"Cannot allow Operation that requires a role that exceeds the caller Principal Id"
Article ID: 324172
Updated On: 07-24-2025
Products
VMware NSX
Issue/Introduction
Cannot allow Operation that requires a role that exceeds the caller Principal Id
NAPP Deployment fails when local admin username is not "admin"
NAPP Deployment fails at 70% (NAPP Registration Step)
Local Admin user has been renamed during initial deployment of NSX Manager from "admin" to some other name.
You can see the below error in /var/log/proton/napps.log on the NSX Manager:
2023-04-06 16:12:24 ERROR api_request:29 [MainThread] - Request failed with error msg: POST /nsxapi/api/v1/trust-management/principal-identities/with-certificate returned status: 400, body: b'{\n "httpStatus" : "BAD_REQUEST",\n "error_code" : 2602,\n "module_name" : "internal-framework",\n "error_message" : "Cannot allow Operation that requires a role that exceeds the caller Principal Id\'s role."\n}'
2023-04-06 16:12:24 ERROR __main__:378 [MainThread] - Exit unexpectedly
Traceback (most recent call last):
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 376, in <module>
    main(args)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 327, in main
    _register_cloudnative_platform_certs(fqdn)
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py", line 224, in _register_cloudnative_platform_certs
    assert_request_success(
  File "/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/api_request.py", line 30, in assert_request_success
    raise RuntimeError("Request failed with error msg: %s" % error_msg)
RuntimeError: Request failed with error msg: POST /nsxapi/api/v1/trust-management/principal-identities/with-certificate returned status: 400, body: b'{\n "httpStatus" : "BAD_REQUEST",\n "error_code" : 2602,\n "module_name" : "internal-framework",\n "error_message" : "Cannot allow Operation that requires a role that exceeds the caller Principal Id\'s role."\n}'
Environment
VMware NSX 4.0.0.1
Cause
NAPP registration uses a hard-coded X-Nsx-Username value of "admin". If the NSX Manager local admin username is changed to any other name during the initial deployment, the registration request is sent under a username that no longer exists as the local admin, and the NAPP deployment fails.
Resolution
This is a known issue and is resolved in NSX-T version 4.2.0.
Workaround:
If you have Standard NAPP deployment:
On the 3 NSX Managers, edit the below files:
/config/vmware/napps/charts/nsxi-platform-standard/files/registration/api_request.py
/config/vmware/napps/charts/nsxi-platform-standard/files/registration/registration.py
In the above files, change every X-NSX-Username assignment from the value "admin" to your new local admin name.
Before:
api_request.py: if "X-NSX-Username" not in headers:
api_request.py: headers["X-NSX-Username"] = "admin"
api_request.py: if "X-NSX-Username" not in headers:
api_request.py: headers["X-NSX-Username"] = "admin"
grep: __pycache__: Is a directory
registration.py: header = {'X-NSX-Username': "admin"}
registration.py: header = {'X-NSX-Username': "admin", 'X-Allow-Overwrite': True}
registration.py: headers = {'X-NSX-Username': "admin"}
registration.py: headers = {'X-NSX-Username': "admin", 'X-Allow-Overwrite': True}
After (assuming that you have renamed it "localadmin"):
root@nsx-manager01# grep "X-NSX-Username" /config/vmware/napps/charts/nsxi-platform-standard/files/registration/*
api_request.py: if "X-NSX-Username" not in headers:
api_request.py: headers["X-NSX-Username"] = "localadmin"
api_request.py: if "X-NSX-Username" not in headers:
api_request.py: headers["X-NSX-Username"] = "localadmin"
grep: __pycache__: Is a directory
registration.py: header = {'X-NSX-Username': "localadmin"}
registration.py: header = {'X-NSX-Username': "localadmin", 'X-Allow-Overwrite': True}
registration.py: headers = {'X-NSX-Username': "localadmin"}
registration.py: headers = {'X-NSX-Username': "localadmin", 'X-Allow-Overwrite': True}
Click "Retry" on the NAPP installation UI screen, after which the installation should complete successfully.
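The edit described above can be scripted so that it is applied identically on each manager. This is an added example, not VMware's code: the function name set_nsx_username and the .orig backup suffix are hypothetical, and it assumes the two file names and the assignment forms shown in the grep output above.

```shell
# Added example (not from the KB article). Rewrites the hard-coded
# X-NSX-Username value in the NAPP registration scripts, keeping a backup.
# usage: set_nsx_username <registration-dir> <local-admin-name>
set_nsx_username() {
    dir=$1
    new=$2
    # Reject names that would break the Python string literal or the sed expression.
    case $new in
        ''|*[!A-Za-z0-9._-]*) echo "invalid username: $new" >&2; return 2 ;;
    esac
    # Matches only "admin" assigned to the header, in both forms seen in the files:
    #   headers["X-NSX-Username"] = "admin"
    #   header = {'X-NSX-Username': "admin", ...}
    pat="(X-NSX-Username[\"'][]]?[[:space:]]*[:=][[:space:]]*)\"admin\""
    for f in api_request.py registration.py; do
        path=$dir/$f
        [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
        # Keep the first backup only, so a re-run never overwrites the original.
        [ -f "$path.orig" ] || cp -p "$path" "$path.orig" || return 1
        # Regenerate from the pristine copy: idempotent, and a later rename still works.
        sed -E "s/$pat/\\1\"$new\"/g" "$path.orig" > "$path" || return 1
    done
    # Verify that no assignment of "admin" remains in either file.
    if grep -E "$pat" "$dir/api_request.py" "$dir/registration.py" >&2; then
        echo "unpatched X-NSX-Username references remain" >&2
        return 1
    fi
    return 0
}
```

Call it on each of the 3 NSX Managers with the registration directory for your deployment type (nsxi-platform-standard or nsxi-platform-advanced) and the new local admin name, then click "Retry".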
If you have Advanced NAPP deployment:
On the 3 NSX Managers, edit the below files:
/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/api_request.py
/config/vmware/napps/charts/nsxi-platform-advanced/files/registration/registration.py
In the above files, change every X-NSX-Username assignment from the value "admin" to your new local admin name.