[ https://issues.apache.org/jira/browse/CLOUDSTACK-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14005502#comment-14005502 ]
Sangeetha Hariharan commented on CLOUDSTACK-6745: ------------------------------------------------- This issue is also seen when Domain admin tries to deploy a VM for a regular user in his domain in a shared network with scope "Domain"/"Account". > DomainAdmin is not able to deploy Vm for users in his domain/subdomain. > ----------------------------------------------------------------------- > > Key: CLOUDSTACK-6745 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Management Server > Affects Versions: 4.4.0 > Environment: Build from 4.4 > Reporter: Sangeetha Hariharan > Priority: Critical > Fix For: 4.4.0 > > > DomainAdmin is not able to deploy Vm for users in his domain/subdomain. > Steps to reproduce the problem: > Create a domain d1. > Create a regular user - d1a > Deploy a VM as user d1a > Create a domain admin user - d1 > As d1 , try to deploy a VM for user - d1a in the isolated network he owns by > passing asccount and domainId of d1a. > API fails with the following exception: > "Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, > permission denied" > 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 > sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET > command=deployVirtualMachine&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a-11e3-ac31-4adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24&displayname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a > 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, > permission denied > Management server logs: > 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] > (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET > command=deployVirtualMachi > ne&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a-11e3-ac31-4 > adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24&dis > playname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a > 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as > the caller is > not authorized to pass it in > 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter > deploymentplanner as the ca > ller is not authorized to pass it in > 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to > Acct[5afd4de2-2a81-4c40-b7e > 7-b5cb139551c1-test-dom1] granted to > Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker > 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to > Acct[5afd4de2-2a81-4c40-b7e > 7-b5cb139551c1-test-dom1] granted to > Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker > 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use > network with i > d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] > 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] > (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET > command=deployV > irtualMachine&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a- > 11e3-ac31-4adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce2 > 2c9ac24&displayname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)