Account privileges errors when attempting to configure NSX-V 6.4.8 Data sources in vRNI 5.3.x
Article ID: 317457
Products
VMware Aria Operations for Networks
VMware NSX
Issue/Introduction
Symptoms: When attempting to enable NSX Edge data collection, IPFIX, or latency metric collection for NSX-V in vRNI, the UI shows errors stating that the account does not have system admin or enterprise admin privileges on one of the NSX-V data sources. If a user has been granted admin privileges only through membership in an LDAP group, that user cannot enable the above features.
The vRNI collector logs show the following exceptions:
2021-02-03T15:31:40.643Z INFO nsx.utils.NSXUtils collector-process-msg-exec-42 getUserRole:1780 Getting user role. Path: /api/2.0/services/usermgmt/role/[email protected], params: {VXLAN_API_VERSION=2.0, [email protected]}
2021-02-03T15:31:40.684Z ERROR dataprovider.utils.HttpUtils collector-process-msg-exec-42 checkCodeAndThrow:53 Could not get response for /api/2.0/services/usermgmt/role/[email protected], status 400
2021-02-03T15:31:40.684Z ERROR dataprovider.utils.HttpUtils collector-process-msg-exec-42 checkStatusAndThrow:41 API /api/2.0/services/usermgmt/role/[email protected] error response <?xml version="1.0" encoding="UTF-8"?>
<error><errorCode>402</errorCode><details>User [email protected] does not exist.</details><moduleName>core-services</moduleName></error>
2021-02-03T15:31:40.685Z WARN common.utils.CommonUtils collector-process-msg-exec-42 logException:2416 Error while getting nsx version or user role for nsx: https://NSXManager.dalha1m01.pr.dir:443
com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Could not get response for /api/2.0/services/usermgmt/role/[email protected], status 400
    at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkCodeAndThrow(HttpUtils.java:54)
    at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkStatusAndThrow(HttpUtils.java:34)
    at com.vnera.dataproviders.core.common.impl.dataprovider.utils.HttpUtils.checkStatusAndThrow(HttpUtils.java:23)
    at com.vnera.dataproviders.core.impl.vmware.nsx.utils.NSXUtils.getUserRole(NSXUtils.java:1782)
    at com.vnera.dataproviders.core.impl.vmware.nsx.utils.NSXUtils.checkNsxtUserPrivilegeForLatency(NSXUtils.java:1744)
    at com.vnera.dataproviders.core.impl.vmware.nsx.utils.NSXUtils.canUseCentralCLI(NSXUtils.java:1711)
    at com.vnera.collector.core.engine.customrequest.handler.NSXCustomRequestHandler.processCanUseCentralCliCommand(NSXCustomRequestHandler.java:66)
    at com.vnera.collector.core.engine.customrequest.handler.NSXCustomRequestHandler.process(NSXCustomRequestHandler.java:33)
    at com.vnera.collector.core.engine.CollectorControlHandler.requestOutOfBandDataFromCollector(CollectorControlHandler.java:78)
    at com.vnera.collector.core.engine.SaasCommandProcessor.processMessage(SaasCommandProcessor.java:212)
    at com.vnera.collector.core.saascommunication.SaasListener.lambda$receiveMessage$0(SaasListener.java:108)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vRealize Network Insight 6.x
VMware vRealize Network Insight 5.3.x
VMware NSX Data Center for vSphere 6.4.x
Cause
Starting with vRNI 5.3, we don't support group-based roles for NSX. Before enabling the above features, vRNI calls the API /api/2.0/services/usermgmt/role/{user-id} to find the privileges of the user. For a user whose privileges come only from a group, the API returns a "user does not exist" response.
Resolution
The user needs to be assigned roles explicitly in the users and domain section of Network and Security.
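To identify which NSX-V data sources and accounts are hitting this condition, the collector log can be scanned for the failed role lookup and matched to its NSX manager by thread name. The script below is an added example, not VMware code: the function names are hypothetical, the log layout is assumed to follow the excerpt above, and the user and host in the sample are constructed placeholders.

```python
import re

# Entry header: timestamp, level, logger, thread (layout assumed from the article's excerpt).
HEADER = re.compile(r"(?m)^(\d{4}-\d{2}-\d{2}T[\d:.]+Z) (\w+) (\S+) (\S+) ")
ROLE_API = re.compile(r"API /api/2\.0/services/usermgmt/role/(\S+) error response")
ERROR_CODE = re.compile(r"<errorCode>(\d+)</errorCode>")
DETAILS = re.compile(r"<details>(.*?)</details>", re.S)
NSX_URL = re.compile(r"user role for nsx: (https?://\S+)")

def split_entries(log_text):
    """Yield (thread, body) per entry; an entry runs to the next timestamped header."""
    heads = list(HEADER.finditer(log_text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        yield h.group(4), log_text[h.start():end]

def find_role_lookup_failures(log_text):
    """Return one finding per failed role lookup, tied to its NSX manager by thread."""
    findings, open_by_thread = [], {}
    for thread, body in split_entries(log_text):
        api, code = ROLE_API.search(body), ERROR_CODE.search(body)
        if api and code:
            details = DETAILS.search(body)
            finding = {
                "user": api.group(1),
                "error_code": code.group(1),
                "details": details.group(1).strip() if details else "",
                "nsx_manager": None,
                # errorCode 402 is the "does not exist" reply shown in the article
                "needs_explicit_role": code.group(1) == "402",
            }
            findings.append(finding)
            open_by_thread[thread] = finding
            continue
        url = NSX_URL.search(body)
        if url and thread in open_by_thread:
            # The WARN entry on the same thread names the NSX manager that was queried.
            open_by_thread.pop(thread)["nsx_manager"] = url.group(1)
    return findings

# Constructed sample (placeholder user and host), modelled on the article's excerpt.
SAMPLE_LOG = """\
2021-02-03T15:31:40.643Z INFO nsx.utils.NSXUtils collector-process-msg-exec-42 getUserRole:1780 Getting user role. Path: /api/2.0/services/usermgmt/role/svc-vrni@corp.example
2021-02-03T15:31:40.684Z ERROR dataprovider.utils.HttpUtils collector-process-msg-exec-42 checkStatusAndThrow:41 API /api/2.0/services/usermgmt/role/svc-vrni@corp.example error response <?xml version="1.0" encoding="UTF-8"?>
<error><errorCode>402</errorCode><details>User svc-vrni@corp.example does not exist.</details><moduleName>core-services</moduleName></error>
2021-02-03T15:31:40.685Z WARN common.utils.CommonUtils collector-process-msg-exec-42 logException:2416 Error while getting nsx version or user role for nsx: https://nsx-mgr.corp.example:443
"""

if __name__ == "__main__":
    print(find_role_lookup_failures(SAMPLE_LOG))
```

Each finding with `needs_explicit_role` set names an account that should be given an explicit role on the listed NSX manager, as described in the Resolution.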
Additional Information
Impact/Risks: For vRNI 5.3 and above, only enabling IPFIX results in the above problem.
For vRNI 6.0 and above, enabling any of the above features (NSX Edge data collection, IPFIX, or latency metric collection) results in the above problem.