Sangeetha Hariharan created CLOUDSTACK-6745:
-----------------------------------------------
Summary: DomainAdmin is not able to deploy Vm for users in his
domain/subdomain.
Key: CLOUDSTACK-6745
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Priority: Critical
Fix For: 4.4.0
DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
Steps to reproduce the problem:
Create a domain d1.
Create a regular user - d1a
Deploy a VM as user d1a
Create a domain admin user - d1
As d1 , try to deploy a VM for user - d1a in the isolated network he owns by
passing asccount and domainId of d1a.
API fails with the following exception:
"Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24,
permission denied"
2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer]
(catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387
sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET
command=deployVirtualMachine&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a-11e3-ac31-4adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24&displayname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a
531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24,
permission denied
Management server logs:
2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet]
(catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET
command=deployVirtualMachi
ne&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a-11e3-ac31-4
adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24&dis
playname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a
2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf
ctx-4320442b) Ignoring paremeter displayvm as the caller is
not authorized to pass it in
2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf
ctx-4320442b) Ignoring paremeter deploymentplanner as the ca
ller is not authorized to pass it in
2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl]
(catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to
Acct[5afd4de2-2a81-4c40-b7e
7-b5cb139551c1-test-dom1] granted to
Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker
2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl]
(catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to
Acct[5afd4de2-2a81-4c40-b7e
7-b5cb139551c1-test-dom1] granted to
Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker
2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf
ctx-4320442b) PermissionDenied: Unable to use network with i
d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: []
2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf
ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV
irtualMachine&response=json&sessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3D&zoneid=749f7a5f-7a47-4357-bc67-1704936b58ea&templateid=90869df6-e02a-
11e3-ac31-4adf980f9414&hypervisor=Simulator&serviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3&networkids=b40ce153-83c6-41f3-905b-90ce2
2c9ac24&displayname=test123&name=test123&_=1400719259855&account=test-dom1&domainid=b83c7d69-6536-478c-a756-b3d89ac9298a
--
This message was sent by Atlassian JIRA
(v6.2#6252)
