Troubleshooting: HTML5 vSphere Web Client unable to add a new FlashArray
Symptom
When attempting to create a new FlashArray object utilizing the HTML5 vSphere Plugin the following error is reported:
Additionally, when reviewing the vSphere Web Client UI log vsphere-ui-runtime.log.stderr the following error is noted:
Jan 15, 2020 1:20:56 PM com.purestorage.purestoragehtml.services.util.FlashArrayUtils setFlashArrayList SEVERE: com.purestorage.purestoragehtml.services.framework.exception.PureException: Exception updating permission valuescom.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Permission to perform this operation was denied. Please see the server log to find more detail regarding exact cause of the failure. com.purestorage.purestoragehtml.services.framework.exception.PureException: Exception updating permission valuescom.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Permission to perform this operation was denied. Please see the server log to find more detail regarding exact cause of the failure. at com.purestorage.purestoragehtml.services.util.VMWareUtils.setCustomKeyValues(Unknown Source) at com.purestorage.purestoragehtml.services.util.FlashArrayUtils.setFlashArrayList(Unknown Source)
The errors (above) can be found in the following log file on the vCenter Server Appliance (VCSA): /var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log.stderr
Diagnosis
The underlying problem here is insufficient permissions, specifically for the end-user logged in to the vCenter Server. When a FlashArray object is created all FA information is persisted in the 'Custom Attributes' field in the top-level vSphere object (in this case, vCenter). This means that the end-user must have permissions to edit Custom Attributes on the global object.
Example Screenshot of where FA information is stored:
If the end-user logged in to vCenter is unable to edit these fields, then adding a FlashArray object via the vSphere Web Client will fail.
Solution
In order to resolve these permissions must be altered on the vCenter Server. You must find the role the end-user belongs to and add the following permissions:
- Global > 'Manage Custom Attributes'
- Global > 'Set Custom Attribute'
A screenshot is provided below for reference:
Once both of these permissions have been applied you should be able to successfully create a FlashArray object using the vSphere Web Client plugin.
Note that it is likely the user with insufficient credentials to create a FlashArray will also not be able to modify permissions and thus will likely require a vSphere admin to make the required changes.
Note that a new Role made with these permissions would need to be assigned to the relevant vCenter node in the inventory.