This code is generic to all APIs - not just for deleteAffinity API.

Alena, do you know why AccountManager denies access to the system user?

-----Original Message-----
From: Alex Huang 
Sent: Thursday, July 18, 2013 4:39 PM
To: Prachi Damle; dev@cloudstack.apache.org
Subject: RE: deleteAffinityGroup API

Prachi,

Unrelated to the bug, I also want to ask why we check for the system account in 
this case. In CloudStack, the System context should have the same privileges as an 
admin. Why in this specific case do we check for the system account and deny access?

--Alex

> -----Original Message-----
> From: Prachi Damle
> Sent: Thursday, July 18, 2013 11:55 AM
> To: dev@cloudstack.apache.org
> Cc: Alex Huang
> Subject: RE: deleteAffinityGroup API
> 
> Hi Alex,
> 
> The error thrown while deleting an affinity group by id is: "Account and 
> domainId are needed for resource creation"
> 
> 
> Many of our APIs call AccountManager to figure out the owner of the 
> resources the API is working on, like this:
> 
>         Account caller = CallContext.current().getCallingAccount(); // earlier it was using UserContext and was replaced by CallContext
>         Account owner = _accountMgr.finalizeOwner(caller, account, domainId, null);
> 
> And AccountManager: finalizeOwner has this check at start:
> 
>         if (caller.getId() == Account.ACCOUNT_ID_SYSTEM && ((accountName == null || domainId == null) && projectId == null)) {
>             throw new InvalidParameterValueException("Account and domainId are needed for resource creation");
>         }
> 
> 
> Now the CallContext.current().getCallingAccount(); is returning the 
> System user causing the subsequent failure. Why would it return system 
> user, if the caller is admin user?
> 
> Thanks,
> Prachi
> 
> -----Original Message-----
> From: Prasanna Santhanam [mailto:t...@apache.org]
> Sent: Thursday, July 18, 2013 6:09 AM
> To: dev@cloudstack.apache.org
> Subject: Re: deleteAffinityGroup API
> 
> On Thu, Jul 18, 2013 at 02:17:46PM +0530, Prasanna Santhanam wrote:
> > On Thu, Jul 18, 2013 at 07:14:42AM +0000, Prachi Damle wrote:
> > > Account and domainId are not required parameters of this API. It 
> > > works fine with just an id too.
> > >
> > > Account and domain will be used if delete is called providing a 
> > > name of the group instead of id, say by an admin for a regular 
> > > user's group.
> > >
> >
> > Thanks Prachi - I think it is related to the recent changes in 
> > CallContext that is making the user system for the API call 
> > preventing it from deleting the aff.group with just an id. Filed a bug for 
> > it.
> 
> Ok - Alex mentioned the bug is 'Not a Problem'. So it's only the 
> background CS workers which use the CallContext. But the affinity 
> group is still failing to delete using the id.
> 
> --
> Prasanna.,
> 
