Date: Thu, 1 Oct 2015 09:52:26 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-8922) Unable to delete IP tag

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14939597#comment-14939597 ]

ASF GitHub Bot commented on CLOUDSTACK-8922:
--------------------------------------------

GitHub user yvsubhash opened a pull request:

https://github.com/apache/cloudstack/pull/905

BUG-ID: CLOUDSTACK-8922: Unable to delete IP tag

Root Cause:
Due to a wrong search string, we are fetching a resource which does not belong to the current account and domain.
This results in a permission exception.

Solution:
Code changes have been made to fix the incorrect search string.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/yvsubhash/cloudstack CLOUDSTACK-8922

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/905.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #905

----
commit c0b98d3578092c71e33e869e57f7ea5d40baee7d
Author: Subhash Yedugundla
Date: 2015-06-10T06:15:57Z

BUG-ID: CLOUDSTACK-8922: Unable to delete IP tag

----

> Unable to delete IP tag
> -----------------------
>
> Key: CLOUDSTACK-8922
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8922
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.5.2
> Reporter: subhash yedugundla
>
> 1. Acquire new IP address
> 2. Create tags for the IP
> 3. Delete the tag from Step#2
>
> An error occurs at Step#3 whereby the delete tag operation fails with "Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission to operate within domain id\u003d632"
>
> TROUBLESHOOTING
> ==================
> Acquire new IP address
> *********************
> {noformat}
> 2014-11-19 15:08:15,870 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-20:ctx-faed32b5 ctx-712308cb ctx-401bfcaf) submit async job-72419, details: AsyncJobVO {id:72419, userId: 17, accountId: 15, instanceType: IpAddress, instanceId: 672, cmd: org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd, cmdInfo: {"id":"672","response":"json","cmdEventType":"NET.IPASSIGN","ctxUserId":"17","zoneid":"a117e75f-d02e-4074-806d-889c61261394","httpmethod":"GET","ctxAccountId":"15","networkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","ctxStartEventId":"166725","signature":"3NZRU6dIBxg1HMDiP/MkY2agRn4\u003d","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:08:15,870 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-68:ctx-fca9add6 job-72419) Executing AsyncJobVO {id:72419, userId: 17, accountId: 15, instanceType: IpAddress, instanceId: 672, cmd: org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd, cmdInfo: {"id":"672","response":"json","cmdEventType":"NET.IPASSIGN","ctxUserId":"17","zoneid":"a117e75f-d02e-4074-806d-889c61261394","httpmethod":"GET","ctxAccountId":"15","networkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","ctxStartEventId":"166725","signature":"3NZRU6dIBxg1HMDiP/MkY2agRn4\u003d","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:08:15,890 DEBUG [c.c.u.AccountManagerImpl] (API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Access to Ntwk[216|Guest|8] granted to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
> 2014-11-19 15:08:15,911 DEBUG [c.c.n.IpAddressManagerImpl] (API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Successfully associated ip address 210.140.170.160 to network Ntwk[216|Guest|8]
> 2014-11-19 15:08:15,922 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Complete async job-72419, jobStatus: SUCCEEDED, resultCode: 0, result: org.apache.cloudstack.api.response.IPAddressResponse/ipaddress/{"id":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","ipaddress":"210.140.170.160","allocated":"2014-11-19T15:08:15+0900","zoneid":"a117e75f-d02e-4074-806d-889c61261394","zonename":"tesla","issourcenat":false,"account":"71000000017","domainid":"cc27e32c-6acd-4fdf-a1e5-734cef8a7fe0","domain":"71000000017","forvirtualnetwork":true,"isstaticnat":false,"issystem":false,"associatednetworkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","associatednetworkname":"network1","networkid":"79132c74-fe77-4bd5-9915-ce7c577fb95f","state":"Allocating","physicalnetworkid":"4a00ce42-6a30-4494-afdd-3531d883237b","tags":[],"isportable":false}
> 2014-11-19 15:08:15,932 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-68:ctx-fca9add6 job-72419) Remove job-72419 from job monitoring
> +-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | id    | job_cmd                                                           | job_status | job_init_msid | job_complete_msid | created             | last_updated        |
> +-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | 72419 | org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd |          1 |  345048681027 |      345048681027 | 2014-11-19 06:08:15 | 2014-11-19 06:08:15 |
> +-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> 1 row in set (0.00 sec)
> {noformat}
> Create Tag
> ***********
> {noformat}
> 2014-11-19 15:08:16,376 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-1:ctx-dee6efde ctx-ae7d665b ctx-34f0c207) submit async job-72421, details: AsyncJobVO {id:72421, userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.tag.CreateTagsCmd, cmdInfo: {"response":"json","cmdEventType":"CREATE_TAGS","ctxUserId":"17","tags[0].value":"hyamashita001-test13","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166734","signature":"Wdx759HnH7eeh1YbfZbqyiPHqOI\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:08:16,376 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-66:ctx-60c43fb5 job-72421) Executing AsyncJobVO {id:72421, userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.tag.CreateTagsCmd, cmdInfo: {"response":"json","cmdEventType":"CREATE_TAGS","ctxUserId":"17","tags[0].value":"hyamashita001-test13","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166734","signature":"Wdx759HnH7eeh1YbfZbqyiPHqOI\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:08:16,394 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-66:ctx-60c43fb5 job-72421 ctx-269323f2) Complete async job-72421, jobStatus: SUCCEEDED, resultCode: 0, result: org.apache.cloudstack.api.response.SuccessResponse/null/{"success":true}
> 2014-11-19 15:08:16,404 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-66:ctx-60c43fb5 job-72421) Remove job-72421 from job monitoring
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | id    | job_cmd                                                  | job_status | job_init_msid | job_complete_msid | created             | last_updated        |
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | 72421 | org.apache.cloudstack.api.command.user.tag.CreateTagsCmd |          1 |  345048681027 |      345048681027 | 2014-11-19 06:08:16 | 2014-11-19 06:08:16 |
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> {noformat}
> As we can see, both the Acquire IP address process and the Create TAG process complete successfully.
> Delete Tag
> ***********
> {noformat}
> 2014-11-19 15:15:06,496 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-18:ctx-f9096d31 ctx-c18e0cef ctx-a73fb445) submit async job-72484, details: AsyncJobVO {id:72484, userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd, cmdInfo: {"response":"json","cmdEventType":"DELETE_TAGS","ctxUserId":"17","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166921","signature":"7aUyelqNUGlgp+4PVdfCzJ0P7xY\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:15:06,496 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484) Executing AsyncJobVO {id:72484, userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd, cmdInfo: {"response":"json","cmdEventType":"DELETE_TAGS","ctxUserId":"17","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166921","signature":"7aUyelqNUGlgp+4PVdfCzJ0P7xY\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 345048681027, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-11-19 15:15:06,502 DEBUG [c.c.u.AccountManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484 ctx-d9207bf9) Access to Acct[6b3b9128-2ef1-4866-8a60-33b284c749de-71000000726] granted to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
> 2014-11-19 15:15:06,506 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-8:ctx-74989794 ctx-5decfcea ctx-111e7f31) Access to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] granted to Acct[13ebed98-547c-4036-a4fd-f8c2e4e5dc5c-71000000017] by DomainChecker
> 2014-11-19 15:15:06,510 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-104:ctx-a96a8572 job-72484) Unexpected exception while executing org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
> com.cloud.exception.PermissionDeniedException: Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission to operate within domain id=632
>     at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:77)
>     at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:451)
>     at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>     at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>     at com.sun.proxy.$Proxy83.checkAccess(Unknown Source)
>     at com.cloud.tags.TaggedResourceManagerImpl.deleteTags(TaggedResourceManagerImpl.java:375)
>     at sun.reflect.GeneratedMethodAccessor546.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>     at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:50)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
>     at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
>     at com.sun.proxy.$Proxy315.deleteTags(Unknown Source)
>     at org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd.execute(DeleteTagsCmd.java:103)
>     at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:161)
>     at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:97)
>     at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:507)
>     at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:50)
>     at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
>     at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
>     at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
>     at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:47)
>     at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:464)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> 2014-11-19 15:15:06,511 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484) Complete async job-72484, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":530,"errortext":"Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission to operate within domain id\u003d632"}
> 2014-11-19 15:15:06,521 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-104:ctx-a96a8572 job-72484) Remove job-72484 from job monitoring
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | id    | job_cmd                                                  | job_status | job_init_msid | job_complete_msid | created             | last_updated        |
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> | 72484 | org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd |          2 |  345048681027 |      345048681027 | 2014-11-19 06:15:06 | 2014-11-19 06:15:06 |
> | 72489 | org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd |          2 |  345048681027 |      345048681027 | 2014-11-19 06:15:45 | 2014-11-19 06:15:45 |
> +-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
> 2 rows in set (0.00 sec)
> {noformat}
> Account ID 15 has below credentials
> {noformat}
> +----+--------------+--------------------------------------+------+-----------+---------+
> | id | account_name | uuid                                 | type | domain_id | state   |
> +----+--------------+--------------------------------------+------+-----------+---------+
> | 15 | 71000000017  | f4d0c381-e0b7-4aed-aa90-3336d42f7540 |    2 |        11 | enabled |
> +----+--------------+--------------------------------------+------+-----------+---------+
> 1 row in set (0.00 sec)
> {noformat}
> Below is the DB record for domain id=632
> {noformat}
> +-----+-------------+--------------------------------------+--------+----------------+
> | id  | name        | uuid                                 | state  | network_domain |
> +-----+-------------+--------------------------------------+--------+----------------+
> | 632 | 71000000726 | 0536af94-fce7-46d2-b98a-9e3fd0f304ae | Active | NULL           |
> +-----+-------------+--------------------------------------+--------+----------------+
> {noformat}
> Even though the logs say that access to domain id=632 has been granted to account id=15 below;
> {noformat}
> 2014-11-19 15:15:06,502 DEBUG [c.c.u.AccountManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484 ctx-d9207bf9) Access to Acct[6b3b9128-2ef1-4866-8a60-33b284c749de-71000000726] granted to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
> {noformat}
> The operation fails with no permission.
> {noformat}
> com.cloud.exception.PermissionDeniedException: Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission to operate within domain id=632
> {noformat}
>
> EXPECTED BEHAVIOR
> ==================
> User should be able to delete the tags
>
> ACTUAL BEHAVIOR
> ==================
> User is unable to delete tags

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
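
A log-triage sketch for the pattern in the report above, added here as an example and not part of the original message or of CloudStack's code: it groups management-server log lines by job id and reports jobs where DomainChecker evaluated access to an account other than the caller and the job then ended in PermissionDeniedException, as job-72484 does. The function name and the abridged sample log are assumptions; the line format is taken from the lines quoted in the report.

```python
import re
from collections import defaultdict

# Abridged from the DeleteTagsCmd excerpt quoted in the report above:
# cmdInfo payloads and stack frames are dropped, the rest is as logged.
SAMPLE_LOG = """\
2014-11-19 15:15:06,496 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484) Executing AsyncJobVO {id:72484, userId: 17, accountId: 15, cmd: org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd}
2014-11-19 15:15:06,502 DEBUG [c.c.u.AccountManagerImpl] (API-Job-Executor-104:ctx-a96a8572 job-72484 ctx-d9207bf9) Access to Acct[6b3b9128-2ef1-4866-8a60-33b284c749de-71000000726] granted to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
2014-11-19 15:15:06,506 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-8:ctx-74989794 ctx-5decfcea ctx-111e7f31) Access to Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] granted to Acct[13ebed98-547c-4036-a4fd-f8c2e4e5dc5c-71000000017] by DomainChecker
2014-11-19 15:15:06,510 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-104:ctx-a96a8572 job-72484) Unexpected exception while executing org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
com.cloud.exception.PermissionDeniedException: Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission to operate within domain id=632
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
JOB = re.compile(r"\bjob-(\d+)\b")
GRANT = re.compile(
    r"Access to Acct\[([^\]]+)\] granted to Acct\[([^\]]+)\] by DomainChecker")
DENY = re.compile(
    r"PermissionDeniedException: Acct\[([^\]]+)\] does not have "
    r"permission to operate within domain id=(\d+)")


def cross_account_denials(log_text):
    """Return jobs denied after DomainChecker evaluated a foreign account."""
    grants = defaultdict(list)   # job id -> [(target account, caller account)]
    findings = []
    current_job = None
    for line in log_text.splitlines():
        if TS.match(line):       # new record; stack-trace lines inherit the job
            m = JOB.search(line)
            current_job = m.group(1) if m else None
        if current_job is None:  # e.g. request threads that carry no job id
            continue
        g = GRANT.search(line)
        if g:
            grants[current_job].append(g.groups())
        d = DENY.search(line)
        if d:
            caller, domain = d.groups()
            foreign = [t for t, c in grants[current_job]
                       if c == caller and t != caller]
            if foreign:
                findings.append({"job": current_job, "caller": caller,
                                 "denied_domain": domain,
                                 "foreign_accounts": foreign})
    return findings


if __name__ == "__main__":
    for finding in cross_account_denials(SAMPLE_LOG):
        print(finding)
```

A job that shows up here touched another account's object before being denied, which points at the resource lookup rather than at the caller's permissions.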