I have been traveling and just got a chance to return to this issue. Again, I want to allow the Root Admin account to add nics from different networks to any virtual machine. 'Create network permissions' from the API to try to add the ROOT Admin account to a network's permissions fails because it says that the ROOT Admin is not a member of the domain. That account is a member of the ROOT domain and all other domains are listed hierarchically beneath ROOT (EG ROOT/dev, ROOT/prod, ... etc) fwiw. I don't want to further complicate my automation by creating and keeping track of an individual Domain Admin account for each of my domains. I have found a workaround I can live with by just creating the requisite row in the network_permissions table in the db for the ROOT Admin account for each network.

Is there a pressing reason why the ROOT Admin should have rights to do pretty much everything else but not add nics to vms on different networks? Does the roadmap call for a further curtailing of ROOT Admin permissions? If not, would giving ROOT admin implicit network permissions be a feature that could be requested?

Thanks,

Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501

Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com

On 9/1/22 02:23, Abhishek Kumar wrote:
Hi Matthew,

In your case does the user to which VM belongs have the access to the network 
you are trying to add to the VM?
I tried it in a test env and it works fine when the user has access to the 
network (eg, the user owns the network). But it would fail when the user 
doesn't have the access to the network.

Below is an example. First I tried to add a user owned network using domain 
admin. It worked. Then I tried adding a domain-admin owned network to the VM. 
It failed. But the same operation worked when I added proper network permissions.

(sblab) 🐌 > list networks id=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
   "count": 1,
   "network": [
     {
       "account": "ACSUser",
       "acltype": "Account",
       "broadcastdomaintype": "Vlan",
       "canusefordeploy": true,
       "cidr": "10.1.1.0/24",
       "created": "2022-09-01T06:55:10+0000",
       "displaytext": "user-iso1",
       "dns1": "10.0.32.1",
       "dns2": "8.8.8.8",
       "domain": "ROOT",
       "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
       "egressdefaultpolicy": false,
       "gateway": "10.1.1.1",
       "hasannotations": false,
       "id": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
       "ispersistent": false,
       "issystem": false,
       "name": "user-iso1",
       "netmask": "255.255.255.0",
       "networkdomain": "cs4cloud.internal",
       "networkofferingavailability": "Required",
       "networkofferingconservemode": true,
       ...
}
(sblab) 🐘 > list networks id=54b35a12-0947-4897-ab3b-10059c3e1398
{
   "count": 1,
   "network": [
     {
       "account": "ACSUser",
       "acltype": "Account",
       "broadcastdomaintype": "Vlan",
       "canusefordeploy": true,
       "created": "2022-09-01T06:55:37+0000",
       "displaytext": "user-l2",
       "dns1": "10.0.32.1",
       "dns2": "8.8.8.8",
       "domain": "ROOT",
       "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
       "hasannotations": false,
       "id": "54b35a12-0947-4897-ab3b-10059c3e1398",
       "ispersistent": false,
       "issystem": false,
       "name": "user-l2",
       "networkofferingavailability": "Optional",
       "networkofferingconservemode": true,
       "networkofferingdisplaytext": "Offering for L2 networks",
       "networkofferingid": "c872ab72-5849-4bb5-8cd9-0fa346c895ab",
       "networkofferingname": "DefaultL2NetworkOffering",
       "physicalnetworkid": "e7721ec6-797d-4c45-a790-65cb0a333501",
       "receivedbytes": 0,
       "redundantrouter": false,
       "related": "54b35a12-0947-4897-ab3b-10059c3e1398",
       "restartrequired": false,
       "sentbytes": 0,
       "service": [],
       "specifyipranges": false,
       "state": "Implemented",
       "strechedl2subnet": false,
       "tags": [],
       "traffictype": "Guest",
       "type": "L2",
       "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
       "zonename": "ref-trl-3557-v-M7-abhishek-kumar"
     }
   ]
}

(sblab) 🐷 > deploy virtualmachine zoneid=fce252b8-5075-4077-80c0-4f027fea354d 
serviceofferingid=3ed0124f-7064-4680-82da-80204d3a3ddb 
templateid=feb21788-29be-4fb0-8618-ec0f50921838 
networkids=4caccd89-9479-4c57-bef2-b8bdd3a99229
{
   "virtualmachine": {
     "account": "ACSUser",
     "affinitygroup": [],
     "cpunumber": 1,
     "cpuspeed": 500,
     "created": "2022-09-01T07:12:40+0000",
     "details": {
       "dataDiskController": "osdefault",
       "rootDiskController": "osdefault"
     },
     "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "domain": "ROOT",
     "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
     "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
     "haenable": false,
     "hasannotations": false,
     "hypervisor": "VMware",
     "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "isdynamicallyscalable": false,
     "jobid": "448d9d04-bc0b-4576-94a9-5ece301b52e5",
     "jobstatus": 0,
     "lastupdated": "2022-09-01T07:12:49+0000",
     "memory": 512,
     "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "nic": [
       {
         "broadcasturi": "vlan://2227",
         "deviceid": "0",
         "extradhcpoption": [],
         "gateway": "10.1.1.1",
         "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
         "ipaddress": "10.1.1.227",
         "isdefault": true,
         "isolationuri": "vlan://2227",
         "macaddress": "02:00:18:83:00:04",
         "netmask": "255.255.255.0",
         "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
         "networkname": "user-iso1",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "Isolated"
       }
     ],
     ...
     "userid": "96793627-9833-4012-9247-fc8761330e96",
     "username": "user",
     "zoneid": "fce252b8-5075-4077-80c0-4f027fea354d",
     "zonename": "ref-trl-3557-v-M7-abhishek-kumar"
   }
}
(sblab) 🍀 > set username domadmin
(sblab) 🐒 > sync
Discovered 328 APIs
(sblab) 🐹 > add nictovirtualmachine 
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 
networkid=54b35a12-0947-4897-ab3b-10059c3e1398
{
   "virtualmachine": {
     "account": "ACSUser",
     "affinitygroup": [],
     "created": "2022-09-01T07:12:40+0000",
     "details": {
       "dataDiskController": "osdefault",
       "rootDiskController": "osdefault"
     },
     "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "domain": "ROOT",
     "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
     "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
     "haenable": false,
     "hasannotations": false,
     "hypervisor": "VMware",
     "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "isdynamicallyscalable": false,
     "jobid": "3a286118-843a-4a92-b0cc-8bdc4ecd334f",
     "jobstatus": 0,
     "lastupdated": "2022-09-01T07:12:49+0000",
     "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "nic": [
       {
         "broadcasturi": "vlan://2240",
         "deviceid": "1",
         "extradhcpoption": [],
         "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
         "isdefault": false,
         "isolationuri": "vlan://2240",
         "macaddress": "02:00:7e:eb:00:02",
         "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
         "networkname": "user-l2",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "L2"
       },
       {
         "broadcasturi": "vlan://2227",
         "deviceid": "0",
         "extradhcpoption": [],
         "gateway": "10.1.1.1",
         "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
         "ipaddress": "10.1.1.227",
         "isdefault": true,
         "isolationuri": "vlan://2227",
         "macaddress": "02:00:18:83:00:04",
         "netmask": "255.255.255.0",
         "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
         "networkname": "user-iso1",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "Isolated"
       }
     ],
    ...
   }
}
(sblab) 🦇 > add nictovirtualmachine 
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 
networkid=79bda62e-5b08-434c-846c-8db806482da9
{
   "accountid": "e879dc18-4adb-42d8-bcc6-8bda00ba93f6",
   "cmd": "org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd",
   "completed": "2022-09-01T07:13:50+0000",
   "created": "2022-09-01T07:13:50+0000",
   "jobid": "03a994d6-f001-46c8-9c37-22ae9ccede2a",
   "jobinstanceid": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
   "jobinstancetype": "VirtualMachine",
   "jobprocstatus": 0,
   "jobresult": {
     "errorcode": 530,
     "errortext": "Unable to use network with id= 
79bda62e-5b08-434c-846c-8db806482da9, permission denied"
   },
   "jobresultcode": 530,
   "jobresulttype": "object",
   "jobstatus": 2,
   "userid": "4628e888-55b0-4230-b0be-679fe2374e7a"
}
🙈 Error: async API failed for job 03a994d6-f001-46c8-9c37-22ae9ccede2a
(sblab) 🐀 > create networkpermissions 
networkid=79bda62e-5b08-434c-846c-8db806482da9 
accountids=9e5e5c6d-74d4-4df6-a4ad-0e575d3a2298
{
   "success": true
}
(sblab) 🐟 > add nictovirtualmachine 
virtualmachineid=b7ec5047-9d02-42b2-91d0-bfd3e4f1e410 
networkid=79bda62e-5b08-434c-846c-8db806482da9
{
   "virtualmachine": {
     "account": "ACSUser",
     "affinitygroup": [],
     "created": "2022-09-01T07:12:40+0000",
     "details": {
       "dataDiskController": "osdefault",
       "rootDiskController": "osdefault"
     },
     "displayname": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "domain": "ROOT",
     "domainid": "65609c23-2826-11ed-bf3a-1e00750002ea",
     "guestosid": "6582ae97-2826-11ed-bf3a-1e00750002ea",
     "haenable": false,
     "hasannotations": false,
     "hypervisor": "VMware",
     "id": "b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "isdynamicallyscalable": false,
     "jobid": "bcf0f01b-b55d-42d3-9535-056315e5608c",
     "jobstatus": 0,
     "lastupdated": "2022-09-01T07:12:49+0000",
     "name": "VM-b7ec5047-9d02-42b2-91d0-bfd3e4f1e410",
     "nic": [
       {
         "broadcasturi": "vlan://2240",
         "deviceid": "1",
         "extradhcpoption": [],
         "id": "9d79cb1e-2c6e-4c2f-9e08-1a1e1870c23c",
         "isdefault": false,
         "isolationuri": "vlan://2240",
         "macaddress": "02:00:7e:eb:00:02",
         "networkid": "54b35a12-0947-4897-ab3b-10059c3e1398",
         "networkname": "user-l2",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "L2"
       },
       {
         "broadcasturi": "vlan://2231",
         "deviceid": "2",
         "extradhcpoption": [],
         "id": "c8635505-33f4-44ac-ab42-d3dc698c4da2",
         "isdefault": false,
         "isolationuri": "vlan://2231",
         "macaddress": "02:00:15:b4:00:01",
         "networkid": "79bda62e-5b08-434c-846c-8db806482da9",
         "networkname": "dom-l2",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "L2"
       },
       {
         "broadcasturi": "vlan://2227",
         "deviceid": "0",
         "extradhcpoption": [],
         "gateway": "10.1.1.1",
         "id": "b1811c73-ec60-4c50-91c3-0b562c496284",
         "ipaddress": "10.1.1.227",
         "isdefault": true,
         "isolationuri": "vlan://2227",
         "macaddress": "02:00:18:83:00:04",
         "netmask": "255.255.255.0",
         "networkid": "4caccd89-9479-4c57-bef2-b8bdd3a99229",
         "networkname": "user-iso1",
         "secondaryip": [],
         "traffictype": "Guest",
         "type": "Isolated"
       }
     ],
     ...
   }
}

Regards,
Abhishek
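The behaviour Abhishek traces above (the NIC add is refused unless the account that owns the VM either owns the target network or has been granted an explicit network permission, and `createNetworkPermissions` makes the second case true) can be modelled in a few lines. The following is an added example, not CloudStack's own code: it is a simplified, in-memory model of that rule, with constructed account and network names standing in for the UUIDs in the trace, so the denied/granted/allowed sequence can be replayed offline before touching a real management server.

```python
"""Simplified model of the network-permission rule seen in the thread.

Added example, not CloudStack code. Assumption (from the thread): addNicToVirtualMachine
checks the VM's *owning* account, not the caller, and that account must either own the
network or appear in its network permissions. createNetworkPermissions adds such an entry.
"""
from dataclasses import dataclass, field


@dataclass
class Network:
    id: str
    name: str
    owner: str          # owning account name


@dataclass
class VirtualMachine:
    id: str
    owner: str          # owning account name (the "account" field in the API response)
    nics: list = field(default_factory=list)


class PermissionDenied(Exception):
    """Stands in for com.cloud.exception.PermissionDeniedException (errorcode 530)."""


class Cloud:
    def __init__(self):
        self.networks: dict[str, Network] = {}
        self.vms: dict[str, VirtualMachine] = {}
        # explicit grants, keyed like a network_permissions row: (network_id, account)
        self.network_permissions: set[tuple[str, str]] = set()

    def create_network_permissions(self, network_id: str, account: str) -> dict:
        """Model of createNetworkPermissions networkid=... accountids=..."""
        if network_id not in self.networks:
            raise KeyError(network_id)
        self.network_permissions.add((network_id, account))
        return {"success": True}

    def has_network_access(self, account: str, network: Network) -> bool:
        """Ownership or an explicit permission row grants access; nothing else does."""
        return network.owner == account or (network.id, account) in self.network_permissions

    def add_nic_to_virtualmachine(self, vm_id: str, network_id: str) -> VirtualMachine:
        """Model of addNicToVirtualMachine: the check is on the VM owner, not the caller."""
        vm = self.vms[vm_id]
        net = self.networks[network_id]
        if not self.has_network_access(vm.owner, net):
            raise PermissionDenied(f"Unable to use network with id= {network_id}, permission denied")
        vm.nics.append({"deviceid": str(len(vm.nics)), "networkid": net.id, "networkname": net.name})
        return vm


def replay_thread_scenario() -> dict:
    """Replay the three addNic calls from the thread with constructed names/ids."""
    cloud = Cloud()
    # constructed sample data: a user-owned isolated network, a user-owned L2 network
    # and a domain-admin-owned L2 network, plus a VM owned by the user account
    cloud.networks["net-user-iso1"] = Network("net-user-iso1", "user-iso1", "ACSUser")
    cloud.networks["net-user-l2"] = Network("net-user-l2", "user-l2", "ACSUser")
    cloud.networks["net-dom-l2"] = Network("net-dom-l2", "dom-l2", "domadmin")
    cloud.vms["vm-1"] = VirtualMachine("vm-1", "ACSUser")
    cloud.add_nic_to_virtualmachine("vm-1", "net-user-iso1")   # default NIC at deploy

    results = {}
    # 1) user-owned network: allowed, the VM owner owns it
    cloud.add_nic_to_virtualmachine("vm-1", "net-user-l2")
    results["user_l2"] = "ok"
    # 2) domain-admin-owned network: denied, owner ACSUser has no access
    try:
        cloud.add_nic_to_virtualmachine("vm-1", "net-dom-l2")
        results["dom_l2_first"] = "ok"
    except PermissionDenied as exc:
        results["dom_l2_first"] = str(exc)
    # 3) grant the VM owner a permission on that network, then retry: allowed
    results["grant"] = cloud.create_network_permissions("net-dom-l2", "ACSUser")
    cloud.add_nic_to_virtualmachine("vm-1", "net-dom-l2")
    results["dom_l2_second"] = "ok"
    results["nic_count"] = len(cloud.vms["vm-1"].nics)
    return results


if __name__ == "__main__":
    for step, outcome in replay_thread_scenario().items():
        print(f"{step}: {outcome}")
```

The useful thing to take from the model is where the check is applied: the caller's role (root admin, domain admin) never enters `has_network_access`, only the VM's owning account does, which is why granting the caller more rights does not help and a permission entry for the VM owner does.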
________________________________
From: Matthew Smart <msm...@smartsoftwareinc.com>
Sent: 01 September 2022 05:02
To: users@cloudstack.apache.org <users@cloudstack.apache.org>
Subject: Permission Denied when trying to add nictovirtualmachine as Domain Admin

All,
I am having an issue trying to add a nic to an existing virtual machine.
This seems very similar to issue 6590
https://github.com/apache/cloudstack/issues/6590 . The error is the same
if I try it from the UI or cloudmonkey:
Error 530, Unable to use network with id=
53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied

It doesn't matter which network or which VM I use. I do not have any
projects defined. Any ideas?

Api log:
2022-08-31 18:28:00,903 INFO  [a.c.c.a.ApiServlet]
(qtp1750498848-285:ctx-e1ff1e99 ctx-7d49ea3e ctx-ac87c2e4)
(logid:a0a5f800) (userId=2 accountId=2 sessionId=null) 0:0:0:0:0:0:0:1
-- GET
signatureversion=3&apiKey=eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A&expires=2022-08-31T23%3A38%3A00%2B0000&jobid=85620fa4-c3ee-4b55-a220-2b2efbfc8240&command=queryAsyncJobResult&signature=DVfJ3fAUm9fTkGpJnZIPqqVTiuM%3D&response=json
200
{"queryasyncjobresultresponse":{"accountid":"4881765b-737e-11e6-af31-a4badb303ab0","userid":"488183c2-737e-11e6-af31-a4badb303ab0","cmd":"org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin","jobstatus":2,"jobprocstatus":0,"jobresultcode":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"Unable
to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
denied"},"jobinstancetype":"VirtualMachine","jobinstanceid":"a13626c9-209f-4d63-b1ae-624e77863d68","created":"2022-08-31T18:27:58-0500","completed":"2022-08-31T18:27:58-0500","jobid":"85620fa4-c3ee-4b55-a220-2b2efbfc8240"}}

Management log:
2022-08-31 18:27:58,876 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Executing
AsyncJobVO: {id:25273, userId: 2, accountId: 2, instanceType:
VirtualMachine, instanceId: 22, cmd:
org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin,
cmdInfo:
{"expires":"2022-08-31T23:37:58+0000","apiKey":"eHyz1TC3ZcmUd2mHc60UZU_KMO17QTXrG5a84vn0tYwbVvr7AtKLil8O0egC2UUBVPh1nD_QbQG_4zCV-Jeg_A","signature":"G5byvIP9InHK1s301Dir4KAUYnM\u003d","httpmethod":"GET","ctxAccountId":"2","cmdEventType":"NIC.CREATE","signatureversion":"3","virtualmachineid":"a13626c9-209f-4d63-b1ae-624e77863d68","response":"json","ctxUserId":"2","networkid":"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2","ctxStartEventId":"314819","ctxDetails":"{\"interface
com.cloud.vm.VirtualMachine\":\"a13626c9-209f-4d63-b1ae-624e77863d68\",\"interface
com.cloud.network.Network\":\"53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2\"}"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0,
result: null, initMsid: 181122448243502, completeMsid: null,
lastUpdated: null, lastPolled: null, created: null, removed: null}
2022-08-31 18:27:58,899 ERROR [c.c.a.ApiAsyncJobDispatcher]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Unexpected
exception while executing
org.apache.cloudstack.api.command.admin.vm.AddNicToVMCmdByAdmin
com.cloud.exception.PermissionDeniedException: Unable to use network
with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission denied
      at
com.cloud.network.NetworkModelImpl.checkNetworkPermissions(NetworkModelImpl.java:1681)
      at
com.cloud.vm.UserVmManagerImpl.addNicToVirtualMachine(UserVmManagerImpl.java:1323)
      at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
      at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
      at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
      at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
      at
org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:107)
      at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
      at
com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:52)
      at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
      at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
      at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
      at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
      at com.sun.proxy.$Proxy128.addNicToVirtualMachine(Unknown Source)
      at
org.apache.cloudstack.api.command.user.vm.AddNicToVMCmd.execute(AddNicToVMCmd.java:173)
      at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:163)
      at
com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106)
      at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:620)
      at
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48)
      at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
      at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
      at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
      at
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45)
      at
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:568)
      at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
      at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-31 18:27:58,902 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-2:ctx-90af3c61 job-25273) (logid:85620fa4) Complete
async job-25273, jobStatus: FAILED, resultCode: 530, result:
org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"Unable
to use network with id= 53e901ca-d9ac-40b6-bfe2-8bc7b581c8f2, permission
denied"}


--
Matthew Smart
President
Smart Software Solutions Inc.
108 S Pierre St.
Pierre, SD 57501

Phone: (605) 280-0383
Skype: msmart13
Email: msm...@smartsoftwareinc.com
