Nitin, I've filed it: https://issues.apache.org/jira/browse/CLOUDSTACK-4838
On Tue, Oct 8, 2013 at 8:32 PM, Nitin Mehta <nitin.me...@citrix.com> wrote: > Valery - Can you please file a bug for a better message. > You are calling as a system user (port 8096) but for the account vdc3880 > and so the system checks whether this account can access this template, > network etc. > > On 08/10/13 10:20 AM, "Valery Ciareszka" <valery.teres...@gmail.com> > wrote: > > >Finally I've found the problem > >in ./server/src/com/cloud/vm/UserVmManagerImpl.java near > > _accountMgr.checkAccess(newAccount, null, true, > >templateOwner); > > > > > >The reason was that template was not public-enabled, therefore user > >account > >could not get access to non-public template. > > > >But I think exception message could be more friendly and senseful :-) > > > > > > > >On Mon, Oct 7, 2013 at 7:30 PM, Valery Ciareszka > ><valery.teres...@gmail.com>wrote: > > > >> Hi all. > >> > >> I'm trying to deploy virtual machines through api and management throws > >> permission issues. This worked in 4.0/4.1, but now I see following: > >> > >> curl " > >> > >> > http://localhost:8096/client/?command=deployVirtualMachine&serviceofferin > >>gid=2b45be75-0ec8-4683-91a0-d95414da310d&zoneid=4a5bc8e5-bab9-4f92-9249-d > >>57ef8a0f9f8&templateid=94013c8f-b615-467f-8df2-635ac4c5efb5&networkids=59 > >>28684b-f9fc-4c2f-a74b-d6af622250f3&account=vdc3880&domainid=2744e9b6-8633 > >>-4e8d-bb4d-860fe5e7e744 > >> " > >> > >> > >> <?xml version="1.0" encoding="UTF-8"?> > >> <deployvirtualmachineresponse > >> cloud-stack-version="4.2.0"><errorcode>531</errorcode> > >> <cserrorcode>4365</cserrorcode> > >> <errortext>Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not > >> have permission to operate with resource > >> Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext> > >> </deployvirtualmachineresponse> > >> > >> Same thing upon assignVirtualMachine api call: > >> > >> curl " > >> > >> > http://localhost:8096/client/?command=assignVirtualMachine&virtualmachine > >>id=dbee3d10-0c8d-4d74-bcbd-21fb041fbfce&account=vdc3880&domainid=2744e9b6 > >>-8633-4e8d-bb4d-860fe5e7e744 > >> " > >> <?xml version="1.0" encoding="UTF-8"?><moveuservmresponse > >> > >>cloud-stack-version="4.2.0"><errorcode>530</errorcode><cserrorcode>9999</ > >>cserrorcode><errortext>Failed > >> to move vm Acct[ebcf2919-a842-4986-a8ed-a3806dfbd8f2-vdc3880] does not > >>have > >> permission to operate with resource > >> > >>Acct[9d9ef909-2469-11e3-9901-90e2ba51b336-admin]</errortext></moveuservmr > >>esponse> > >> > >> environment used: CS 4.2.0, centos 6.4, KVM > >> > >> P.S. It seems error message is being generated > >> at ./server/src/com/cloud/acl/DomainChecker.java: > >> 145 if (caller.getId() != entity.getAccountId()) { > >> 146 throw new PermissionDeniedException(caller + > >> "entry3 does not have permission to operate with resource " + > >> entity); > >> 147 } > >> > >> But I can not understand why callerid goes from vdc3880 account - I'm > >> calling API as admin (tested both through cloudmonkey and directly on > >>8096 > >> port) ? > >> > >> Any thoughts ? > >> > >> -- > >> Regards, > >> Valery > >> > >> http://protocol.by/slayer > >> > > > > > > > >-- > >Regards, > >Valery > > > >http://protocol.by/slayer > > -- Regards, Valery http://protocol.by/slayer