VMware Horizon Community
solgaeDK
VMware Employee
VMware Employee

View 5.1.1 - Rebalance operation failed (Permission denied)

I am having trouble getting the rebalance operation to work. I am attempting to migrate the linked-clone desktops from one datastore to another by following the KB article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102875...

However, the rebalance operation will fail, and the desktops are on the error state with the following message:

Permission to perform this operation was denied

The event table only shows: Refit operation rebalance failed

After that, the desktop will be recovered and recomposed but still on the old datastore.

All hosts within the cluster have access to both new and old datastore. The vCenter user account used for View has all the permissions required for View Manager and View Composer as listed on the documentation, with one additional privilege assigned as per this KB article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204216...

Looking at the logs for View Connection server and View Composer comes up nothing.

Any help is appreciated.

Thanks,

2 Replies
solgaeDK
VMware Employee
VMware Employee

Solved the problem my own. Here's how I fixed it:

1. First, the permission assignment for the account used for View on my vCenter's Permissions tab was somehow glitched. When I attempted to change the assigned role to Administrator, I was getting the error: Call "AuthorizationManager.SetEntityPermissions" for object "AuthorizationManager" on vCenter Server "vCenter Server FQDN" failed, even though my account had Administrator role privilege.

To fix it, just delete and re-create that particular permission object. If you have any child objects assigned with a different role, just delete and let the role propagate from the parent, and then re-assign the role.

2. Second, it looks like the VMware View documentation is missing the permission required for rebalancing task. Rebalance will invoke the relocateVM_Task API to relocate the desktop VM to a different datastore, which requires Resource -> Relocate privilege. Ensure that you assign this permission to the role you're using for View Composer/Management. Of course, the alternative is to use the Administrator role, but if you're in the environment that enforces minimally-required privilege practice, that is not an option.

Thanks.

bdwyer
Contributor
Contributor

SolgaeDK

Thanks a ton for posting this response.  I had a similar issue attempting to re-locate linked-clones to newly presented datastores (SAN Migration).  I had tried so many different tasks to resolve the issue.  Even weirder still ONE of the LC's in the pool rebalanced without erroring out, but all the remaining LC's were failing with that permissions error.  To add complexity to my environment, I am supporting two domains (with a firewall in between domains) in this Horizon environment and that in and of itself has presented more than its share of challenges.

Anyway, in my case the problem was the secondary domain composer account credentials clearly became wonky.  I've actually battled that same issue in the past for another issue.  I honestly didn't think about the credentials in the composer config because one VM did actually re-balance to the new datastore.  Sure enough though after reading your post, I immediately went and reset/validated the View Composer credentials and voila!  All clones now re-balance to the new datastore.  For anyone who's interested, I'm running Horizon View 6.1 build 2509221.

Thanks again Solgae, you put me back on course and saved me from wasting even more time than I already had!

Reply
0 Kudos