GRE tunnels cannot be created by non admin users who have been assigned with full Enterprise Admin privileges


Article ID: 330274


Products

VMware NSX

Issue/Introduction

This article describes the workaround for customers who need to create GRE tunnels on an NSX Edge through the REST API with a non-admin user account, including accounts that hold the full Enterprise Admin role.

Symptoms:
  • GRE tunnels cannot be created through the API when the call is made with a non-admin user, even one assigned the full Enterprise Admin role.
  • The API call fails with the following error (edge-Id is the identifier of the target Edge, for example edge-3):
    User is not authorized to access object edge-Id and feature edge.tunnel, please check object access scope and feature permissions for the user.

In vsm.log on the NSX Manager, entries similar to the following are logged (the message is wrapped here for display):
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2020-03-26 16:04:13.894 GMT ERROR http-nio-127.0.0.1-7441-exec-14 BaseRestController:521 - - [nsxv@6876 comp="nsx-manager" level="ERROR" subcomp="manager"] REST API failed : 'User is not
authorized to access object edge-3 and feature edge.tunnel, please check object access scope and feature permissions for the user.'

com.vmware.vshield.vsm.exceptions.AccessDeniedException: null
    at com.vmware.vshield.vsm.aspects.security.VsmSecuredAspect.secureCheck(VsmSecuredAspect.java:130) ~[vsm-core-1.0.jar:?]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Cause

The role definitions in vsmRoles.properties on the NSX Manager are missing the entries for the authorization identifier "edge.tunnel". The security check (VsmSecuredAspect.secureCheck) therefore denies the feature to every role-based user, and only the built-in "admin" account can create GRE tunnels through the API.

Resolution

This issue is resolved in VMware NSX Data Center for vSphere 6.4.7, available at VMware Downloads.


Workaround:
Log a support request with VMware NSX GSS and reference this KB (Article ID 330274) to obtain the workaround.

Additional Information

Impact/Risks:

Non-admin users, even those assigned the full Enterprise Admin role, cannot create GRE tunnels through the API; only the built-in "admin" account is authorized to do so.

This is a known issue affecting VMware NSX for vSphere 6.4.0 to 6.4.6. It is resolved in 6.4.7.
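As an added triage example (not part of this KB and not VMware code): the script below parses the "REST API failed" authorization entries that BaseRestController writes to vsm.log, in the format quoted in the Symptoms section, and uses the affected version range stated in this article to separate denials that this KB explains (feature edge.tunnel on 6.4.0 to 6.4.6) from denials that call for a genuine review of the user's role and object scope. Only the first sample log entry is the one quoted in this KB; the other two are constructed, the feature name edge.example is a placeholder rather than a real NSX identifier, and all function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Matches the authorization failure BaseRestController writes to vsm.log, in the
# format quoted in this KB. The KB wraps the message onto two lines; the parser
# assumes each log entry is one line, which is how the log itself writes it.
_DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \w+) ERROR .*?"
    r"REST API failed : 'User is not authorized to access object "
    r"(?P<obj>\S+) and feature (?P<feature>[\w.]+),"
)

# Version range this KB names as affected, and the release that carries the fix.
AFFECTED_MIN = (6, 4, 0)
AFFECTED_MAX = (6, 4, 6)
FIXED_IN = (6, 4, 7)

# Constructed sample log. The first entry is the one quoted in this KB (joined
# onto one line); the INFO line and the edge.example denial are made up to show
# a non-matching line and a denial on some other feature (edge.example is a
# placeholder, not a real NSX authorization identifier).
SAMPLE_VSM_LOG = """\
2020-03-26 16:04:13.894 GMT ERROR http-nio-127.0.0.1-7441-exec-14 BaseRestController:521 - - [nsxv@6876 comp="nsx-manager" level="ERROR" subcomp="manager"] REST API failed : 'User is not authorized to access object edge-3 and feature edge.tunnel, please check object access scope and feature permissions for the user.'
2020-03-26 16:05:01.120 GMT INFO  http-nio-127.0.0.1-7441-exec-15 BaseRestController:200 - - [nsxv@6876 comp="nsx-manager" level="INFO" subcomp="manager"] REST API succeeded
2020-03-26 16:07:42.301 GMT ERROR http-nio-127.0.0.1-7441-exec-16 BaseRestController:521 - - [nsxv@6876 comp="nsx-manager" level="ERROR" subcomp="manager"] REST API failed : 'User is not authorized to access object edge-7 and feature edge.example, please check object access scope and feature permissions for the user.'
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.4.6' -> (6, 4, 6). Only major.minor.patch is compared; any further
    dot-separated numeric components (build numbers) are ignored."""
    parts = [int(p) for p in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the NSX-v release is in the 6.4.0 .. 6.4.6 range named in this KB."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_access_denied(log_text: str) -> List[Dict[str, str]]:
    """Extract timestamp, denied object and denied feature from every matching entry."""
    records = []
    for line in log_text.splitlines():
        m = _DENIED_RE.match(line)
        if m:
            records.append({"ts": m.group("ts"),
                            "object": m.group("obj"),
                            "feature": m.group("feature")})
    return records


def triage(records: List[Dict[str, str]], nsx_version: str) -> Dict[str, List[Dict[str, str]]]:
    """Denials on edge.tunnel from an affected release are explained by this KB
    (missing vsmRoles.properties entries); everything else is a real role/scope
    problem for the calling user and must be reviewed, not waved through."""
    out: Dict[str, List[Dict[str, str]]] = {"kb330274": [], "review_rbac": []}
    for r in records:
        explained = r["feature"] == "edge.tunnel" and is_affected_version(nsx_version)
        out["kb330274" if explained else "review_rbac"].append(r)
    return out


if __name__ == "__main__":
    version = "6.4.5"  # constructed: version of the NSX Manager being triaged
    report = triage(parse_access_denied(SAMPLE_VSM_LOG), version)
    for bucket, recs in report.items():
        for r in recs:
            print(f"{bucket:12s} {r['ts']}  {r['object']}  {r['feature']}")
    if report["kb330274"]:
        print(f"upgrade to {'.'.join(map(str, FIXED_IN))} or apply the GSS workaround")
```

To use it against a real system, replace SAMPLE_VSM_LOG with the contents of vsm.log from the NSX Manager and pass the Manager's actual version. Note that an edge.tunnel denial on 6.4.7 or later is not explained by this KB and lands in review_rbac, because the missing role entries are present in the fixed release and the denial then reflects the user's real permissions or object scope.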