venkata swamybabu budumuru created CLOUDSTACK-2212:
------------------------------------------------------
Summary: [Egress Rules] [Shared Network] Unable to configure egress rules as non-ROOT domain user
Key: CLOUDSTACK-2212
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2212
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.2.0
Environment: commit 0e2ffe72aa641f4551cae63fbc36454c5934342f
Reporter: venkata swamybabu budumuru
Assignee: Pranav Saxena
Fix For: 4.2.0
Steps to Reproduce:
1. Create an advanced zone with 1 Xen cluster
2. Create a shared network offering with JuniperSRX servicing the firewall-related functionalities
select * from network_offerings
id: 17
name: test
uuid: ed856a34-71e9-4bef-ae71-b4781fb57626
unique_name: test
display_text: test
nw_rate: NULL
mc_rate: 10
traffic_type: Guest
tags: NULL
system_only: 0
specify_vlan: 1
service_offering_id: NULL
conserve_mode: 0
created: 2013-04-26 17:04:40
removed: NULL
default: 0
availability: Optional
dedicated_lb_service: 0
shared_source_nat_service: 1
sort_key: 0
redundant_router_service: 0
state: Enabled
guest_type: Shared
elastic_ip_service: 0
eip_associate_public_ip: 0
elastic_lb_service: 0
specify_ip_ranges: 1
inline: 0
is_persistent: 0
# select * from networks
id: 211
name: SharedNet3
uuid: 9aded0d9-f60c-4d06-af6d-aed9dad43b31
display_text: SharedNet3
traffic_type: Guest
broadcast_domain_type: Vlan
broadcast_uri: vlan://908
gateway: 192.168.121.1
cidr: 192.168.121.0/24
mode: Dhcp
network_offering_id: 17
physical_network_id: 201
data_center_id: 2
guru_name: DirectNetworkGuru
state: Implemented
related: 211
domain_id: 1
account_id: 1
dns1: NULL
dns2: NULL
guru_data: NULL
set_fields: 0
acl_type: Domain
network_domain: cs1cloud.internal
reservation_id: f0e990b9-c85e-4ff1-baa0-189f683406e5
guest_type: Shared
restart_required: 0
created: 2013-04-26 17:49:15
removed: NULL
specify_ip_ranges: 1
vpc_id: NULL
ip6_gateway: NULL
ip6_cidr: NULL
network_cidr: NULL
# mysql> select * from ntwk_service_map where network_id=211;
+----+------------+----------------+---------------+---------------------+
| id | network_id | service        | provider      | created             |
+----+------------+----------------+---------------+---------------------+
| 25 |        211 | Dhcp           | VirtualRouter | 2013-04-26 17:49:15 |
| 22 |        211 | Dns            | VirtualRouter | 2013-04-26 17:49:15 |
| 21 |        211 | Firewall       | JuniperSRX    | 2013-04-26 17:49:15 |
| 27 |        211 | PortForwarding | JuniperSRX    | 2013-04-26 17:49:15 |
| 23 |        211 | SourceNat      | JuniperSRX    | 2013-04-26 17:49:15 |
| 24 |        211 | StaticNat      | JuniperSRX    | 2013-04-26 17:49:15 |
| 26 |        211 | UserData       | VirtualRouter | 2013-04-26 17:49:15 |
+----+------------+----------------+---------------+---------------------+
3. Create a new domain with at least one account with the user role
4. Log in as the above user and try to create an egress rule
Observations:
- It fails with the following error in the logs.
2013-04-26 15:01:57,880 DEBUG [cloud.user.AccountManagerImpl] (Job-Executor-53:job-169) Access to Acct[45-dom1Acc1] granted to Acct[45-dom1Acc1] by DomainChecker_EnhancerByCloudStack_4891655
2013-04-26 15:01:57,909 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-53:job-169) Unexpected exception while executing org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd
com.cloud.exception.PermissionDeniedException: Acct[45-dom1Acc1] does not have permission to operate with resource Rule[6-Firewall-Add]
    at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:132)
    at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:384)
    at com.cloud.network.firewall.FirewallManagerImpl.revokeFirewallRule(FirewallManagerImpl.java:654)
    at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
    at com.cloud.network.firewall.FirewallManagerImpl.revokeFirewallRule(FirewallManagerImpl.java:683)
    at org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd.execute(CreateEgressFirewallRuleCmd.java:147)
    at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:155)
    at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:437)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:679)
Attaching all the required logs along with db dump.
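Added here as an example (not part of this report or of CloudStack itself): a small Python parser that groups management-server log lines like the ones above by async job id and flags jobs where the caller passed the DomainChecker account check but was then denied on the firewall rule it tried to create. The sample log is constructed from the lines quoted above, and the line layout the regexes expect is an assumption drawn from those lines.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the management-server log quoted in the report
# (only the first stack frame is kept; the rest does not change the result).
SAMPLE_LOG = """\
2013-04-26 15:01:57,880 DEBUG [cloud.user.AccountManagerImpl] (Job-Executor-53:job-169) Access to Acct[45-dom1Acc1] granted to Acct[45-dom1Acc1] by DomainChecker_EnhancerByCloudStack_4891655
2013-04-26 15:01:57,909 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-53:job-169) Unexpected exception while executing org.apache.cloudstack.api.command.user.firewall.CreateEgressFirewallRuleCmd
com.cloud.exception.PermissionDeniedException: Acct[45-dom1Acc1] does not have permission to operate with resource Rule[6-Firewall-Add]
    at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:132)
"""

# Assumed layout of a timestamped line: "<ts> <LEVEL> [<logger>] (<thread>:<job>) <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^:]+):(?P<job>job-\d+)\) (?P<msg>.*)$")
GRANT = re.compile(r"Access to (?P<target>Acct\[[^\]]+\]) granted to (?P<caller>Acct\[[^\]]+\])")
DENIED = re.compile(r"PermissionDeniedException: (?P<caller>Acct\[[^\]]+\]) does not have "
                    r"permission to operate with resource (?P<resource>\S+)")


def parse_jobs(text):
    """Group log lines by job id: the API command that failed, the account the
    DomainChecker granted access to, and the resource it was later denied on.
    Exception lines carry no timestamp/job prefix, so they are attached to the
    job of the most recent timestamped line."""
    jobs = defaultdict(lambda: {"cmd": None, "granted": None, "denied": None})
    current = None
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            current = m.group("job")
            msg = m.group("msg")
            g = GRANT.search(msg)
            if g:
                jobs[current]["granted"] = g.group("caller")
            if "Unexpected exception while executing" in msg:
                jobs[current]["cmd"] = msg.rsplit(".", 1)[-1]  # simple class name
            continue
        d = DENIED.search(line)
        if d and current:
            jobs[current]["denied"] = (d.group("caller"), d.group("resource"))
    return dict(jobs)


def denied_after_grant(jobs):
    """Jobs where the caller passed the account-level check and was then denied
    on the resource it tried to create: the ownership-mismatch pattern in this
    report, as opposed to a plainly unauthorised call."""
    return [(job, r["cmd"], r["denied"][1]) for job, r in sorted(jobs.items())
            if r["granted"] and r["denied"] and r["granted"] == r["denied"][0]]
```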
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira