subhash yedugundla created CLOUDSTACK-8922:
----------------------------------------------
Summary: Unable to delete IP tag
Key: CLOUDSTACK-8922
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8922
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.5.2
Reporter: subhash yedugundla
1. Acquire new IP address
2. Create tags for the IP
3. Delete the tag from Step#2
an error occurs at Step#3 whereby the delete tag operation fails with
"Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have
permission to operate within domain id\u003d632"
TROUBLESHOOTING
==================
Acquire new IP address
*********************
{noformat}
2014-11-19 15:08:15,870 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-20:ctx-faed32b5 ctx-712308cb ctx-401bfcaf) submit async
job-72419, details: AsyncJobVO {id:72419, userId: 17, accountId: 15,
instanceType: IpAddress, instanceId: 672, cmd:
org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd, cmdInfo:
{"id":"672","response":"json","cmdEventType":"NET.IPASSIGN","ctxUserId":"17","zoneid":"a117e75f-d02e-4074-806d-889c61261394","httpmethod":"GET","ctxAccountId":"15","networkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","ctxStartEventId":"166725","signature":"3NZRU6dIBxg1HMDiP/MkY2agRn4\u003d","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:08:15,870 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-68:ctx-fca9add6 job-72419) Executing AsyncJobVO {id:72419,
userId: 17, accountId: 15, instanceType: IpAddress, instanceId: 672, cmd:
org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd, cmdInfo:
{"id":"672","response":"json","cmdEventType":"NET.IPASSIGN","ctxUserId":"17","zoneid":"a117e75f-d02e-4074-806d-889c61261394","httpmethod":"GET","ctxAccountId":"15","networkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","ctxStartEventId":"166725","signature":"3NZRU6dIBxg1HMDiP/MkY2agRn4\u003d","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:08:15,890 DEBUG [c.c.u.AccountManagerImpl]
(API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Access to
Ntwk[216|Guest|8] granted to
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
2014-11-19 15:08:15,911 DEBUG [c.c.n.IpAddressManagerImpl]
(API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Successfully
associated ip address 210.140.170.160 to network Ntwk[216|Guest|8]
2014-11-19 15:08:15,922 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-68:ctx-fca9add6 job-72419 ctx-96bbdee5) Complete async
job-72419, jobStatus: SUCCEEDED, resultCode: 0, result:
org.apache.cloudstack.api.response.IPAddressResponse/ipaddress/{"id":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","ipaddress":"210.140.170.160","allocated":"2014-11-19T15:08:15+0900","zoneid":"a117e75f-d02e-4074-806d-889c61261394","zonename":"tesla","issourcenat":false,"account":"71000000017","domainid":"cc27e32c-6acd-4fdf-a1e5-734cef8a7fe0","domain":"71000000017","forvirtualnetwork":true,"isstaticnat":false,"issystem":false,"associatednetworkid":"0ca7c69e-c281-407b-a152-2559c10a81a6","associatednetworkname":"network1","networkid":"79132c74-fe77-4bd5-9915-ce7c577fb95f","state":"Allocating","physicalnetworkid":"4a00ce42-6a30-4494-afdd-3531d883237b","tags":[],"isportable":false}
2014-11-19 15:08:15,932 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(API-Job-Executor-68:ctx-fca9add6 job-72419) Remove job-72419 from job
monitoring
+-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| id | job_cmd |
job_status | job_init_msid | job_complete_msid | created |
last_updated |
+-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| 72419 | org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd |
1 | 345048681027 | 345048681027 | 2014-11-19 06:08:15 | 2014-11-19
06:08:15 |
+-------+-------------------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
1 row in set (0.00 sec)
{noformat}
Create Tag
***********
{noformat}
2014-11-19 15:08:16,376 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-1:ctx-dee6efde ctx-ae7d665b ctx-34f0c207) submit async
job-72421, details: AsyncJobVO {id:72421, userId: 17, accountId: 15,
instanceType: None, instanceId: null, cmd:
org.apache.cloudstack.api.command.user.tag.CreateTagsCmd, cmdInfo:
{"response":"json","cmdEventType":"CREATE_TAGS","ctxUserId":"17","tags[0].value":"hyamashita001-test13","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166734","signature":"Wdx759HnH7eeh1YbfZbqyiPHqOI\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:08:16,376 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-66:ctx-60c43fb5 job-72421) Executing AsyncJobVO {id:72421,
userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd:
org.apache.cloudstack.api.command.user.tag.CreateTagsCmd, cmdInfo:
{"response":"json","cmdEventType":"CREATE_TAGS","ctxUserId":"17","tags[0].value":"hyamashita001-test13","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166734","signature":"Wdx759HnH7eeh1YbfZbqyiPHqOI\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:08:16,394 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-66:ctx-60c43fb5 job-72421 ctx-269323f2) Complete async
job-72421, jobStatus: SUCCEEDED, resultCode: 0, result:
org.apache.cloudstack.api.response.SuccessResponse/null/{"success":true}
2014-11-19 15:08:16,404 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(API-Job-Executor-66:ctx-60c43fb5 job-72421) Remove job-72421 from job
monitoring
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| id | job_cmd | job_status
| job_init_msid | job_complete_msid | created | last_updated
|
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| 72421 | org.apache.cloudstack.api.command.user.tag.CreateTagsCmd | 1
| 345048681027 | 345048681027 | 2014-11-19 06:08:16 | 2014-11-19 06:08:16
|
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
{noformat}
As we can see both the Acquire IP address process and Create TAG process
completes successfully.
Delete Tag
***********
{noformat}
2014-11-19 15:15:06,496 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-18:ctx-f9096d31 ctx-c18e0cef ctx-a73fb445) submit async
job-72484, details: AsyncJobVO {id:72484, userId: 17, accountId: 15,
instanceType: None, instanceId: null, cmd:
org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd, cmdInfo:
{"response":"json","cmdEventType":"DELETE_TAGS","ctxUserId":"17","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166921","signature":"7aUyelqNUGlgp+4PVdfCzJ0P7xY\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:15:06,496 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-104:ctx-a96a8572 job-72484) Executing AsyncJobVO {id:72484,
userId: 17, accountId: 15, instanceType: None, instanceId: null, cmd:
org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd, cmdInfo:
{"response":"json","cmdEventType":"DELETE_TAGS","ctxUserId":"17","tags[0].key":"cloud-description","httpmethod":"GET","resourcetype":"PublicIPAddress","ctxAccountId":"15","ctxStartEventId":"166921","signature":"7aUyelqNUGlgp+4PVdfCzJ0P7xY\u003d","resourceids":"3d7c3a2a-1f2d-46dc-9905-4a7ce620e7e9","apikey":"tuwHXs1AfpQheJeJ9BcLdoVxIBCItASnguAbus76AMUcIXuyFgHOJiIB44fO57p_bBaqyfppmxrC-rQSb-nxXg"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 345048681027, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-11-19 15:15:06,502 DEBUG [c.c.u.AccountManagerImpl]
(API-Job-Executor-104:ctx-a96a8572 job-72484 ctx-d9207bf9) Access to
Acct[6b3b9128-2ef1-4866-8a60-33b284c749de-71000000726] granted to
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
2014-11-19 15:15:06,506 DEBUG [c.c.u.AccountManagerImpl]
(catalina-exec-8:ctx-74989794 ctx-5decfcea ctx-111e7f31) Access to
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] granted to
Acct[13ebed98-547c-4036-a4fd-f8c2e4e5dc5c-71000000017] by DomainChecker
2014-11-19 15:15:06,510 ERROR [c.c.a.ApiAsyncJobDispatcher]
(API-Job-Executor-104:ctx-a96a8572 job-72484) Unexpected exception while
executing org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
com.cloud.exception.PermissionDeniedException:
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission
to operate within domain id=632
at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:77)
at
com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:451)
at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy83.checkAccess(Unknown Source)
at
com.cloud.tags.TaggedResourceManagerImpl.deleteTags(TaggedResourceManagerImpl.java:375)
at sun.reflect.GeneratedMethodAccessor546.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at
com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:50)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy315.deleteTags(Unknown Source)
at
org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd.execute(DeleteTagsCmd.java:103)
at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:161)
at
com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:97)
at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:507)
at
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:50)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
at
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:47)
at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:464)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
2014-11-19 15:15:06,511 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-104:ctx-a96a8572 job-72484) Complete async job-72484,
jobStatus: FAILED, resultCode: 530, result:
org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":530,"errortext":"Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017]
does not have permission to operate within domain id\u003d632"}
2014-11-19 15:15:06,521 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(API-Job-Executor-104:ctx-a96a8572 job-72484) Remove job-72484 from job
monitoring
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| id | job_cmd | job_status
| job_init_msid | job_complete_msid | created | last_updated
|
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
| 72484 | org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd | 2
| 345048681027 | 345048681027 | 2014-11-19 06:15:06 | 2014-11-19 06:15:06
|
| 72489 | org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd | 2
| 345048681027 | 345048681027 | 2014-11-19 06:15:45 | 2014-11-19 06:15:45
|
+-------+----------------------------------------------------------+------------+---------------+-------------------+---------------------+---------------------+
2 rows in set (0.00 sec)
{noformat}
Account ID 15 has below credentials
{noformat}
+----+--------------+--------------------------------------+------+-----------+---------+
| id | account_name | uuid | type | domain_id |
state |
+----+--------------+--------------------------------------+------+-----------+---------+
| 15 | 71000000017 | f4d0c381-e0b7-4aed-aa90-3336d42f7540 | 2 | 11 |
enabled |
+----+--------------+--------------------------------------+------+-----------+---------+
1 row in set (0.00 sec)
{noformat}
Below is the DB record for domain id=632
{noformat}
+-----+-------------+--------------------------------------+--------+----------------+
| id | name | uuid | state |
network_domain |
+-----+-------------+--------------------------------------+--------+----------------+
| 632 | 71000000726 | 0536af94-fce7-46d2-b98a-9e3fd0f304ae | Active | NULL
|
+-----+-------------+--------------------------------------+--------+----------------+
{noformat}
Even though the logs say that access to domain id=632 has been granted to
account id=15 below;
{noformat}
2014-11-19 15:15:06,502 DEBUG [c.c.u.AccountManagerImpl]
(API-Job-Executor-104:ctx-a96a8572 job-72484 ctx-d9207bf9) Access to
Acct[6b3b9128-2ef1-4866-8a60-33b284c749de-71000000726] granted to
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] by DomainChecker
{noformat}
The operation fails with no permission.
{noformat}
com.cloud.exception.PermissionDeniedException:
Acct[f4d0c381-e0b7-4aed-aa90-3336d42f7540-71000000017] does not have permission
to operate within domain id=632
{noformat}
EXPECTED BEHAVIOR
==================
User should be able to delete the tags
ACTUAL BEHAVIOR
==================
User is unable to delete tags
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
