to either the Supervisor or any of its workload clusters with that identity provider. This method was added in vSphere API 8.0.0.1.

Parameters
  • supervisor (str) – the identifier of the Supervisor which is associated with the identity provider being removed. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

  • provider (str) – the identifier for the identity provider that is to be deleted. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.NotFound if the given identity provider or Supervisor cannot be found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the Namespaces.Manage privilege on the Supervisor.

get(supervisor, provider)

Returns information about an identity provider configured for a Supervisor. This method was added in vSphere API 8.0.0.1.

Parameters
  • supervisor (str) – identifier for the Supervisor for which the identity provider is being read. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

  • provider (str) – identifier for the identity provider that is being read. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

Return type

Providers.Info

Returns

An {#link Info} representing the requested identity provider.

Raise

com.vmware.vapi.std.errors_client.NotFound if the given identity provider or Supervisor cannot be found.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the System.Read privilege on the Supervisor.

list(supervisor)

List the identity providers configured for a given Supervisor. This method was added in vSphere API 8.0.0.1.

Parameters

supervisor (str) – the Supervisor for which identity providers are being listed. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

Return type

list of Providers.Summary

Returns

A list of {#link Summary} with details about the identity providers associated with a given Supervisor.

Raise

com.vmware.vapi.std.errors_client.NotFound if the given Supervisor cannot be found.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the System.Read privilege on the Supervisor.

set(supervisor, provider, spec)

Update the entire configuration for an existing identity provider used with a Supervisor. This method was added in vSphere API 8.0.0.1.

Parameters
  • supervisor (str) – the identifier for the Supervisor associated with the identity provider to be updated. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

  • provider (str) – the identifier for the identity provider that is to be updated. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

  • spec (Providers.SetSpec) – the {#link SetSpec} to be applied to the identity provider configuration.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the \@{param.name spec} contains any errors.

Raise

com.vmware.vapi.std.errors_client.NotFound if the given identity provider or Supervisor cannot be found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the Namespaces.Manage privilege on the Supervisor.

update(supervisor, provider, spec)

Update an existing identity provider used with a Supervisor. This method was added in vSphere API 8.0.0.1.

Parameters
  • supervisor (str) – the identifier for the Supervisor associated with the identity provider to be updated. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.supervisor.Supervisor.

  • provider (str) – the identifier for the identity provider that is to be updated. The parameter must be an identifier for the resource type: com.vmware.vcenter.namespace_management.identity.Provider.

  • spec (Providers.UpdateSpec) – the {#UpdateSpec} to be applied to the identity provider configuration.

Raise

com.vmware.vapi.std.errors_client.Error if the system reports an error while responding to the request.

Raise

com.vmware.vapi.std.errors_client.InvalidArgument if the \@{param.name spec} contains any errors.

Raise

com.vmware.vapi.std.errors_client.NotFound if the given identity provider or Supervisor cannot be found.

Raise

com.vmware.vapi.std.errors_client.Unauthenticated if the user cannot be authenticated.

Raise

com.vmware.vapi.std.errors_client.Unauthorized if the user is missing the Namespaces.Manage privilege on the Supervisor.

class com.vmware.vcenter.namespace_management.supervisors.identity_client.StubFactory(stub_config)

Bases: vmware.vapi.bindings.stub.StubFactoryBase

Initialize StubFactoryBase

Parameters

stub_config (vmware.vapi.bindings.stub.StubConfiguration) – Stub config instance