Attempts to Delete NAPP Principals Fail with Error "Principal … attempts to delete or modify an object … it doesn’t own"

Article ID: 408187


Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When attempting to delete NAPP service principals (such as napp_platform_egress) from the NSX UI to remove stale certificates (per KB 399710), the operation may fail with the following error message:

Error: Principal '[email protected]' with role '[lb_admin, enterprise_admin, security_engineer, network_engineer]' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=napp_platform_egress, allowOverwrite=null) (Error code: 289)

This issue typically occurs when trying to delete the following principals from the UI:

  • napp_platform_egress
  • napp_platform_ingress
  • napp_platform_kafka


Environment

  • Any NSX with NAPP 4.2.x or SSP 5.x undeployed
  • Stale, expired certificates still in "in use" status:
      K8S_PLATFORM_CA
  • NAPP service principals linked to those certificates:
      napp_platform_egress
      napp_platform_ingress
      napp_platform_kafka

Cause

This error occurs because the certificate objects linked to these principals were originally created by a different principal (the NAPP platform services; the error reports createUser=napp_platform_egress), while the deletion is attempted as another principal (such as [email protected]). NSX does not let one principal delete or modify an object it does not own unless the request explicitly allows overwrite (allowOverwrite=null in the error), which is why the UI operation is rejected with error code 289.


Resolution

To remove the stale principals and their linked certificates:

  1. Retrieve the list of principal identities:

curl -k -v -u "admin:${NPASSWD}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  "https://$NSX_MGR/api/v1/trust-management/principal-identities"

Note: GET is curl's default method, so -X GET can be omitted.

  2. Identify the principal ID from the output. Example:

"id" : "8aad081b-9060-4d65-8495-d2xxxxx"

  3. Delete the stale principal using its ID. If the delete is rejected with the ownership error above (error code 289), add the X-Allow-Overwrite header:

curl -k -v -u "admin:${NPASSWD}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Allow-Overwrite:true" \
  -X DELETE \
  "https://$NSX_MGR/api/v1/trust-management/principal-identities/<id>"

  4. Replace $NSX_MGR with your NSX Manager FQDN or IP address.

Example session (run on the NSX Manager itself, so 127.0.0.1 is used as the address):

root@ansnsx1:~# curl -k -v -u "admin" -H "Content-Type: application/json" -H "Accept: application/json" GET "https://127.0.0.1/api/v1/trust-management/principal-identities"
Enter host password for user 'admin':<SKIP>
{
  "results" : [ {
    "name" : "napp_platform_ingress",
    "node_id" : "nsx.application.platform",
    "role" : "network_engineer",
    "certificate_id" : "b21ea765-cbf7-4cc6-8519-xxxxx",
    "roles_for_paths" : [ {
      "path" : "/",
      "roles" : [ {
        "role" : "network_engineer"
      } ],
      "delete_path" : false
    } ],
    "is_protected" : true,
    "resource_type" : "PrincipalIdentity",
    "id" : "8aad081b-9060-4d65-8495-d2xxxxx",
    "display_name" : "[email protected]",
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_create_time" : 1740xxxxxx,
    "_create_user" : "admin",
    "_last_modified_time" : 1740xxxxxx,
    "_last_modified_user" : "admin",
    "_revision" : 0
  },
(remaining results omitted)

Example principal ID taken from this output:

    "id" : "8aad081b-9060-4d65-8495-d2xxxxx"
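The steps above, combined into one script, as an added example that is not part of this KB or of any VMware tooling. It parses the principal-identities listing, selects only principals whose name is on the allowlist the KB gives (so an unrelated principal in the same listing is never touched), and builds the same DELETE with the X-Allow-Overwrite header that the curl command in step 3 sends. The sample listing, the host name nsx-mgr.example.invalid, the second "backup_operator" principal and all function names are constructed for the example; the IDs are the KB's placeholders. The script verifies the NSX Manager's TLS certificate against a supplied CA bundle rather than skipping verification as curl -k does, and runs as a dry run by default.

```python
import base64
import json
import ssl
import urllib.request

# Principals the KB lists as left behind once NAPP / SSP has been undeployed.
STALE_NAPP_PRINCIPALS = frozenset({
    "napp_platform_egress",
    "napp_platform_ingress",
    "napp_platform_kafka",
})

# Constructed sample response, shaped like the KB's
# GET /api/v1/trust-management/principal-identities output. IDs are placeholders.
SAMPLE_LISTING = json.dumps({
    "results": [
        {
            "name": "napp_platform_ingress",
            "node_id": "nsx.application.platform",
            "certificate_id": "b21ea765-cbf7-4cc6-8519-xxxxx",
            "resource_type": "PrincipalIdentity",
            "id": "8aad081b-9060-4d65-8495-d2xxxxx",
            "_create_user": "admin",
        },
        {
            # Constructed unrelated principal: must be left alone by the purge.
            "name": "backup_operator",
            "node_id": "ops-host-01",
            "certificate_id": "11111111-2222-3333-4444-555555555555",
            "resource_type": "PrincipalIdentity",
            "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "_create_user": "admin",
        },
    ]
})


def select_stale_principals(listing_json, names=STALE_NAPP_PRINCIPALS):
    """Return (name, id, certificate_id) for every principal whose name is on
    the allowlist. Everything else is skipped so a typo cannot widen the purge."""
    listing = json.loads(listing_json)
    selected = []
    for pi in listing.get("results", []):
        if pi.get("name") in names:
            selected.append((pi["name"], pi["id"], pi.get("certificate_id")))
    return selected


def build_delete_request(nsx_mgr, principal_id, user, password, allow_overwrite=True):
    """Build the DELETE the KB issues with curl in step 3. X-Allow-Overwrite is
    what lets admin remove an object owned by another principal, so it is only
    added when explicitly requested."""
    url = f"https://{nsx_mgr}/api/v1/trust-management/principal-identities/{principal_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if allow_overwrite:
        headers["X-Allow-Overwrite"] = "true"
    return urllib.request.Request(url, headers=headers, method="DELETE")


def delete_stale_principals(nsx_mgr, user, password, listing_json,
                            dry_run=True, cafile=None):
    """Delete every allowlisted principal found in listing_json. With
    dry_run=True nothing is sent; the planned deletions are returned instead.
    cafile is the CA bundle that signed the NSX Manager certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    planned = []
    for name, pid, cert_id in select_stale_principals(listing_json):
        req = build_delete_request(nsx_mgr, pid, user, password)
        planned.append((name, pid, cert_id, req.full_url))
        if not dry_run:
            with urllib.request.urlopen(req, context=ctx) as resp:
                print(f"deleted {name} ({pid}): HTTP {resp.status}")
    return planned


if __name__ == "__main__":
    # Dry run against the constructed listing; no network access is made.
    for name, pid, cert_id, url in delete_stale_principals(
            "nsx-mgr.example.invalid", "admin", "<password>", SAMPLE_LISTING):
        print(f"would DELETE {url}  # principal {name}, linked certificate {cert_id}")
```

In real use, fetch the listing with the GET from step 1 (or urllib with the same Basic auth header) and pass the response body as listing_json; keep dry_run=True for a first pass and review the printed plan before re-running with dry_run=False. The certificate_id returned alongside each principal is the certificate that becomes deletable once its owning principal is gone.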