NSX Upgrade fails with the error: "Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own."

Article ID: 404214


Products

VMware NSX

Issue/Introduction

  • You are trying to upgrade NSX, and when navigating to System -> Lifecycle Management -> Upgrade, you receive the following error:
    org.springframework.web.client.HttpClientErrorException$BadRequest: 400 : "{<EOL> "httpStatus" : "BAD_REQUEST",<EOL> "error_code" : 289,<EOL> "module_name" : "common-services",<EOL> "error_message" : "Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)"<EOL>}:
  • When running an NSX API call (e.g., curl -k -X POST -H "Content-Type: application/xml" -u admin "https://<NSX-Manager-IP>/api/v1/upgrade/plan?action=upgrade"), you receive an "Error in rest call" message.
  • This indicates that the version whitelist for the EDGE or CCP component was created by a principal user, whereas during an upgrade the Upgrade Coordinator (UC) attempts to update it as a system user.

    {
    "details" : "org.springframework.web.client.HttpClientErrorException$BadRequest: 400 : \"
    {<EOL> \"httpStatus\" : \"BAD_REQUEST\",<EOL> \"error_code\" : 289,<EOL> \"module_name\" : \"common-services\",<EOL> \"error_message\" : \"Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)\"<EOL>}
    \"",
    "httpStatus" : "INTERNAL_SERVER_ERROR",
    "error_code" : 30014,
    "module_name" : "upgrade-coordinator",
    "error_message" : "[UC] Error in rest call. url= /nsxapi/api/v1/upgrade/version-whitelist/EDGE , method= PUT , response=
    {\n \"httpStatus\" : \"BAD_REQUEST\",\n \"error_code\" : 289,\n \"module_name\" : \"common-services\",\n \"error_message\" : \"Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)\"\n}
    , error= 400 : \"
    {<EOL> \"httpStatus\" : \"BAD_REQUEST\",<EOL> \"error_code\" : 289,<EOL> \"module_name\" : \"common-services\",<EOL> \"error_message\" : \"Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)\"<EOL>}
    \" ."
    }
    OR

    [UC] Error in rest call. url= /nsxapi/api/v1/upgrade/version-whitelist/CCP , method= PUT , response= {
    "error_message" : "Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)"
    } , error= 400 : "{<EOL>  "httpStatus" : "BAD_REQUEST",<EOL>  "error_code" : 289,<EOL>  "module_name" : "common-services",<EOL>  "error_message" : "Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=#####, allowOverwrite=null)"<EOL>}" .
  • Next, to confirm, you can run a GET API call to the version-whitelist for the affected component, in this case, EDGE.
    For example:
    curl -k -X GET -H "Content-Type: application/xml" -u admin https://<NSX-Manager-IP>/api/v1/upgrade/version-whitelist/EDGE
    {
      "component_type" : "EDGE",
      "resource_type" : "",
      "id" : "EDGE",
      "display_name" : "EDGE",
      "acceptable_versions" : [ "4.1.1.0.0.22224325" ],
      "_create_time" : #############,
      "_create_user" : "example_username",
      "_last_modified_time" : #############,
      "_last_modified_user" : "example_username",
      "_system_owned" : false,
      "_protection" : "REQUIRE_OVERRIDE",
      "_revision" : 1
    }

Environment

VMware NSX 4.x

Cause

The version whitelist (the nsx$VersionWhitelist object) was created or updated by an account other than the 'UC' user.
Consequently, when an NSX upgrade is triggered via the Upgrade Coordinator (using the admin account), the Edge pre-upgrade process attempts to update the version whitelist to accept the target versions, but this operation fails ownership validation.
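
A triage helper for the symptoms and cause described above, added here as an example (not Broadcom code): it pulls the affected component out of the Upgrade Coordinator error text and checks the owner fields of the matching GET response. The function names, the constructed sample data, and the assumption that the expected owner string is literally "UC" are not from the article.

```python
import json
import re

# Signature of the failure quoted in this article: a PUT to
# /upgrade/version-whitelist/<COMPONENT> rejected by ownership validation.
UC_CALL = re.compile(r"url=\s*\S*/upgrade/version-whitelist/(\w+)\s*,\s*method=\s*PUT")
OWNERSHIP = re.compile(r"Principal 'UC' .*?object of type nsx\$VersionWhitelist it doesn't own")

def affected_components(log_text):
    """Return components (e.g. EDGE, CCP) whose whitelist update was rejected."""
    found = []
    for chunk in log_text.split("[UC] Error in rest call")[1:]:
        m = UC_CALL.search(chunk)
        if m and OWNERSHIP.search(chunk) and m.group(1) not in found:
            found.append(m.group(1))
    return found

def ownership_findings(whitelist, expected_owner="UC"):
    """List owner fields of a GET version-whitelist response that differ from the expected owner."""
    # Assumption: the owner the upgrade expects appears as the string "UC".
    findings = []
    for field in ("_create_user", "_last_modified_user"):
        user = whitelist.get(field)
        if user != expected_owner:
            findings.append(f"{field}={user!r} (expected {expected_owner!r})")
    return findings

def triage(log_text, whitelists):
    """Map each affected component to the ownership findings for its whitelist."""
    report = {}
    for comp in affected_components(log_text):
        wl = whitelists.get(comp)
        report[comp] = ownership_findings(wl) if wl else ["no GET response supplied"]
    return report

# Constructed sample input, modelled on the error and GET output shown above.
SAMPLE_LOG = r'''[UC] Error in rest call. url= /nsxapi/api/v1/upgrade/version-whitelist/EDGE , method= PUT , response= {"error_code" : 289, "error_message" : "Principal 'UC' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$VersionWhitelist it doesn't own. (createUser=example_username, allowOverwrite=null)"}'''
SAMPLE_GET = json.loads('''{"id": "EDGE", "acceptable_versions": ["4.1.1.0.0.22224325"],
  "_create_user": "example_username", "_last_modified_user": "example_username",
  "_system_owned": false, "_protection": "REQUIRE_OVERRIDE", "_revision": 1}''')

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, {"EDGE": SAMPLE_GET}), indent=2))
```

Attaching the resulting report to the support case records which account owns the whitelist object.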

Resolution

This is a known issue impacting VMware NSX.

If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article.
For more information, see Creating and managing Broadcom support cases.