App Launchpad Plugin fails to load for Tenant users in the Cloud Director Tenant UI
Article ID: 321462
Updated On: 08-15-2023
Products
VMware Cloud Director
Issue/Introduction
Symptoms:
- Tenant user is attempting to open the App Launchpad Plugin in the Cloud Director Tenant UI by clicking More > App Launchpad.
- A spinning icon appears initially, but a blank page is shown in the Tenant UI after a short period.
- Browser developer console shows a 403 Forbidden error on a GET to /api/alp/v1/system-onboard-status.
Request URL:
https://vcloud.example.com/api/alp/v1/system-onboard-status
Response:
{
"status": 403,
"message": "[ <UUID> ] This operation is denied.",
"resource": "/api/alp/v1/system-onboard-status",
"details": {
"cause": "[ <UUID> ] This operation is denied."
},
"requestId": "<REQUEST_UUID>"
}
https://vcloud.example.com/api/alp/v1/system-onboard-status
Response:
{
"status": 403,
"message": "[ <UUID> ] This operation is denied.",
"resource": "/api/alp/v1/system-onboard-status",
"details": {
"cause": "[ <UUID> ] This operation is denied."
},
"requestId": "<REQUEST_UUID>"
}
- The /opt/vmware/alp/log/alp-default.log on the App Launchpad server show errors of the form:
ERROR c.v.alp.proxy.mqtt.MqttMessageRouter - [MQTT] Failed to get response from alp service
com.vmware.alp.error.RestClientException: {"status":403,"message":"[ <UUID> ] This operation is denied.","resource":"/api/alp/v1/system-onboard-status","details":{"cause":"[ <UUID> ] This operation is denied."},"requestId":"<REQUEST_UUID>"}
at com.vmware.alp.client.RestClientBase.exchange(RestClientBase.java:156)
at com.vmware.alp.proxy.mqtt.MqttMessageRouter.getResponseFromAlpService(MqttMessageRouter.java:68)
at com.vmware.alp.proxy.mqtt.MqttHandlerServiceImpl.handleMqttMessage(MqttHandlerServiceImpl.java:37)
at com.vmware.alp.proxy.mqtt.MqttConfig.lambda$null$0(MqttConfig.java:100)
at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:36)
at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:27)
at java.util.concurrent.RecursiveTask.exec(RecursiveTask.java:94)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
com.vmware.alp.error.RestClientException: {"status":403,"message":"[ <UUID> ] This operation is denied.","resource":"/api/alp/v1/system-onboard-status","details":{"cause":"[ <UUID> ] This operation is denied."},"requestId":"<REQUEST_UUID>"}
at com.vmware.alp.client.RestClientBase.exchange(RestClientBase.java:156)
at com.vmware.alp.proxy.mqtt.MqttMessageRouter.getResponseFromAlpService(MqttMessageRouter.java:68)
at com.vmware.alp.proxy.mqtt.MqttHandlerServiceImpl.handleMqttMessage(MqttHandlerServiceImpl.java:37)
at com.vmware.alp.proxy.mqtt.MqttConfig.lambda$null$0(MqttConfig.java:100)
at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:36)
at com.vmware.alp.service.sync.AsyncTasks$AsyncTask.compute(AsyncTasks.java:27)
at java.util.concurrent.RecursiveTask.exec(RecursiveTask.java:94)
at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
- Browser developer console shows the Tenant user having a PROVIDER_ADMIN role for App Launchpad on a GET to /api/alp/v1/current-user instead of the expected TENANT_USER role.
Request URL:
https://vcloud.example.com/api/alp/v1/current-user
Response:
{
"name": "ExampleTenantUserName",
"id": "<TENANT_USER_UUID>",
"fullName": "ExampleTenantUserName",
"role": "PROVIDER_ADMIN",
"tenant": {
"id": "<TENANT_UUID>",
"name": "ExampleOrganizationName",
"enabled": true
},
"site": {
"id": "<SITE_UUID>",
"name": "Example Cloud Director"
}
}
https://vcloud.example.com/api/alp/v1/current-user
Response:
{
"name": "ExampleTenantUserName",
"id": "<TENANT_USER_UUID>",
"fullName": "ExampleTenantUserName",
"role": "PROVIDER_ADMIN",
"tenant": {
"id": "<TENANT_UUID>",
"name": "ExampleOrganizationName",
"enabled": true
},
"site": {
"id": "<SITE_UUID>",
"name": "Example Cloud Director"
}
}
- System users can access the App Launchpad Plugin without issue.
Environment
VMware Cloud Director 10.x
Cause
App Launchpad determines a user's role based on the Rights that they have been granted in Cloud Director.
If the Global Role assigned to a Tenant user contains all of the following Rights they will be incorrectly determined to be a System level user:
If the Global Role assigned to a Tenant user contains all of the following Rights they will be incorrectly determined to be a System level user:
- Share a Catalog to Other Organizations (Catalog: Publish)
- Administrator View (General: Administrator View)
- Create Organization (Organization: Create or Delete)
- Create Organization VDC (Organization vDC: Create)
- View Tenant Portal Plugin Information (UI Plugins: View)
Resolution
To resolve this issue remove one or more of these Rights from the Global Role assigned to the Tenant user encountering the issue.
- Log into the Cloud Director Provider UI as a System Administrator.
- Edit the Global Role assigned to the Tenant user as per the documentation on how to View and Edit a Global Tenant Role.
- Remove one or all of the following Rights from the Global Role:
- Share a Catalog to Other Organizations (Catalog: Publish)
- Administrator View (General: Administrator View)
- Create Organization (Organization: Create or Delete)
- Create Organization VDC (Organization vDC: Create)
NOTE: Do not remove the Right, View Tenant Portal Plugin Information (UI Plugins: View), as this is required by the Tenant user to access App Launchpad.
- Ensure the Global Role contains the all other Rights required for App Launchpad Tenant users as per the documentation on Access Control and User Roles.
- Log back into the Tenant UI as the Tenant user and confirm that the App Launchpad Plugin now loads.
Feedback
Was this article helpful?
Yes
No
Powered by
