Aled Sage created JCLOUDS-723:
---------------------------------
Summary: CloudStack createNodesInGroup fails for service providers
with locked down APIs
Key: JCLOUDS-723
URL: https://issues.apache.org/jira/browse/JCLOUDS-723
Project: jclouds
Issue Type: Bug
Affects Versions: 1.8.0
Reporter: Aled Sage
Creating VM(s) on CloudStack fails with some service providers, because they
lock down access to parts of their API.
For example, API calls made by the listImages method are sometimes forbidden.
CloudStackComputeServiceAdapter.listImages:
https://github.com/apache/jclouds/blob/f17c876d8dc161988f586c3cf343361d896f6928/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java#L284-294
The method tries to list all templates. First, it lists all templates that are
executable. Then, it lists all templates associated with each project in the
account. Translated to Cloudmonkey-suitable commands, the call flow is:
* list templates listAll=true templatefilter=executable
* list accounts listAll=true
for each account response: extract name and domainid from response and call:
* list projects listAll=true account=.. domainid=..
jclouds fails because it gets a response 405 Method Not Allowed to the
listAccounts call (and would do the same for the listProjects call if it got
that far).
/api/CloudPlatformProxy?apiKey=removed&command=listAccounts&expires=2014-07-21T11%3A08%3A32%2B0000&response=json&signatureversion=3&signature=removed"
HTTP/1.1 405 Method Not Allowed
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 21 Jul 2014 11:00:19 GMT
Content-Length: 0
/api/CloudPlatformProxy?apiKey=removed&command=listProjects&expires=2014-07-21T11%3A04%3A59%2B0000&response=json&signatureversion=3&signature=removed"
HTTP/1.1 405 Method Not Allowed
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 21 Jul 2014 10:57:13 GMT
Content-Length: 0
The cloud provider's response was:
Accounts and projects are blocked simply because this is a multi tenant
service where account isolation is important. So we don’t allow users to list
all accounts on the platform as each one is tied to a customer.
Projects and domain aren’t exposed because we haven’t assessed the risks to
billing if these are enabled.
The credentials that we give you will tie you to an account and then (other
than domains and projects) you can do what you want.
I like the idea of enabling certain list API calls but only when listall is
set to false. Of course if its just stopping a test program then the incentive
in fixing it would be minimal.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
