Posted to users@cloudstack.apache.org by Matthew Smart <ms...@smartsoftwareinc.com> on 2022/09/11 23:45:48 UTC

Re: Permission Denied when trying to add nictovirtualmachine as ROOT Admin

I have been traveling and just got a chance to return to this issue. 
Again, I want to allow the Root Admin account to add nics from different 
networks to any virtual machine. 'Create network permissions' from the 
API to try to add the ROOT Admin account to a network's permissions 
fails because it says that the ROOT Admin is not a member of the domain. 
That account is a member of the ROOT domain and all other domains are 
listed hierarchically beneath ROOT (e.g. ROOT/dev, ROOT/prod, etc.) 
fwiw. I don't want to further complicate my automation by creating and 
keeping track of an individual Domain Admin account for each of my 
domains. I have found a workaround I can live with by just creating the 
requisite row in the network_permissions table in the db for the ROOT 
Admin account for each network.

Is there a pressing reason why the ROOT Admin should have rights to do 
pretty much everything else but not add nics to vms on different 
networks? Does the roadmap call for a further curtailing of ROOT Admin 
permissions? If not, would giving ROOT admin implicit network 
permissions be a feature that could be requested?

Thanks,

Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501

Phone: (605) 280-0383
Skype: msmart13
Email: msmart@smartsoftwareinc.com

On 9/1/22 02:23, Abhishek Kumar wrote:
> Hi Matthew,
>
> In your case does the user to which VM belongs have the access to the network you are trying to add to the VM?
> I tried it in a test env and it works fine when the user has access to the network (eg, the user owns the network). But it would fail when the user doesn't have the access to the network.
>
> Below is an example. First I tried to add a user-owned network using domain admin. It worked. Then I tried adding a domain-admin-owned network to the VM. It failed. But the same operation worked when I added proper network permissions.
>
> (sblab) 🐌 > list networks id=4caccd89-9479-4c57-bef2-b8bdd3a99229
> {
>    "count": 1,
>    "network": [
>      {
>        "account": "ACSUser",
>        "acltype": "Account",
>        "broadcastdomaintype": "Vlan",
>        "canusefordeploy": true,
>        "cidr": "10.1.1.0/24",
>        "created": "2022-09-01T06:55:10+0000",
>        "displaytext": "user-iso1",
>        "dns1": "10.0.32.1",
>        "dns2": "8.8.8.8",
>        "domain": "ROOT",
>        "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
>        "egressdefaultpolicy": false,
>        "gateway": "10.1.1.1",
>        "hasannotations": false,
>        "id": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
>        "ispersistent": false,
>        "issystem": false,
>        "name": "user-iso1",
>        "netmask": "255.255.255.0",
>        "networkdomain": "cs4cloud.internal",
>        "networkofferingavailability": "Required",
>        "networkofferingconservemode": true,
>        ...
> }
> (sblab) 🐘 > list networks id=54b35a12-0947-4897-ab3b-10059c3e1398
> {
>    "count": 1,
>    "network": [
>      {
>        "account": "ACSUser",
>        "acltype": "Account",
>        "broadcastdomaintype": "Vlan",
>        "canusefordeploy": true,
>        "created": "2022-09-01T06:55:37+0000",
>        "displaytext": "user-l2",
>        "dns1": "10.0.32.1",
>        "dns2": "8.8.8.8",
>        "domain": "ROOT",
>        "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
>        "hasannotations": false,
>        "id": "54b35a12-0947-4897-ab3b-10059c3e1398",
>        "ispersistent": false,
>        "issystem": false,
>        "name": "user-l2",
>        "networkofferingavailability": "Optional",
>        "networkofferingconservemode": true,
>        "networkofferingdisplaytext": "Offering for L2 networks",
>        "networkofferingid": "c872ab72-5849-4bb5-8cd9-0fa346c895ab",
>        "networkofferingname": "DefaultL2NetworkOffering",
>        "physicalnetworkid": "e7721ec6-797d-4c45-a790-65cb0a333501",
>        "receivedbytes": 0,
>        "redundantrouter": false,
>        "related": "54b35a12-0947-4897-ab3b-10059c3e1398",
>        "restartrequired": false,
>        "sentbytes": 0,
>        "service": [],
>        "specifyipranges": false,
>        "state": "Implemented",
>        "strechedl2subnet": false,
>        "tags": [],
>        "traffictype": "Guest",
>        "type": "L2",
>        "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
>        "zonename": "ref-trl-3557-v-M7-abhishek-kumar"
>      }
>    ]
> }
>
> (sblab) 🐷 > deploy virtualmachine zoneid=fce252b8-5075-4077-80c0-4f027fea354d serviceofferingid=3ed0124f-7064-4680-82da-80204d3a3ddb templateid=feb21788-29be-4fb0-8618-ec0f50921838 networkids=4caccd89-9479-4c57-bef2-b8bdd3a99229
> {
>    "virtualmachine": {
>      "account": "ACSUser",
>      "affinitygroup": [],
>      "cpunumber": 1,
>      "cpuspeed": 500,
>      "created": "2022-09-01T07:12:40+0000",
>      "details": {
>        "dataDiskController": "osdefault",
>        "rootDiskController": "osdefault"
>      },
>      "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "domain": "ROOT",
>      "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
>      "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
>      "haenable": false,
>      "hasannotations": false,
>      "hypervisor": "VMware",
>      "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "isdynamicallyscalable": false,
>      "jobid": "448d9d04-bc0b-4576-94a9-5ece301b52e5",
>      "jobstatus": 0,
>      "lastupdated": "2022-09-01T07:12:49+0000",
>      "memory": 512,
>      "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "nic": [
>        {
>          "broadcasturi": "vlan://2227",
>          "deviceid": "0",
>          "extradhcpoption": [],
>          "gateway": "10.1.1.1",
>          "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
>          "ipaddress": "10.1.1.227",
>          "isdefault": true,
>          "isolationuri": "vlan://2227",
>          "macaddress": "02:00:18:83:00:04",
>          "netmask": "255.255.255.0",
>          "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
>          "networkname": "user-iso1",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "Isolated"
>        }
>      ],
>      ...
>      "userid": "96793627-9833-4012-9247-fc8761330e96",
>      "username": "user",
>      "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
>      "zonename": "ref-trl-3557-v-M7-abhishek-kumar"
>    }
> }
> (sblab) 🍀 > set username domadmin
> (sblab) 🐒 > sync
> Discovered 328 APIs
> (sblab) 🐹 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=54b35a12-0947-4897-ab3b-10059c3e1398
> {
>    "virtualmachine": {
>      "account": "ACSUser",
>      "affinitygroup": [],
>      "created": "2022-09-01T07:12:40+0000",
>      "details": {
>        "dataDiskController": "osdefault",
>        "rootDiskController": "osdefault"
>      },
>      "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "domain": "ROOT",
>      "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
>      "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
>      "haenable": false,
>      "hasannotations": false,
>      "hypervisor": "VMware",
>      "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "isdynamicallyscalable": false,
>      "jobid": "3a286118-843a-4a92-b0cc-8bdc4ecd334f",
>      "jobstatus": 0,
>      "lastupdated": "2022-09-01T07:12:49+0000",
>      "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "nic": [
>        {
>          "broadcasturi": "vlan://2240",
>          "deviceid": "1",
>          "extradhcpoption": [],
>          "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
>          "isdefault": false,
>          "isolationuri": "vlan://2240",
>          "macaddress": "02:00:7e:eb:00:02",
>          "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
>          "networkname": "user-l2",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "L2"
>        },
>        {
>          "broadcasturi": "vlan://2227",
>          "deviceid": "0",
>          "extradhcpoption": [],
>          "gateway": "10.1.1.1",
>          "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
>          "ipaddress": "10.1.1.227",
>          "isdefault": true,
>          "isolationuri": "vlan://2227",
>          "macaddress": "02:00:18:83:00:04",
>          "netmask": "255.255.255.0",
>          "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
>          "networkname": "user-iso1",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "Isolated"
>        }
>      ],
>     ...
>    }
> }
> (sblab) 🦇 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=79bda62e-5b08-434c-846c-8db806482da9
> {
>    "accountid": "e879dc18-4adb-42d8-bcc6-8bda00ba93f6",
>    "cmd": "org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd",
>    "completed": "2022-09-01T07:13:50+0000",
>    "created": "2022-09-01T07:13:50+0000",
>    "jobid": "03a994d6-f001-46c8-9c37-22ae9ccede2a",
>    "jobinstanceid": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>    "jobinstancetype": "VirtualMachine",
>    "jobprocstatus": 0,
>    "jobresult": {
>      "errorcode": 530,
>      "errortext": "Unable to use network with id= 79bda62e-5b08-434c-846c-8db806482da9, permission denied"
>    },
>    "jobresultcode": 530,
>    "jobresulttype": "object",
>    "jobstatus": 2,
>    "userid": "4628e888-55b0-4230-b0be-679fe2374e7a"
> }
> 🙈 Error: async API failed for job 03a994d6-f001-46c8-9c37-22ae9ccede2a
> (sblab) 🐀 > create networkpermissions networkid=79bda62e-5b08-434c-846c-8db806482da9 accountids=9e5e5c6d-74d4-4df6-a4ad-0e575d3a2298
> {
>    "success": true
> }
> (sblab) 🐟 > add nictovirtualmachine virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 networkid=79bda62e-5b08-434c-846c-8db806482da9
> {
>    "virtualmachine": {
>      "account": "ACSUser",
>      "affinitygroup": [],
>      "created": "2022-09-01T07:12:40+0000",
>      "details": {
>        "dataDiskController": "osdefault",
>        "rootDiskController": "osdefault"
>      },
>      "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "domain": "ROOT",
>      "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
>      "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
>      "haenable": false,
>      "hasannotations": false,
>      "hypervisor": "VMware",
>      "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "isdynamicallyscalable": false,
>      "jobid": "bcf0f01b-b55d-42d3-9535-056315e5608c",
>      "jobstatus": 0,
>      "lastupdated": "2022-09-01T07:12:49+0000",
>      "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
>      "nic": [
>        {
>          "broadcasturi": "vlan://2240",
>          "deviceid": "1",
>          "extradhcpoption": [],
>          "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
>          "isdefault": false,
>          "isolationuri": "vlan://2240",
>          "macaddress": "02:00:7e:eb:00:02",
>          "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
>          "networkname": "user-l2",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "L2"
>        },
>        {
>          "broadcasturi": "vlan://2231",
>          "deviceid": "2",
>          "extradhcpoption": [],
>          "id": "c8635505-33f4-44ac-ab42-d3dc698c4da2",
>          "isdefault": false,
>          "isolationuri": "vlan://2231",
>          "macaddress": "02:00:15:b4:00:01",
>          "networkid": "79bda62e-5b08-434c-846c-8db806482da9",
>          "networkname": "dom-l2",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "L2"
>        },
>        {
>          "broadcasturi": "vlan://2227",
>          "deviceid": "0",
>          "extradhcpoption": [],
>          "gateway": "10.1.1.1",
>          "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
>          "ipaddress": "10.1.1.227",
>          "isdefault": true,
>          "isolationuri": "vlan://2227",
>          "macaddress": "02:00:18:83:00:04",
>          "netmask": "255.255.255.0",
>          "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
>          "networkname": "user-iso1",
>          "secondaryip": [],
>          "traffictype": "Guest",
>          "type": "Isolated"
>        }
>      ],
>      ...
>    }
> }
>
> Regards,
> Abhishek
> ________________________________
> From: Matthew Smart <ms...@smartsoftwareinc.com>
> Sent: 01 September 2022 05:02
> To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
> Subject: Permission Denied when trying to add nictovirtualmachine as Domain Admin
>
> All,
> I am having an issue trying to add a nic to an existing virtual machine.
> This seems very similar to issue 6590
> https://github.com/apache/cloudstack/issues/6590 . The error is the same
> if I try it from the UI or cloudmonkey:
> Error 530, Unable to use network with id=
> 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied
>
> It doesn't matter which network or which VM I use. I do not have any
> projects defined. Any ideas?
>
> Api log:
> 2022-08-31 18:28:00,903 INFO  [a.c.c.a.ApiServlet]
> (qtp1750498848-285:ctx-e1ff1e99 ctx-7d49ea3e ctx-ac87c2e4)
> (logid:a0a5f800) (userId=2 accountId=2 sessionId=null) 0:0:0:0:0:0:0:1
> -- GET
> signatureversion=3&apiKey=eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A&expires=2022-08-31T23%3A38%3A00%2B0000&jobid=85620fa4-c3ee-4b55-a220-2b2efbfc8240&command=queryAsyncJobResult&signature=DVfJ3fAUm9fTkGpJnZIPqqVTiuM%3D&response=json
> 200
> {"queryasyncjobresultresponse":{"accountid":"4881765b-737e-11e6-af31-a4badb303ab0","userid":"488183c2-737e-11e6-af31-a4badb303ab0","cmd":"org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin","jobstatus":2,"jobprocstatus":0,"jobresultcode":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"Unable
> to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
> denied"},"jobinstancetype":"VirtualMachine","jobinstanceid":"a13626c9-209f-4d63-b1ae-624e77863d68","created":"2022-08-31T18:27:58-0500","completed":"2022-08-31T18:27:58-0500","jobid":"85620fa4-c3ee-4b55-a220-2b2efbfc8240"}}
>
> Management log:
> 2022-08-31 18:27:58,876 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
> (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Executing
> AsyncJobVO: {id:25273, userId: 2, accountId: 2, instanceType:
> VirtualMachine, instanceId: 22, cmd:
> org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin,
> cmdInfo:
> {"expires":"2022-08-31T23:37:58+0000","apiKey":"eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A","signature":"G5byvIP9InHK1s301Dir4KAUYnM\u003d","httpmethod":"GET","ctxAccountId":"2","cmdEventType":"NIC.CREATE","signatureversion":"3","virtualmachineid":"a13626c9-209f-4d63-b1ae-624e77863d68","response":"json","ctxUserId":"2","networkid":"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2","ctxStartEventId":"314819","ctxDetails":"{\"interface
> com.cloud.vm.VirtualMachine\":\"a13626c9-209f-4d63-b1ae-624e77863d68\",\"interface
> com.cloud.network.Network\":\"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2\"}"},
> cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0,
> result: null, initMsid: 181122448243502, completeMsid: null,
> lastUpdated: null, lastPolled: null, created: null, removed: null}
> 2022-08-31 18:27:58,899 ERROR [c.c.a.ApiAsyncJobDispatcher]
> (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Unexpected
> exception while executing
> org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin
> com.cloud.exception.PermissionDeniedException: Unable to use network
> with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied
>       at
> com.cloud.network.NetworkModelImpl.checkNetworkPermissions(NetworkModelImpl.java:1681)
>       at
> com.cloud.vm.UserVmManagerImpl.addNicToVirtualMachine(UserVmManagerImpl.java:1323)
>       at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
>       at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>       at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>       at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
>       at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
>       at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>       at
> org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:107)
>       at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
>       at
> com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:52)
>       at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
>       at
> org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
>       at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>       at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
>       at com.sun.proxy.$Proxy128.addNicToVirtualMachine(Unknown Source)
>       at
> org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd.execute(AddNicToVMCmd.java:173)
>       at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:163)
>       at
> com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106)
>       at
> org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:620)
>       at
> org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48)
>       at
> org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
>       at
> org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
>       at
> org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
>       at
> org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45)
>       at
> org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:568)
>       at
> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>       at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>       at
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>       at
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>       at java.base/java.lang.Thread.run(Thread.java:829)
> 2022-08-31 18:27:58,902 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
> (API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Complete
> async job-25273, jobStatus: FAILED, resultCode: 530, result:
> org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Unable
> to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
> denied"}
>
>
> --
> Matthew Smart
> President
> Smart Software Solutions Inc.
> 108 S Pierre St.
> Pierre, SD 57501
>
> Phone: (605) 280-0383
> Skype: msmart13
> Email: msmart@smartsoftwareinc.com
>
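The thread ends with two ways of granting the ROOT Admin account use of another account's network: the `create networkpermissions` call Abhishek runs from cloudmonkey, and Matthew's workaround of inserting rows into the `network_permissions` table. The script below is an added example (not code from the thread, from cloudmonkey or from CloudStack) that issues the same `createNetworkPermissions` API call over HTTP with a correctly signed request, so the grant goes through the management server's own checks and event log rather than around them. The endpoint, API key, secret and the network/account ids in the usage are constructed placeholders; the signing steps (URL-encode values, sort by key, lower-case, HMAC-SHA1 with the secret, base64) follow CloudStack's documented API signing scheme.

```python
"""Grant accounts explicit use of a CloudStack network via createNetworkPermissions.

Added example for this thread; not code from the thread, cloudmonkey or CloudStack.
ENDPOINT, API_KEY and SECRET_KEY are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

ENDPOINT = "https://cloudstack.example.invalid/client/api"  # placeholder
API_KEY = "EXAMPLE-API-KEY"                                 # placeholder
SECRET_KEY = "EXAMPLE-SECRET-KEY"                           # placeholder


def _encode(value) -> str:
    # The signed string and the sent query must use the same encoding,
    # otherwise the signature the server recomputes will not match.
    return urllib.parse.quote(str(value), safe="")


def canonical_query(params: dict) -> str:
    """The exact string CloudStack signs: key=value pairs sorted by key
    (case-insensitively), joined with '&', then lower-cased as a whole."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={_encode(v)}" for k, v in ordered).lower()


def sign(params: dict, secret: str) -> str:
    """Base64(HMAC-SHA1(secret, canonical_query(params)))."""
    mac = hmac.new(secret.encode("utf-8"),
                   canonical_query(params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(command: str, api_key: str, secret: str, **args) -> str:
    """Full query string for one API call; the signature is appended last and
    covers every other parameter, so any later change to them invalidates it."""
    params = {"command": command, "apiKey": api_key, "response": "json", **args}
    query = "&".join(f"{k}={_encode(v)}" for k, v in params.items())
    return f"{query}&signature={_encode(sign(params, secret))}"


def network_permission_request(network_id: str, account_ids: list,
                               api_key: str = API_KEY, secret: str = SECRET_KEY) -> str:
    """Query for createNetworkPermissions granting account_ids use of
    network_id: the same call the thread issues from cloudmonkey."""
    return signed_query("createNetworkPermissions", api_key, secret,
                        networkid=network_id, accountids=",".join(account_ids))


def permission_granted(response_body: str) -> bool:
    """True when the JSON response reports success.  Accepts both the bare
    {"success": true} object cloudmonkey prints and the raw API's
    {"createnetworkpermissionsresponse": {...}} wrapper."""
    body = json.loads(response_body)
    inner = body.get("createnetworkpermissionsresponse", body)
    return inner.get("success") is True


def grant(network_id: str, account_ids: list, endpoint: str = ENDPOINT) -> bool:
    """Send the signed request and report whether the grant succeeded."""
    url = f"{endpoint}?{network_permission_request(network_id, account_ids)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return permission_granted(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed ids; in real use take them from listNetworks / listAccounts.
    print(network_permission_request("00000000-0000-4000-8000-000000000001",
                                     ["00000000-0000-4000-8000-0000000000aa"]))
```

Going through the API rather than the database keeps the server-side permission checks and the action event that the management log in the thread shows being recorded (`cmdEventType`, `ctxStartEventId`), and it survives schema changes to `network_permissions` between releases. The signature covers the whole parameter set, which is also why a hand-edited or replayed query fails with a signature error instead of silently doing something else.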