App Launchpad Plugin fails to load for Tenant users in the Cloud Director Tenant UI
search cancel

App Launchpad Plugin fails to load for Tenant users in the Cloud Director Tenant UI

book

Article ID: 321462

calendar_today

Updated On: 08-15-2023

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Tenant user is attempting to open the App Launchpad Plugin in the Cloud Director Tenant UI by clicking More > App Launchpad.
  • A spinning icon appears initially, but a blank page is shown in the Tenant UI after a short period.
  • Browser developer console shows a 403 Forbidden error on a GET to /api/alp/v1/system-onboard-status.
Request URL:
https://vcloud.example.com/api/alp/v1/system-onboard-status

Response:
{
    "status": 403,
    "message": "[ <UUID> ] This operation is denied.",
    "resource": "/api/alp/v1/system-onboard-status",
    "details": {
        "cause": "[ <UUID> ] This operation is denied."
    },
    "requestId": "<REQUEST_UUID>"
}
  • The /opt/vmware/alp/log/alp-default.log on the App Launchpad server show errors of the form:
ERROR c.v.alp.proxy.mqtt.MqttMessageRouter - [MQTT] Failed to get response from alp service
com.vmware.alp.error.RestClientException: {"status":403,"message":"[ <UUID> ] This operation is denied.","resource":"/api/alp/v1/system-onboard-status","details":{"cause":"[ <UUID> ] This operation is denied."},"requestId":"<REQUEST_UUID>"}
        at com.vmware.alp.client.RestClientBase.exchange(RestClientBase.java:156)
        at com.vmware.alp.proxy.mqtt.MqttMessageRouter.getResponseFromAlpService(MqttMessageRouter.java:68)
        at com.vmware.alp.proxy.mqtt.MqttHandlerServiceImpl.handleMqttMessage(MqttHandlerServiceImpl.java:37)
        at com.vmware.alp.proxy.mqtt.MqttConfig.lambda$null$0(MqttConfig.java:100)
        at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:36)
        at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:27)
        at java.util.concurrent.RecursiveTask.exec(RecursiveTask.java:94)
        at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
        at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
        at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
        at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
       
  • Browser developer console shows the Tenant user having a PROVIDER_ADMIN role for App Launchpad on a GET to /api/alp/v1/current-user instead of the expected TENANT_USER role.
Request URL:
https://vcloud.example.com/api/alp/v1/current-user

Response:
{
    "name": "ExampleTenantUserName",
    "id": "<TENANT_USER_UUID>",
    "fullName": "ExampleTenantUserName",
    "role": "PROVIDER_ADMIN",
    "tenant": {
        "id": "<TENANT_UUID>",
        "name": "ExampleOrganizationName",
        "enabled": true
    },
    "site": {
        "id": "<SITE_UUID>",
        "name": "Example Cloud Director"
    }
}
       
  • System users can access the App Launchpad Plugin without issue.


Environment

VMware Cloud Director 10.x

Cause

App Launchpad determines a user's role based on the Rights that they have been granted in Cloud Director.
If the Global Role assigned to a Tenant user contains all of the following Rights they will be incorrectly determined to be a System level user:
  • Share a Catalog to Other Organizations (Catalog: Publish)
  • Administrator View (General: Administrator View)
  • Create Organization (Organization: Create or Delete)
  • Create Organization VDC (Organization vDC: Create)
  • View Tenant Portal Plugin Information (UI Plugins: View)
The Rights required for a Tenant user to utilise App Launchpad are outlined in the documentation on Access Control and User Roles.

Resolution

To resolve this issue remove one or more of these Rights from the Global Role assigned to the Tenant user encountering the issue.
  1. Log into the Cloud Director Provider UI as a System Administrator.
  2. Edit the Global Role assigned to the Tenant user as per the documentation on how to View and Edit a Global Tenant Role.
  3. Remove one or all of the following Rights from the Global Role:
  • Share a Catalog to Other Organizations (Catalog: Publish)
  • Administrator View (General: Administrator View)
  • Create Organization (Organization: Create or Delete)
  • Create Organization VDC (Organization vDC: Create)
NOTE: Do not remove the Right, View Tenant Portal Plugin Information (UI Plugins: View), as this is required by the Tenant user to access App Launchpad.
  1. Ensure the Global Role contains the all other Rights required for App Launchpad Tenant users as per the documentation on Access Control and User Roles.
  2. Log back into the Tenant UI as the Tenant user and confirm that the App Launchpad Plugin now loads.