VMware Cloud Community
sven_knockaert
Contributor

VRA 8.1 deployment "Create Failed"

A particular user with the roles "Organisation member", "Project member", "Service Broker User" fails to successfully deploy a catalog item.
In Step-6 (Machine Provisioning) the user gets the error: "Create Failed: IllegalAccessError: forbidden"

When I add the role "Service broker viewer" to this user, he is able to deploy the catalog item successfully.

But this makes no sense to me. With the role "Service broker viewer", the user gets too many menu items in his console.

Screenshot 2020-09-17 161247.jpg
This is the case with local (System) users and with users from AD.

Any ideas for a solution or suggestions for troubleshooting?


Accepted Solutions
sven_knockaert
Contributor

With the update to vRA8.2 this issue is resolved.

Thanks everyone!

11 Replies
Lalegre
Virtuoso

Hey sven.knockaert,

So I just did exactly what you detailed with the creation of a new user but the deployment finished successfully. I added the next roles to the user:

  • Organization Member
  • Project Member
  • Service Broker User

With those roles everything worked as expected. I am using vRA 8.1 Patch 2 in my platform, maybe it is an issue related with the version.

However in case not, is that user a member of multiple projects? All the components of the blueprint are entitled to use within that project?

If you can give us a little more detail maybe we can figure it out.

sven_knockaert
Contributor

Hey @Lalegre

We also have vRA 8.1 Patch 2 (8.1.0.9583 (16633378))

This problem occurs with every user that has only the "Service Broker User" role.

From the moment I add the role "Service Broker Viewer", those users are able to successfully request and deploy a template.

It doesn't make a difference if this user is only a member of one project or multiple projects.

If the user can deploy with the extra "Service Broker viewer" role, I would assume that all the components are entitled to use within that project?

This is a really annoying problem, as I have to give my users too many roles (SB user and viewer) with the result that they have too many menu items and information available.

Lalegre
Virtuoso

To be honest with you this seems weird as I did exactly that but without adding the "Service Broker Viewer" role.

How are you doing the entitle of the permissions, to groups or individual users?

sven_knockaert
Contributor

To groups or individuals doesn't make any difference.

This is what I get with only the "Service Broker User" role:

Screenshot 2020-09-21 111343.jpg

When I look at the events log: (Error: java.lang.IllegalAccessError: forbidden)

Screenshot 2020-09-21 112504.jpg

Lalegre
Virtuoso

Unfortunately could not find anything related to your error.

Does this happen to you with all the Blueprints? What if you create a new simple Blueprint with just a VM and one network and nothing else?

sven_knockaert
Contributor

With the suggestions you gave me, I found the cause, but not the solution...

We use the "ImageRef" property for the use of Linked Clones =>

    resources:
      demo-machine:
        type: Cloud.vSphere.Machine
        properties:
          imageRef: 'demo-machine/snapshot-01'
          cpuCount: 1
          totalMemoryMB: 1024

With the normal usage of the "Image" property, all users with only the "service broker user" role can request and deploy a template successfully.

Question is now: How can we let normal users deploy a template that uses linked clones?

Lalegre
Virtuoso

Hey Sven,

Here I am guessing that the issue could be related about the user you are using to connect to vCenter Server, maybe it has lack of permissions and cannot clone from a Snapshot.

However this is not related at all with the "Service Broker Viewer" issue you were facing and I still think that is completely weird. However is it possible that you are using a user with not so many permissions in vSphere?

UPDATE: I tested exactly same scenario as you and it failed with the same error that you are facing so tomorrow I will keep doing some troubleshooting to see if I can find something

sven_knockaert
Contributor

I'm glad to hear that you can reproduce this problem...

The Cloud Account for vSphere (vCenter) is using our main account (Administrator@vsphere.local) for the moment.

So this account should have all the permissions.

Lalegre
Virtuoso

Hello Sven,

I couldn't find anything related with the error we both faced.

I tried multiple combinations, change of credentials, creations of new users, combination of permissions, change of template, deploying in more than one vCenter, etc. and no luck. I got into the logs but they do not point to nothing specific but to some Java error related.

At this point I would recommend you to follow the issue with VMware because as we discussed previously there is a big chance that this issue is nothing more than bug related and if that is the case then we will need to wait for the next update or patch, whatever comes first.

Sorry I couldn't find the solution

sven_knockaert
Contributor

@Lalegre

No problem. I really appreciate your efforts to resolve the issue!
