Hi Matthew,
In your case, does the user who owns the VM have access to the network
you are trying to add to the VM?
I tried it in a test env and it works fine when the user has access to the
network (e.g., the user owns the network). But it fails when the user
doesn't have access to the network.
Below is an example. First I tried to add a user-owned network as domain
admin. It worked. Then I tried adding a domain-admin-owned network to the VM.
It failed. But the same operation worked once I added the proper network
permissions (the create networkpermissions call below).
(sblab) 🐌 > list networks id=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
"count": 1,
"network": [
{
"account": "ACSUser",
"acltype": "Account",
"broadcastdomaintype": "Vlan",
"canusefordeploy": true,
"cidr": "10.1.1.0/24",
"created": "2022-09-01T06:55:10+0000",
"displaytext": "user-iso1",
"dns1": "10.0.32.1",
"dns2": "8.8.8.8",
"domain": "ROOT",
"domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
"egressdefaultpolicy": false,
"gateway": "10.1.1.1",
"hasannotations": false,
"id": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
"ispersistent": false,
"issystem": false,
"name": "user-iso1",
"netmask": "255.255.255.0",
"networkdomain": "cs4cloud.internal",
"networkofferingavailability": "Required",
"networkofferingconservemode": true,
...
}
(sblab) 🐘 > list networks id=54b35a12-0947-4897-ab3b-10059c3e1398
{
"count": 1,
"network": [
{
"account": "ACSUser",
"acltype": "Account",
"broadcastdomaintype": "Vlan",
"canusefordeploy": true,
"created": "2022-09-01T06:55:37+0000",
"displaytext": "user-l2",
"dns1": "10.0.32.1",
"dns2": "8.8.8.8",
"domain": "ROOT",
"domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
"hasannotations": false,
"id": "54b35a12-0947-4897-ab3b-10059c3e1398",
"ispersistent": false,
"issystem": false,
"name": "user-l2",
"networkofferingavailability": "Optional",
"networkofferingconservemode": true,
"networkofferingdisplaytext": "Offering for L2 networks",
"networkofferingid": "c872ab72-5849-4bb5-8cd9-0fa346c895ab",
"networkofferingname": "DefaultL2NetworkOffering",
"physicalnetworkid": "e7721ec6-797d-4c45-a790-65cb0a333501",
"receivedbytes": 0,
"redundantrouter": false,
"related": "54b35a12-0947-4897-ab3b-10059c3e1398",
"restartrequired": false,
"sentbytes": 0,
"service": [],
"specifyipranges": false,
"state": "Implemented",
"strechedl2subnet": false,
"tags": [],
"traffictype": "Guest",
"type": "L2",
"zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
"zonename": "ref-trl-3557-v-M7-abhishek-kumar"
}
]
}
(sblab) 🐷 > deploy virtualmachine zoneid=fce252b8-5075-4077-80c0-4f027fea354d
serviceofferingid=3ed0124f-7064-4680-82da-80204d3a3ddb
templateid=feb21788-29be-4fb0-8618-ec0f50921838
networkids=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
"virtualmachine": {
"account": "ACSUser",
"affinitygroup": [],
"cpunumber": 1,
"cpuspeed": 500,
"created": "2022-09-01T07:12:40+0000",
"details": {
"dataDiskController": "osdefault",
"rootDiskController": "osdefault"
},
"displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"domain": "ROOT",
"domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
"guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
"haenable": false,
"hasannotations": false,
"hypervisor": "VMware",
"id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"isdynamicallyscalable": false,
"jobid": "448d9d04-bc0b-4576-94a9-5ece301b52e5",
"jobstatus": 0,
"lastupdated": "2022-09-01T07:12:49+0000",
"memory": 512,
"name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"nic": [
{
"broadcasturi": "vlan://2227",
"deviceid": "0",
"extradhcpoption": [],
"gateway": "10.1.1.1",
"id": "b1811c73-ec60-4c50-91c3-0b562c496284",
"ipaddress": "10.1.1.227",
"isdefault": true,
"isolationuri": "vlan://2227",
"macaddress": "02:00:18:83:00:04",
"netmask": "255.255.255.0",
"networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
"networkname": "user-iso1",
"secondaryip": [],
"traffictype": "Guest",
"type": "Isolated"
}
],
...
"userid": "96793627-9833-4012-9247-fc8761330e96",
"username": "user",
"zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
"zonename": "ref-trl-3557-v-M7-abhishek-kumar"
}
}
(sblab) 🍀 > set username domadmin
(sblab) 🐒 > sync
Discovered 328 APIs
(sblab) 🐹 > add nictovirtualmachine
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410
networkid=54b35a12-0947-4897-ab3b-10059c3e1398
{
"virtualmachine": {
"account": "ACSUser",
"affinitygroup": [],
"created": "2022-09-01T07:12:40+0000",
"details": {
"dataDiskController": "osdefault",
"rootDiskController": "osdefault"
},
"displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"domain": "ROOT",
"domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
"guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
"haenable": false,
"hasannotations": false,
"hypervisor": "VMware",
"id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"isdynamicallyscalable": false,
"jobid": "3a286118-843a-4a92-b0cc-8bdc4ecd334f",
"jobstatus": 0,
"lastupdated": "2022-09-01T07:12:49+0000",
"name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"nic": [
{
"broadcasturi": "vlan://2240",
"deviceid": "1",
"extradhcpoption": [],
"id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
"isdefault": false,
"isolationuri": "vlan://2240",
"macaddress": "02:00:7e:eb:00:02",
"networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
"networkname": "user-l2",
"secondaryip": [],
"traffictype": "Guest",
"type": "L2"
},
{
"broadcasturi": "vlan://2227",
"deviceid": "0",
"extradhcpoption": [],
"gateway": "10.1.1.1",
"id": "b1811c73-ec60-4c50-91c3-0b562c496284",
"ipaddress": "10.1.1.227",
"isdefault": true,
"isolationuri": "vlan://2227",
"macaddress": "02:00:18:83:00:04",
"netmask": "255.255.255.0",
"networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
"networkname": "user-iso1",
"secondaryip": [],
"traffictype": "Guest",
"type": "Isolated"
}
],
...
}
}
(sblab) 🦇 > add nictovirtualmachine
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410
networkid=79bda62e-5b08-434c-846c-8db806482da9
{
"accountid": "e879dc18-4adb-42d8-bcc6-8bda00ba93f6",
"cmd": "org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd",
"completed": "2022-09-01T07:13:50+0000",
"created": "2022-09-01T07:13:50+0000",
"jobid": "03a994d6-f001-46c8-9c37-22ae9ccede2a",
"jobinstanceid": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"jobinstancetype": "VirtualMachine",
"jobprocstatus": 0,
"jobresult": {
"errorcode": 530,
"errortext": "Unable to use network with id=
79bda62e-5b08-434c-846c-8db806482da9, permission denied"
},
"jobresultcode": 530,
"jobresulttype": "object",
"jobstatus": 2,
"userid": "4628e888-55b0-4230-b0be-679fe2374e7a"
}
🙈 Error: async API failed for job 03a994d6-f001-46c8-9c37-22ae9ccede2a
(sblab) 🐀 > create networkpermissions
networkid=79bda62e-5b08-434c-846c-8db806482da9
accountids=9e5e5c6d-74d4-4df6-a4ad-0e575d3a2298
{
"success": true
}
(sblab) 🐟 > add nictovirtualmachine
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410
networkid=79bda62e-5b08-434c-846c-8db806482da9
{
"virtualmachine": {
"account": "ACSUser",
"affinitygroup": [],
"created": "2022-09-01T07:12:40+0000",
"details": {
"dataDiskController": "osdefault",
"rootDiskController": "osdefault"
},
"displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"domain": "ROOT",
"domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
"guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
"haenable": false,
"hasannotations": false,
"hypervisor": "VMware",
"id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"isdynamicallyscalable": false,
"jobid": "bcf0f01b-b55d-42d3-9535-056315e5608c",
"jobstatus": 0,
"lastupdated": "2022-09-01T07:12:49+0000",
"name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
"nic": [
{
"broadcasturi": "vlan://2240",
"deviceid": "1",
"extradhcpoption": [],
"id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
"isdefault": false,
"isolationuri": "vlan://2240",
"macaddress": "02:00:7e:eb:00:02",
"networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
"networkname": "user-l2",
"secondaryip": [],
"traffictype": "Guest",
"type": "L2"
},
{
"broadcasturi": "vlan://2231",
"deviceid": "2",
"extradhcpoption": [],
"id": "c8635505-33f4-44ac-ab42-d3dc698c4da2",
"isdefault": false,
"isolationuri": "vlan://2231",
"macaddress": "02:00:15:b4:00:01",
"networkid": "79bda62e-5b08-434c-846c-8db806482da9",
"networkname": "dom-l2",
"secondaryip": [],
"traffictype": "Guest",
"type": "L2"
},
{
"broadcasturi": "vlan://2227",
"deviceid": "0",
"extradhcpoption": [],
"gateway": "10.1.1.1",
"id": "b1811c73-ec60-4c50-91c3-0b562c496284",
"ipaddress": "10.1.1.227",
"isdefault": true,
"isolationuri": "vlan://2227",
"macaddress": "02:00:18:83:00:04",
"netmask": "255.255.255.0",
"networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
"networkname": "user-iso1",
"secondaryip": [],
"traffictype": "Guest",
"type": "Isolated"
}
],
...
}
}
Regards,
Abhishek
________________________________
From: Matthew Smart <msm...@smartsoftwareinc.com>
Sent: 01 September 2022 05:02
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Permission Denied when trying to add nictovirtualmachine as Domain
Admin
All,
I am having an issue trying to add a nic to an existing virtual machine.
This seems very similar to issue 6590
https://github.com/apache/cloudstack/issues/6590 . The error is the same
if I try it from the UI or cloudmonkey:
Error 530, Unable to use network with id=
53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied
It doesn't matter which network or which VM I use. I do not have any
projects defined. Any ideas?
Api log:
2022-08-31 18:28:00,903 INFO [a.c.c.a.ApiServlet]
(qtp1750498848-285:ctx-e1ff1e99 ctx-7d49ea3e ctx-ac87c2e4)
(logid:a0a5f800) (userId=2 accountId=2 sessionId=null) 0:0:0:0:0:0:0:1
-- GET
signatureversion=3&apiKey=eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A&expires=2022-08-31T23%3A38%3A00%2B0000&jobid=85620fa4-c3ee-4b55-a220-2b2efbfc8240&command=queryAsyncJobResult&signature=DVfJ3fAUm9fTkGpJnZIPqqVTiuM%3D&response=json
200
{"queryasyncjobresultresponse":{"accountid":"4881765b-737e-11e6-af31-a4badb303ab0","userid":"488183c2-737e-11e6-af31-a4badb303ab0","cmd":"org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin","jobstatus":2,"jobprocstatus":0,"jobresultcode":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"Unable
to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
denied"},"jobinstancetype":"VirtualMachine","jobinstanceid":"a13626c9-209f-4d63-b1ae-624e77863d68","created":"2022-08-31T18:27:58-0500","completed":"2022-08-31T18:27:58-0500","jobid":"85620fa4-c3ee-4b55-a220-2b2efbfc8240"}}
Management log:
2022-08-31 18:27:58,876 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Executing
AsyncJobVO: {id:25273, userId: 2, accountId: 2, instanceType:
VirtualMachine, instanceId: 22, cmd:
org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin,
cmdInfo:
{"expires":"2022-08-31T23:37:58+0000","apiKey":"eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A","signature":"G5byvIP9InHK1s301Dir4KAUYnM\u003d","httpmethod":"GET","ctxAccountId":"2","cmdEventType":"NIC.CREATE","signatureversion":"3","virtualmachineid":"a13626c9-209f-4d63-b1ae-624e77863d68","response":"json","ctxUserId":"2","networkid":"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2","ctxStartEventId":"314819","ctxDetails":"{\"interface
com.cloud.vm.VirtualMachine\":\"a13626c9-209f-4d63-b1ae-624e77863d68\",\"interface
com.cloud.network.Network\":\"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2\"}"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0,
result: null, initMsid: 181122448243502, completeMsid: null,
lastUpdated: null, lastPolled: null, created: null, removed: null}
2022-08-31 18:27:58,899 ERROR [c.c.a.ApiAsyncJobDispatcher]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Unexpected
exception while executing
org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin
com.cloud.exception.PermissionDeniedException: Unable to use network
with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied
at
com.cloud.network.NetworkModelImpl.checkNetworkPermissions(NetworkModelImpl.java:1681)
at
com.cloud.vm.UserVmManagerImpl.addNicToVirtualMachine(UserVmManagerImpl.java:1323)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at
org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:107)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
at
com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:52)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
at com.sun.proxy.$Proxy128.addNicToVirtualMachine(Unknown Source)
at
org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd.execute(AddNicToVMCmd.java:173)
at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:163)
at
com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106)
at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:620)
at
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
at
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45)
at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:568)
at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-31 18:27:58,902 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Complete
async job-25273, jobStatus: FAILED, resultCode: 530, result:
org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Unable
to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
denied"}
--
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501
Phone: (605) 280-0383
Skype: msmart13
Email:msm...@smartsoftwareinc.com