Enable NSX Advanced Gateway Services on vCD 8.20 for Tenants with RBAC

vCloud Director 8.20 introduces a set of advanced networking and distributed firewall services that are accessible from a new HTML5-based graphical user interface called the vCloud Director Tenant Portal, and also from a new vCloud Director API for NSX. Most of the operations that enable, disable, and configure these services are controlled by rights that did not exist in previous vCloud Director releases.
Reference https://kb.vmware.com/kb/2149016

To leverage these new functionalities the edge must first be Converted to an Advanced  Gateway see also KB 2147625

If you then try to access the Advanced Services, even as tenant Organisation Administrator, without the proper authorisation in place this is what all you will see:

Basically you cannot configure anything on the new GUI unless you explicitly enabled the role.
The following are the role properties for Organization Administrator for the Organization named custx before any change is made

As you can see there is no Gateway Advanced Services in the list but only the default Gateway

Enabling Advanced Services Roles

Quoting from KB Using the vCloud API to Grant Distributed Firewall and Advanced Networking Services Rights in vCloud Director 8.20 (2149016)

In order to use the new features a System Administrator must use the vCloud API to grant the new rights that the organisation requires.

Please note: {{vcdServer}} is a variable I have defined inside my Postman client, see Setting up an environment with variables

1) Find the Organisation ID using GET https://{{vcdServer}}/api/query?type=organization

here it’s 0712aa06-d241-4423-a6e7-80daeee8f71e

2) Get all vCD instance Rights references with
GET https://{{vcdServer}}/api/admin?fields=RightReferences

The type we are looking for is Organization vCD Gateway. Save the highlighted part in your favourite text editor for later. You will need to cherry-pick your additional roles from this list.

3) GET the list of rights assigned to the Organization doing a
GET https://{{vcdServer}}/api/admin/org/0712aa06-d241-4423-a6e7-80daeee8f71e/rights

4) build the XML body for the PUT call
As you can see there are just three default Organization vDC Gateway rights assigned. Save all the existing rights on your text editor because in the next step we will need to execute a PUT of all the existing rights plus whatever we want in addition. So basically your XML body for the PUT  should be something like this

<OrgRights xmlns="http://www.vmware.com/vcloud/v1.5">
<!-- existing roles from step 2) with format as following -->
<RightReference href="https://vcdServer/api/admin/right/893b4d54-5677-3c89-a335-e10f96516e0c" name="Catalog: Create / Delete a Catalog" type="application/vnd.vmware.admin.right+xml">

<!-- add here you add the additional roles -->
<RightReference href="https://vcdServer/api/admin/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml">
<RightReference href="https://vcdServer/api/admin/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcdServer/api/admin/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcdServer/api/admin/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml">
</OrgRights>

here I’m adding BGP and OSPF configuration roles.

5) update the roles with
PUT https://{{vcdServer}}/api/admin/org/0712aa06-d241-4423-a6e7-80daeee8f71e/rights

Attention Content-Type must be application/vnd.vmware.admin.org.rights+xml   and if you don’t expect the following error:

<Error xmlns=”http://www.vmware.com/vcloud/v1.5″ stackTrace=”javax.ws.rs.ClientErrorException: HTTP 415 Unsupported Media Type>

Log back in as System Administrator and you will see the new roles now available for selection

Login as tenant Organization Administrator we can now see BGP and OSPF are configurable from Tenant Portal (nice!)

WARNING: In my tests I have noticed that you need to logout and login again as tenant Organization Administrator in order to see the new roles applied in the Tenant Portal

Assuming you forgot to include “View NAT” role, you would repeat step 4) appending this line

<RightReference href="https://vcdServer/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>

and execute the PUT again at step 5)

Login as System Administrator and add “View NAT”

and here we have it, NAT in read-only mode in the HTML5 GUI

PLEASE NOTE: System Administrator can assign/unassigned roles in the vCD GUI however editing of role rights based on a Predefined Role will change the Role itself hence it’ll change for all organisations.

Summary

I must say this RBAC granularity is very nice and useful, particularly in the Service Providers context where I can see customers wanting to subscribe only to some specific Advanced Services as opposed to the old “all-or-none” approach.

Be sociable, share!Tweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Email this to someone

5 Comments

 Add your comment
  1. Thanks Excellent article: You note about the content type should actually be “Content-type: application/vnd.vmware.admin.org.rights+xml” not application/vnd.vmware.admin.organization+xml as per the VMware article.

  2. Excellent Article!
    if you want to suffer with cli you can use these curl commands

    curl -i -k -H “Accept:application/*+xml;version=1.5” -u ‘admin@System:YOURPASSWORD’ -X POST https://vcloud_url/api/sessions

    take note of x-vcloud-authorization header

    curl -i -k -H “Accept:application/*+xml;version=1.5” -H ‘x-vcloud-authorization: OBTAINED_AUTH_HEADER’ -X GET https://vcloud_url/api/query?type=organization
    curl -i -k -H “Accept:application/*+xml;version=1.5” -H ‘x-vcloud-authorization: OBTAINED_AUTH_HEADER’ -X GET https://vcloud_url/api/admin?fields=RightReferences

    take note of organization id

    curl -i -k -H “Accept: application/*;version=27.0” -H ‘Content-type: application/vnd.vmware.admin.org.rights+xml’ -H ‘x-vcloud-authorization: OBTAINED_AUTH_HEADER’ -X GET https://vcloud_url/api/admin/org/OBTAINED_ORG_ID/rights

    create xml as your tutorial

    curl -i -k -H “Accept: application/*;version=27.0” -H ‘Content-type: application/vnd.vmware.admin.org.rights+xml’ -H ‘x-vcloud-authorization: OBTAINED_AUTH_HEADER’ -X PUT -d @filename.xml https://vcloud_url/api/admin/org/OBTAINED_ORG_ID/rights

    thank you so much!

  3. Great article Giuliano, since we have many tenants using RBAC I set about writing a PowerCLI script to automatically add the new Gateway Advanced Services rights to an individual organization by retrieving the current OrgRights and uploading a modified version via the vCloud API. I’ve published this on my blog here: http://kiwicloud.ninja/2017/08/vcloud-director-8-20-edge-gateway-roles/ – hopefully will be useful to someone else.

  4. Great article, and great COMMENTS as well, very useful!
    Thank you!

Leave a Comment

Your email address will not be published.