cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Min Chen (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-6644) Unable to attach Volume to a VM as a System User
Date Wed, 28 May 2014 21:05:02 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Min Chen resolved CLOUDSTACK-6644.
----------------------------------

    Resolution: Not a Problem

> Unable to attach Volume to a VM as a System User
> ------------------------------------------------
>
>                 Key: CLOUDSTACK-6644
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6644
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>            Reporter: Chandan Purushothama
>            Assignee: Min Chen
>            Priority: Blocker
>             Fix For: 4.4.0
>
>
> As System User, tried to attach a Volume belonging to an account to a VM belonging to
the same account. Failed with the following error.
> "Acct[4f0e5b12-d6d8-11e3-952f-06098c000757-system] does not have permission to perform
this operation on these resources"
> mysql> select account_id, uuid from vm_instance where uuid like '%56a4%';
> +------------+--------------------------------------+
> | account_id | uuid                                 |
> +------------+--------------------------------------+
> |          3 | 56a488ce-9baf-4d99-8e25-002d565f6731 |
> +------------+--------------------------------------+
> 1 row in set (0.00 sec)
> mysql> select account_id, uuid from volumes where uuid like '%00585b50%';
> +------------+--------------------------------------+
> | account_id | uuid                                 |
> +------------+--------------------------------------+
> |          3 | 00585b50-8c65-4e5b-95ee-853489e5499c |
> +------------+--------------------------------------+
> 1 row in set (0.00 sec)
> 2014-05-12 13:40:48,618 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-2:ctx-c551e67e
ctx-2b2b4ddd ctx-4beab6a0) submit async job-190, details: AsyncJobVO {id:190, userId: 1, accountId:
1, instanceType: Volume, instanceId: 11, cmd: org.apache.cloudstack.api.command.admin.volume.AttachVolumeCmdByAdmin,
cmdInfo: {"virtualmachineid":"56a488ce-9baf-4d99-8e25-002d565f6731","cmdEventType":"VOLUME.ATTACH","ctxUserId":"1","httpmethod":"GET","deviceid":"1","apikey":"dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ","id":"00585b50-8c65-4e5b-95ee-853489e5499c","response":"json","ctxDetails":"{\"com.cloud.storage.Volume\":11,\"Volume\":\"00585b50-8c65-4e5b-95ee-853489e5499c\",\"com.cloud.vm.VirtualMachine\":8}","ctxAccountId":"1","uuid":"00585b50-8c65-4e5b-95ee-853489e5499c","ctxStartEventId":"448","signature":"euszCT397/kGpCM1fN+GQhTJCe8\u003d"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid:
6638073284439, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-05-12 13:40:48,619 DEBUG [c.c.a.ApiServlet] (catalina-exec-2:ctx-c551e67e ctx-2b2b4ddd
ctx-4beab6a0) ===END===  127.0.0.1 -- GET  apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&command=attachVolume&deviceid=1&id=00585b50-8c65-4e5b-95ee-853489e5499c&response=json&virtualmachineid=56a488ce-9baf-4d99-8e25-002d565f6731&apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&signature=euszCT397%2FkGpCM1fN%2BGQhTJCe8%3D
> 2014-05-12 13:40:48,621 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-9e956cd7) ===START===
 127.0.0.1 -- GET  apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&command=queryAsyncJobResult&jobId=2ef19e77-29af-416f-bc16-f27df1b58e7f&response=json&apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&signature=O1vnDPmstm6Xa2lEazduvETJkXk%3D
> 2014-05-12 13:40:48,627 INFO  [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-45:job-190)
Add job-190 into job monitoring
> 2014-05-12 13:40:48,627 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-45:job-190)
Executing AsyncJobVO {id:190, userId: 1, accountId: 1, instanceType: Volume, instanceId: 11,
cmd: org.apache.cloudstack.api.command.admin.volume.AttachVolumeCmdByAdmin, cmdInfo: {"virtualmachineid":"56a488ce-9baf-4d99-8e25-002d565f6731","cmdEventType":"VOLUME.ATTACH","ctxUserId":"1","httpmethod":"GET","deviceid":"1","apikey":"dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ","id":"00585b50-8c65-4e5b-95ee-853489e5499c","response":"json","ctxDetails":"{\"com.cloud.storage.Volume\":11,\"Volume\":\"00585b50-8c65-4e5b-95ee-853489e5499c\",\"com.cloud.vm.VirtualMachine\":8}","ctxAccountId":"1","uuid":"00585b50-8c65-4e5b-95ee-853489e5499c","ctxStartEventId":"448","signature":"euszCT397/kGpCM1fN+GQhTJCe8\u003d"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid:
6638073284439, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-05-12 13:40:48,642 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-3:ctx-9e956cd7
ctx-6c73263d ctx-4e50fbeb) IAM access check for 1-null-null-DomainCapability from cache
> 2014-05-12 13:40:48,645 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-null-null-SystemCapability from cache
> 2014-05-12 13:40:48,650 DEBUG [c.c.u.AccountManagerImpl] (API-Job-Executor-45:job-190
ctx-b61119c8) Root Access granted to Acct[4f0e5b12-d6d8-11e3-952f-06098c000757-system] by
AffinityGroupAccessChecker
> 2014-05-12 13:40:48,653 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-9e956cd7 ctx-6c73263d
ctx-4e50fbeb) ===END===  127.0.0.1 -- GET  apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&command=queryAsyncJobResult&jobId=2ef19e77-29af-416f-bc16-f27df1b58e7f&response=json&apikey=dXvODaGH1UvF0WKs63T_wCXsVEs5nFTJaNhBJCGF3sCYwgbuvUaelZf6V8tWjTsyB53LSIT9Wf4UUUQKSz8UXQ&signature=O1vnDPmstm6Xa2lEazduvETJkXk%3D
> 2014-05-12 13:40:48,653 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-null-null-DomainCapability from cache
> 2014-05-12 13:40:48,659 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-null-null-DomainResourceCapability from cache
> 2014-05-12 13:40:48,660 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-VirtualMachine-OperateEntry-attachVolume from cache
> 2014-05-12 13:40:48,660 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-Volume-OperateEntry-attachVolume from cache
> 2014-05-12 13:40:48,660 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-Volume-OperateEntry-attachVolume from cache
> 2014-05-12 13:40:48,660 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (API-Job-Executor-45:job-190
ctx-b61119c8) IAM access check for 1-VirtualMachine-OperateEntry-attachVolume from cache
> 2014-05-12 13:40:48,660 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-45:job-190)
Unexpected exception while executing org.apache.cloudstack.api.command.admin.volume.AttachVolumeCmdByAdmin
> com.cloud.exception.PermissionDeniedException: Acct[4f0e5b12-d6d8-11e3-952f-06098c000757-system]
does not have permission to perform this operation on these resources
>         at org.apache.cloudstack.iam.RoleBasedEntityAccessChecker.checkAccess(RoleBasedEntityAccessChecker.java:221)
>         at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:539)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>         at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>         at com.sun.proxy.$Proxy100.checkAccess(Unknown Source)
>         at com.cloud.api.dispatch.ParamProcessWorker.doAccessChecks(ParamProcessWorker.java:269)
>         at com.cloud.api.dispatch.ParamProcessWorker.processParameters(ParamProcessWorker.java:220)
>         at com.cloud.api.dispatch.ParamProcessWorker.handle(ParamProcessWorker.java:93)
>         at com.cloud.api.dispatch.DispatchChain.dispatch(DispatchChain.java:37)
>         at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:79)
>         at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108)
>         at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:496)
>         at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
>         at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46)
>         at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:453)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:744)
> 2014-05-12 13:40:48,668 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-45:job-190)
Complete async job-190, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":530,"errortext":"Acct[4f0e5b12-d6d8-11e3-952f-06098c000757-system]
does not have permission to perform this operation on these resources"}
> 2014-05-12 13:40:48,701 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-45:job-190)
Done executing org.apache.cloudstack.api.command.admin.volume.AttachVolumeCmdByAdmin for job-190



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message