[VCDA-3509] Tkgm cluster create fix for vapp view forbidden error #1360


@sakthisunda sakthisunda commented May 25, 2022

  • Fix for Error:Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ dd88ceaa-47f2-46c1-a158-0fb9072d28ad ] Either you need some or all of the following rights [Base] to perform operations [VAPP_VIEW] for 75b5b162-35a4-444b-bdab-faab5d71cd6b or the target entity is invalid. (request id: dd88ceaa-47f2-46c1-a158-0fb9072d28ad)

  • Power on operation on a VM is a special operation where the authorization check to access the VM is done multiple times. Since in our case the security context is getting wiped out during the power on operation, the secondary authorization checks are failing, and that results in the 403 error.

  • Fix description: CSE service account to its absolute minimum during cluster deployment. Use service account client and vapp only for accessing and updating extra config for post boot customization.

  • Cluster create with control plane and worker node tested

  • Cluster resize with worker node scale up tested

  • Tested as Cluster Admin (Clone of Org admin + special rights)

  • Tested as Cluster Author (Clone of vApp Author + special rights)

  • Resize tested thru UI plugin and CLI with latest master branch


…uster create and resize tested

Signed-off-by: Sakthi Sundaram <[email protected]>
@sakthisunda sakthisunda requested a review from Anirudh9794 May 25, 2022 19:55

@Anirudh9794 Anirudh9794 left a comment


:lgtm:

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @sakthisunda)

@sakthisunda sakthisunda merged commit 3163574 into vmware:master May 25, 2022
ltimothy7 pushed a commit to ltimothy7/container-service-extension that referenced this pull request Jul 21, 2022
…uster create and resize tested (vmware#1360)

Signed-off-by: Sakthi Sundaram <[email protected]>
ltimothy7 pushed a commit to ltimothy7/container-service-extension that referenced this pull request Jul 22, 2022
…uster create and resize tested (vmware#1360)

Signed-off-by: Sakthi Sundaram <[email protected]>