Edge Built in roles are missing

With Private Cloud release 4.17.05, we are not seeing all the built-in roles like opsadmin, read only admin, etc. We are also getting a 404 error code with reason "Either organization does not exist or user store not initialized for {org}" while trying to fetch orgadmin users using the Management API below.


curl -v -k -H "Authorization:Basic xxxxxx" https://{MS_IP:port}/v1/organizations/{org}/userroles/orgadmin/users

However, we are able to get organization details using:

curl -v -k -H "Authorization:Basic xxxxxx" https://{MS_IP:port}/v1/organizations/

But unable to get edge built-in roles or users within a role.

Not applicable

On-boarding of the organization may not have worked correctly. If you have management server logs when the on-boarding was attempted that will help to narrow down the issue. Please upload any errors that you are seeing currently on management server log as well.

@AMAR DEVEGOWDA

I also ran into the same issue when I created an org with an API call and not with the apigee provision utility.

Except org admin all other built in roles are missing. I am using Apigee private cloud 4.17.09.

Are you able to resolve this issue?

Not applicable

I am also facing the same issue with 4.18.05; I don't see any role including sysadmin after installation. Can anyone help on this? Thanks in advance.

Hi @adevegowda12 , @Priyadarshi Ajitav Jena,

I've noticed this as well when provisioning an org using APIs; it appears the docs here: https://docs.apigee.com/private-cloud/v4.18.05/provisioning-organizations are missing the steps to create the built-in roles.

If you use apigee-service apigee-provision setup-org it's OK, unless you have changed default values (e.g. gateway pod name).

  • You can confirm this by looking at: /opt/apigee/apigee-provision/lib/actions/setup-org
  • which calls: /opt/apigee/apigee-provision/lib/actions/create-roles

However, you can just create the roles and add permissions using management APIs as shown below.

NOTE: when you create these roles, Edge recognizes them as built in and displays them correctly 🙂

Here is an overview of the steps:

  1. Create the missing built-in roles; this can be done in a single API call
  2. For each missing built-in role
    1. Get the permissions from an existing good-org and save the response for the next step.
    2. Create/Update the permissions for each missing built-in role in the new-org using the response from the previous step (NOTE: you can leave the good-org name in the request as it's ignored).
    3. Verify the results

DETAILS:

1. First create the roles in one call:

curl -n -X POST  http://{{MGMTSVR}}/v1/o/{{NEW-ORG}}/userroles \
  -H 'Content-Type: application/json' \
  -d '{
 "role" : [ 
   { "name" : "businessuser" },
   { "name" : "opsadmin" },
   { "name" : "readonlyadmin" },
   { "name" : "user" }
 ]
}
' 

2. Then get existing permissions from a good-org, create permissions in new-org and verify.

2.1 Get permissions for businessuser role from good-org:

curl -n -X GET {{MGMTSVR}}/v1/o/{{GOOD-ORG}}/userroles/businessuser/permissions 

2.2 Create permissions for businessuser role in new-org with result from 2.1:

curl -n -X POST  {{MGMTSVR}}/v1/o/{{NEW-ORG}}/userroles/businessuser/resourcepermissions \
  -H 'Content-Type: application/json' \
  -d '{
    "resourcePermission": [
        {
            "organization": "trial",
            "path": "/",
            "permissions": [
                "get"
            ]
        },
	... additional permissions omitted for brevity ...
    ]
}' 

2.3 Verify the result

curl -n -X GET {{MGMTSVR}}/v1/o/{{NEW-ORG}}/userroles/businessuser/permissions 

Repeat the steps in 2 for "opsadmin", "readonlyadmin" and "user" roles.

Verify in the UI.
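
The per-role steps 2.1 to 2.3 above, looped over all four roles with a read-back comparison so a role that ends up with different permissions than the good org is flagged. This is an added example, not part of the original post or Apigee's tooling; it assumes `MGMTSVR` includes the scheme and port, `GOOD_ORG` and `NEW_ORG` are set by the operator, and credentials come from `~/.netrc` as with `curl -n` in the post.

```shell
#!/bin/sh
# Added example. Assumptions: MGMTSVR holds scheme://host:port, GOOD_ORG and
# NEW_ORG are org names, and credentials come from ~/.netrc (curl -n) as in the post.
ROLES="businessuser opsadmin readonlyadmin user"

# Build a role endpoint: $1=org $2=role $3=permissions|resourcepermissions
perm_url() {
  printf '%s/v1/o/%s/userroles/%s/%s' "$MGMTSVR" "$1" "$2" "$3"
}

# Strip whitespace and the per-org "organization" field so two orgs compare equal.
normalize() {
  tr -d ' \t\r\n' | sed 's/"organization":"[^"]*",\{0,1\}//g'
}

# True when two permission documents grant the same thing (same entry order assumed).
same_permissions() {
  [ "$(printf '%s' "$1" | normalize)" = "$(printf '%s' "$2" | normalize)" ]
}

# Steps 2.1 to 2.3 for one role: read from good org, write to new org, read back.
copy_role() {
  role=$1
  src=$(curl -n -sS -f "$(perm_url "$GOOD_ORG" "$role" permissions)") || return 1
  case "$src" in
    *'"resourcePermission"'*) ;;
    *) echo "$role: no permissions returned by $GOOD_ORG, not posting" >&2; return 1 ;;
  esac
  printf '%s' "$src" | curl -n -sS -f -X POST \
    "$(perm_url "$NEW_ORG" "$role" resourcepermissions)" \
    -H 'Content-Type: application/json' --data-binary @- >/dev/null || return 1
  dst=$(curl -n -sS -f "$(perm_url "$NEW_ORG" "$role" permissions)") || return 1
  same_permissions "$src" "$dst"
}

main() {
  : "${MGMTSVR:?}" "${GOOD_ORG:?}" "${NEW_ORG:?}"
  rc=0
  for role in $ROLES; do
    if copy_role "$role"; then echo "OK       $role"
    else echo "MISMATCH $role (review by hand)"; rc=1; fi
  done
  return $rc
}

# Runs only when invoked as: sh copy-roles.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The roles themselves must already exist in the new org (step 1). A MISMATCH line can also mean the server returned the entries in a different order, so compare that role's two responses by hand before changing anything.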