Log Insight Roles and permissions are not migrated after upgrading

Article ID: 318407

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • After upgrading vRealize Log Insight from 8.4.x to 8.6.x, logging in as the local admin user displays the About page without permissions to navigate elsewhere in the product.
  • This issue can also appear after attempting an upgrade to 8.6.x and then reverting to snapshots taken on 8.4.x prior to the upgrade attempt.


Environment

VMware vRealize Log Insight 8.6.x

Cause

Starting with vRealize Log Insight version 8.6.0, more granular capabilities have been introduced for roles and permissions, and the old capabilities are not always properly migrated. Some known causes of this are:
  • Upgrading one node of a multi-node cluster, then reverting back to a snapshot of a previous 8.4.x version
  • The upgrade fails for some nodes, leaving the permissions in an inconsistent state within the Cassandra database.

Resolution

This is a known issue in vRealize Log Insight, and there is no resolution at this time.  Please subscribe to the article to be alerted to any updates.

Workaround:
To work around the issue, follow the steps below to identify the problem within the Cassandra database and fix it, both for 8.6.x and for 8.4.x (in the case of having reverted to the 8.4.x version and facing a similar issue).

  1. SSH to the vRealize Log Insight primary node as the root user
Note: If you do not know your root credential, please refer to this article to reset it
  2. Log into the Cassandra database following this process
  3. List the role capabilities
select id,name,capabilities from logdb.group;

Example output:
 id                                   | name                                         | capabilities
--------------------------------------+----------------------------------------------+--------------------------------------------------------------------------------------------------------------
 ########-####-####-####-##########02 | com.vmware.loginsight.database.user          | {'ANALYTICS', 'DASHBOARD'}
 ########-####-####-####-##########02 | com.vmware.loginsight.database.dashboardUser | {'DASHBOARD'}
 ########-####-####-####-##########01 | com.vmware.loginsight.database.superAdmin    | {'ANALYTICS', 'DASHBOARD', 'EDIT_ADMIN', 'EDIT_SHARED', 'INTERNAL', 'INVENTORY', 'STATISTICS', 'VIEW_ADMIN'}
 ########-####-####-####-##########1e | com.vmware.loginsight.database.viewOnlyAdmin | {'ANALYTICS', 'DASHBOARD', 'EDIT_SHARED', 'VIEW_ADMIN'}
 ########-####-####-####-##########84 | test                                         | {'ANALYTICS', 'DASHBOARD'}
  4. Update the capabilities for the predefined roles using the following command and expected values
update logdb.group set capabilities=expectedCapabilitiesValues where id=roleId;

Note: Replace roleId in the above command with the value taken from the output of step 3 (made bold in the example output). Run the command for each predefined role.
 
Predefined Roles are the entries with following names:
 
com.vmware.loginsight.database.superAdmin (Super Admin)
com.vmware.loginsight.database.viewOnlyAdmin (View Admin)
com.vmware.loginsight.database.user (User)
com.vmware.loginsight.database.dashboardUser (Dashboard User)

Note: Replace expectedCapabilitiesValues with the values below. Be sure to copy the entire contents, including the curly braces, and to use the values for the version you are currently on.
 
These are the expectedCapabilitiesValues for the vRealize Log Insight 8.4.x predefined roles:

  Super Admin:
  {'ANALYTICS', 'DASHBOARD', 'EDIT_ADMIN', 'EDIT_SHARED', 'INTERNAL', 'INVENTORY', 'STATISTICS', 'VIEW_ADMIN'}
  
  View Admin:
  {'ANALYTICS', 'DASHBOARD', 'EDIT_SHARED', 'VIEW_ADMIN'}

  User:
  {'ANALYTICS', 'DASHBOARD'}
   
  Dashboard User:
  {'DASHBOARD'}

These are the expectedCapabilitiesValues for the vRealize Log Insight 8.6.x predefined roles:

 Super Admin:
{'EDIT_ACCESS_CONTROL', 'EDIT_AGENTS', 'EDIT_ALERTS', 'EDIT_AUTHENTICATION_CONFIG', 'EDIT_CERTIFICATES', 'EDIT_CLUSTER', 'EDIT_CONTENT_PACKS', 'EDIT_EXPORT', 'EDIT_EXTRACTED_FIELDS', 'EDIT_FORWARDING', 'EDIT_GENERAL_CONFIG', 'EDIT_HOSTS', 'EDIT_INTERACTIVE_ANALYTICS', 'EDIT_LICENSE', 'EDIT_LOG_FILTER', 'EDIT_LOG_MASK', 'EDIT_NSX_INTEGRATION', 'EDIT_PARTITIONS', 'EDIT_SHARED_DASHBOARDS', 'EDIT_SHARED_DASHBOARD_URLS', 'EDIT_SMTP_CONFIG', 'EDIT_SSL_CONFIG', 'EDIT_SYSTEM_MONITOR', 'EDIT_TIME_CONFIG', 'EDIT_USER_DASHBOARDS', 'EDIT_VROPS_INTEGRATION', 'EDIT_VSPHERE_INTEGRATION', 'EDIT_WEBHOOK_CONFIG', 'INTERNAL', 'INVENTORY', 'STATISTICS', 'VIEW_ACCESS_CONTROL', 'VIEW_AGENTS', 'VIEW_ALERTS', 'VIEW_AUTHENTICATION_CONFIG', 'VIEW_CERTIFICATES', 'VIEW_CLUSTER', 'VIEW_CONTENT_PACKS', 'VIEW_CONTENT_PACK_DASHBOARDS', 'VIEW_EXPORT', 'VIEW_EXTRACTED_FIELDS', 'VIEW_FORWARDING', 'VIEW_GENERAL_CONFIG', 'VIEW_HOSTS', 'VIEW_INTERACTIVE_ANALYTICS', 'VIEW_LICENSE', 'VIEW_LOG_FILTER', 'VIEW_LOG_MASK', 'VIEW_NSX_INTEGRATION', 'VIEW_PARTITIONS', 'VIEW_SHARED_DASHBOARDS', 'VIEW_SHARED_DASHBOARD_URLS', 'VIEW_SMTP_CONFIG', 'VIEW_SSL_CONFIG', 'VIEW_SYSTEM_MONITOR', 'VIEW_TIME_CONFIG', 'VIEW_USER_DASHBOARDS', 'VIEW_VROPS_INTEGRATION', 'VIEW_VSPHERE_INTEGRATION', 'VIEW_WEBHOOK_CONFIG'}
  
 View Admin:
{'EDIT_ALERTS', 'EDIT_CONTENT_PACKS', 'EDIT_EXPORT', 'EDIT_EXTRACTED_FIELDS', 'EDIT_INTERACTIVE_ANALYTICS', 'EDIT_SHARED_DASHBOARDS', 'EDIT_SHARED_DASHBOARD_URLS', 'EDIT_USER_DASHBOARDS', 'VIEW_ACCESS_CONTROL', 'VIEW_AGENTS', 'VIEW_ALERTS', 'VIEW_AUTHENTICATION_CONFIG', 'VIEW_CERTIFICATES', 'VIEW_CLUSTER', 'VIEW_CONTENT_PACKS', 'VIEW_CONTENT_PACK_DASHBOARDS', 'VIEW_EXPORT', 'VIEW_EXTRACTED_FIELDS', 'VIEW_FORWARDING', 'VIEW_GENERAL_CONFIG', 'VIEW_HOSTS', 'VIEW_INTERACTIVE_ANALYTICS', 'VIEW_LICENSE', 'VIEW_LOG_FILTER', 'VIEW_LOG_MASK', 'VIEW_NSX_INTEGRATION', 'VIEW_PARTITIONS', 'VIEW_SHARED_DASHBOARDS', 'VIEW_SHARED_DASHBOARD_URLS', 'VIEW_SMTP_CONFIG', 'VIEW_SSL_CONFIG', 'VIEW_SYSTEM_MONITOR', 'VIEW_TIME_CONFIG', 'VIEW_USER_DASHBOARDS', 'VIEW_VROPS_INTEGRATION', 'VIEW_VSPHERE_INTEGRATION', 'VIEW_WEBHOOK_CONFIG'}
  
 User:
 {'EDIT_CONTENT_PACKS', 'EDIT_EXPORT', 'EDIT_EXTRACTED_FIELDS', 'EDIT_INTERACTIVE_ANALYTICS', 'EDIT_SHARED_DASHBOARDS', 'EDIT_SHARED_DASHBOARD_URLS', 'EDIT_USER_DASHBOARDS', 'VIEW_ALERTS', 'VIEW_CONTENT_PACKS', 'VIEW_CONTENT_PACK_DASHBOARDS', 'VIEW_EXPORT', 'VIEW_EXTRACTED_FIELDS', 'VIEW_INTERACTIVE_ANALYTICS', 'VIEW_SHARED_DASHBOARDS', 'VIEW_SHARED_DASHBOARD_URLS', 'VIEW_USER_DASHBOARDS'}
   
 Dashboard User:
{'EDIT_SHARED_DASHBOARDS', 'EDIT_SHARED_DASHBOARD_URLS', 'EDIT_USER_DASHBOARDS', 'VIEW_CONTENT_PACK_DASHBOARDS', 'VIEW_SHARED_DASHBOARDS', 'VIEW_SHARED_DASHBOARD_URLS', 'VIEW_USER_DASHBOARDS'}
  5. If there are custom roles besides the predefined roles, there are 2 options to proceed:
    - Use the same update command as for the predefined roles, putting an empty list of capabilities ({}) for expectedCapabilitiesValues, then open the Administration > Access Control section of the UI as the local admin user and re-assign the required capabilities for that custom role.
    OR
    - Use the same update command as for the predefined roles, putting the list of capabilities required for the custom role in place of expectedCapabilitiesValues. Note that this list will be some subset of the Super Admin capabilities.
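
Added example (not part of the original article and not VMware code): a Python helper that reads saved output of the select id,name,capabilities from logdb.group; query, compares each predefined role with the 8.4.x values listed above, and prints the matching update command for every role that has drifted. It only parses text and does not connect to Cassandra; the role IDs in the sample are constructed, and for 8.6.x the EXPECTED_84 sets would be replaced with the 8.6.x sets from this article.

```python
import re

# Expected 8.4.x capabilities for the predefined roles, copied from this article.
_P = "com.vmware.loginsight.database."
EXPECTED_84 = {
    _P + "superAdmin": {"ANALYTICS", "DASHBOARD", "EDIT_ADMIN", "EDIT_SHARED",
                        "INTERNAL", "INVENTORY", "STATISTICS", "VIEW_ADMIN"},
    _P + "viewOnlyAdmin": {"ANALYTICS", "DASHBOARD", "EDIT_SHARED", "VIEW_ADMIN"},
    _P + "user": {"ANALYTICS", "DASHBOARD"},
    _P + "dashboardUser": {"DASHBOARD"},
}

# Constructed sample of the query output (IDs are made up, not real role IDs).
SAMPLE = """
 id                                   | name                                         | capabilities
--------------------------------------+----------------------------------------------+-------------
 00000000-0000-0000-0000-000000000001 | com.vmware.loginsight.database.superAdmin    | null
 00000000-0000-0000-0000-000000000002 | com.vmware.loginsight.database.user          | {'ANALYTICS', 'VIEW_ALERTS'}
 00000000-0000-0000-0000-000000000003 | com.vmware.loginsight.database.dashboardUser | {'DASHBOARD'}
 00000000-0000-0000-0000-000000000084 | test                                         | {'ANALYTICS', 'DASHBOARD'}
(4 rows)
"""

def parse_groups(text):
    """Yield (id, name, capability set) for each data row of the cqlsh table."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 3 and cols[0] != "id":
            # 'null' and '{}' both parse to an empty set
            yield cols[0], cols[1], set(re.findall(r"'([A-Z_]+)'", cols[2]))

def audit(text, expected=EXPECTED_84):
    """Return one finding per predefined role that is absent or has drifted."""
    found = {name: (rid, caps) for rid, name, caps in parse_groups(text)}
    findings = []
    for name, want in sorted(expected.items()):
        if name not in found:
            findings.append({"role": name, "problem": "row missing", "fix": None})
            continue
        rid, caps = found[name]
        if caps != want:
            cql = "{" + ", ".join(f"'{c}'" for c in sorted(want)) + "}"
            findings.append({"role": name, "problem": "capabilities differ",
                             "missing": sorted(want - caps), "extra": sorted(caps - want),
                             "fix": f"update logdb.group set capabilities={cql} where id={rid};"})
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Custom roles such as test are deliberately ignored, since the article handles them separately through the UI or a hand-picked capability list.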