vCloud Director 8.20 – API to Grant Privileges to Advanced Gateway

Problem:

After upgrading to Advanced Gateway Edge in VCD 8.20, the user is unable to access the new tenant portal due to a permissions issue.

Example of error message:

You need some or all of the following rights [ORG_VDC_GATEWAY_CONFIGURE_SSH,
ORG_VDC_GATEWAY_VIEW_SSH] to perform operations [GATEWAY_VIEW_SSH] for
(com.vmware.vcloud.entity.gateway:c2c63647-82e7-4a40-8167-xxxxxxxxxx)

Solution:

To fix the issue, a vCloud Director administrator will need to perform the relevant API calls to grant access.

In this example I will be using Postman.

1. Log in to the vCloud Director API using an admin account (POST)

POST https://vcd-fqdn/api/sessions

Authentication – Basic Authentication: (administrator@system, <password>)
Accept: application/*+xml;version=27.0
Content-type: application/*+xml

Collect the value of the x-vcloud-authorization header from the response; it is sent as a request header on the calls that follow.

2. Find the Organisation reference (GET)

GET https://vcd-fqdn/api/org

Get the reference ID (highlighted in red in the screenshot) of the organisation, in this example JordansphereUAT.

3. Get the attributes of the Organisation (GET)

GET https://vCloud_fqdn/api/admin/org/{org_reference}/rights

4.  Concatenate the following with the output from step 3

    <RightReference href="https://vcloud_fqdn/api/admin/right/a100f6a0-2c81-3b61-90c3-c4dbd721b3a8" name="Organization vDC Distributed Firewall: Enable/Disable" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
    <RightReference href="https://vcloud_fqdn/api/admin/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>

 

5. Update the rights of the organisation (PUT)

PUT https://vcd_fqdn/api/admin/org/{org_reference_id}/rights

Paste the combined list into the Body field (raw)

Note: Ensure the first line starts with:

  <OrgRights xmlns="http://www.vmware.com/vcloud/v1.5"  …….

 

6. Grant permissions via vCloud Director Portal.

Sign in as an administrator -> Administration -> Roles -> Right click Organization Administrator for Organization -> Properties -> Tick box for Gateway Advanced Services

The organization administrators should now be able to view the new Advanced Gateway.
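
The merge in steps 4 and 5, as an added example that is not part of the original post: it adds only the rights missing from the step 3 output and returns the names it added, so the grant can be reviewed before the PUT. The function names and the trimmed sample response are assumptions; the two right references are taken from the step 4 list.

```python
import xml.etree.ElementTree as ET

NS = "http://www.vmware.com/vcloud/v1.5"
RIGHT_TYPE = "application/vnd.vmware.admin.right+xml"
ET.register_namespace("", NS)  # keeps xmlns="..." on <OrgRights>, as the step 5 note requires

# Constructed stand-in for a step 3 response (a real one lists many more rights).
SAMPLE_CURRENT = f"""<OrgRights xmlns="{NS}">
  <RightReference href="https://vcloud_fqdn/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473"
    name="Organization vDC Gateway: View Firewall" type="{RIGHT_TYPE}"/>
</OrgRights>"""

# Two entries taken from the step 4 list; extend with the remaining ones as needed.
EXTRA = [
    ("https://vcloud_fqdn/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473",
     "Organization vDC Gateway: View Firewall"),
    ("https://vcloud_fqdn/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732",
     "Organization vDC Gateway: View NAT"),
]

def right_id(href):
    """UUID at the end of a right href; the host part may be spelled differently."""
    return href.rstrip("/").rsplit("/", 1)[-1].lower()

def merge_org_rights(current_xml, extra_rights):
    """Return (put_body, added_names): step 3 output plus any rights it lacks."""
    root = ET.fromstring(current_xml)
    if root.tag != f"{{{NS}}}OrgRights":
        raise ValueError(f"expected an OrgRights document, got {root.tag}")
    have = {right_id(r.get("href", "")) for r in root.iter(f"{{{NS}}}RightReference")}
    added = []
    for href, name in extra_rights:
        if right_id(href) in have:
            continue  # already granted: do not send a duplicate reference
        ET.SubElement(root, f"{{{NS}}}RightReference",
                      {"href": href, "name": name, "type": RIGHT_TYPE})
        have.add(right_id(href))
        added.append(name)
    return ET.tostring(root, encoding="unicode"), added

if __name__ == "__main__":
    body, added = merge_org_rights(SAMPLE_CURRENT, EXTRA)
    print("Rights the PUT would add:", added)  # review this list before sending
    print(body)
```

The returned body is what goes into the raw Body field in step 5; keeping the printed list of added names alongside the change record shows exactly which rights the organisation gained.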