Prachi,
Unrelated to the bug, I also want to ask why do we check for system account in
this case. In CloudStack System context should have the same privileges as an
admin. Why in this specific case we check for system account and deny access?
--Alex
> -----Original Message-----
> From: Prachi Damle
> Sent: Thursday, July 18, 2013 11:55 AM
> To: dev@cloudstack.apache.org
> Cc: Alex Huang
> Subject: RE: deleteAffinityGroup API
>
> Hi Alex,
>
> The error thrown while deleting affinitygroup by Id is: " Account and
> domainId are needed for resource creation "
>
>
> Many of our APIs call AccntManager to figure out owner of the resources the
> API is working on like this:
>
> Account caller = CallContext.current().getCallingAccount(); //earlier
> it
> was using UserContext and was replaced by CallContext
> Account owner = _accountMgr.finalizeOwner(caller, account, domainId,
> null);
>
> And AccountManager: finalizeOwner has this check at start:
>
> if (caller.getId() == Account.ACCOUNT_ID_SYSTEM && ((accountName
> == null || domainId == null) && projectId == null)) {
> throw new InvalidParameterValueException("Account and domainId
> are needed for resource creation");
> }
>
>
> Now the CallContext.current().getCallingAccount(); is returning the System
> user causing the subsequent failure. Why would it return system user, if the
> caller is admin user?
>
> Thanks,
> Prachi
>
> -----Original Message-----
> From: Prasanna Santhanam [mailto:t...@apache.org]
> Sent: Thursday, July 18, 2013 6:09 AM
> To: dev@cloudstack.apache.org
> Subject: Re: deleteAffinityGroup API
>
> On Thu, Jul 18, 2013 at 02:17:46PM +0530, Prasanna Santhanam wrote:
> > On Thu, Jul 18, 2013 at 07:14:42AM +0000, Prachi Damle wrote:
> > > Account and domainId are not required parameters of this API. It
> > > works fine with just an id too.
> > >
> > > Account and domain will be used if delete is called providing a name
> > > of the group instead of id, say by an admin for a regular user's
> > > group.
> > >
> >
> > Thanks Prachi - I think it is related to the recent changes in
> > CallContext that is making the user system for the API call preventing
> > it from deleteing the aff.group with just an id. Filed a bug for it.
>
> Ok - Alex mentioned the bug is 'Not a Problem'. So it's only the background
> CS workers which use the CallContext. But the affinity group is still failing
> to
> delete using the id.
>
> --
> Prasanna.,
>
> ------------------------
> Powered by BigRock.com
