[HCX] Error trying to change or add a User group to HCX Role Mapping from the appliance management interface

Article ID: 336972


Products

VMware HCX, VMware Cloud on AWS, VMware Cloud on Dell EMC

Issue/Introduction

Change or add user groups under HCX Role Mapping to give them access to the HCX UI (directly or through the HCX vSphere plugins).

Symptoms:
  • When trying to change or add a user group in HCX Role Mapping from the appliance management interface, a red banner appears with an error similar to the one below:
"Invalid UserGroup configured. Usergroup <Old_Domain>/Administrators does not exist in VC <vCenter's_IP_or_FQDN>"
  • When checking the HTTP code while attempting to change the list of user groups, you get a 500 error.
  • When checking /common/logs/admin/app.log, you see the error below:
2023-10-11 20:18:47.141 UTC [https-jsse-nio-9443-exec-9, , ] ERROR o.a.c.c.C.[.[.[.[dispatcherServlet]- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.Exception: Invalid UserGroup configured. Usergroup <Old_Domain>/Administrators does not exist in VC <vCenter's_IP_or_FQDN>.] with root cause
java.lang.Exception: Invalid UserGroup configured. Usergroup <Old_Domain>/Administrators does not exist in VC <vCenter's_IP_or_FQDN>.
        at com.vmware.hybridity.admin.config.RoleConfigRestController.validateUserGroupInVc(RoleConfigRestController.java:255)


Cause

The old domain is no longer available, so the PUT API call uses a mix of the new list of groups and the old list of groups.

Resolution

This will be fixed in future releases of HCX.

Workaround:
Go to the appliance management interface (https://HCX_FQDN_or_IP:9443) and log in as admin.
Open developer tools in Google Chrome.
Go to the Network section.
Retry changing the list of user groups under HCX Role Mapping via the HCX UI.
Copy the API call in cURL (bash) format (the call should show up as roleMappings).

Paste the content into a text editor and make sure that the groups under the "System Administrator" and the "Enterprise Administrator" sections match.

Connect to the HCX Manager via SSH and copy & execute the modified API call from the text editor. If the change went through, the response code should be a 200.
Log out of the HCX Manager Appliance Management Interface, log back in and check the groups under role mapping.
Log out of vCenter and log back in.
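
The check in the text-editor step above can be scripted. This is an added example, not VMware's code: it parses a copied cURL command and reports whether the groups under the two roles match. The sample capture is constructed, and its URL path and JSON field names (role, userGroups) are assumptions to verify against your own capture.

```python
import json
import shlex

# Constructed sample of a "Copy as cURL (bash)" capture. The URL path and the
# JSON field names (role, userGroups) are assumptions; check your own capture.
SAMPLE_CURL = r"""curl 'https://HCX_FQDN_or_IP:9443/<captured_path>/roleMappings' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  --data-raw '[{"role":"System Administrator","userGroups":["NEW_DOMAIN\\Administrators"]},{"role":"Enterprise Administrator","userGroups":["OLD_DOMAIN\\Administrators"]}]'"""

ROLES = ("System Administrator", "Enterprise Administrator")
DATA_FLAGS = {"-d", "--data", "--data-raw", "--data-binary"}


def extract_body(curl_cmd):
    """Return the decoded JSON request body of a copied cURL command."""
    tokens = shlex.split(curl_cmd.replace("\\\n", " "))  # join continued lines
    for flag, value in zip(tokens, tokens[1:]):
        if flag in DATA_FLAGS:
            return json.loads(value)
    raise ValueError("no request body found in the cURL command")


def compare_roles(curl_cmd):
    """Report which groups appear under only one of the two roles."""
    groups = {m["role"]: set(m["userGroups"]) for m in extract_body(curl_cmd)}
    missing = [r for r in ROLES if r not in groups]
    if missing:
        raise KeyError(f"role(s) not present in the body: {missing}")
    system, enterprise = (groups[r] for r in ROLES)
    return {
        "match": system == enterprise,
        "only_system": sorted(system - enterprise),
        "only_enterprise": sorted(enterprise - system),
    }


def aligned_body(curl_cmd, wanted_groups):
    """Return a JSON body with both roles set to the same list of groups."""
    body = extract_body(curl_cmd)
    for mapping in body:
        if mapping["role"] in ROLES:
            mapping["userGroups"] = list(wanted_groups)
    return json.dumps(body)


if __name__ == "__main__":
    print(compare_roles(SAMPLE_CURL))
    print(aligned_body(SAMPLE_CURL, ["NEW_DOMAIN\\Administrators"]))
```

The copied command also carries the admin session's authentication headers, so keep the text file off shared locations and delete it once the change is applied.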

Additional Information

Impact/Risks:
If the group is no longer available and it was the only group, users might not be able to access HCX and its components. Service Meshes and their Appliances will continue to work without interruption, but new changes or updates cannot be performed.
Users are not able to remove stale user groups.