Thanks Wei,

Passing projectid, same result. Not so sure what you mean when you say "add the
domain admin to the project"; we want to make it available for any user on the
platform on demand.

Regards,

Ricardo P

On 27/07/22, 12:51 PM, "Wei ZHOU" <[email protected]> wrote:

    Hi,

    Does the network belong to a project ? If so, please pass projectid or add
    the domain admin to the project.

    -Wei

    On Wednesday, 27 July 2022, Ricardo Pertuz <[email protected]> wrote:

    > Hi,
    >
    > Here the logs (I changed some sensitive info)
    >
    > Apilog
    > *****
    > 2022-07-27 11:34:57,218 INFO  [a.c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) (userId=4 accountId=4
    > sessionId=null) 192.168.xxx.xxx -- GET algorithm=source&apiKey=
    > GoHebItTOdSc4zf5NcwxDxRo&command=createLoadBalancer&
    > description=lb01&instanceport=8080&name=lb01&networkid=
    > 498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&
    > sourceipaddressnetworkid=498611f9-cd93-4030-aa10-
    > e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw 531 Unable to
    > use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission
    > denied
    >
    > Management-server
    > *****************
    > 2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6)
    > (logid:b8e0600b) ===START===  192.168.xx.xx-- GET  algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxR
    > &command=createLoadBalancer&description=lb01&instanceport=
    > 8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-
    > e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=
    > 498611f9-xxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%
    > 2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
    > 2022-07-27 11:34:57,201 DEBUG [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc) (logid:b8e0600b) CIDRs from which account
    > 'Acct[c5aac4a3-xxxx-43a9-8117-eb2fa34fdca5-cocentrodemo1control]' is
    > allowed to perform API calls: 0.0.0.0/0,::/0
    > 2022-07-27 11:34:57,205 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay
    > as the caller is not authorized to pass it in
    > 2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl]
    > (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4)
    > (logid:b8e0600b) Access to Acct[39efe918-df79-45ec-b8f0-
    > 302c6d44dfa9-PrjAcct-624349294c0efe30d9ec0fd6-3] granted to
    > Acct[026a2cc9-xxxx-447a-9bf3-6a749fae743a-demo1control] by DomainChecker
    > 2022-07-27 11:34:57,209 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay
    > as the caller is not authorized to pass it in
    > 2022-07-27 11:34:57,217 INFO  [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) PermissionDenied: Unable to use
    > network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied
    > on objs: []
    > 2022-07-27 11:34:57,218 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6
    > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) ===END===  192.168. ===
    > 192.168.xx.xx -- GET  algorithm=source&apiKey=
    > GoHebItTOdSc4zf5NcwxDxRo5v1FeY&command=createLoadBalancer&
    > description=lb01&instanceport=8080&name=lb01&networkid=
    > 498611f9-xxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&
    > sourceipaddressnetworkid=498611f9-xxxx-4030-aa10-
    > e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
    > 2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl]
    > (AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq
    > 47-30512:  { Cmd , MgmtId: -1, via: 47, Ver: v1, Flags: 11,
    > [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand"
    > :{"_proxyVmId":"7557","_loadInfo":"{
    >   "connections": []
    >
    >
    > On 27/07/22, 10:07 AM, "Wei ZHOU" <[email protected]> wrote:
    >
    >     Hi Ricardo,
    >
    >     Could you share more logs ?
    >
    >     -Wei
    >
    >     On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz <[email protected]
    > >
    >     wrote:
    >
    >     > Hi Wei,
    >     >
    >     > Tried using domainid, account and accountid and all these 3 together,
    >     > still the same error, “Error: (HTTP 531, error code 4365) Unable to
    > use
    >     > network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission
    > denied”
    >     >
    >     > Regards,
    >     >
    >     > Ricardo P
    >     >
    >     > From: Ricardo Pertuz <[email protected]>
    >     > Date: Wednesday, 27 July 2022, 9:46 AM
    >     > To: "[email protected]" <[email protected]>
    >     > Subject: Re: Permission Denied on Domain Controller on Internal
    >     > LoadBalancer
    >     >
    >     > Both, using the UI and API ( Cloudmonkey), I will pass that
    > parameter (not
    >     > in docs btw)
    >     >
    >     > ________________________________
    >     > From: Wei ZHOU <[email protected]>
    >     > Sent: Wednesday, July 27, 2022 9:44:20 AM
    >     > To: users <[email protected]>
    >     > Subject: Re: Permission Denied on Domain Controller on Internal
    >     > LoadBalancer
    >     >
    >     > Hi Ricardo,
    >     >
    >     > If a domain admin creates a load balancer on an isolated network
    > which
    >     > belongs to another account, domainid/account should be passed.
    >     > By the way, did you do it by API or UI ?
    >     >
    >     > -Wei
    >     >
    >     > On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <
    > [email protected]>
    >     > wrote:
    >     >
    >     > > Thanks Wei for replying, the caller has the role Domain Admin, so
    > we
    >     > guess
    >     > > it should be able to execute it
    >     > >
    >     > > On 27/07/22, 9:15 AM, "Wei ZHOU" <[email protected]> wrote:
    >     > >
    >     > >     Hi Ricardo,
    >     > >
    >     > >     Please check if the caller is the owner of the network, or the
    > caller
    >     > > can
    >     > >     access the network if it belongs to a project.
    >     > >
    >     > >     -Wei
    >     > >
    >     > >     On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <
    >     > [email protected]
    >     > > >
    >     > >     wrote:
    >     > >
    >     > >     > Hi all,
    >     > >     >
    >     > >     > We use a domain controller  user in ACS  to deploy the
    >     > > infrastructure,
    >     > >     > however when we try to CreateLoadBalancer we are receiving a
    > “531
    >     > > Unable to
    >     > >     > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a,
    >     > permission
    >     > > denied”
    >     > >     >
    >     > >     > PermissionDenied: Unable to use network with id=
    >     > >     > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on
    > objs: []
    >     > >     >
    >     > >     > Is there any configuration missing or is it a bug? It works
    > well
    >     > when
    >     > >     > using the admin user.
    >     > >     >
    >     > >     > ACS 4.15.2.0
    >     > >     > KVM
    >     > >     > Redundant VPC offering
    >     > >     >
    >     > >     > Supported Services on Network Offering
    >     > >     > SourceNat : VpcVirtualRouter
    >     > >     > Dhcp : VpcVirtualRouter
    >     > >     > Lb : InternalLbVm
    >     > >     > UserData : VpcVirtualRouter
    >     > >     > Dns : VpcVirtualRouter
    >     > >     > NetworkACL : VpcVirtualRouter
    >     > >     >
    >     > >     > BR,
    >     > >     >
    >     > >     > Ricardo
    >     > >     >
    >     > >     >
    >     > >     >
    >     > >     >
    >     > >
    >     > >
    >     >
    >
    >

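Added example, not part of the original thread or of CloudStack: a small triage script for management-server logs in the format quoted above. It groups lines by `logid`, pulls out the access-check grants and the final `PermissionDenied` for each request, and masks `apiKey` and `signature` values before the lines are shared. The sample log and all identifiers in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log format quoted in the thread
# (identifiers and key material are placeholders, not values from the thread).
SAMPLE_LOG = """\
2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] (qtp1-1:ctx-aaaa) (logid:aaaa1111) ===START===  192.0.2.10 -- GET  apiKey=EXAMPLEKEY&command=createLoadBalancer&networkid=NET-PLACEHOLDER&signature=EXAMPLESIG%3D
2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl] (qtp1-1:ctx-aaaa) (logid:aaaa1111) Access to Acct[uuid-1-PrjAcct-demo-3] granted to Acct[uuid-2-demo1control] by DomainChecker
2022-07-27 11:34:57,217 INFO  [c.c.a.ApiServer] (qtp1-1:ctx-aaaa) (logid:aaaa1111) PermissionDenied: Unable to use network with id= NET-PLACEHOLDER, permission denied on objs: []
2022-07-27 11:34:58,000 DEBUG [c.c.a.ApiServlet] (qtp1-2:ctx-bbbb) (logid:bbbb2222) ===START===  192.0.2.11 -- GET  apiKey=OTHERKEY&command=listNetworks&signature=OTHERSIG
"""

LOGID = re.compile(r"\(logid:([0-9a-f]+)\)")
COMMAND = re.compile(r"[?&\s]command=([A-Za-z]+)")
GRANT = re.compile(r"Access to (Acct\[[^\]]+\]) granted to (Acct\[[^\]]+\]) by (\w+)")
DENY = re.compile(r"PermissionDenied: (.+)$")
SECRET = re.compile(r"\b(apiKey|signature)=[^&\s]+", re.IGNORECASE)

def redact(line):
    """Mask credential-bearing query parameters before a log line is shared."""
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", line)

def triage(text):
    """Group lines by logid; return only requests that ended in PermissionDenied."""
    requests = defaultdict(lambda: {"command": None, "grants": [], "denied": None, "lines": []})
    for line in text.splitlines():
        m = LOGID.search(line)
        if not m:
            continue  # continuation line or unrelated output
        req = requests[m.group(1)]
        req["lines"].append(redact(line))
        if req["command"] is None and (c := COMMAND.search(line)):
            req["command"] = c.group(1)
        if g := GRANT.search(line):
            req["grants"].append({"target": g.group(1), "caller": g.group(2), "checker": g.group(3)})
        if d := DENY.search(line):
            req["denied"] = d.group(1)
    return {k: v for k, v in requests.items() if v["denied"]}

if __name__ == "__main__":
    for logid, req in triage(SAMPLE_LOG).items():
        print(logid, req["command"], "->", req["denied"])
        for g in req["grants"]:
            print("  granted:", g["caller"], "on", g["target"], "by", g["checker"])
```

The script expects one log entry per line; entries that a mail client has re-wrapped need to be joined first.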