Problem
When upgrading to NetBackup version 8.3 (or higher), users need to be aware that the principals for any existing API keys must be reassigned. These principals need to be reassigned to a role with the permissions required for the functions used with that key to continue working.
Error Message
While there are no error messages, there will be prompts during the installation/upgrade process that will reference this technical article and require user interaction to confirm acknowledgement before proceeding with the upgrade. Any NetBackup master server that is being upgraded from 8.2 (or higher) to NetBackup 8.3 (or higher) will run this check.
This check looks for existing API keys that may be used for automation. If API keys exist, any automation that depends on them may fail until the principals associated with these API keys are reassigned to the right role. In this case, the administrator can only take action post-upgrade. Since existing API keys may have no permissions after upgrade, it is recommended that the administrator resolve any issues with API keys before running any automated scripts against the upgraded instance.
Cause
The checks performed during the upgrade process will determine if role-based access control keys are found in the NetBackup database. If the database has no entries for API keys, the check passes.
Solution
The user will need to acknowledge the message before proceeding with the upgrade.
To resolve issues, perform the following steps after successfully upgrading to NetBackup 8.3 (or higher):
Open the Web UI and log in as a principal assigned to the Administrator role.
Navigate to Security > API keys from the left-hand navigation menu.
Note the username of the principal associated with the key(s) shown in the table.
Navigate to the Security > RBAC node.
You now have one of two choices:
Add the user to the Administrator role
Click Administrators, then go to the Users tab. Enter the username of the principal noted above and click Add to list.
Create a new role with the appropriate access
Click Add and enter the information to create a new role.
Based on the API you intend to use with the API key, use the Swagger documentation available for the API on the master server to identify that API's Access Control Namespace and Requires Operation fields. Ensure those permissions are selected in the Select permissions step of the Add role wizard.
For example, accessing
GET /admin/jobs
using an API key requires |OPERATIONS|VIEW| on the |MANAGE|JOBS| namespace. This corresponds to the View checkbox under Global > NetBackup management > Jobs.
Add the user(s) noted above under the Select users tile of the Add role wizard.
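A preflight check an administrator could run before re-enabling automation, added here as an example and not taken from Veritas: it probes each endpoint the automation uses with the API key and reports which ones still fail, along with the namespace and operation to grant. It assumes the API key is sent in the Authorization header and that the server answers 401 for a rejected key and 403 for a principal without the required permission; the environment variable names are hypothetical.

```python
import functools
import json
import os
import sys
import urllib.error
import urllib.request

# Endpoint -> (namespace, operation) taken from the Swagger documentation.
# The single entry is the article's example; extend it per automation script.
REQUIRED = {"/admin/jobs": ("|MANAGE|JOBS|", "|OPERATIONS|VIEW|")}

def classify(status):
    """Map the HTTP status of a GET probe to an action for the administrator."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "key-rejected"        # assumed: key expired, deleted or invalid
    if status == 403:
        return "missing-permission"  # assumed: principal's role lacks the operation
    return "unexpected"

def http_probe(base_url, api_key, path, timeout=10):
    """Send one GET carrying the API key and return the HTTP status code."""
    request = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": api_key})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

def preflight(probe, required=REQUIRED):
    """Probe each endpoint; list the ones that fail with the permission to grant."""
    findings = []
    for path, (namespace, operation) in sorted(required.items()):
        result = classify(probe(path))
        if result != "ok":
            findings.append({"path": path, "result": result,
                             "namespace": namespace, "operation": operation})
    return findings

if __name__ == "__main__":
    # NBU_BASE_URL and NBU_API_KEY are hypothetical variable names; reading the
    # key from the environment keeps it out of the process list and shell history.
    probe = functools.partial(http_probe, os.environ["NBU_BASE_URL"],
                              os.environ["NBU_API_KEY"])
    findings = preflight(probe)
    print(json.dumps(findings, indent=2))
    sys.exit(1 if findings else 0)
```

A non-zero exit status means at least one endpoint still fails, so the script can gate the automation it protects.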