Posted to users@cloudstack.apache.org by Ricardo Pertuz <ri...@kuasar.co> on 2022/07/26 21:15:53 UTC
Permission Denied on Domain Controller on Internal LoadBalancer
Hi all,
We use a domain controller user in ACS to deploy the infrastructure, however when we try to CreateLoadBalancer we are receiving a “531 Unable to use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”
PermissionDenied: Unable to use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
Is there any configuration missing or is it a bug? It works well when using the admin user.
ACS 4.15.2.0
KVM
Redundant VPC offering
Supported Services on Network Offering
SourceNat : VpcVirtualRouter
Dhcp : VpcVirtualRouter
Lb : InternalLbVm
UserData : VpcVirtualRouter
Dns : VpcVirtualRouter
NetworkACL : VpcVirtualRouter
BR,
Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Hi, any hint?
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Please follow
https://github.com/apache/cloudstack/issues/6590
BR
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Wei ZHOU <us...@gmail.com>.
Hi Ricardo,
Can you create a GitHub issue to describe how to reproduce the issue?
Thanks
https://github.com/apache/cloudstack/issues
-Wei
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Thanks Wei,
Passing projectid same result, not so sure when you say "add the domain admin to the project ", we want to make it available for any user on the platform on demand.
Regards,
Ricardo P
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Wei ZHOU <us...@gmail.com>.
Hi,
Does the network belong to a project? If so, please pass projectid or add the domain admin to the project.
-Wei
On Wednesday, 27 July 2022, Ricardo Pertuz <ri...@kuasar.co> wrote:
> Hi,
>
> Here the logs (I changed some sensitive info)
>
> On 27/07/22, 10:07 AM, "Wei ZHOU" <us...@gmail.com> wrote:
>
> Hi Ricardo,
>
> Could you share more logs?
>
> -Wei
>
> On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz <ri...@kuasar.co> wrote:
>
> > Hi Wei,
> >
> > Tried using domainid, account and accountid and all these 3 together,
> > still the same error, “Error: (HTTP 531, error code 4365) Unable to use
> > network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied”
> >
> > Regards,
> >
> > Ricardo P
> >
> > From: Ricardo Pertuz <ri...@kuasar.co>
> > Date: Wednesday, 27 July 2022, 9:46 AM
> > To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
> > Subject: Re: Permission Denied on Domain Controller on Internal LoadBalancer
> >
> > Both, using the UI and API (Cloudmonkey), I will pass that parameter (not
> > in docs btw)
> >
> > Get Outlook for Android<https://aka.ms/AAb9ysg>
> > ________________________________
> > From: Wei ZHOU <us...@gmail.com>
> > Sent: Wednesday, July 27, 2022 9:44:20 AM
> > To: users <us...@cloudstack.apache.org>
> > Subject: Re: Permission Denied on Domain Controller on Internal LoadBalancer
> >
> > Hi Ricardo,
> >
> > If a domain admin creates a load balancer on an isolated network which
> > belongs to another account, domainid/account should be passed.
> > By the way, did you do it by API or UI?
> >
> > -Wei
> >
> > On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co> wrote:
> >
> > > Thanks Wei for replying, the caller has the role Domain Admin, so we guess
> > > it should be able to execute it
> > >
> > > On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
> > >
> > > Hi Ricardo,
> > >
> > > Please check if the caller is the owner of the network, or the caller can
> > > access the network if it belongs to a project.
> > >
> > > -Wei
> > >
> > > On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ri...@kuasar.co> wrote:
> > >
> > > > Hi all,
> > > >
> > > > We use a domain controller user in ACS to deploy the infrastructure,
> > > > however when we try to CreateLoadBalancer we are receiving a “531 Unable to
> > > > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”
> > > >
> > > > PermissionDenied: Unable to use network with id=
> > > > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> > > >
> > > > Is there any configuration missing or is it a bug? It works well when
> > > > using the admin user.
> > > >
> > > > ACS 4.15.2.0
> > > > KVM
> > > > Redundant VPC offering
> > > >
> > > > Supported Services on Network Offering
> > > > SourceNat : VpcVirtualRouter
> > > > Dhcp : VpcVirtualRouter
> > > > Lb : InternalLbVm
> > > > UserData : VpcVirtualRouter
> > > > Dns : VpcVirtualRouter
> > > > NetworkACL : VpcVirtualRouter
> > > >
> > > > BR,
> > > >
> > > > Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Hi,
Here the logs (I changed some sensitive info)
Apilog
*****
2022-07-27 11:34:57,218 INFO [a.c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) (userId=4 accountId=4 sessionId=null) 192.168.xxx.xxx -- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-cd93-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw 531 Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied
Management-server
*****************
2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6) (logid:b8e0600b) ===START=== 192.168.xx.xx-- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxR &command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,201 DEBUG [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc) (logid:b8e0600b) CIDRs from which account 'Acct[c5aac4a3-xxxx-43a9-8117-eb2fa34fdca5-cocentrodemo1control]' is allowed to perform API calls: 0.0.0.0/0,::/0
2022-07-27 11:34:57,205 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Access to Acct[39efe918-df79-45ec-b8f0-302c6d44dfa9-PrjAcct-624349294c0efe30d9ec0fd6-3] granted to Acct[026a2cc9-xxxx-447a-9bf3-6a749fae743a-demo1control] by DomainChecker
2022-07-27 11:34:57,209 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,217 INFO [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) PermissionDenied: Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
2022-07-27 11:34:57,218 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) ===END=== 192.168. === 192.168.xx.xx -- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo5v1FeY&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq 47-30512: { Cmd , MgmtId: -1, via: 47, Ver: v1, Flags: 11, [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":"7557","_loadInfo":"{
"connections": []
On 27/07/22, 10:07 AM, "Wei ZHOU" <us...@gmail.com> wrote:
Hi Ricardo,
Could you share more logs ?
-Wei
On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Hi Wei,
>
> Tried using domainid, account and accountid and all these 3 together,
> still the same error, “Error: (HTTP 531, error code 4365) Unable to use
> network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied”
>
> Regards,
>
> Ricardo P
>
> From: Ricardo Pertuz <ri...@kuasar.co>
> Date: Wednesday, 27 July 2022, 9:46 AM
> To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Both, using the UI and API ( Cloudmonkey), I will pass that parameter (not
> in docs btw)
>
> ________________________________
> From: Wei ZHOU <us...@gmail.com>
> Sent: Wednesday, July 27, 2022 9:44:20 AM
> To: users <us...@cloudstack.apache.org>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Hi Ricardo,
>
> If a domain admin creates a load balancer on an isolated network which
> belongs to another account, domainid/account should be passed.
> By the way, did you do it by API or UI ?
>
> -Wei
>
> On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co>
> wrote:
>
> > Thanks Wei for replying, the caller has the role Domain Admin, so we
> guess
> > it should be able to execute it
> >
> > On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
> >
> > Hi Ricardo,
> >
> > Please check if the caller is the owner of the network, or the caller
> > can
> > access the network if it belongs to a project.
> >
> > -Wei
> >
> > On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <
> ricardo.pertuz@kuasar.co
> > >
> > wrote:
> >
> > > Hi all,
> > >
> > > We use a domain controller user in ACS to deploy the
> > infrastructure,
> > > however when we try to CreateLoadBalancer we are receiving a “531
> > Unable to
> > > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a,
> permission
> > denied”
> > >
> > > PermissionDenied: Unable to use network with id=
> > > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> > >
> > > Is there any configuration missing or is it a bug? It works well
> when
> > > using the admin user.
> > >
> > > ACS 4.15.2.0
> > > KVM
> > > Redundant VPC offering
> > >
> > > Supported Services on Network Offering
> > > SourceNat : VpcVirtualRouter
> > > Dhcp : VpcVirtualRouter
> > > Lb : InternalLbVm
> > > UserData : VpcVirtualRouter
> > > Dns : VpcVirtualRouter
> > > NetworkACL : VpcVirtualRouter
> > >
> > > BR,
> > >
> > > Ricardo
>
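An added example, not part of the original message or of CloudStack's own code: a small helper that follows one request through management-server lines by its logid, collects the access-check trail (the DomainChecker grant and the later PermissionDenied), and masks apiKey/signature values before the excerpt is shared. The sample lines are constructed in the format quoted above with placeholder IDs; the function names `redact` and `trace` are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in the management-server format quoted in the thread;
# keys, IDs and account names are placeholders, not values from the post.
SAMPLE = """\
2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] (qtp1-1192:ctx-aaaa) (logid:b8e0600b) ===START=== 192.0.2.10 -- GET apiKey=EXAMPLEKEY&command=createLoadBalancer&networkid=NET-PLACEHOLDER&scheme=Internal&signature=EXAMPLESIG%3D
2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl] (qtp1-1192:ctx-aaaa ctx-bbbb) (logid:b8e0600b) Access to Acct[1111-PrjAcct-demo-3] granted to Acct[2222-demo1control] by DomainChecker
2022-07-27 11:34:57,217 INFO [c.c.a.ApiServer] (qtp1-1192:ctx-aaaa ctx-bbbb) (logid:b8e0600b) PermissionDenied: Unable to use network with id= NET-PLACEHOLDER, permission denied on objs: []
2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq 47-30512
"""

# timestamp, level, logger, thread context, logid, message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] \(.*?\) \(logid:(\w*)\) (.*)$")
SECRET = re.compile(r"(?i)\b(apikey|signature|sessionkey|password)=[^&\s]*")
GRANT = re.compile(r"Access to (Acct\[[^\]]+\]) granted to (Acct\[[^\]]+\]) by (\w+)")

def redact(text):
    """Mask credential-bearing query parameters before a log line is shared."""
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", text)

def trace(log, logid):
    """Collect the request, access grants and denial recorded under one logid."""
    out = {"command": None, "params": {}, "grants": [], "denied": None}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m or m.group(4) != logid:
            continue  # unrelated request or a line in another format
        msg = m.group(5)
        if "===START===" in msg:
            # Query string follows the HTTP method; redact before parsing.
            params = dict(parse_qsl(redact(msg.partition(" GET ")[2])))
            out["command"], out["params"] = params.get("command"), params
        elif (g := GRANT.search(msg)):
            out["grants"].append(g.groups())  # (target, caller, checker)
        elif msg.startswith("PermissionDenied:"):
            out["denied"] = msg.split(": ", 1)[1]
    return out

if __name__ == "__main__":
    print(trace(SAMPLE, "b8e0600b"))
```

A grant entry followed by a denial under the same logid, as in the excerpt above, shows that the account-level check passed and the refusal came from a later check on the network itself.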
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Wei ZHOU <us...@gmail.com>.
Hi Ricardo,
Could you share more logs ?
-Wei
On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Hi Wei,
>
> Tried using domainid, account and accountid and all these 3 together,
> still the same error, “Error: (HTTP 531, error code 4365) Unable to use
> network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied”
>
> Regards,
>
> Ricardo P
>
> From: Ricardo Pertuz <ri...@kuasar.co>
> Date: Wednesday, 27 July 2022, 9:46 AM
> To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Both, using the UI and API ( Cloudmonkey), I will pass that parameter (not
> in docs btw)
>
> ________________________________
> From: Wei ZHOU <us...@gmail.com>
> Sent: Wednesday, July 27, 2022 9:44:20 AM
> To: users <us...@cloudstack.apache.org>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Hi Ricardo,
>
> If a domain admin creates a load balancer on an isolated network which
> belongs to another account, domainid/account should be passed.
> By the way, did you do it by API or UI ?
>
> -Wei
>
> On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co>
> wrote:
>
> > Thanks Wei for replying, the caller has the role Domain Admin, so we
> guess
> > it should be able to execute it
> >
> > On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
> >
> > Hi Ricardo,
> >
> > Please check if the caller is the owner of the network, or the caller
> > can
> > access the network if it belongs to a project.
> >
> > -Wei
> >
> > On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <
> ricardo.pertuz@kuasar.co
> > >
> > wrote:
> >
> > > Hi all,
> > >
> > > We use a domain controller user in ACS to deploy the
> > infrastructure,
> > > however when we try to CreateLoadBalancer we are receiving a “531
> > Unable to
> > > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a,
> permission
> > denied”
> > >
> > > PermissionDenied: Unable to use network with id=
> > > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> > >
> > > Is there any configuration missing or is it a bug? It works well
> when
> > > using the admin user.
> > >
> > > ACS 4.15.2.0
> > > KVM
> > > Redundant VPC offering
> > >
> > > Supported Services on Network Offering
> > > SourceNat : VpcVirtualRouter
> > > Dhcp : VpcVirtualRouter
> > > Lb : InternalLbVm
> > > UserData : VpcVirtualRouter
> > > Dns : VpcVirtualRouter
> > > NetworkACL : VpcVirtualRouter
> > >
> > > BR,
> > >
> > > Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Hi Wei,
Tried using domainid, account and accountid and all these 3 together, still the same error, “Error: (HTTP 531, error code 4365) Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied”
Regards,
Ricardo P
From: Ricardo Pertuz <ri...@kuasar.co>
Date: Wednesday, 27 July 2022, 9:46 AM
To: "users@cloudstack.apache.org" <us...@cloudstack.apache.org>
Subject: Re: Permission Denied on Domain Controller on Internal LoadBalancer
Both, using the UI and API (Cloudmonkey), I will pass that parameter (not in docs btw)
________________________________
From: Wei ZHOU <us...@gmail.com>
Sent: Wednesday, July 27, 2022 9:44:20 AM
To: users <us...@cloudstack.apache.org>
Subject: Re: Permission Denied on Domain Controller on Internal LoadBalancer
Hi Ricardo,
If a domain admin creates a load balancer on an isolated network which
belongs to another account, domainid/account should be passed.
By the way, did you do it by API or UI ?
-Wei
On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Thanks Wei for replying, the caller has the role Domain Admin, so we guess
> it should be able to execute it
>
> On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
>
> Hi Ricardo,
>
> Please check if the caller is the owner of the network, or the caller
> can
> access the network if it belongs to a project.
>
> -Wei
>
> On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ricardo.pertuz@kuasar.co
> >
> wrote:
>
> > Hi all,
> >
> > We use a domain controller user in ACS to deploy the
> infrastructure,
> > however when we try to CreateLoadBalancer we are receiving a “531
> Unable to
> > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission
> denied”
> >
> > PermissionDenied: Unable to use network with id=
> > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> >
> > Is there any configuration missing or is it a bug? It works well when
> > using the admin user.
> >
> > ACS 4.15.2.0
> > KVM
> > Redundant VPC offering
> >
> > Supported Services on Network Offering
> > SourceNat : VpcVirtualRouter
> > Dhcp : VpcVirtualRouter
> > Lb : InternalLbVm
> > UserData : VpcVirtualRouter
> > Dns : VpcVirtualRouter
> > NetworkACL : VpcVirtualRouter
> >
> > BR,
> >
> > Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Both, using the UI and API (Cloudmonkey), I will pass that parameter (not in docs btw)
________________________________
From: Wei ZHOU <us...@gmail.com>
Sent: Wednesday, July 27, 2022 9:44:20 AM
To: users <us...@cloudstack.apache.org>
Subject: Re: Permission Denied on Domain Controller on Internal LoadBalancer
Hi Ricardo,
If a domain admin creates a load balancer on an isolated network which
belongs to another account, domainid/account should be passed.
By the way, did you do it by API or UI ?
-Wei
On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Thanks Wei for replying, the caller has the role Domain Admin, so we guess
> it should be able to execute it
>
> On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
>
> Hi Ricardo,
>
> Please check if the caller is the owner of the network, or the caller
> can
> access the network if it belongs to a project.
>
> -Wei
>
> On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ricardo.pertuz@kuasar.co
> >
> wrote:
>
> > Hi all,
> >
> > We use a domain controller user in ACS to deploy the
> infrastructure,
> > however when we try to CreateLoadBalancer we are receiving a “531
> Unable to
> > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission
> denied”
> >
> > PermissionDenied: Unable to use network with id=
> > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> >
> > Is there any configuration missing or is it a bug? It works well when
> > using the admin user.
> >
> > ACS 4.15.2.0
> > KVM
> > Redundant VPC offering
> >
> > Supported Services on Network Offering
> > SourceNat : VpcVirtualRouter
> > Dhcp : VpcVirtualRouter
> > Lb : InternalLbVm
> > UserData : VpcVirtualRouter
> > Dns : VpcVirtualRouter
> > NetworkACL : VpcVirtualRouter
> >
> > BR,
> >
> > Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Wei ZHOU <us...@gmail.com>.
Hi Ricardo,
If a domain admin creates a load balancer on an isolated network which
belongs to another account, domainid/account should be passed.
By the way, did you do it by API or UI ?
-Wei
On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Thanks Wei for replying, the caller has the role Domain Admin, so we guess
> it should be able to execute it
>
> On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
>
> Hi Ricardo,
>
> Please check if the caller is the owner of the network, or the caller
> can
> access the network if it belongs to a project.
>
> -Wei
>
> On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ricardo.pertuz@kuasar.co
> >
> wrote:
>
> > Hi all,
> >
> > We use a domain controller user in ACS to deploy the
> infrastructure,
> > however when we try to CreateLoadBalancer we are receiving a “531
> Unable to
> > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission
> denied”
> >
> > PermissionDenied: Unable to use network with id=
> > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> >
> > Is there any configuration missing or is it a bug? It works well when
> > using the admin user.
> >
> > ACS 4.15.2.0
> > KVM
> > Redundant VPC offering
> >
> > Supported Services on Network Offering
> > SourceNat : VpcVirtualRouter
> > Dhcp : VpcVirtualRouter
> > Lb : InternalLbVm
> > UserData : VpcVirtualRouter
> > Dns : VpcVirtualRouter
> > NetworkACL : VpcVirtualRouter
> >
> > BR,
> >
> > Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Ricardo Pertuz <ri...@kuasar.co>.
Thanks Wei for replying, the caller has the role Domain Admin, so we guess it should be able to execute it
On 27/07/22, 9:15 AM, "Wei ZHOU" <us...@gmail.com> wrote:
Hi Ricardo,
Please check if the caller is the owner of the network, or the caller can
access the network if it belongs to a project.
-Wei
On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Hi all,
>
> We use a domain controller user in ACS to deploy the infrastructure,
> however when we try to CreateLoadBalancer we are receiving a “531 Unable to
> use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”
>
> PermissionDenied: Unable to use network with id=
> 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
>
> Is there any configuration missing or is it a bug? It works well when
> using the admin user.
>
> ACS 4.15.2.0
> KVM
> Redundant VPC offering
>
> Supported Services on Network Offering
> SourceNat : VpcVirtualRouter
> Dhcp : VpcVirtualRouter
> Lb : InternalLbVm
> UserData : VpcVirtualRouter
> Dns : VpcVirtualRouter
> NetworkACL : VpcVirtualRouter
>
> BR,
>
> Ricardo
Re: Permission Denied on Domain Controller on Internal LoadBalancer
Posted by Wei ZHOU <us...@gmail.com>.
Hi Ricardo,
Please check if the caller is the owner of the network, or the caller can
access the network if it belongs to a project.
-Wei
On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <ri...@kuasar.co>
wrote:
> Hi all,
>
> We use a domain controller user in ACS to deploy the infrastructure,
> however when we try to CreateLoadBalancer we are receiving a “531 Unable to
> use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”
>
> PermissionDenied: Unable to use network with id=
> 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
>
> Is there any configuration missing or is it a bug? It works well when
> using the admin user.
>
> ACS 4.15.2.0
> KVM
> Redundant VPC offering
>
> Supported Services on Network Offering
> SourceNat : VpcVirtualRouter
> Dhcp : VpcVirtualRouter
> Lb : InternalLbVm
> UserData : VpcVirtualRouter
> Dns : VpcVirtualRouter
> NetworkACL : VpcVirtualRouter
>
> BR,
>
> Ricardo