Posted to issues@cloudstack.apache.org by "Pranav Saxena (JIRA)" <ji...@apache.org> on 2013/04/29 07:44:16 UTC
[jira] [Commented] (CLOUDSTACK-2212) [Egress Rules] [Shared Network] Unable to configure egress rules as non-ROOT domain user
[ https://issues.apache.org/jira/browse/CLOUDSTACK-2212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13644283#comment-13644283 ]
Pranav Saxena commented on CLOUDSTACK-2212:
-------------------------------------------
Not a UI bug. The API needs to allow the permission to non-ROOT domain user to be able to execute the functionality. So while defining the API, the backend developer needs to provide the permission code number accordingly.
> [Egress Rules] [Shared Network] Unable to configure egress rules as non-ROOT domain user
> ----------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-2212
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2212
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.2.0
> Environment: commit 0e2ffe72aa641f4551cae63fbc36454c5934342f
> Reporter: venkata swamybabu budumuru
> Assignee: Pranav Saxena
> Fix For: 4.2.0
>
> Attachments: logs.tgz
>
>
> Steps to Reproduce:
> 1. Create an advanced zone with 1 Xen cluster
> 2. Create a shared network offering with JuniperSRX servicing the firewall related functionalities
> select * from network_offerings
> id: 17
> name: test
> uuid: ed856a34-71e9-4bef-ae71-b4781fb57626
> unique_name: test
> display_text: test
> nw_rate: NULL
> mc_rate: 10
> traffic_type: Guest
> tags: NULL
> system_only: 0
> specify_vlan: 1
> service_offering_id: NULL
> conserve_mode: 0
> created: 2013-04-26 17:04:40
> removed: NULL
> default: 0
> availability: Optional
> dedicated_lb_service: 0
> shared_source_nat_service: 1
> sort_key: 0
> redundant_router_service: 0
> state: Enabled
> guest_type: Shared
> elastic_ip_service: 0
> eip_associate_public_ip: 0
> elastic_lb_service: 0
> specify_ip_ranges: 1
> inline: 0
> is_persistent: 0
> # select * from networks
> id: 211
> name: SharedNet3
> uuid: 9aded0d9-f60c-4d06-af6d-aed9dad43b31
> display_text: SharedNet3
> traffic_type: Guest
> broadcast_domain_type: Vlan
> broadcast_uri: vlan://908
> gateway: 192.168.121.1
> cidr: 192.168.121.0/24
> mode: Dhcp
> network_offering_id: 17
> physical_network_id: 201
> data_center_id: 2
> guru_name: DirectNetworkGuru
> state: Implemented
> related: 211
> domain_id: 1
> account_id: 1
> dns1: NULL
> dns2: NULL
> guru_data: NULL
> set_fields: 0
> acl_type: Domain
> network_domain: cs1cloud.internal
> reservation_id: f0e990b9-c85e-4ff1-baa0-189f683406e5
> guest_type: Shared
> restart_required: 0
> created: 2013-04-26 17:49:15
> removed: NULL
> specify_ip_ranges: 1
> vpc_id: NULL
> ip6_gateway: NULL
> ip6_cidr: NULL
> network_cidr: NULL
> # mysql> select * from ntwk_service_map where network_id=211;
> +----+------------+----------------+---------------+---------------------+
> | id | network_id | service | provider | created |
> +----+------------+----------------+---------------+---------------------+
> | 25 | 211 | Dhcp | VirtualRouter | 2013-04-26 17:49:15 |
> | 22 | 211 | Dns | VirtualRouter | 2013-04-26 17:49:15 |
> | 21 | 211 | Firewall | JuniperSRX | 2013-04-26 17:49:15 |
> | 27 | 211 | PortForwarding | JuniperSRX | 2013-04-26 17:49:15 |
> | 23 | 211 | SourceNat | JuniperSRX | 2013-04-26 17:49:15 |
> | 24 | 211 | StaticNat | JuniperSRX | 2013-04-26 17:49:15 |
> | 26 | 211 | UserData | VirtualRouter | 2013-04-26 17:49:15 |
> 3. Create a new domain with at least one account with user role
> 4. Log in as the above user and try to create an egress rule
> Observations:
> - It fails with the following error in the logs.
> 2013-04-26 15:01:57,880 DEBUG [cloud.user.AccountManagerImpl] (Job-Executor-53:job-169) Access to Acct[45-dom1Acc1] granted to Acct[45-dom1Acc1] by DomainChecker_EnhancerByCloudStack_4891655
> 2013-04-26 15:01:57,909 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-53:job-169) Unexpected exception while executing org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd
> com.cloud.exception.PermissionDeniedException: Acct[45-dom1Acc1] does not have permission to operate with resource Rule[6-Firewall-Add]
> at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:132)
> at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:384)
> at com.cloud.network.firewall.FirewallManagerImpl.revokeFirewallRule(FirewallManagerImpl.java:654)
> at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
> at com.cloud.network.firewall.FirewallManagerImpl.revokeFirewallRule(FirewallManagerImpl.java:683)
> at org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd.execute(CreateEgressFirewallRuleCmd.java:147)
> at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:155)
> at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:437)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
> at java.util.concurrent.FutureTask.run(FutureTask.java:166)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:679)
> Attaching all the required logs along with db dump.
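A triage sketch for the stack trace in the report above, as an added example that is not part of the original message or of CloudStack: it extracts the denied account, the resource, the API command and the first call guarded by `checkAccess` from a management-server log. The line shapes are assumed to match the excerpt quoted in the report; the function and field names are hypothetical.

```python
import re

# Excerpt copied from the report above (interceptor and JDK frames omitted).
SAMPLE_LOG = """\
2013-04-26 15:01:57,880 DEBUG [cloud.user.AccountManagerImpl] (Job-Executor-53:job-169) Access to Acct[45-dom1Acc1] granted to Acct[45-dom1Acc1] by DomainChecker_EnhancerByCloudStack_4891655
2013-04-26 15:01:57,909 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-53:job-169) Unexpected exception while executing org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd
com.cloud.exception.PermissionDeniedException: Acct[45-dom1Acc1] does not have permission to operate with resource Rule[6-Firewall-Add]
at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:132)
at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:384)
at com.cloud.network.firewall.FirewallManagerImpl.revokeFirewallRule(FirewallManagerImpl.java:654)
at org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd.execute(CreateEgressFirewallRuleCmd.java:147)
at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:155)
"""

ERROR_RE = re.compile(r"^\S+ \S+ ERROR \[[^\]]+\] \((?P<job>[^)]+)\) "
                      r"Unexpected exception while executing (?P<cmd>\S+)$")
DENIED_RE = re.compile(r"PermissionDeniedException: (?P<acct>Acct\[[^\]]+\]) does not "
                       r"have permission to operate with resource (?P<res>\S+)$")
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>\w+)\([^)]*\)$")

def find_denials(log_text):
    """Return one dict per PermissionDeniedException found in the log text."""
    denials, command, job, current = [], None, None, None
    for line in log_text.splitlines():
        err = ERROR_RE.match(line)
        if err:  # remember which API command and async job the trace belongs to
            command, job, current = err["cmd"], err["job"], None
            continue
        denied = DENIED_RE.search(line)
        if denied:
            current = {"job": job, "command": command, "account": denied["acct"],
                       "resource": denied["res"], "check": None, "guarded_call": None}
            denials.append(current)
            continue
        frame = FRAME_RE.match(line)
        if not frame:
            current = None  # any non-frame line ends the stack trace
        elif current is not None:
            name = frame["cls"].rsplit(".", 1)[-1] + "." + frame["method"]
            if frame["method"] == "checkAccess":
                current["check"] = current["check"] or name  # innermost checker
            elif current["guarded_call"] is None:
                # Assumes the checkAccess frames sit at the top of the trace.
                current["guarded_call"] = name
    return denials

if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(d)
```
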