You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "Min Chen (JIRA)" <ji...@apache.org> on 2014/05/12 19:16:17 UTC
[jira] [Assigned] (CLOUDSTACK-6630) [Automation] Failed to create
PF rule with error "does not have permission to access resource"
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Min Chen reassigned CLOUDSTACK-6630:
------------------------------------
Assignee: Min Chen
> [Automation] Failed to create PF rule with error "does not have permission to access resource"
> ----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6630
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6630
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: IAM
> Affects Versions: 4.4.0
> Reporter: Rayees Namathponnan
> Assignee: Min Chen
> Priority: Blocker
> Fix For: 4.4.0
>
> Attachments: CLOUDSTACK-6630.rar
>
>
> Run BVT suite volume.py
> test case
> 1) creating user account with domian ROOT
> 2) deploying vm with new network
> 3) obtain new IP, apply firewall rule
> 4) apply PF rule
> Result
> PF rule creation failed with below exception
> 2014-05-10 23:58:48,482 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) IAM access c
> heck for 2-null-null-DomainCapability from cache: false
> 2014-05-10 23:58:48,493 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) ===END=== 10.223.240.194 -- GET
> signature=gD6OYRiz6Jd%2FZz7M7emIaancCr0%3D&apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&
> command=queryAsyncJobResult&response=json&jobid=3b680c4e-8508-4691-9d89-87dfeb400dec
> 2014-05-10 23:58:48,499 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb) ===START=== 10.223.240.194 -- GET apiKey=leb8qPblUzbfXRS
> pfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3
> a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&p
> ublicport=2222&response=json
> 2014-05-10 23:58:48,532 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-3:null) SeqA 6-221: Processing Seq 6-221: { Cmd , MgmtId: -
> 1, via: 6, Ver: v1, Flags: 11, [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":4,"_loadInfo":"{\n \"connections\": []\
> n}","wait":0}}] }
> 2014-05-10 23:58:48,536 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-3:null) SeqA 6-221: Sending Seq 6-221: { Ans: , MgmtId: 290
> 66118877352, via: 6, Ver: v1, Flags: 100010, [{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }
> 2014-05-10 23:58:48,598 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-SystemCapability from cache: true
> 2014-05-10 23:58:48,599 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Root Access granted to A
> cct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] by RoleBasedEntityAccessChecker
> 2014-05-10 23:58:48,601 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-DomainCapability from cache: false
> 2014-05-10 23:58:48,606 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-DomainResourceCapability from cache: false
> 2014-05-10 23:58:48,627 DEBUG [o.a.c.i.s.IAMServiceImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check for
> 2-VirtualMachine8-OperateEntry-createPortForwardingRule in cache
> 2014-05-10 23:58:48,650 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Account Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to access resource Ip[10.223.122.71-1] for access type: OperateEntry
> 2014-05-10 23:58:48,650 DEBUG [o.a.c.i.s.IAMServiceImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check for 2-IpAddress6-OperateEntry-createPortForwardingRule in cache
> 2014-05-10 23:58:48,651 INFO [c.c.a.ApiServer] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) PermissionDenied: Account Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to access resource Ip[10.223.122.71-1] for access type: OperateEntry on objs: []
> 2014-05-10 23:58:48,654 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) ===END=== 10.223.240.194 -- GET apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&publicport=2222&response=json
> 2014-05-10 23:58:48,809 DEBUG [c.c.a.ApiServlet] (catalina-exec-16:ctx-75c2ca30) ===START=== 10.223.240.194 -- GET apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&command=listDomains&signature=vw1816eP4qADj2X%2FbYUVXDSnoXA%3D&response=json
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)