[
https://issues.apache.org/jira/browse/CLOUDSTACK-6630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rayees Namathponnan updated CLOUDSTACK-6630:
--------------------------------------------
Description:
Run BVT suite volume.py
test case
1) creating user account with domian ROOT
2) deploying vm with new network
3) obtain new IP, apply firewall rule
4) apply PF rule
Result
PF rule creation failed with below exception
2014-05-10 23:58:48,482 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,493 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-bc32f45f
ctx-1c7a9889 ctx-d99c5930) ===END=== 10.223.240.194 -- GET
signature=gD6OYRiz6Jd%2FZz7M7emIaancCr0%3D&apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&
command=queryAsyncJobResult&response=json&jobid=3b680c4e-8508-4691-9d89-87dfeb400dec
2014-05-10 23:58:48,499 DEBUG [c.c.a.ApiServlet]
(catalina-exec-22:ctx-7e9bd8bb) ===START=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRS
pfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3
a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&p
ublicport=2222&response=json
2014-05-10 23:58:48,532 DEBUG [c.c.a.m.AgentManagerImpl]
(AgentManager-Handler-3:null) SeqA 6-221: Processing Seq 6-221: { Cmd ,
MgmtId: -
1, via: 6, Ver: v1, Flags: 11,
[{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":4,"_loadInfo":"{\n
\"connections\": []\
n}","wait":0}}] }
2014-05-10 23:58:48,536 DEBUG [c.c.a.m.AgentManagerImpl]
(AgentManager-Handler-3:null) SeqA 6-221: Sending Seq 6-221: { Ans: , MgmtId:
290
66118877352, via: 6, Ver: v1, Flags: 100010,
[{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }
2014-05-10 23:58:48,598 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-SystemCapability from cache: true
2014-05-10 23:58:48,599 DEBUG [c.c.u.AccountManagerImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Root Access granted
to A
cct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] by RoleBasedEntityAccessChecker
2014-05-10 23:58:48,601 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,606 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainResourceCapability from cache: false
2014-05-10 23:58:48,627 DEBUG [o.a.c.i.s.IAMServiceImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check
for
2-VirtualMachine8-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Account
Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to
access resource Ip[10.223.122.71-1] for access type: OperateEntry
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.s.IAMServiceImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check
for 2-IpAddress6-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,651 INFO [c.c.a.ApiServer] (catalina-exec-22:ctx-7e9bd8bb
ctx-34961f5e ctx-f2fd7c7d) PermissionDenied: Account
Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to
access resource Ip[10.223.122.71-1] for access type: OperateEntry on objs: []
2014-05-10 23:58:48,654 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb
ctx-34961f5e ctx-f2fd7c7d) ===END=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&publicport=2222&response=json
2014-05-10 23:58:48,809 DEBUG [c.c.a.ApiServlet]
(catalina-exec-16:ctx-75c2ca30) ===START=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&command=listDomains&signature=vw1816eP4qADj2X%2FbYUVXDSnoXA%3D&response=json
was:
Run BVT suite volume.py
test case creating account, deploying vm and configuring SNAT with PF rule,
Result
PF rule creation failed with below exception
2014-05-10 23:58:48,482 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,493 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-bc32f45f
ctx-1c7a9889 ctx-d99c5930) ===END=== 10.223.240.194 -- GET
signature=gD6OYRiz6Jd%2FZz7M7emIaancCr0%3D&apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&
command=queryAsyncJobResult&response=json&jobid=3b680c4e-8508-4691-9d89-87dfeb400dec
2014-05-10 23:58:48,499 DEBUG [c.c.a.ApiServlet]
(catalina-exec-22:ctx-7e9bd8bb) ===START=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRS
pfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3
a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&p
ublicport=2222&response=json
2014-05-10 23:58:48,532 DEBUG [c.c.a.m.AgentManagerImpl]
(AgentManager-Handler-3:null) SeqA 6-221: Processing Seq 6-221: { Cmd ,
MgmtId: -
1, via: 6, Ver: v1, Flags: 11,
[{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":4,"_loadInfo":"{\n
\"connections\": []\
n}","wait":0}}] }
2014-05-10 23:58:48,536 DEBUG [c.c.a.m.AgentManagerImpl]
(AgentManager-Handler-3:null) SeqA 6-221: Sending Seq 6-221: { Ans: , MgmtId:
290
66118877352, via: 6, Ver: v1, Flags: 100010,
[{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }
2014-05-10 23:58:48,598 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-SystemCapability from cache: true
2014-05-10 23:58:48,599 DEBUG [c.c.u.AccountManagerImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Root Access granted
to A
cct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] by RoleBasedEntityAccessChecker
2014-05-10 23:58:48,601 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainCapability from cache: false
2014-05-10 23:58:48,606 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
heck for 2-null-null-DomainResourceCapability from cache: false
2014-05-10 23:58:48,627 DEBUG [o.a.c.i.s.IAMServiceImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check
for
2-VirtualMachine8-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Account
Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to
access resource Ip[10.223.122.71-1] for access type: OperateEntry
2014-05-10 23:58:48,650 DEBUG [o.a.c.i.s.IAMServiceImpl]
(catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access check
for 2-IpAddress6-OperateEntry-createPortForwardingRule in cache
2014-05-10 23:58:48,651 INFO [c.c.a.ApiServer] (catalina-exec-22:ctx-7e9bd8bb
ctx-34961f5e ctx-f2fd7c7d) PermissionDenied: Account
Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to
access resource Ip[10.223.122.71-1] for access type: OperateEntry on objs: []
2014-05-10 23:58:48,654 DEBUG [c.c.a.ApiServlet] (catalina-exec-22:ctx-7e9bd8bb
ctx-34961f5e ctx-f2fd7c7d) ===END=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&publicport=2222&response=json
2014-05-10 23:58:48,809 DEBUG [c.c.a.ApiServlet]
(catalina-exec-16:ctx-75c2ca30) ===START=== 10.223.240.194 -- GET
apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&command=listDomains&signature=vw1816eP4qADj2X%2FbYUVXDSnoXA%3D&response=json
> [Automation] Failed to create PF rule with error "does not have permission to
> access resource"
> ----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6630
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6630
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: IAM
> Affects Versions: 4.4.0
> Reporter: Rayees Namathponnan
> Priority: Blocker
> Fix For: 4.4.0
>
> Attachments: CLOUDSTACK-6630.rar
>
>
> Run BVT suite volume.py
> test case
> 1) creating user account with domian ROOT
> 2) deploying vm with new network
> 3) obtain new IP, apply firewall rule
> 4) apply PF rule
> Result
> PF rule creation failed with below exception
> 2014-05-10 23:58:48,482 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
> (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) IAM access c
> heck for 2-null-null-DomainCapability from cache: false
> 2014-05-10 23:58:48,493 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-23:ctx-bc32f45f ctx-1c7a9889 ctx-d99c5930) ===END===
> 10.223.240.194 -- GET
>
> signature=gD6OYRiz6Jd%2FZz7M7emIaancCr0%3D&apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&
> command=queryAsyncJobResult&response=json&jobid=3b680c4e-8508-4691-9d89-87dfeb400dec
> 2014-05-10 23:58:48,499 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-22:ctx-7e9bd8bb) ===START=== 10.223.240.194 -- GET
> apiKey=leb8qPblUzbfXRS
> pfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3
> a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&p
> ublicport=2222&response=json
> 2014-05-10 23:58:48,532 DEBUG [c.c.a.m.AgentManagerImpl]
> (AgentManager-Handler-3:null) SeqA 6-221: Processing Seq 6-221: { Cmd ,
> MgmtId: -
> 1, via: 6, Ver: v1, Flags: 11,
> [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":4,"_loadInfo":"{\n
> \"connections\": []\
> n}","wait":0}}] }
> 2014-05-10 23:58:48,536 DEBUG [c.c.a.m.AgentManagerImpl]
> (AgentManager-Handler-3:null) SeqA 6-221: Sending Seq 6-221: { Ans: ,
> MgmtId: 290
> 66118877352, via: 6, Ver: v1, Flags: 100010,
> [{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }
> 2014-05-10 23:58:48,598 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-SystemCapability from cache: true
> 2014-05-10 23:58:48,599 DEBUG [c.c.u.AccountManagerImpl]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Root Access granted
> to A
> cct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] by
> RoleBasedEntityAccessChecker
> 2014-05-10 23:58:48,601 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-DomainCapability from cache: false
> 2014-05-10 23:58:48,606 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) IAM access c
> heck for 2-null-null-DomainResourceCapability from cache: false
> 2014-05-10 23:58:48,627 DEBUG [o.a.c.i.s.IAMServiceImpl]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access
> check for
> 2-VirtualMachine8-OperateEntry-createPortForwardingRule in cache
> 2014-05-10 23:58:48,650 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Account
> Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have permission to
> access resource Ip[10.223.122.71-1] for access type: OperateEntry
> 2014-05-10 23:58:48,650 DEBUG [o.a.c.i.s.IAMServiceImpl]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) Put IAM access
> check for 2-IpAddress6-OperateEntry-createPortForwardingRule in cache
> 2014-05-10 23:58:48,651 INFO [c.c.a.ApiServer]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) PermissionDenied:
> Account Acct[9b57332c-d8d1-11e3-a7c8-1a6f7bb0d0a8-admin] does not have
> permission to access resource Ip[10.223.122.71-1] for access type:
> OperateEntry on objs: []
> 2014-05-10 23:58:48,654 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-22:ctx-7e9bd8bb ctx-34961f5e ctx-f2fd7c7d) ===END===
> 10.223.240.194 -- GET
> apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&virtualmachineid=eabab3fc-5229-47fe-b4b5-ae1d47c119fc&ipaddressid=3a2642c3-4c04-47f3-a5a5-a5446673223d&signature=fIvJyw2UfV2Y9mTnxmx7eMick6w%3D&command=createPortForwardingRule&privateport=22&protocol=TCP&publicport=2222&response=json
> 2014-05-10 23:58:48,809 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-16:ctx-75c2ca30) ===START=== 10.223.240.194 -- GET
> apiKey=leb8qPblUzbfXRSpfWRZzvgKTo1pAd3Z9S7gkvok9BGpFEm1DsuPCjMeETvbMkjOEeoNX8wgMtK7K0S7ywd5cA&command=listDomains&signature=vw1816eP4qADj2X%2FbYUVXDSnoXA%3D&response=json
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
