Symptoms:
Some users or service accounts are unable to download a .vmx file via vCenter and receive the errors below:
/var/log/vmware/vpxd/vpxd.log:
YYYY-MM-DDT00:00:55.242Z warning vpxd[14615] [Originator@6876 sub=Vmomi opID=558a27ee] VMOMI activation LRO failed; <<52924273-09de-033c-bd3c-7239e0a7f30e, <TCP '127.0.0.1 : 8085'>, <TCP '127.0.0.1 : 43026'>>, nfcService, vim.NfcService.fileManagement>, N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission
--> )
--> [context]zKq7AVECAQAAAH1IQAEUdnB4ZAAA7tg3bGlidm1hY29yZS5zbwAAp3gsACVsLQAL6TIBqbdvdnB4ZAABhKyLgWadFQEBjQB+gm63BQFsaWJ2aW0tdHlwZXMuc28AgRi9YQGBE8BgAYFUwWABgYLQYAGB5f1fAYGwp2ABAKdJIwBPnyMArGQ3A4d/AGxpYnB0aHJlYWQuc28uMAAELzYPbGliYy5zby42AA==[/context]
YYYY-MM-DDT00:00:55.246Z info vpxd[14615] [Originator@6876 sub=vpxLro opID=558a27ee] [VpxLRO] -- FINISH lro-110582456
YYYY-MM-DDT00:00:55.246Z info vpxd[14615] [Originator@6876 sub=Default opID=558a27ee] [VpxLRO] -- ERROR lro-110582456 -- nfcService -- vim.NfcService.fileManagement: vim.fault.NoPermission:
--> Result:
--> (vim.fault.NoPermission) {
--> faultCause = (vmodl.MethodFault) null,
--> faultMessage = <unset>,
--> object = 'vim.Datastore:XXXXX-XXXXX-XXXXX-XXX:datastore-12345',
--> privilegeId = "Cryptographer.Access",
--> missingPrivileges = <unset>
--> msg = ""
--> }
--> Args:
-->
--> Arg ds:
--> 'vim.Datastore:XXXXX-XXXXX-XXXXX-XXX:datastore-12345'
--> Arg hostForAccess:
--> 'vim.HostSystem:YYYY-YYYYY-YYYYYY-YYYYY:host-1234'
--> Arg files:
--> (string)
/var/log/vmware/vsphere-ui/logs/dataservice.log:
[YYYY-MM-DDT00:00:08.956Z] [ERROR] http-nio-5090-exec-8 70117895 103181 200717 RiseToViseResult [queryId: qb-164990:urn:vmomi:ClusterComputeResource:domain-c1234:XXXXX-XXXXX-XXXXX-XXX:vxSummary.c.0:1747406376:rel-01] Returning partial results as one or more data providers responded with error. com.vmware.vise.data.query.DataException: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = vapi.authz.error.no.privs,
defaultMessage = The following (object: com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.services.list privileges: TrustedAdmin.ReadTrustedHosts) privileges are insufficient to user,
args = [object: com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.services.list privileges: TrustedAdmin.ReadTrustedHosts],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = UNAUTHORIZED
}
at com.vmware.vise.data.query.DataException.newInstance(DataException.java:139)
at com.vmware.vise.data.query.DataException.newInstance(DataException.java:121)
at com.vmware.vise.data.query.impl.ServicePropertyProviderAdapter.getProperties(ServicePropertyProviderAdapter.java:150)
at com.vmware.vise.data.query.impl.DataManager.getDataFromPropertyProvider(DataManager.java:1200)
at com.vmware.vise.data.query.impl.DataManager.getResultFromPropertyProvider(DataManager.java:1167)
at com.vmware.vise.data.query.impl.DataManager.access$000(DataManager.java:78)
at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:931)
at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:927)
at com.vmware.vise.util.concurrent.ExecutorUtil$2.call(ExecutorUtil.java:826)
at com.vmware.vise.util.concurrent.ExecutorUtil$ThreadContextPropagatingTask.call(ExecutorUtil.java:1240)
at com.vmware.vise.data.query.impl.DataServiceThreadPoolDecorator$1.call(DataServiceThreadPoolDecorator.java:174)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
Caused by: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = vapi.authz.error.no.privs,
defaultMessage = The following (object: com.vmware.vcenter.trusted_infrastructure.trusted_clusters.attestation.services.list privileges: TrustedAdmin.ReadTrustedHosts) privileges are insufficient to user
Cause:
The Vim API VpxdNfcServiceProxy::FileManagement uses host-level privilege checks, which request PRIV_CRYPTOGRAPHER_ACCESS for all files, including non-encrypted files, when the host is in encryption mode.
As a result, any user without the Cryptographer.Access privilege cannot download a .vmx file from a host that has encryption mode enabled, regardless of whether the VM itself is encrypted.
Resolution:
This issue is fixed in vSphere 7.0.3 P08 and vSphere 8.0.1 Update 2.
Workaround:
Assign the Cryptographic Access privilege (Cryptographer.Access) to the role assigned to the affected user or service account.
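The following PowerCLI script is an added example, not part of this KB: it lists the hosts that are in encryption mode (the condition under which the privilege check above applies) and checks which of the roles you name lack Cryptographer.Access, so the workaround can be scoped to only the roles that need it. It assumes PowerCLI is installed, that $Server and $RoleNames are supplied by you, and that the account running it may read roles and hosts (and edit roles, if -ApplyWorkaround is used).

```powershell
# Added example (not from the KB): audit roles and hosts affected by the
# Cryptographer.Access requirement for .vmx downloads, and optionally apply
# the KB workaround to the named roles only.
# Assumes VMware PowerCLI; $Server and $RoleNames are assumed inputs.
param(
    [Parameter(Mandatory)] [string]   $Server,
    [Parameter(Mandatory)] [string[]] $RoleNames,
    [switch] $ApplyWorkaround
)

Connect-VIServer -Server $Server | Out-Null

# 1. Hosts whose crypto state is anything other than 'incapable' have
#    encryption mode enabled; on those hosts the NFC file-management call
#    demands Cryptographer.Access for every file, encrypted or not.
$cryptoHosts = Get-VMHost |
    Where-Object { $_.ExtensionData.Runtime.CryptoState -ne 'incapable' }
$cryptoHosts |
    Select-Object Name, @{ N = 'CryptoState'; E = { $_.ExtensionData.Runtime.CryptoState } } |
    Format-Table -AutoSize

# 2. For each role in scope, report whether it carries the privilege.
$priv = Get-VIPrivilege -Id 'Cryptographer.Access'
foreach ($name in $RoleNames) {
    $role = Get-VIRole -Name $name
    $has  = $null -ne (Get-VIPrivilege -Role $role | Where-Object Id -eq $priv.Id)
    if ($has) {
        "$name already has Cryptographer.Access"
        continue
    }
    "$name lacks Cryptographer.Access: .vmx downloads fail on $($cryptoHosts.Count) host(s) in encryption mode"
    if ($ApplyWorkaround) {
        # The KB workaround: add the privilege to the role. Review the role's
        # other privileges first; the grant applies wherever the role is assigned.
        Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false | Out-Null
        "  -> added Cryptographer.Access to $name"
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without -ApplyWorkaround first to see the report; roles that already carry the privilege are left untouched either way.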