You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cloudstack.apache.org by Valery Ciareszka <va...@gmail.com> on 2013/10/07 18:30:11 UTC

deployVirtualMachine fails

Hi all.

I'm trying to deploy virtual machines through api and management throws
permission issues. This worked in 4.0/4.1, but now I see following:

curl "
http://localhost:8096/client/?command=deployVirtualMachine&serviceofferingid=2b45be75-0ec8-4683-91a0-d95414da310d&zoneid=4a5bc8e5-bab9-4f92-9249-d57ef8a0f9f8&templateid=94013c8f-b615-467f-8df2-635ac4c5efb5&networkids=5928684b-f9fc-4c2f-a74b-d6af622250f3&account=vdc3880&domainid=2744e9b6-8633-4e8d-bb4d-860fe5e7e744
"


<?xml version="1.0" encoding="UTF-8"?>
<deployvirtualmachineresponse
cloud-stack-version="4.2.0"><errorcode>531</errorcode>
<cserrorcode>4365</cserrorcode>
<errortext>Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not have
permission to operate with resource
Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext>
</deployvirtualmachineresponse>

Same thing upon assignVirtualMachine api call:

 curl "
http://localhost:8096/client/?command=assignVirtualMachine&virtualmachineid=dbee3d10-0c8d-4d74-bcbd-21fb041fbfce&account=vdc3880&domainid=2744e9b6-8633-4e8d-bb4d-860fe5e7e744
"
<?xml version="1.0" encoding="UTF-8"?><moveuservmresponse
cloud-stack-version="4.2.0"><errorcode>530</errorcode><cserrorcode>9999</cserrorcode><errortext>Failed
to move vm Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not have
permission to operate with resource
Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext></moveuservmresponse>

environment used: CS 4.2.0, centos 6.4, KVM

P.S. It seems error message is being generated
at ./server/src/com/cloud/acl/DomainChecker.java:
145                     if (caller.getId() != entity.getAccountId()) {
146                         throw new PermissionDeniedException(caller +
"entry3 does not have permission to operate with resource " +
entity);
147                     }

But I can not understand why callerid goes from vdc3880 account -  I'm
calling API as admin (tested both through cloudmonkey and directly on 8096
port) ?

Any thoughts ?

-- 
Regards,
Valery

http://protocol.by/slayer

Re: deployVirtualMachine fails

Posted by Valery Ciareszka <va...@gmail.com>.

Nitin,
I've filed it: https://issues.apache.org/jira/browse/CLOUDSTACK-4838


On Tue, Oct 8, 2013 at 8:32 PM, Nitin Mehta <Ni...@citrix.com> wrote:

> Valery - Can you please file a bug for a  better message.
> You are calling as a system user (port 8096) but for the account vdc3880
> and so the system checks whether this account can access this template,
> network etc.
>
> On 08/10/13 10:20 AM, "Valery Ciareszka" <va...@gmail.com>
> wrote:
>
> >Finally I've found the problem
> >in ./server/src/com/cloud/vm/UserVmManagerImpl.java near
> >             _accountMgr.checkAccess(newAccount, null, true,
> >templateOwner);
> >
> >
> >The reason was that template was not public-enabled, therefore user
> >account
> >could not get access to non-public template.
> >
> >But I think exception message could be more friendly and senseful :-)
> >
> >
> >
> >On Mon, Oct 7, 2013 at 7:30 PM, Valery Ciareszka
> ><va...@gmail.com>wrote:
> >
> >> Hi all.
> >>
> >> I'm trying to deploy virtual machines through api and management throws
> >> permission issues. This worked in 4.0/4.1, but now I see following:
> >>
> >> curl "
> >>
> >>
> http://localhost:8096/client/?command=deployVirtualMachine&serviceofferin
> >>gid=2b45be75-0ec8-4683-91a0-d95414da310d&zoneid=4a5bc8e5-bab9-4f92-9249-d
> >>57ef8a0f9f8&templateid=94013c8f-b615-467f-8df2-635ac4c5efb5&networkids=59
> >>28684b-f9fc-4c2f-a74b-d6af622250f3&account=vdc3880&domainid=2744e9b6-8633
> >>-4e8d-bb4d-860fe5e7e744
> >> "
> >>
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <deployvirtualmachineresponse
> >> cloud-stack-version="4.2.0"><errorcode>531</errorcode>
> >> <cserrorcode>4365</cserrorcode>
> >> <errortext>Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not
> >> have permission to operate with resource
> >> Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext>
> >> </deployvirtualmachineresponse>
> >>
> >> Same thing upon assignVirtualMachine api call:
> >>
> >>  curl "
> >>
> >>
> http://localhost:8096/client/?command=assignVirtualMachine&virtualmachine
> >>id=dbee3d10-0c8d-4d74-bcbd-21fb041fbfce&account=vdc3880&domainid=2744e9b6
> >>-8633-4e8d-bb4d-860fe5e7e744
> >> "
> >> <?xml version="1.0" encoding="UTF-8"?><moveuservmresponse
> >>
> >>cloud-stack-version="4.2.0"><errorcode>530</errorcode><cserrorcode>9999</
> >>cserrorcode><errortext>Failed
> >> to move vm Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not
> >>have
> >> permission to operate with resource
> >>
> >>Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext></moveuservmr
> >>esponse>
> >>
> >> environment used: CS 4.2.0, centos 6.4, KVM
> >>
> >> P.S. It seems error message is being generated
> >> at ./server/src/com/cloud/acl/DomainChecker.java:
> >> 145                     if (caller.getId() != entity.getAccountId()) {
> >> 146                         throw new PermissionDeniedException(caller +
> >> "entry3 does not have permission to operate with resource " +
> >> entity);
> >> 147                     }
> >>
> >> But I can not understand why callerid goes from vdc3880 account -  I'm
> >> calling API as admin (tested both through cloudmonkey and directly on
> >>8096
> >> port) ?
> >>
> >> Any thoughts ?
> >>
> >> --
> >> Regards,
> >> Valery
> >>
> >> http://protocol.by/slayer
> >>
> >
> >
> >
> >--
> >Regards,
> >Valery
> >
> >http://protocol.by/slayer
>
>


-- 
Regards,
Valery

http://protocol.by/slayer

Re: deployVirtualMachine fails

Posted by Nitin Mehta <Ni...@citrix.com>.

Valery - Can you please file a bug for a  better message.
You are calling as a system user (port 8096) but for the account vdc3880
and so the system checks whether this account can access this template,
network etc.

On 08/10/13 10:20 AM, "Valery Ciareszka" <va...@gmail.com> wrote:

>Finally I've found the problem
>in ./server/src/com/cloud/vm/UserVmManagerImpl.java near
>             _accountMgr.checkAccess(newAccount, null, true,
>templateOwner);
>
>
>The reason was that template was not public-enabled, therefore user
>account
>could not get access to non-public template.
>
>But I think exception message could be more friendly and senseful :-)
>
>
>
>On Mon, Oct 7, 2013 at 7:30 PM, Valery Ciareszka
><va...@gmail.com>wrote:
>
>> Hi all.
>>
>> I'm trying to deploy virtual machines through api and management throws
>> permission issues. This worked in 4.0/4.1, but now I see following:
>>
>> curl "
>> 
>>http://localhost:8096/client/?command=deployVirtualMachine&serviceofferin
>>gid=2b45be75-0ec8-4683-91a0-d95414da310d&zoneid=4a5bc8e5-bab9-4f92-9249-d
>>57ef8a0f9f8&templateid=94013c8f-b615-467f-8df2-635ac4c5efb5&networkids=59
>>28684b-f9fc-4c2f-a74b-d6af622250f3&account=vdc3880&domainid=2744e9b6-8633
>>-4e8d-bb4d-860fe5e7e744
>> "
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <deployvirtualmachineresponse
>> cloud-stack-version="4.2.0"><errorcode>531</errorcode>
>> <cserrorcode>4365</cserrorcode>
>> <errortext>Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not
>> have permission to operate with resource
>> Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext>
>> </deployvirtualmachineresponse>
>>
>> Same thing upon assignVirtualMachine api call:
>>
>>  curl "
>> 
>>http://localhost:8096/client/?command=assignVirtualMachine&virtualmachine
>>id=dbee3d10-0c8d-4d74-bcbd-21fb041fbfce&account=vdc3880&domainid=2744e9b6
>>-8633-4e8d-bb4d-860fe5e7e744
>> "
>> <?xml version="1.0" encoding="UTF-8"?><moveuservmresponse
>> 
>>cloud-stack-version="4.2.0"><errorcode>530</errorcode><cserrorcode>9999</
>>cserrorcode><errortext>Failed
>> to move vm Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not
>>have
>> permission to operate with resource
>> 
>>Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext></moveuservmr
>>esponse>
>>
>> environment used: CS 4.2.0, centos 6.4, KVM
>>
>> P.S. It seems error message is being generated
>> at ./server/src/com/cloud/acl/DomainChecker.java:
>> 145                     if (caller.getId() != entity.getAccountId()) {
>> 146                         throw new PermissionDeniedException(caller +
>> "entry3 does not have permission to operate with resource " +
>> entity);
>> 147                     }
>>
>> But I can not understand why callerid goes from vdc3880 account -  I'm
>> calling API as admin (tested both through cloudmonkey and directly on
>>8096
>> port) ?
>>
>> Any thoughts ?
>>
>> --
>> Regards,
>> Valery
>>
>> http://protocol.by/slayer
>>
>
>
>
>-- 
>Regards,
>Valery
>
>http://protocol.by/slayer

Re: deployVirtualMachine fails

Posted by Valery Ciareszka <va...@gmail.com>.

Finally I've found the problem
in ./server/src/com/cloud/vm/UserVmManagerImpl.java near
             _accountMgr.checkAccess(newAccount, null, true, templateOwner);


The reason was that template was not public-enabled, therefore user account
could not get access to non-public template.

But I think exception message could be more friendly and senseful :-)



On Mon, Oct 7, 2013 at 7:30 PM, Valery Ciareszka
<va...@gmail.com>wrote:

> Hi all.
>
> I'm trying to deploy virtual machines through api and management throws
> permission issues. This worked in 4.0/4.1, but now I see following:
>
> curl "
> http://localhost:8096/client/?command=deployVirtualMachine&serviceofferingid=2b45be75-0ec8-4683-91a0-d95414da310d&zoneid=4a5bc8e5-bab9-4f92-9249-d57ef8a0f9f8&templateid=94013c8f-b615-467f-8df2-635ac4c5efb5&networkids=5928684b-f9fc-4c2f-a74b-d6af622250f3&account=vdc3880&domainid=2744e9b6-8633-4e8d-bb4d-860fe5e7e744
> "
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <deployvirtualmachineresponse
> cloud-stack-version="4.2.0"><errorcode>531</errorcode>
> <cserrorcode>4365</cserrorcode>
> <errortext>Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not
> have permission to operate with resource
> Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext>
> </deployvirtualmachineresponse>
>
> Same thing upon assignVirtualMachine api call:
>
>  curl "
> http://localhost:8096/client/?command=assignVirtualMachine&virtualmachineid=dbee3d10-0c8d-4d74-bcbd-21fb041fbfce&account=vdc3880&domainid=2744e9b6-8633-4e8d-bb4d-860fe5e7e744
> "
> <?xml version="1.0" encoding="UTF-8"?><moveuservmresponse
> cloud-stack-version="4.2.0"><errorcode>530</errorcode><cserrorcode>9999</cserrorcode><errortext>Failed
> to move vm Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not have
> permission to operate with resource
> Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext></moveuservmresponse>
>
> environment used: CS 4.2.0, centos 6.4, KVM
>
> P.S. It seems error message is being generated
> at ./server/src/com/cloud/acl/DomainChecker.java:
> 145                     if (caller.getId() != entity.getAccountId()) {
> 146                         throw new PermissionDeniedException(caller +
> "entry3 does not have permission to operate with resource " +
> entity);
> 147                     }
>
> But I can not understand why callerid goes from vdc3880 account -  I'm
> calling API as admin (tested both through cloudmonkey and directly on 8096
> port) ?
>
> Any thoughts ?
>
> --
> Regards,
> Valery
>
> http://protocol.by/slayer
>



-- 
Regards,
Valery

http://protocol.by/slayer