You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "Rayees Namathponnan (JIRA)" <ji...@apache.org> on 2014/05/11 17:05:15 UTC

[jira] [Created] (CLOUDSTACK-6630) [Automation] Failed to create PF rule with error "does not have permission to access resource"

Rayees Namathponnan created CLOUDSTACK-6630:
-----------------------------------------------

             Summary: [Automation] Failed to create PF rule with error "does not have permission to access resource"
                 Key: CLOUDSTACK-6630
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6630
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: IAM
    Affects Versions: 4.4.0
            Reporter: Rayees Namathponnan
            Priority: Blocker
             Fix For: 4.4.0


Run  BVT suite volume.py

test case creating account, deploying vm and configuring SNAT with PF rule,

Result

PF rule creation failed with below exception 


2014-05-10 23:58:48,482 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,493 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) ===END===  10.223.240.194 -- GET
  signature=gD6OYRiz6Jd%2FZz7M7emIaancCr0%3D&apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&
command=queryAsyncJobResult&response=json&jobid=3b680c4e-8508-4691-9d89-87dfeb400dec
2014-05-10 23:58:48,499 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb) ===START===  10.223.240.194 -- GET  apiKey=leb8qPblUzbfXRS
pfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3
a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&p
ublicport=2222&response=json
2014-05-10 23:58:48,532 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-3:null) SeqA 6-221: Processing Seq 6-221:  { Cmd , MgmtId: -
1, via: 6, Ver: v1, Flags: 11, [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":4,"_loadInfo":"{\n  \"connections\": []\
n}","wait":0}}] }
2014-05-10 23:58:48,536 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-3:null) SeqA 6-221: Sending Seq 6-221:  { Ans: , MgmtId: 290
66118877352, via: 6, Ver: v1, Flags: 100010, [{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }
2014-05-10 23:58:48,598 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-SystemCapability from cache: true
2014-05-10 23:58:48,599 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Root Access granted to A
cct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] by RoleBasedEntityAccessChecker
2014-05-10 23:58:48,601 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,606 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainResourceCapability from cache: false
2014-05-10 23:58:48,627 DEBUG [o.a.c.i.s.IAMServiceImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check for
 2-VirtualMachine8-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Account Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to access resource Ip[10.223.122.71-1] for access type: OperateEntry
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.s.IAMServiceImpl] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check for 2-IpAddress6-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,651 INFO  [c.c.a.ApiServer] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) PermissionDenied: Account Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to access resource Ip[10.223.122.71-1] for access type: OperateEntry on objs: []
2014-05-10 23:58:48,654 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) ===END===  10.223.240.194 -- GET  apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&publicport=2222&response=json
2014-05-10 23:58:48,809 DEBUG [c.c.a.ApiServlet] (catalina-exec-16:ctx-75c2ca30) ===START===  10.223.240.194 -- GET  apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&command=listDomains&signature=vw1816eP4qADj2X%2FbYUVXDSnoXA%3D&response=json


  



--
This message was sent by Atlassian JIRA
(v6.2#6252)