"/policy/api/v1/infra/segments/<SEGMENT_ID>/segment-security-profile-binding-maps/<SECURE_ID>" PATCH API is accepting invalid values in payload

Article ID: 375540


Products

VMware NSX

Issue/Introduction

  • Using the NSX Policy PATCH API "/policy/api/v1/infra/segments/<SEGMENT_ID>/segment-security-profile-binding-maps/<SECURE_ID>", invalid values are accepted.
  • The invalid values can lead to segments becoming unmanageable in the NSX-T UI.
  • For example, the following PATCH body has an incorrect value (a leading double '//') in segment_security_profile_path:
    {
        "resource_type": "SegmentSecurityProfileBindingMap",
        "segment_security_profile_path": "//infra/segment-security-profiles/${SEGMENT_SECURITY_ID}",
        "spoofguard_profile_path": "/infra/spoofguard-profiles/${SPOOFGUARD_ID}"
    }

Environment

  • VMware NSX 4.1.x
  • VMware NSX 4.2.x

Cause

The Segments Policy PATCH API does not validate the segment_security_profile_path parameter in the request payload.

Resolution

This is a known issue impacting VMware NSX.

Workaround 1:

If you have already encountered this issue and the segment is unmanageable in the NSX-T UI:

1. GET API request to read the configuration of the segment binding map that has the invalid value(s) (in our example, the double '//'): GET "/policy/api/v1/infra/segments/<SEGMENT_ID>/segment-security-profile-binding-maps/<SECURE_ID>"

2. First PATCH API request, body with the profile path removed: PATCH: "/policy/api/v1/infra/segments/<SEGMENT_ID>/segment-security-profile-binding-maps/<SECURE_ID>"

3. Second PATCH API request, now with the profile path included and the invalid value(s) removed from the path received in the GET API call above: PATCH: "/policy/api/v1/infra/segments/<SEGMENT_ID>/segment-security-profile-binding-maps/<SECURE_ID>"
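
Because the API does not validate the path, a client-side check before sending the PATCH catches the problem early. The following is an added example, not part of the original article or VMware code: it flags malformed profile paths and builds the two PATCH bodies of Workaround 1 from a GET response. The function names, the sample IDs and the assumed shape of a valid path (the prefix shown in the article followed by one ID without a slash) are assumptions.

```python
import re

# Assumption: a valid value is the collection prefix shown in the article
# followed by exactly one non-empty ID that contains no "/".
EXPECTED_PREFIX = {
    "segment_security_profile_path": "/infra/segment-security-profiles/",
    "spoofguard_profile_path": "/infra/spoofguard-profiles/",
}

def path_errors(body):
    """Return the names of profile-path fields whose value looks malformed."""
    bad = []
    for field, prefix in EXPECTED_PREFIX.items():
        value = body.get(field)
        if value is None:
            continue  # field not present in this body
        ok_prefix = isinstance(value, str) and value.startswith(prefix)
        profile_id = value[len(prefix):] if ok_prefix else ""
        if not profile_id or "/" in profile_id:
            bad.append(field)
    return bad

def repair_bodies(current):
    """Build the two PATCH bodies of Workaround 1 from the GET response."""
    bad = path_errors(current)
    # First PATCH: same body with the malformed profile path(s) left out.
    first = {k: v for k, v in current.items() if k not in bad}
    # Second PATCH: paths restored with repeated slashes collapsed.
    second = dict(current)
    for field in bad:
        second[field] = re.sub(r"/{2,}", "/", str(current[field]))
    if path_errors(second):
        raise ValueError(f"cannot repair automatically: {path_errors(second)}")
    return first, second

# Constructed GET response; the IDs are placeholders, not real objects.
SAMPLE_GET = {
    "resource_type": "SegmentSecurityProfileBindingMap",
    "segment_security_profile_path": "//infra/segment-security-profiles/example-segsec",
    "spoofguard_profile_path": "/infra/spoofguard-profiles/example-spoofguard",
}

if __name__ == "__main__":
    first_body, second_body = repair_bodies(SAMPLE_GET)
    print("malformed fields:", path_errors(SAMPLE_GET))
    print("PATCH 1:", first_body)
    print("PATCH 2:", second_body)
```

Running `path_errors` on every binding-map body before it is sent keeps malformed paths from reaching the API in the first place.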

Workaround 2:

Delete the Infra segment security profile binding map using the DELETE API endpoint and re-create it.

Additional Information