[ https://issues.apache.org/jira/browse/CLOUDSTACK-2078?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chandan Purushothama reopened CLOUDSTACK-2078:
----------------------------------------------


Verified on 4.2 Build:

{ "deployvirtualmachineresponse" : {"uuidList":[],"errorcode":531,"cserrorcode":4365,"errortext":"Acct[5-420electrons] does not have permission to operate with resource AffinityGroup[75516146-27d8-4d93-ad71-0fbd49eed8e0]"} }

Reopening the Bug as I observed account ID in the error message in the 
management server Logs:

http://10.223.195.40:8080/client/api?command=deleteAffinityGroup&id=75516146-27d8-4d93-ad71-0fbd49eed8e0&response=json&sessionkey=1DtvgJIfz3fNgGhUmHo3Rgx9MIA%3D&_=1375832775680

2013-08-06 16:45:08,163 DEBUG [cloud.api.ApiServlet] (catalina-exec-13:null) ===START===  10.252.120.33 -- GET  command=deleteAffinityGroup&id=75516146-27d8-4d93-ad71-0fbd49eed8e0&response=json&sessionkey=1DtvgJIfz3fNgGhUmHo3Rgx9MIA%3D&_=1375832775680
2013-08-06 16:45:08,183 DEBUG [cloud.async.AsyncJobManagerImpl] (catalina-exec-13:null) submit async job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ], details: AsyncJobVO {id:59, userId: 5, accountId: 5, sessionKey: null, instanceType: AffinityGroup, instanceId: null, cmd: org.apache.cloudstack.api.command.user.affinitygroup.DeleteAffinityGroupCmd, cmdOriginator: null, cmdInfo: {"response":"json","id":"75516146-27d8-4d93-ad71-0fbd49eed8e0","sessionkey":"1DtvgJIfz3fNgGhUmHo3Rgx9MIA\u003d","cmdEventType":"AG.DELETE","ctxUserId":"5","httpmethod":"GET","_":"1375832775680","ctxAccountId":"5","ctxStartEventId":"284"}, cmdVersion: 0, callbackType: 0, callbackAddress: null, status: 0, processStatus: 0, resultCode: 0, result: null, initMsid: 6914427586246, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
2013-08-06 16:45:08,185 DEBUG [cloud.api.ApiServlet] (catalina-exec-13:null) ===END===  10.252.120.33 -- GET  command=deleteAffinityGroup&id=75516146-27d8-4d93-ad71-0fbd49eed8e0&response=json&sessionkey=1DtvgJIfz3fNgGhUmHo3Rgx9MIA%3D&_=1375832775680
2013-08-06 16:45:08,187 DEBUG [cloud.async.AsyncJobManagerImpl] (Job-Executor-26:job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ]) Executing org.apache.cloudstack.api.command.user.affinitygroup.DeleteAffinityGroupCmd for job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ]
2013-08-06 16:45:08,202 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-26:job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ]) Unexpected exception while executing org.apache.cloudstack.api.command.user.affinitygroup.DeleteAffinityGroupCmd
com.cloud.exception.PermissionDeniedException: Acct[5-420electrons] does not have permission to operate with resource AffinityGroup[75516146-27d8-4d93-ad71-0fbd49eed8e0]
        at com.cloud.acl.DomainChecker.checkAccess(DomainChecker.java:139)
        at com.cloud.user.AccountManagerImpl.checkAccess(AccountManagerImpl.java:403)
        at org.apache.cloudstack.affinity.AffinityGroupServiceImpl.deleteAffinityGroup(AffinityGroupServiceImpl.java:164)
        at com.cloud.utils.component.ComponentInstantiationPostProcessor$InterceptorDispatcher.intercept(ComponentInstantiationPostProcessor.java:125)
        at org.apache.cloudstack.api.command.user.affinitygroup.DeleteAffinityGroupCmd.execute(DeleteAffinityGroupCmd.java:125)
        at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:158)
        at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:531)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
        at java.util.concurrent.FutureTask.run(FutureTask.java:166)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:679)
2013-08-06 16:45:08,214 DEBUG [cloud.async.AsyncJobManagerImpl] (Job-Executor-26:job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ]) Complete async job-59 = [ eb056200-e562-4c92-b125-0ada426b150d ], jobStatus: 2, resultCode: 530, result: Error Code: 530 Error text: Acct[5-420electrons] does not have permission to operate with resource AffinityGroup[75516146-27d8-4d93-ad71-0fbd49eed8e0]

                
> Anti-Affinity - Error messages when deploying Vm in affinity group /deleting 
> affinity group that does not belong to the user expose account Id and 
> affinity group Id.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-2078
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2078
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>         Environment: Build from master
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.2.0
>
>
> In the following scenarios, we expose affinity_group_id and account_id in 
> error messages.
> 1. Error message when 1 regular user tries to delete an affinity group that 
> belongs to another user by passing the uuid. We expose the affinity_group_id 
> and account_id in this error message.
> 530 Error text: Acct[3-sangee] does not have permission to operate with resource AffinityGroup[7|test-2|host anti-affinity]
>  
> 2. Error message includes account Id when trying to deploy a Vm in an affinity 
> group name that does not belong to this account:
>  
> Error message seen  - { "deployvirtualmachineresponse" : {"errorcode":431,"cserrorcode":4350,"errortext":"Unable to find group by name sangee-1456 for account 2"} }
>  
> 3. When trying to deploy a Vm in an affinity group that does not belong to 
> this account by passing affinitygroupids:
> 2013-04-17 16:24:39,160 DEBUG [cloud.api.ApiServlet] (catalina-exec-8:null) ===START===  10.217.252.128 -- GET  command=deployVirtualMachine&zoneId=63fb31bd-de23-40d5-a710-4a6b922d153c&templateId=aa7c5240-a625-11e2-8627-06d4460004b1&hypervisor=XenServer&serviceOfferingId=8b3e4dd8-f8ae-4e12-9551-604fbb6c6313&networkIds=40ae3118-1004-4616-96ee-bd42beb9b8e1&displayname=testnew15&name=testnew15&response=json&sessionkey=mAdgavcYHN1AOy5Ox9a%2Fad%2B8Bt0%3D&affinitygroupids=6e2dac53-6e28-4fa9-aec8-c55719bef51e
> 2013-04-17 16:24:39,167 DEBUG [cloud.api.ApiDispatcher] (catalina-exec-8:null) InfrastructureEntity name is:com.cloud.offering.ServiceOffering
> 2013-04-17 16:24:39,170 DEBUG [cloud.api.ApiDispatcher] (catalina-exec-8:null) ControlledEntity name is:com.cloud.template.VirtualMachineTemplate
> 2013-04-17 16:24:39,172 DEBUG [cloud.api.ApiDispatcher] (catalina-exec-8:null) ControlledEntity name is:com.cloud.network.Network
> 2013-04-17 16:24:39,175 DEBUG [cloud.api.ApiDispatcher] (catalina-exec-8:null) ControlledEntity name is:org.apache.cloudstack.affinity.AffinityGroup
> 2013-04-17 16:24:39,176 DEBUG [cloud.user.AccountManagerImpl] (catalina-exec-8:null) Access to Acct[3-sangee] granted to Acct[3-sangee] by DomainChecker_EnhancerByCloudStack_daf355b4
> 2013-04-17 16:24:39,177 DEBUG [cloud.user.AccountManagerImpl] (catalina-exec-8:null) Access to Acct[3-sangee] granted to Acct[3-sangee] by DomainChecker_EnhancerByCloudStack_daf355b4
> 2013-04-17 16:24:39,180 DEBUG [cloud.user.AccountManagerImpl] (catalina-exec-8:null) Access to Ntwk[204|Guest|8] granted to Acct[3-sangee] by DomainChecker_EnhancerByCloudStack_daf355b4
> 2013-04-17 16:24:39,181 DEBUG [cloud.user.AccountManagerImpl] (catalina-exec-8:null) Access to Tmpl[5-VHD-centos56-x86_64-xen granted to Acct[3-sangee] by DomainChecker_EnhancerByCloudStack_daf355b4
> 2013-04-17 16:24:39,182 INFO  [cloud.api.ApiServer] (catalina-exec-8:null) PermissionDenied: Acct[3-sangee] does not have permission to operate with resource AffinityGroup[7|test-2|host anti-affinity] on uuids: []
> 2013-04-17 16:24:39,182 DEBUG [cloud.api.ApiServlet] (catalina-exec-8:null) ===END===  10.217.252.128 -- GET  command=deployVirtualMachine&zoneId=63fb31bd-de23-40d5-a710-4a6b922d153c&templateId=aa7c5240-a625-11e2-8627-06d4460004b1&hypervisor=XenServer&serviceOfferingId=8b3e4dd8-f8ae-4e12-9551-604fbb6c6313&networkIds=40ae3118-1004-4616-96ee-bd42beb9b8e1&displayname=testnew15&name=testnew15&response=json&sessionkey=mAdgavcYHN1AOy5Ox9a%2Fad%2B8Bt0%3D&affinitygroupids=6e2dac53-6e28-4fa9-aec8-c55719bef51e
>  
>  
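
A regression check for the leak reported in this issue, as an added example (not code from this thread or from CloudStack): it scans API error text for the internal account and affinity group database IDs in the formats shown above. The function names and the CLEAN sample response are assumptions made for illustration.

```python
import json
import re

# Formats of internal database IDs that appear in the error text quoted in this report.
LEAK_PATTERNS = {
    "account_db_id": re.compile(r"Acct\[(\d+)-[^\]]*\]"),
    "account_db_id_plain": re.compile(r"\bfor account (\d+)\b"),
    "affinity_group_db_id": re.compile(r"AffinityGroup\[(\d+)\|"),
}

def find_leaks(text):
    """Return sorted (kind, internal_id) pairs found in one error string."""
    hits = set()
    for kind, pattern in LEAK_PATTERNS.items():
        hits.update((kind, m.group(1)) for m in pattern.finditer(text))
    return sorted(hits)

def error_texts(node):
    """Yield every "errortext" string in a decoded JSON response, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "errortext" and isinstance(value, str):
                yield value
            else:
                yield from error_texts(value)
    elif isinstance(node, list):
        for item in node:
            yield from error_texts(item)

def audit_response(raw_json):
    """Return the leaks in all error text of one JSON API response."""
    leaks = []
    for text in error_texts(json.loads(raw_json)):
        leaks.extend(find_leaks(text))
    return leaks

# From the report; CLEAN is constructed. A caller-supplied UUID (AffinityGroup[<uuid>]) is not flagged.
REOPENED = ('{"deployvirtualmachineresponse": {"uuidList": [], "errorcode": 531, '
            '"cserrorcode": 4365, "errortext": "Acct[5-420electrons] does not have '
            'permission to operate with resource '
            'AffinityGroup[75516146-27d8-4d93-ad71-0fbd49eed8e0]"}}')
SCENARIO_2 = ('{"deployvirtualmachineresponse": {"errorcode": 431, "cserrorcode": 4350, '
              '"errortext": "Unable to find group by name sangee-1456 for account 2"}}')
SCENARIO_1_TEXT = ("Acct[3-sangee] does not have permission to operate with resource "
                   "AffinityGroup[7|test-2|host anti-affinity]")
CLEAN = '{"deployvirtualmachineresponse": {"errorcode": 531, "errortext": "Permission denied"}}'

if __name__ == "__main__":
    print(audit_response(REOPENED), audit_response(SCENARIO_2), find_leaks(SCENARIO_1_TEXT))
```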
