vRA Upgrade Governance

 

UpgradeGovernance upgrades entitlements and approval policies in the vRA self-service platform. Entitlements determine which users or groups can request catalog items or perform specific actions on requested items. Approval policies attached to entitled catalog items or entitled actions add further controls to the environment. This blog post gives a step-by-step procedure for debugging known scenarios that come up when UpgradeGovernance migrates entitlements and approvals from 6.x to 7.x.

 

Scenario 1:

 

An approval policy of a given type should be associated only with the matching item types in the entitlement, as follows:

Policy Generic Type: Request should be mapped to Services/Entitled Items/Entitled Actions
Policy Type: CatalogItemRequest should be mapped to Entitled Items
Policy Type: ResourceActionRequest should be mapped to Entitled Actions

This validation has existed in the UI since 6.x, but was only introduced in the REST API in 7.0. A user could therefore assign the wrong type of approval policy to an entitlement through an API call in 6.x. When such entitlements are migrated to 7.x, a validation failure occurs.

How to diagnose this case using logs :

 

IAAS install log :

"C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\Vcac-Config.exe" UpgradeGovernance -v
Starting upgrade for Approval Policies And Entitlements.
System.AggregateException: One or more errors occurred. ---> VMware.Cafe.JsonResponseException: System exception.

Catalina.out :

Completed migrating entitlements for tenant [<tenant>] but with errors. See event log for more detials.

Errors encountered in migrating 'Entitlements'. See 'Administration > Events > Event Logs' under events with 'Target Type' as 'EntitlementUpgrade'. Retry migration…

audit.log

Error in migrating entitlement [<entitlement name>] with id [<entitlement name>] in subtenant [<Business group>] of tenant [<tenant>]. Details: [[Rest Error]: {Status code: 400}, {Error code: 20142} , {Error Source: null}, {Error Msg: The approvalPolicyId [<approvalPolicyId>] is not valid for its associated entitlement.}, {System Msg: The approvalPolicyId [<approvalPolicyId>] is not valid for its associated entitlement.}]

How to fix :

In the UI, open the entitlement named in the log statement above and remove the approval policy it mentions from the entitlement. Then retry the migration script.

 

Scenario 2:

 

If 6.x contains entitlements for subtenants that do not exist in the system, these entitlements cannot be upgraded to 7.0. This happens when subtenants are deleted from the system but their corresponding entitlements are not. From 7.1 onwards, the error is ignored and the upgrade continues without bailing out.

How to diagnose this case using logs :

 

IAAS install log :

{"errors":[{"code":50505,"message":"System exception.","systemMessage":"Errors encountered in migrating 'Entitlements'. See 'Administration > Events > Event Logs' under events with 'Target Type' as 'EntitlementUpgrade'. Retry migration…","moreInfoUrl":null}]

Catalina.out

com.vmware.vcac.iaas.upgrade.service.impl.IaaSGovernanceMigrationServiceImpl.invokeEntitlementUpdate:625 - Updating entitlement [<Entitlement-name>] in tenant [<tenant-name>] with additional operations [composition.resource.action.deployment.archive]

 Error :Unable to retrieve tenant by ID: <subTenantId> in the tenant ID: <tenantId>

If the following statement appears along with the above error, scenario 2 is not the root cause of the migration failure.

Entitlement[<Entitlement-name>] with id[<Entitlement-id>] had its subtenant<subTenant> removed and will be ignored.

How to fix :

Delete the entitlements for non-existent subtenants and retry the migration script.

 

Scenario 3:

 

If the system is heavily loaded and the entitlement migration from 6.x to 7.x does not complete within the HTTP request timeout (default 100 sec), another call is made to migrate entitlements, which causes the governance migration to fail.

How to diagnose this case using logs :

 

Catalina.out:
com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleConflict:714 - Object of class [com.vmware.vcac.catalog.domain.Entitlement] with identifier [ceeee8b9-760a-4366-b2b2-221cc4261a5a]: optimistic locking failed; nested exception is org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect): [com.vmware.vcac.catalog.domain.Entitlement#ceeee8b9-760a-4366-b2b2-221cc4261a5a]
org.springframework.orm.ObjectOptimisticLockingFailureException: Object of class [com.vmware.vcac.catalog.domain.Entitlement] with identifier [ceeee8b9-760a-4366-b2b2-221cc4261a5a]: optimistic locking failed; nested exception is org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect): [com.vmware.vcac.catalog.domain.Entitlement#ceeee8b9-760a-4366-b2b2-221cc4261a5a]

How to fix :

Retry the migration script.
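
The three log signatures above can be checked in one pass over audit.log and catalina.out. The following triage script is an added example, not part of the original post or of vRA; the function and variable names are hypothetical, the sample lines are constructed, and treating any "will be ignored" statement as ruling out scenario 2 is this example's reading of the caveat above.

```python
import re

# Signatures copied from the log excerpts on this page; names are hypothetical.
POLICY_RE = re.compile(
    r"Error in migrating entitlement \[(?P<name>[^\]]*)\].*?Error code: 20142"
    r".*?approvalPolicyId \[(?P<policy>[^\]]*)\] is not valid")
SUBTENANT_RE = re.compile(
    r"Unable to retrieve tenant by ID: (?P<sub>\S+) in the tenant ID: (?P<tenant>\S+)")
IGNORED_RE = re.compile(r"had its subtenant.*removed and will be ignored")
LOCK_RE = re.compile(
    r"\[com\.vmware\.vcac\.catalog\.domain\.Entitlement\] with identifier "
    r"\[(?P<id>[0-9a-f-]{36})\]: optimistic locking failed")

def triage(lines):
    """Classify log lines into the post's scenarios; returns unique findings."""
    lines = list(lines)
    # Scenario 2 caveat: "will be ignored" means the subtenant is not the root cause.
    ignored = any(IGNORED_RE.search(line) for line in lines)
    findings = []
    for line in lines:
        if m := POLICY_RE.search(line):
            hit = (1, f"policy {m['policy']} on entitlement {m['name']}",
                   "remove the policy from the entitlement, then retry")
        elif (m := SUBTENANT_RE.search(line)) and not ignored:
            hit = (2, f"subtenant {m['sub']} missing in tenant {m['tenant']}",
                   "delete entitlements of non-existent subtenants, then retry")
        elif m := LOCK_RE.search(line):
            hit = (3, f"concurrent update of entitlement {m['id']}", "retry")
        else:
            continue
        if hit not in findings:  # catalina.out repeats the same exception text
            findings.append(hit)
    return findings

# Constructed sample lines modelled on the excerpts above (values are made up).
SAMPLE = [
    "Error in migrating entitlement [Dev VMs] with id [e-1] in subtenant [BG1] "
    "of tenant [t1]. Details: [[Rest Error]: {Status code: 400}, {Error code: "
    "20142} , {Error Msg: The approvalPolicyId [p-42] is not valid for its "
    "associated entitlement.}]",
    " Error :Unable to retrieve tenant by ID: st-9 in the tenant ID: t1",
    "Object of class [com.vmware.vcac.catalog.domain.Entitlement] with identifier "
    "[00000000-0000-0000-0000-000000000001]: optimistic locking failed; nested ...",
]
IGNORED_LINE = "Entitlement[Old] with id[e-7] had its subtenant<st-9> removed and will be ignored."

if __name__ == "__main__":
    for scenario, detail, fix in triage(SAMPLE):
        print(f"Scenario {scenario}: {detail} -> {fix}")
```

Feed it the concatenated lines of both log files so the scenario 2 caveat can see the "will be ignored" statement wherever it was logged.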

 

Refer to https://blogs.vmware.com/management/2018/01/debug-tips-vra-7-x-entitlements.html for debug tips on entitlements and approvals in vRA 7.x.

Refer to https://blogs.vmware.com/management/2017/05/vrealize-automation-api-samples-for-postman.html for vRA API examples.