Recently we had a strange issue in our VMware Cloud Director (VCD) 10.2.1 environment. Within this environment we want our tenants to be able to share their Organization Networks from one Org VDC to another. This is useful if you have a management Org VDC in which some networks are present that you want to share with all of your other Org VDCs within the Organization, essentially creating a sort of “provider” network for the tenants.
Working environment context
First, let’s have a look at the OrgVDC Networking tab before an OrgVDC network is shared. It should look like this:
We can clearly see that the network “test” isn’t shared right now. To share this network we have to select it, click “Edit”, enable the slider to share the network with other OrgVDCs inside the Organization, and press Save:
If we go back to the OrgVDC Network screen we can see that the network is now shared:
In our environment, however, our customers were not able to share the network at all. This seemed strange to me because they did have the permission granted to them through our custom Rights Bundle in VCD. Those permissions are “Edit Properties” and “Create Shared Organization VDC Network” within the “Organization VDC Network” section of a Rights Bundle.
When the customer wanted to share the network, the entire “Share” slider button was not available to them. This is what we saw once we logged in and tried to share the OrgVDC Network:
We did quickly find out that by granting the customer all permissions from another Rights Bundle they were able to view the “Share” slider. But since this is not a viable solution in a production environment, we had to look into the issue. At this point I wondered if this was also happening when we tried to edit the OrgVDC Network through the API. Well, let’s have a look at that.
Luckily for us we can quickly construct a GET API call to VCD to have a look at the settings for the network. Just follow the steps below. You can use Postman for this or any other REST API client:
- Go back to the OrgVDC Network overview and open up your browser’s developer tools. Go to the Network tab and press Start/Run if it is not already running.
- Open up the network again and press Stop on the collection.
- Look up the entry whose name starts with “urn:vcloud:network:xxxxxxxxxx”. At this point it should look something like the below:
- Now that we have the unique identifier for this specific network we can construct a GET API call such as the one below (don’t forget to edit the URN):
- Once we execute this we should receive the below output. In this output we can see that the network is currently not shared with other OrgVDCs:
- Now to actually be able to share the network through the API we will have to change the previous API call to a PUT call. We will also have to add a header named “Content-Type” with the “application/json” value. The rest can stay the same.
- Copy the previous output and paste it in the “Body” for the API call. Don’t select any encoding and paste it as raw text.
- Change the “shared” value from “false” to “true” and run the API call.
- Now re-run the GET API call to confirm if the network is shared or not.
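The GET, edit, PUT, re-GET round trip from the steps above as a script; this is an added example, not code from the original post. The `/cloudapi/1.0.0/orgVdcNetworks/{urn}` path, API version 35.0, the bearer token, and the names `set_network_shared`, `http_send` and `vcd.example.com` are assumptions, and the in-memory `fake_send` stands in for VCD so the flow runs offline.

```python
import json
import time
import urllib.request

API_VERSION = "35.0"  # assumption: the API version that ships with VCD 10.2.x

def http_send(method, url, headers, body=None):
    """Default transport: send one request, return the decoded JSON body (or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def set_network_shared(host, urn, token, shared=True, send=http_send, tries=5, delay=2.0):
    """GET the Org VDC network, PUT it back with only 'shared' changed, re-GET to confirm."""
    if not urn.startswith("urn:vcloud:network:"):
        raise ValueError("expected a urn:vcloud:network:... identifier")
    url = f"https://{host}/cloudapi/1.0.0/orgVdcNetworks/{urn}"  # assumed endpoint path
    headers = {"Accept": f"application/json;version={API_VERSION}",
               "Authorization": f"Bearer {token}"}  # token: assumed existing session token
    current = send("GET", url, headers)
    if current.get("shared") == shared:
        return current  # already in the desired state, no PUT needed
    desired = dict(current, shared=shared)  # whole GET body, one field changed
    send("PUT", url, dict(headers, **{"Content-Type": "application/json"}), desired)
    for _ in range(tries):  # the change may not be visible immediately
        confirmed = send("GET", url, headers)
        if confirmed.get("shared") == shared:
            return confirmed
        time.sleep(delay)
    raise RuntimeError("PUT was accepted but 'shared' did not change")

if __name__ == "__main__":
    # Constructed stand-in for VCD so the flow runs offline; not real API output.
    net = {"id": "urn:vcloud:network:00000000-0000-0000-0000-000000000000",
           "name": "test", "shared": False}

    def fake_send(method, url, headers, body=None):
        if method == "PUT":
            net.update(body)
            return {}
        return dict(net)

    print(set_network_shared("vcd.example.com", net["id"], "TOKEN", send=fake_send))
```

Running the same function with the tenant account that cannot see the slider in the GUI reproduces the comparison made in the steps above.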
The PUT call actually made the OrgVDC Network shared within the VCD environment. At this point I was 100% sure this was not permission related since we did the API call with the user we used to view the OrgVDC Network properties from within the GUI. At this point I was out of options since the logging from the VCD cells did not yield any useful information, and I created a support case with VMware.
After multiple very long sessions with VMware GSS we both decided it indeed was not a permission issue but an issue with the VCD API. VMware tested a couple of things within a test environment and in the end they concluded that this issue was occurring due to a rare bug within VCD 10.2.1 which affected some GUI elements. We had to strip down each specific permission in the database to find the solution!
The resolution was actually really simple. We had to add the permission “View VDC Group” in the Rights Bundle for our customers. By adding this permission our customers were able to share the Network again from the VCD UI rather than from the API.
The good news, however, is that this is fixed in VCD 10.2.2. It is not mentioned in the Release Notes for VCD 10.2.2 but I was assured by VMware, and I tested this extensively in our environment once we upgraded it to VCD 10.2.2. Starting from this version it’s possible to remove the “View VDC Group” permission again if needed.
I hope this was useful for you guys if you are still running VCD 10.2.1. I really suggest that you upgrade to VCD 10.3 or at least 10.2.2 for all the new fancy features such as more Tanzu support, NSX-T parity, Global Placement Policies and much much more!