VMware NSX Multi-tenancy failed to remove T0 from project through NSX UI
search cancel

VMware NSX Multi-tenancy failed to remove T0 from project through NSX UI

book

Article ID: 379304

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

In VMware NSX 4.1.x, we introduced the new multi-tenancy feature, where customers can configure multiple tenants on a single NSX deployment. Multi-tenancy enables customers to isolate security and networking configurations across tenants. NSX users across tenants can access the same NSX Manager to provision networking and security objects on shared hosts. For details, please check: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-F7589038-AFF2-459A-BE46-BF557CDFB9E4.html 

In some cases, when trying to remove a T0 from a project (tenant) through NSX manager UI, the T0 will not be removed from the project and thus preventing the tenant from being deleted. 

When checking the browser console, an PUT API call to /policy/api/v1/orgs/default/projects/<project-UUID> fails with an HTTP status code of "400 Bad Request".

The detailed failure message has the following similar info, such as "tier_0s paths [/infra/tier-0s/<T0-UUID>] in dedicated_resources must also be present in tier_0s argument in project payload."

However, this error message may not be displayed on the UI, and this can lead users to believe the T0 has been removed from the project. 

 

An example of the abovementioned API call to the project:

Request URL: https://<NSX-Manager>/policy/api/v1/orgs/default/projects/<project-UUID>
Request Method: PUT
Status Code: 400 Bad Request
Request Body:
{
   "_create_time" : 1727325458449,
   "_create_user" : "<NSX-USER>",
   "_last_modified_time" : 1727990736750,
   "_last_modified_user" : "<NSX-USER>",
   "_protection" : "NOT_PROTECTED",
   "_revision" : 10,
   "_system_owned" : false,
   "activate_default_dfw_rules" : true,
   "dedicated_resources" : {
      "tier_0s" : [                                     =====================> This list contains an extra T0 meant to be removed. 
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-to-be-removed-UUID>",
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-UUID>",
         "/infra/tier-0s/<T0-UUID>"
      ]
   },
   ..........
   "tier_0s" : [                                        =====================> This list does not contain the extra T0. 
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>",
      "/infra/tier-0s/<T0-UUID>"
   ],
   "unique_id" : "<UUID>"
}


Result body:

{
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 524280,
  "module_name" : "policy",
  "error_message" : "tier_0s paths [/infra/tier-0s/<T0-to-be-removed-UUID>] in dedicated_resources must also be present in tier_0s argument in project payload."
}

Environment

VMware NSX 4.1.x and VMware NSX 4.2.x

Cause

This is caused by a UI validation error where the T0 that was unselected from the project settings page remains in the final API call. 

Resolution

Workaround:

Capturing the error API call from the browser console, make modification so that the body does not contain the extra T0 to-be-removed in the "dedicated_resources: tier_0s".

Send PUT API call to the https://<nsx-manager-ip>/policy/api/v1/orgs/default/projects/<project-UUID> with the modified content in the body. 

An example as:

curl -k -u admin "https://<nsx-manager-IP>/policy/api/v1/orgs/default/projects/<project-UUID>" -X PUT -H 'Content-type: application/json' -d '{
>     "_create_time" : <keep-as-is>,
>     "_create_user" : "<keep-as-is>",
>     "_last_modified_time" : <keep-as-is>,,
>     "_last_modified_user" : "<keep-as-is>",
>     "_protection" : "NOT_PROTECTED",
>     "_revision" : <keep-as-is>,
>     "_system_owned" : false,
>     "activate_default_dfw_rules" : true,
>     "dedicated_resources" : {
>        "tier_0s" : [
>           "/infra/tier-0s/<T0-to-keep-UUID-1>",
>           "/infra/tier-0s/<T0-to-keep-UUID-2>",
>           "/infra/tier-0s/<T0-to-keep-UUID-3>"
>        ]
>     },
>     "default" : false,
>     "display_name" : "<keep-as-is>",
>     "id" : "<keep-as-is>",
>     "marked_for_delete" : false,
>     "overridden" : false,
>     "owner_id" : "<keep-as-is>",
>     "parent_path" : "/orgs/default",
>     "path" : "/orgs/default/projects/<project-UUID>",
>     "realization_id" : "<keep-as-is>",
>     "relative_path" : "<keep-as-is>",
>     "resource_type" : "Project",
>     "short_id" : "<keep-as-is>",
>     "site_infos" : [
>        {
>           "edge_cluster_paths" : [
>              "/infra/sites/default/enforcement-points/default/edge-clusters/<edge-node-UUID-keep-as-is>",
>              "/infra/sites/default/enforcement-points/default/edge-clusters/<edge-node-UUID-keep-as-is>"
>           ],
>           "site_path" : "/infra/sites/default",
>           "transport_zone_paths" : [
>              "/infra/sites/default/enforcement-points/default/transport-zones/<transport-zone-UUID-keep-as-is>"
>           ]
>        }
>     ],
>     "tier_0s" : [
>        "/infra/tier-0s/<T0-to-keep-UUID-1>",
>        "/infra/tier-0s/<T0-to-keep-UUID-2>",
>        "/infra/tier-0s/<T0-to-keep-UUID-3>"
>     ],
>     "unique_id" : "<keep-as-is>"
>  }'
Powered by Wolken Software