Unable to authenticate with a paired remote site using tenant user credentials in Cloud Director Availability 4.x

Article ID: 315146

Updated On:

Products

VMware Cloud Director

Issue/Introduction

Symptoms:

  • Authenticating with a remote Cloud Director site as a tenant user in Cloud Director Availability fails, and you see an error similar to:
Unexpected VMware Cloud Director error. This operation is denied.
  • In the /opt/vmware/h4/cloud/log/cloud.log file on the Cloud Replication Management Appliance, you see an entry similar to:
2023-12-19 15:19:03.190 ERROR - [UI-fa6c8909-####-####-####-#########95a-r171-Ed] [https-jsse-nio-8443-exec-10] c.v.h.c.c.error.ExceptionAdvisorBase     : A GET request from tenant1@EPG-vCDA[192.168.1.90] to /config/vcloud-org-associations?site=vCDA-EPG-Cloud failed.

com.vmware.vcloud.client.exception.VcloudException: (Major code = 403, minor code = ACCESS_TO_RESOURCE_IS_FORBIDDEN) - [ UI-fa6c8909-####-####-####-#########95a-r171-Ed-66114073-####-####-####-#########3fc ] This operation is denied.

        at com.vmware.vcloud.client.VcloudClient.lambda$defaultErrorDeserializer$0(VcloudClient.java:297)
        at com.vmware.rest.client.AbstractRestClient.convert(AbstractRestClient.java:225)
        at com.vmware.vcloud.client.XmlRestClient.exchange(XmlRestClient.java:92)
        at com.vmware.vcloud.client.XmlRestClient.exchange(XmlRestClient.java:68)
        at com.vmware.vcloud.client.VcloudClient.exchange(VcloudClient.java:258)
        at com.vmware.vcloud.client.VcloudClient.getOrgAssociations(VcloudClient.java:1215)
...
  • In the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log file on the Cloud Director cell that processed the login task, you see an entry similar to:
pool-jetty-624507         | OperationsManagerImpl          | Operation denied, required but missing operations:
[ORGANIZATION_VIEW_ASSOCIATIONS]
Operations not in users context. | requestId=UI-6eb05615-####-####-####-#########90c-r670-vV-3b2c8822-####-####-####-#########0be,request=GET https://vcd01.labs.local/api/admin/org/c868e9e2-####-####-####-#########337/associations,requestTime=1699866588017,remoteAddress=192.168.1.90:59060,userAgent=Apache-HttpClient/4.5.13 (Java/11.0.17),accept=application/*+xml;version 36.0

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
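
To find every occurrence of this denial in vcloud-container-debug.log, the following Python script (an added example, not VMware code) parses entries shaped like the excerpt above and reports the missing operation and the client address for each denied request. The field layout is assumed from that excerpt only, and the sample data in the block is constructed.

```python
import re
from collections import Counter

# Layout assumed from the excerpt above; \s* lets the three parts sit on one line or three.
DENIED = re.compile(
    r"Operation denied, required but missing operations:\s*"
    r"\[(?P<ops>[^\]]*)\]\s*"
    r"Operations not in users context\.\s*\|\s*"
    r"requestId=(?P<request_id>[^,]+),"
    r"request=(?P<method>[A-Z]+) (?P<url>[^,\s]+),"
    r".*?remoteAddress=(?P<remote>[^,\s]+)"
)

def parse_denials(text):
    """Return one dict per denied request found in vcloud-container-debug.log text."""
    denials = []
    for m in DENIED.finditer(text):
        ops = [op.strip() for op in m.group("ops").split(",") if op.strip()]
        denials.append({
            "missing_operations": ops,
            "request_id": m.group("request_id"),
            "method": m.group("method"),
            "url": m.group("url"),
            "remote_ip": m.group("remote").rsplit(":", 1)[0],  # drop the source port
        })
    return denials

def summarize(denials):
    """Count denials per (remote IP, missing operation) pair."""
    return Counter((d["remote_ip"], op) for d in denials for op in d["missing_operations"])

# Constructed sample: placeholder IDs, documentation-range addresses, example.test host.
SAMPLE = (
    "pool-jetty-1 | OperationsManagerImpl | Operation denied, required but missing operations:\n"
    "[ORGANIZATION_VIEW_ASSOCIATIONS]\n"
    "Operations not in users context. | requestId=UI-REQ-1,request=GET "
    "https://vcd.example.test/api/admin/org/ORG-ID/associations,requestTime=1699866588017,"
    "remoteAddress=192.0.2.10:59060,userAgent=Apache-HttpClient/4.5.13 (Java/11.0.17)\n"
    "pool-jetty-2 | SomeComponent | unrelated line\n"
    "pool-jetty-3 | OperationsManagerImpl | Operation denied, required but missing operations: "
    "[ORGANIZATION_VIEW_ASSOCIATIONS] Operations not in users context. | requestId=UI-REQ-2,"
    "request=GET https://vcd.example.test/api/admin/org/ORG-ID/associations,"
    "requestTime=1699866599000,remoteAddress=192.0.2.11:40112,userAgent=Apache-HttpClient/4.5.13\n"
)

if __name__ == "__main__":
    for (ip, op), n in summarize(parse_denials(SAMPLE)).items():
        print(f"{ip} denied {n}x, role lacks operation {op}")
```

Replace SAMPLE with the contents of the real log file to list which client addresses are still being denied after a role change.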



Environment

VMware Cloud Director Availability 4.x
VMware Cloud Director 10.x

Cause

This issue occurs when the role assigned to the tenant user being used to authenticate with the remote Cloud Director site is missing the "Organization: Edit Association Settings" right in Cloud Director.

Resolution

To resolve this issue, add the "Organization: Edit Association Settings" right to the tenant user's role. For more information, see the Managing VMware Cloud Director Rights and Roles section of the Cloud Director documentation.

Additional Information

For more information on user rights requirements for Cloud Director Availability, see the Users roles rights and sessions section of the Cloud Director Availability documentation.