[jira] [Reopened] (CLOUDSTACK-5578) KVM - Network down - When the host looses network connectivity , it is not able to fence itself.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reopened CLOUDSTACK-5578: - Hi Kishan, This is a problem that KVM host is not able to reboot itself which is the expected behavior. The host is attempting to reboot which fails . Is it possible to make the host forcefully reboot in such cases? Thanks Sangeetha KVM - Network down - When the host looses network connectivity , it is not able to fence itself. Key: CLOUDSTACK-5578 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5578 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.2.0 Environment: Build from 4.3 Reporter: Sangeetha Hariharan Assignee: Kishan Kavala Priority: Critical Fix For: 4.5.0 Attachments: DisconnectedHost.png, kvm-hostdisconnect.rar KVM - Network down - When the host looses network connectivity , it is not able to fence itself. Steps to reproduce the problem: Set up - Advanced zone with 2 Rhel 6.3 hosts in cluster. Deploy ~10 Vms. Simulate network disconnect on the host ( ifdown em1) Host gets marked as Down and all the Vms gets HA-ed to the other host. On the KVM host which lost connectivity , attempt to shutdown itself fails. It was not able to umount the primary store. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7891) Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot.
Sangeetha Hariharan created CLOUDSTACK-7891: --- Summary: Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot. Key: CLOUDSTACK-7891 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7891 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Reporter: Sangeetha Hariharan Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot. Following exception seen when this test case is executed: Disallowed failure integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot: RevertToVMSnapshotCmd failed: VM Snapshot revert not allowed. This will result in VM state change. You can revert running VM to disk and memor -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7772) [Automation] - Fix test failure for ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
Sangeetha Hariharan created CLOUDSTACK-7772:
---
Summary: [Automation] - Fix test failure for
ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
Key: CLOUDSTACK-7772
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7772
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Environment: Build from master
Reporter: Sangeetha Hariharan
Fix test failure for
integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot.
reverting snapshot fails with following exception:
Job failed: {jobprocstatus : 0, created : u'2014-10-22T08:43:54+', cmd :
u'org.apache.cloudstack.api.command.user.vmsnapshot.RevertToVMSnapshotCmd',
userid : u'507aefe6-8aae-49c3-974d-30a45c5bc79d', jobstatus : 2, jobid :
u'51d73ace-1e7a-425d-b17d-05d675bbfe01', jobresultcode : 530, jobresulttype :
u'object', jobresult : {errorcode : 530, errortext : u'VM Snapshot revert not
allowed. This will result in VM state change. You can revert running VM to disk
and memory type snapshot and stopped VM to disk type snapshot'}, accountid :
u'ae6ef7e5-217f-494e-857d-ecd53653faf9'}
Root cause is CS does not support for reverting Vms in Running state to a
diskonly snapshot.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7772) [Automation] - Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-7772:
Summary: [Automation] - Fix test failure for
integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
(was: [Automation] - Fix test failure for
ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot)
[Automation] - Fix test failure for
integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
-
Key: CLOUDSTACK-7772
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7772
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Environment: Build from master
Reporter: Sangeetha Hariharan
Fix test failure for
integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot.
reverting snapshot fails with following exception:
Job failed: {jobprocstatus : 0, created : u'2014-10-22T08:43:54+', cmd :
u'org.apache.cloudstack.api.command.user.vmsnapshot.RevertToVMSnapshotCmd',
userid : u'507aefe6-8aae-49c3-974d-30a45c5bc79d', jobstatus : 2, jobid :
u'51d73ace-1e7a-425d-b17d-05d675bbfe01', jobresultcode : 530, jobresulttype :
u'object', jobresult : {errorcode : 530, errortext : u'VM Snapshot revert not
allowed. This will result in VM state change. You can revert running VM to
disk and memory type snapshot and stopped VM to disk type snapshot'},
accountid : u'ae6ef7e5-217f-494e-857d-ecd53653faf9'}
Root cause is CS does not support for reverting Vms in Running state to a
diskonly snapshot.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7762) [Automation] - Fix test failure for test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py
Sangeetha Hariharan created CLOUDSTACK-7762:
---
Summary: [Automation] - Fix test failure for
test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py
Key: CLOUDSTACK-7762
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7762
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Test
Affects Versions: 4.5.0
Environment: Build from master
Reporter: Sangeetha Hariharan
Fix For: 4.5.0
test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py fails in BVT runs
with the following exception:
2014-10-20 16:41:00,497 INFO [o.a.c.f.j.i.AsyncJobMonitor]
(API-Job-Executor-120:ctx-83b738d9 job-459) Add job-459 into job monitoring
2014-10-20 16:41:00,497 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(API-Job-Executor-120:ctx-83b738d9 job-459) Executing AsyncJobVO {id:459,
userId: 2, accountId: 2, instanceType: None, instanceId: null, cmd:
org.apache.cloudstack.api.command.admin.vmsnapshot.RevertToVMSnapshotCmdByAdmin,
cmdInfo:
{response:json,ctxDetails:{\com.cloud.vm.snapshot.VMSnapshot\:\12280973-a1e4-43e3-80b3-3afacd607909\},cmdEventType:VMSNAPSHOT.REVERTTO,ctxUserId:2,httpmethod:GET,vmsnapshotid:12280973-a1e4-43e3-80b3-3afacd607909,ctxAccountId:2,ctxStartEventId:1406,apiKey:aJwkScf5ziRwz8gKQ9HB0Ce6hSsTJTUtmUDUQ_U2teV3vVmuLQRLad8xqAgr7CrFOEQbywdVpKSt2yC_ORXLYg,signature:cYBxgg8eBfktovmCaHYox2xoTE8\u003d},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 11489258594360, completeMsid: null, lastUpdated: null,
lastPolled: null, created: null}
2014-10-20 16:41:00,529 ERROR [c.c.a.ApiAsyncJobDispatcher]
(API-Job-Executor-120:ctx-83b738d9 job-459) Unexpected exception while
executing
org.apache.cloudstack.api.command.admin.vmsnapshot.RevertToVMSnapshotCmdByAdmin
com.cloud.exception.InvalidParameterValueException: VM Snapshot revert not
allowed. This will result in VM state change. You can revert running VM to disk
and memory type snapshot and stopped VM to disk type snapshot
at
com.cloud.vm.snapshot.VMSnapshotManagerImpl.revertToSnapshot(VMSnapshotManagerImpl.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7746: Assignee: (was: Rayees Namathponnan) Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7746: --- Assignee: Rayees Namathponnan Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Assignee: Rayees Namathponnan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
Sangeetha Hariharan created CLOUDSTACK-7742: --- Summary: Xenserver HA - SSVM failing to start since it is running out of management ip address Key: CLOUDSTACK-7742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7742 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool. 2. Some of these destroyed SSVMs have 2 management ip addresses associated with it . why is this the case? 3. I still see 1 management ip address that is free , but SSVM is still not able to come up. mysql select id,name,state from vm_instance where id in (1,7,18,71); ++-+---+ | id | name| state
[jira] [Updated] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7742: Attachment: ssvm-fail.rar Xenserver HA - SSVM failing to start since it is running out of management ip address -- Key: CLOUDSTACK-7742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Attachments: ssvm-fail.rar HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool. 2.
[jira] [Updated] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7742: Description: HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool of management ip address. 2. When CPVM is stopped , seems like the ipaddress associated with it has not been released to the freepool of management ip address. mysql select id,name,state from vm_instance where id in (1,7,18,71); ++-+---+ | id | name| state | ++-+---+ | 1 | v-1-VM | Running | | 7 | s-7-VM | Destroyed | | 18 | s-18-VM | Destroyed | | 71 | s-71-VM | Destroyed | ++-+---+ 4 rows in set (0.00 sec) mysql select instance_id from nics where id in (select nic_id from op_dc_ip_address_alloc where taken is not null); +-+ | instance_id | +-+ | 1 | | 7 | |
[jira] [Updated] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7746: Attachment: router.png Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7732) [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster.
Sangeetha Hariharan created CLOUDSTACK-7732: --- Summary: [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster. Key: CLOUDSTACK-7732 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7732 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Fix For: 4.5.0 [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7733) Admin/Regular User is not allowed to stop/start Vms that are running on disabled hosts.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7733?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-7733:
Priority: Critical (was: Major)
Admin/Regular User is not allowed to stop/start Vms that are running on
disabled hosts.
---
Key: CLOUDSTACK-7733
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7733
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Management Server
Affects Versions: 4.5.0
Environment: Build from master
Reporter: Sangeetha Hariharan
Priority: Critical
Steps to reproduce the problem:
Deploy a Vm in a host say host1 using a service offering that has hosttags
that matches with host1.
Disable host.
As admin , stop this VM.
Now try to start the VM.
This fails with job failed due to exception Unable to create a deployment
for VM[User|i-20-63-VM
{jobprocstatus : 0, created : u'2014-10-15T08:21:04-0400', jobresult :
{errorcode : 530, errortext : u'Job failed due to exception Unable to create
a deployment for VM[User|i-20-63-VM]'}, cmd :
u'org.apache.cloudstack.api.command.admin.vm.StartVMCmdByAdmin', userid :
u'f3d01d86-93bb-4ec7-a249-f1dc59ba33a1', jobstatus : 2, jobid :
u'fbe3432d-f90c-49d7-a5ea-f1e65e88aae7', jobresultcode : 530, jobinstanceid :
u'c9987836-8d76-4a55-bdce-6ef81c4cf51d', jobresulttype : u'object',
jobinstancetype : u'VirtualMachine', accountid :
u'54b7a442-2b1f-4df9-b3cc-14a4d8537a74'}
Management server logs indicating that Vms cannot be started on the last host
Id , when the host is disabled:
2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl]
(Work-Job-Executor-79:ctx-746fc
d6f job-558/job-559 ctx-246fb1a1) Trying to allocate a host and storage pools
from dc:1, pod:1,clus
ter:2, requested cpu: 100, requested ram: 134217728
2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl]
(Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) Is ROOT
volume READY (pool already allocated)?: Yes
2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl]
(Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) This VM has
last host_id specified, trying to choose the same host: 4
2014-10-15 09:37:24,484 DEBUG [c.c.d.DeploymentPlanningManagerImpl]
(Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) The last
host of this VM is not UP or is not enabled, host status is: Up, host
resource state is: Disabled
2014-10-15 09:37:24,484 DEBUG [c.c.d.DeploymentPlanningManagerImpl]
(Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) Cannot
choose the last host to deploy this VM
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7697) HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14167295#comment-14167295 ] Sangeetha Hariharan commented on CLOUDSTACK-7697: - When HA of SSVM and CPVM is being done , we see the agent state from Alert-Up. HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts. -- Key: CLOUDSTACK-7697 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7697 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from 4.5 Reporter: Sangeetha Hariharan Fix For: 4.5.0 HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts. Steps to reproduce the problem: Zone with 1 cluster having 2 hosts. Bring down master host where SSVM and CPVM is running. All user Vms , SSVM and CPVM running in this host is HA-ed to another host. There is no Alert being generated for SSVM and CPVM being detected as being stopped . Also there are no events/alerts being generated for all the user Vms that were detected as being stopped and started in a different host. Should we expect events/alerts being generated for these as well ? mysql select * from alert; ++--+--++++-++-+-+--+--++ | id | uuid | type | cluster_id | pod_id | data_center_id | subject | sent_count | created | last_sent | resolved | archived | name | ++--+--++++-++-+-+--+--++ | 1 | aeef592e-3bb4-431e-911d-16280bf8a8ad | 14 | NULL | 0 | 0 | Management network CIDR is not configured originally. Set it default to 10.223.130.0/24 | 1 | 2014-10-09 22:19:14 | 2014-10-09 22:19:14 | NULL |0 | ALERT.MANAGEMENT | | 2 | 1a0bb67d-9346-4078-a80d-e6669116e7fd | 14 | NULL | 0 | 0 | Management server node 10.223.130.101 is up | 1 | 2014-10-09 22:19:16 | 2014-10-09 22:19:16 | NULL |0 | ALERT.MANAGEMENT | | 3 | 5c37924e-50cd-413f-a37a-ac275dbc46f9 | 13 | NULL | 0 | 0 | No usage server process running | 1 | 2014-10-09 23:19:14 | 2014-10-09 23:19:14 | NULL |0 | ALERT.USAGE| | 4 | 4d1b8b64-f59a-4405-a244-14e054297f04 |2 | 1 | 1 | 1 | System Alert: Low Available Storage in cluster cluster1 pod pod1 of availability zone zone1 | 1 | 2014-10-09 23:39:44 | 2014-10-09 23:39:44 | NULL |0 | ALERT.STORAGE | | 5 | aaf9bb96-799c-40d0-a652-96566c7ff47a |7 | NULL | 1 | 1 | Host is down, name: Rack3Host20.lab.vmops.com (id:1), availability zone: zone1, pod: pod1 | 1 | 2014-10-10 15:05:41 | 2014-10-10 15:05:41 | NULL |0 | ALERT.COMPUTE.HOST | ++--+--++++-++-+-+--+--++ 5 rows in set (0.00 sec) mysql -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7629) addBaremetalRct() API call is not available in cloudstackAPI library in marvin.
Sangeetha Hariharan created CLOUDSTACK-7629: --- Summary: addBaremetalRct() API call is not available in cloudstackAPI library in marvin. Key: CLOUDSTACK-7629 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7629 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 addBaremetalRct() API call is not available in cloudstackAPI library in marvin. When a new API call is added , we expect the python libraries for this API to be available as part of cloudstackAPI in marvin. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7618) Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac
Sangeetha Hariharan created CLOUDSTACK-7618: --- Summary: Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac Key: CLOUDSTACK-7618 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7618 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Fix For: 4.5.0 Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac. When adding a baremetal host , following 4 parameters are supported for addHost() API call - cpunumber,cpuspeed,memory,hostmac. API docs should include information about these parameters. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7618) Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7618?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7618: --- Assignee: frank zhang Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac Key: CLOUDSTACK-7618 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7618 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac. When adding a baremetal host , following 4 parameters are supported for addHost() API call - cpunumber,cpuspeed,memory,hostmac. API docs should include information about these parameters. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7619) Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offe
Sangeetha Hariharan created CLOUDSTACK-7619: --- Summary: Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offering for baremetal instances. Key: CLOUDSTACK-7619 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7619 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offering for baremetal instances. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7567. --- Resolution: Fixed Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan closed CLOUDSTACK-7585.
---
Resolution: Fixed
Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
-
Key: CLOUDSTACK-7585
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Test
Affects Versions: 4.5.0
Environment: test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py cases executed against
simulator build in advanced zone set up.
Reporter: Sangeetha Hariharan
Fix For: 4.5.0
Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
Attempting to create shared network on the advanced zone set up fails with
following exception since the script tried to create network with shared
network with securitygroup enabled network offering , when the real intent
was to create network with shared network.
2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer]
(catalina-exec-4:ctx-371aa034 ctx-671b4b25 ctx-6c06fff3) (userId=566
accountId=621 sessionId=null) 10.220.135.94 -- GET
jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D
200 { queryasyncjobresultresponse :
{accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c}
}
2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer]
(catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2
accountId=2 sessionId=null) 10.220.135.94 -- GET
endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1
530 Provider SecurityGroupProvider is either not enabled or doesn't support
service SecurityGroup in physical network id=200
Root cause for this issue , is we query for networkoffering with
name=DefaultSharedNetworkOffering which results in returning 2 entries ,
DefaultSharedNetworkOffering and
DefaultSharedNetworkOfferingWithSGService. The script ends up picking the
network offering of DefaultSharedNetworkOfferingWithSGService
2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer]
(catalina-exec-9:ctx-d64b7593 ctx-f74a4a25 ctx-f14b10c9) (userId=2
accountId=2 sessionId=null) 10.220.135.94 -- GET
response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D
200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [
{id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering
for Shared Security group enabled
networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false},
{id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering
for Shared
[jira] [Closed] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7551. --- Resolution: Fixed Automate ACL test cases relating to impersonation when depoying VM in shared network. -- Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7587) Automation - Add simulator_only attribute to acl related test cases.
Sangeetha Hariharan created CLOUDSTACK-7587: --- Summary: Automation - Add simulator_only attribute to acl related test cases. Key: CLOUDSTACK-7587 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7587 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan Automation - Add simulator_only attribute to acl related test cases. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7587) Automation - Add simulator_only attribute to acl related test cases.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7587?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7587. --- Resolution: Fixed Automation - Add simulator_only attribute to acl related test cases. Key: CLOUDSTACK-7587 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7587 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan Automation - Add simulator_only attribute to acl related test cases. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7514. --- Resolution: Fixed Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan resolved CLOUDSTACK-7033. - Resolution: Fixed [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7033. --- [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7034) [Automation] - Automate ACL test cases relating to listVirtualMachines()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7034. --- Resolution: Fixed [Automation] - Automate ACL test cases relating to listVirtualMachines() Key: CLOUDSTACK-7034 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7034 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
Sangeetha Hariharan created CLOUDSTACK-7585:
---
Summary: Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
Key: CLOUDSTACK-7585
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Test
Affects Versions: 4.5.0
Environment: test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py cases executed against
simulator build in advanced zone set up.
Reporter: Sangeetha Hariharan
Fix For: 4.5.0
Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
Attempting to create shared network on the advanced zone set up fails with
following exception since the script tried to create network with shared
network with securitygroup enabled network offering , when the real intent was
to create network with shared network.
2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer] (catalina-exec-4:ctx-371aa034
ctx-671b4b25 ctx-6c06fff3) (userId=566 accountId=621 sessionId=null)
10.220.135.94 -- GET
jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D
200 { queryasyncjobresultresponse :
{accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c}
}
2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer]
(catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2 accountId=2
sessionId=null) 10.220.135.94 -- GET
endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1
530 Provider SecurityGroupProvider is either not enabled or doesn't support
service SecurityGroup in physical network id=200
Root cause for this issue , is we query for networkoffering with
name=DefaultSharedNetworkOffering which results in returning 2 entries ,
DefaultSharedNetworkOffering and DefaultSharedNetworkOfferingWithSGService.
The script ends up picking the network offering of
DefaultSharedNetworkOfferingWithSGService
2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer] (catalina-exec-9:ctx-d64b7593
ctx-f74a4a25 ctx-f14b10c9) (userId=2 accountId=2 sessionId=null) 10.220.135.94
-- GET
response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D
200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [
{id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering
for Shared Security group enabled
networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false},
{id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering
for Shared
networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false}
] } }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14139587#comment-14139587
]
Sangeetha Hariharan commented on CLOUDSTACK-7585:
-
Fixed test scripts to use additional parameter displayText=Offering for Shared
networks when listing Network offerings,so that it returns only default shared
network offering.
Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
-
Key: CLOUDSTACK-7585
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Test
Affects Versions: 4.5.0
Environment: test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py cases executed against
simulator build in advanced zone set up.
Reporter: Sangeetha Hariharan
Fix For: 4.5.0
Automation - Fix test_acl_sharednetwork.py and
test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network
network offering when creating networks.
Attempting to create shared network on the advanced zone set up fails with
following exception since the script tried to create network with shared
network with securitygroup enabled network offering , when the real intent
was to create network with shared network.
2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer]
(catalina-exec-4:ctx-371aa034 ctx-671b4b25 ctx-6c06fff3) (userId=566
accountId=621 sessionId=null) 10.220.135.94 -- GET
jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D
200 { queryasyncjobresultresponse :
{accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c}
}
2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer]
(catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2
accountId=2 sessionId=null) 10.220.135.94 -- GET
endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1
530 Provider SecurityGroupProvider is either not enabled or doesn't support
service SecurityGroup in physical network id=200
Root cause for this issue , is we query for networkoffering with
name=DefaultSharedNetworkOffering which results in returning 2 entries ,
DefaultSharedNetworkOffering and
DefaultSharedNetworkOfferingWithSGService. The script ends up picking the
network offering of DefaultSharedNetworkOfferingWithSGService
2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer]
(catalina-exec-9:ctx-d64b7593 ctx-f74a4a25 ctx-f14b10c9) (userId=2
accountId=2 sessionId=null) 10.220.135.94 -- GET
response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D
200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [
{id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering
for Shared Security group enabled
networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false},
{id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering
for Shared
[jira] [Commented] (CLOUDSTACK-6974) IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14139770#comment-14139770
]
Sangeetha Hariharan commented on CLOUDSTACK-6974:
-
listNetwork() with listall=false and isrecursive=true results in returning all
the networks that the admin can see .
listNetwork() with listall=false and isrecursive=false/not passed results in
returning all the networks that the admin can see in the ROOT domain .
In both the above cases , listNetwork() with listall=false should return only
the networks that he can use (which is isolated networks that he created and
shared network that he has access to).
IAM-Root Admin - When listNetwork is used with listall=false (or no listall
passed), all isoalted networks belonging to other users is listed.
--
Key: CLOUDSTACK-6974
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6974
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Affects Versions: 4.4.0
Environment: Build from 4.4-forward
Reporter: Sangeetha Hariharan
Root Admin - When listNetwork is used with listall=false (or no listall
passed) and isrecursive=true , all networks in the system are returned.
Steps to reproduce the problem:
Create multiple domains with few user and domain accounts in them.
Create isolated networks as each of these accounts.
Create an admin user under ROOT.
As this admin user, deploy a VM.
Use listNetwork with listall=false (or no listall passed) and
isrecursive=true to retrieve all the networks owned by this admin.
This results in all the networks in the system being returned.
Following is the API call that was made , that resulted in 15 networks being
fetched when it should have fetched only 1 isolated network and 1
shared network.
http://10.223.49.6:8080/client/api?apiKey=PB2CyeaqN0vfTodPzXV52OdE9YZLC8K-BrdLiEijWmq85nuAEfXVoAPxbzW0J5BgFAT-f5lnwDEgeOfp_boJAgisrecursive=trueresponse=jsonlistall=falsecommand=listNetworkssignature=l%2FNR4aBSnk7aAEDHhlsAvEXe7Cg%3D
Response: { listnetworksresponse : { count:15 ,network : [
{id:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,name:SharedNetwork-Account,displaytext:SharedNetwork-Account,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:1bec2c7f-d35d-4d33-a655-d3159be4a6ff,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering
for Shared Security group enabled
networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,broadcasturi:vlan://153,dns1:4.2.2.2,type:Shared,vlan:153,acltype:Account,account:testD111A-TestNetworkList-RPNQIQ,domainid:b706ea33-fbf7-4167-a857-16f79f332cf3,domain:D111-A243U3,service:[
{name:UserData}
,{name:Dhcp,capability:[
{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}
]},{ ...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
Sangeetha Hariharan created CLOUDSTACK-7567: --- Summary: Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7567: Description: Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7567: Description: (was: Automate ACL test cases relating to impersonation when depoying VM in shared network.) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
Sangeetha Hariharan created CLOUDSTACK-7551: --- Summary: Automate ACL test cases relating to impersonation when depoying VM in shared network. Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7551: Description: Automate ACL test cases relating to impersonation when depoying VM in shared network. (was: [Automation] - Automate ACL test cases relating to listVolumes()) Automate ACL test cases relating to impersonation when depoying VM in shared network. -- Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7514: --- Assignee: Sangeetha Hariharan Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7523) java.lang.NullPointerException when listing accounts.
Sangeetha Hariharan created CLOUDSTACK-7523: --- Summary: java.lang.NullPointerException when listing accounts. Key: CLOUDSTACK-7523 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7523 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Assignee: frank zhang Priority: Critical Fix For: 4.5.0 Deploy a fresh Management server. After this try to list Accounts , by going to Accounts tab in UI. There is no entries returned and the UI keeps spinning. listAccounts() fail with return code - 530 . 2014-09-09 12:38:59,932 INFO [a.c.c.a.ApiServer] (catalina-exec-18:ctx-0c561c21 ctx-dcbc1d59) (userId=2 accountId=2 sessionId=600DA8E1BD8DC8B8DF75DD5B5FC9E7E9) 10.215.3.17 -- GET command=listAccountsresponse=jsonsessionkey=2%2Bf%2BWC0FhPn6j%2BiLp3mj2POhdsY%3DlistAll=truepage=1pagesize=20_=1410305103203 530 null Following exception seen in management server logs: 2014-09-09 08:39:22,417 DEBUG [c.c.a.ApiServlet] (catalina-exec-7:ctx-d2a3ffdc) ===START=== 10.216.50.29 -- GET command=listAccountsresponse=jsonsessionkey=XkWSjL0e3Xe3ckgR5jW2CsSYOeA%3DlistAll=truepage=1pagesize=20_=1410290672605 2014-09-09 08:39:22,832 ERROR [c.c.a.ApiServer] (catalina-exec-7:ctx-d2a3ffdc ctx-9db713ee) unhandled exception executing api command: [Ljava.lang.String;@1a1bdce4 java.lang.NullPointerException at com.cloud.api.query.dao.AccountJoinDaoImpl.setResourceLimits(AccountJoinDaoImpl.java:144) at com.cloud.api.query.dao.AccountJoinDaoImpl.newAccountResponse(AccountJoinDaoImpl.java:79) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at com.cloud.utils.db.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:34) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy111.newAccountResponse(Unknown Source) at com.cloud.api.ApiDBUtils.newAccountResponse(ApiDBUtils.java:1788) at com.cloud.api.query.ViewResponseHelper.createAccountResponse(ViewResponseHelper.java:353) at com.cloud.api.query.QueryManagerImpl.searchForAccounts(QueryManagerImpl.java:1835) at org.apache.cloudstack.api.command.user.account.ListAccountsCmd.execute(ListAccountsCmd.java:93) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:141) at com.cloud.api.ApiServer.queueCommand(ApiServer.java:694) at com.cloud.api.ApiServer.handleRequest(ApiServer.java:517) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:273) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:117) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:114) at com.cloud.api.ApiServlet.doGet(ApiServlet.java:76) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at
[jira] [Created] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
Sangeetha Hariharan created CLOUDSTACK-7514: --- Summary: Automation] - Automate ACL test cases relating to listSnapshots() Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7514: Description: [Automation] - Automate ACL test cases relating to listSnapshots() (was: [Automation] - Automate ACL test cases relating to listVolumes()) Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolume()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7492: Description: [Automation] - Automate ACL test cases relating to listVolumes() (was: [Automation] - Automate ACL test cases relating to listVirtualMachines()) [Automation] - Automate ACL test cases relating to listVolume() --- Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolume()
Sangeetha Hariharan created CLOUDSTACK-7492: --- Summary: [Automation] - Automate ACL test cases relating to listVolume() Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolumes()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7492: Summary: [Automation] - Automate ACL test cases relating to listVolumes() (was: [Automation] - Automate ACL test cases relating to listVolume()) [Automation] - Automate ACL test cases relating to listVolumes() Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7391) [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14122208#comment-14122208
]
Sangeetha Hariharan commented on CLOUDSTACK-7391:
-
This is an issue with test scripts where listHosts() API call needs to called
with VM id , so that the suitableformigration parameter is set to true for
hosts.
This is already tracked in https://issues.apache.org/jira/browse/CLOUDSTACK-7391
[Automation] Fix the script test_host_high_availability.py - Error Message:
suitablehost should not be None
---
Key: CLOUDSTACK-7391
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7391
Project: CloudStack
Issue Type: Test
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Automation, Test
Affects Versions: 4.5.0
Reporter: Chandan Purushothama
Assignee: Gaurav Aradhye
Fix For: 4.5.0
==
Client Code:
==
def test_03_cant_migrate_vm_to_host_with_ha_positive(self):
Verify you can not migrate VMs to hosts with an ha.tag (positive)
.
.
.
vm = vms[0]
self.debug(Deployed VM on host: %s % vm.hostid)
#Find out a Suitable host for VM migration
list_hosts_response = list_hosts(
self.apiclient, *BUG: Query the list of hosts with vm id. Only
then the response will have list of suitable and non-suitable hosts. Else
suitableforMigration is not returned in the response*
)
self.assertEqual(
isinstance(list_hosts_response, list),
True,
The listHosts API returned the invalid list
)
self.assertNotEqual(
len(list_hosts_response),
0,
The listHosts returned nothing.
)
suitableHost = None
for host in list_hosts_response:
if host.suitableformigration == True and host.hostid != vm.hostid:
suitableHost = host
break
self.assertTrue(suitableHost is not None, suitablehost should not be
None)
*Error Message: suitablehost should not be None*
{code}
Cmd : listHosts===
requests.packages.urllib3.connectionpool: INFO: Starting new HTTP connection
(1): 10.220.135.39
requests.packages.urllib3.connectionpool: DEBUG: GET
/client/api?apiKey=NpffyWZkfwK7gPcNpx28Ohv6K56ftl57A409SyokqHjJ2ZNe3AvvF3F0teTETeIIqrtlcWpQOooM3cQyPveGXwcommand=listHostsresponse=jsonsignature=gh2gh3mSzQNAcfMdspqc9v1JE3U%3D
HTTP/1.1 200 3708
test_03_cant_migrate_vm_to_host_with_ha_positive
(integration.component.maint.test_host_high_availability.TestHostHighAvailability):
DEBUG: Response : [{name : u's-2-VM', created : u'2014-08-20T04:31:37+',
ipaddress : u'10.220.136.107', islocalstorageactive : False, podid :
u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version :
u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname :
u'XenRT-Zone-0-Pod-0', id : u'bb004159-d510-42b4-bfd5-878140a11f78',
lastpinged : u'1970-01-16T22:04:57+', type : u'SecondaryStorageVM',
events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested;
AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance',
zonename : u'XenRT-Zone-0'}, {name : u'v-1-VM', created :
u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.105',
islocalstorageactive : False, podid :
u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version :
u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname :
u'XenRT-Zone-0-Pod-0', id : u'f328a0d1-f4cb-4486-9550-dd46c403c3ed',
lastpinged : u'1970-01-16T22:04:57+', type : u'ConsoleProxy', events :
u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected;
HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename :
u'XenRT-Zone-0'}, {cpuwithoverprovisioning : u'28800.0', version :
u'4.5.0-SNAPSHOT', memorytotal : 31073792896, zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', cpunumber : 12, managementserverid :
231707544610094, cpuallocated : u'2.08%', memoryused : 4211653, id :
u'1f5f180e-3eb1-4a6a-92f8-8df71df57962', cpuused : u'0.03%',
hypervisorversion : u'6.2.0', clusterid :
u'af55ad36-15c8-424b-916b-db1550aae5ff', capabilities : u'xen-3.0-x86_64 ,
xen-3.0-x86_32p , hvm-3.0-x86_32 , hvm-3.0-x86_32p , hvm-3.0-x86_64', state :
u'Up', memoryallocated : 268435456, networkkbswrite : 5383, cpuspeed : 2400,
cpusockets : 2, type : u'Routing', events : u'AgentDisconnected; PingTimeout;
Remove;
[jira] [Issue Comment Deleted] (CLOUDSTACK-7391) [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None
[
https://issues.apache.org/jira/browse/CLOUDSTACK-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-7391:
Comment: was deleted
(was: This is an issue with test scripts where listHosts() API call needs to
called with VM id , so that the suitableformigration parameter is set to
true for hosts.
This is already tracked in https://issues.apache.org/jira/browse/CLOUDSTACK-7391
)
[Automation] Fix the script test_host_high_availability.py - Error Message:
suitablehost should not be None
---
Key: CLOUDSTACK-7391
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7391
Project: CloudStack
Issue Type: Test
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Automation, Test
Affects Versions: 4.5.0
Reporter: Chandan Purushothama
Assignee: Gaurav Aradhye
Fix For: 4.5.0
==
Client Code:
==
def test_03_cant_migrate_vm_to_host_with_ha_positive(self):
Verify you can not migrate VMs to hosts with an ha.tag (positive)
.
.
.
vm = vms[0]
self.debug(Deployed VM on host: %s % vm.hostid)
#Find out a Suitable host for VM migration
list_hosts_response = list_hosts(
self.apiclient, *BUG: Query the list of hosts with vm id. Only
then the response will have list of suitable and non-suitable hosts. Else
suitableforMigration is not returned in the response*
)
self.assertEqual(
isinstance(list_hosts_response, list),
True,
The listHosts API returned the invalid list
)
self.assertNotEqual(
len(list_hosts_response),
0,
The listHosts returned nothing.
)
suitableHost = None
for host in list_hosts_response:
if host.suitableformigration == True and host.hostid != vm.hostid:
suitableHost = host
break
self.assertTrue(suitableHost is not None, suitablehost should not be
None)
*Error Message: suitablehost should not be None*
{code}
Cmd : listHosts===
requests.packages.urllib3.connectionpool: INFO: Starting new HTTP connection
(1): 10.220.135.39
requests.packages.urllib3.connectionpool: DEBUG: GET
/client/api?apiKey=NpffyWZkfwK7gPcNpx28Ohv6K56ftl57A409SyokqHjJ2ZNe3AvvF3F0teTETeIIqrtlcWpQOooM3cQyPveGXwcommand=listHostsresponse=jsonsignature=gh2gh3mSzQNAcfMdspqc9v1JE3U%3D
HTTP/1.1 200 3708
test_03_cant_migrate_vm_to_host_with_ha_positive
(integration.component.maint.test_host_high_availability.TestHostHighAvailability):
DEBUG: Response : [{name : u's-2-VM', created : u'2014-08-20T04:31:37+',
ipaddress : u'10.220.136.107', islocalstorageactive : False, podid :
u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version :
u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname :
u'XenRT-Zone-0-Pod-0', id : u'bb004159-d510-42b4-bfd5-878140a11f78',
lastpinged : u'1970-01-16T22:04:57+', type : u'SecondaryStorageVM',
events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested;
AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance',
zonename : u'XenRT-Zone-0'}, {name : u'v-1-VM', created :
u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.105',
islocalstorageactive : False, podid :
u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version :
u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname :
u'XenRT-Zone-0-Pod-0', id : u'f328a0d1-f4cb-4486-9550-dd46c403c3ed',
lastpinged : u'1970-01-16T22:04:57+', type : u'ConsoleProxy', events :
u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected;
HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename :
u'XenRT-Zone-0'}, {cpuwithoverprovisioning : u'28800.0', version :
u'4.5.0-SNAPSHOT', memorytotal : 31073792896, zoneid :
u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', cpunumber : 12, managementserverid :
231707544610094, cpuallocated : u'2.08%', memoryused : 4211653, id :
u'1f5f180e-3eb1-4a6a-92f8-8df71df57962', cpuused : u'0.03%',
hypervisorversion : u'6.2.0', clusterid :
u'af55ad36-15c8-424b-916b-db1550aae5ff', capabilities : u'xen-3.0-x86_64 ,
xen-3.0-x86_32p , hvm-3.0-x86_32 , hvm-3.0-x86_32p , hvm-3.0-x86_64', state :
u'Up', memoryallocated : 268435456, networkkbswrite : 5383, cpuspeed : 2400,
cpusockets : 2, type : u'Routing', events : u'AgentDisconnected; PingTimeout;
Remove; ShutdownRequested;
[jira] [Created] (CLOUDSTACK-7471) Regular user is allowed to deleteNetwork/RestartNetwork that does not belong to him.He is also able to deploy Vm for other users.
Sangeetha Hariharan created CLOUDSTACK-7471:
---
Summary: Regular user is allowed to deleteNetwork/RestartNetwork
that does not belong to him.He is also able to deploy Vm for other users.
Key: CLOUDSTACK-7471
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7471
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.5.0
Environment: build from master
Reporter: Sangeetha Hariharan
Assignee: Min Chen
Scenario 1 :
Regular user is allowed to delete networks that belong to other users
Create a regular user - d1-a in Domain - d1.
Create another regular user - d1-b in Domain - d1.
As user d1-a , create a network.
As user d1-b , delete network that belongs to d1-a.
We expect this to not succeed.
But we are allowed to do this.
Snippet from apilog indicating AccountId- 92 is attempting the restart network.
2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8
ctx-c081eb69) (userId=92 accountId=92 sessionId=DC
A599AA77169CA107BA0AADA19667F7) 10.215.3.6 – GET
command=deleteNetworkid=2f2cc737-ba0f-4806-a81b-92a5749cfe7bresponse=jsonsessi
onkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { deletenetworkresponse :
{jobid:05daf212-1aa7-4885-b133-2645a6ceb7df}
}
Snippet from DB indicating that the owner of network is account_id=89 .
mysql select account_id,domain_id from networks where
uuid=2f2cc737-ba0f-4806-a81b-92a5749cfe7b;
-+
account_id domain_id
-+
89 37
-+
1 row in set (0.00 sec)
Snippet from management server logs indicating success:
2014-08-29 06:59:57,911 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl]
(catalina-exec-23:ctx-05f928b8 ctx-c081eb69) submit async job-995,
details: AsyncJobVO {id:995, userId: 92, accountId: 92, instanceType: None,
instanceId: null, cmd: org.apache.cloudstack.api.comman
d.user.network.DeleteNetworkCmd, cmdInfo:
{response:json,id:2f2cc737-ba0f-4806-a81b-92a5749cfe7b,sessionkey:NHvM0k5Rg/Qs
pJg2g0YnQP/hq34\u003d,ctxDetails:
{\com.cloud.network.Network\:\2f2cc737-ba0f-4806-a81b-92a5749cfe7b\}
,cmdEventType:NETW
ORK.DELETE,ctxUserId:92,httpmethod:GET,uuid:2f2cc737-ba0f-4806-a81b-92a5749cfe7b,ctxAccountId:92,ctxStartEventId
:3020}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0,
result: null, initMsid: 82324189320212, completeMsid
: null, lastUpdated: null, lastPolled: null, created: null}
2014-08-29 06:59:57,912 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-05f928b8
ctx-c081eb69) ===END=== 10.215.3.6 – GET command
=deleteNetworkid=2f2cc737-ba0f-4806-a81b-92a5749cfe7bresponse=jsonsessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D
2014-08-29 06:59:57,934 DEBUG [o.a.c.e.o.NetworkOrchestrator]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network is al
ready shutdown: Ntwk[390|Guest|8]
2014-08-29 06:59:57,937 DEBUG [c.c.n.r.RulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 port f
orwarding rules for network id=390
2014-08-29 06:59:57,938 DEBUG [c.c.n.r.RulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 static
nat rules for network id=390
2014-08-29 06:59:57,939 DEBUG [c.c.n.r.RulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no port
forwarding rules to apply for network id=390
2014-08-29 06:59:57,940 DEBUG [c.c.n.r.RulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no stati
c nat rules to apply for network id=390
2014-08-29 06:59:57,941 DEBUG [c.c.n.r.RulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully relea
sed rules for network id=390 and # of rules now = 0
2014-08-29 06:59:57,941 DEBUG [o.a.c.e.o.NetworkOrchestrator]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully
cleaned up portForwarding/staticNat rules for network id=390
2014-08-29 06:59:57,942 DEBUG [c.c.n.l.LoadBalancingRulesManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Found
0 lb rules to cleanup
2014-08-29 06:59:57,942 DEBUG [o.a.c.e.o.NetworkOrchestrator]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully
cleaned up load balancing rules for network id=390
2014-08-29 06:59:57,949 DEBUG [c.c.n.f.FirewallManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 firewall
rules for network id=390
2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no firewall
rules to apply
2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl]
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully released
firewall rules for network id=390 and # of rules now = 0
2014-08-29 06:59:57,955 DEBUG
[jira] [Assigned] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7033: --- Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
Sangeetha Hariharan created CLOUDSTACK-7033: --- Summary: [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7034) [Automation] - Automate ACL test cases relating to listVirtualMachines()
Sangeetha Hariharan created CLOUDSTACK-7034: --- Summary: [Automation] - Automate ACL test cases relating to listVirtualMachines() Key: CLOUDSTACK-7034 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7034 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7035) [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks.
Sangeetha Hariharan created CLOUDSTACK-7035: --- Summary: [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks. Key: CLOUDSTACK-7035 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7035 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7002) [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network.
Sangeetha Hariharan created CLOUDSTACK-7002: --- Summary: [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network. Key: CLOUDSTACK-7002 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7002 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: Automation Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan Fix For: 4.4.0 [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Resolved] (CLOUDSTACK-7002) [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan resolved CLOUDSTACK-7002. - Resolution: Fixed Automated 33 test cases relating to access checks for createNetwork(), deploying VM in an isolated network and restarNetwork. Author: Sangeetha sangeetha.hariha...@citrix.com Date: Thu Jun 26 13:40:53 2014 -0700 This test suite contains test cases relating to access checks for createNetwork(), deploying VM in an isolated.. commit 9c2e6f5ed45522ff68131556028f3fb4ff91ee90 Review for this patch is tracked in https://reviews.apache.org/r/22709/ Test results: # Validate that Admin should be able to create network for himslef ... === TestName: test_01_createNetwork_admin | Status : SUCCESS === ok # Validate that Admin should be able to create network for users in his domain ... === TestName: test_02_createNetwork_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should be able to create network for users in his sub domain ... === TestName: test_03_createNetwork_admin_foruserinotherdomain | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for himslef ... === TestName: test_04_createNetwork_domaindmin | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for users in his domain ... === TestName: test_05_createNetwork_domaindmin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for users in his sub domain ... === TestName: test_06_createNetwork_domaindmin_foruserinsubdomain | Status : SUCCESS === ok # Validate that Domain admin should not be able to create network for users in his sub domain ... === TestName: test_07_createNetwork_domaindmin_forcrossdomainuser | Status : SUCCESS === ok # Validate that Regular should be able to create network for himslef ... === TestName: test_08_createNetwork_user | Status : SUCCESS === ok # Validate that Regular user should NOT be able to create network for users in his domain ... === TestName: test_09_createNetwork_user_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be NOT be able to create network for users in other domains ... === TestName: test_10_createNetwork_user_foruserinotherdomain | Status : SUCCESS === ok # Validate that Admin should be able to deploy VM in the networks he owns ... === TestName: test_11_deployvm_admin | Status : SUCCESS === ok # Validate that Admin should be able to deploy Vm for users in his domain ... === TestName: test_12_deployvm_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should not be able deploy VM for a user in a network that does not belong to the user ... === TestName: test_13_1_deployvm_admin_foruserinotherdomain_crossnetwork | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for himslef ... === TestName: test_14_deployvm_domaindmin | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for users in his domain ... === TestName: test_15_deployvm_domaindmin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for users in his sub domain ... === TestName: test_16_deployvm_domaindmin_foruserinsubdomain | Status : SUCCESS === ok # Validate that Domain admin should not be able deploy VM for a user in a network that does not belong to the user ... === TestName: test_17_1_deployvm_domainadmin_foruserinotherdomain_crossnetwork | Status : SUCCESS === ok # Validate that Domain admin should not be able allowed to deploy vm for users not in his sub domain ... === TestName: test_17_deployvm_domaindmin_forcrossdomainuser | Status : SUCCESS === ok # Validate that Regular should be able to deploy vm for himslef ... === TestName: test_18_deployvm_user | Status : SUCCESS === ok # Validate that Regular user should NOT be able to deploy vm for users in his domain ... === TestName: test_19_deployvm_user_foruserinsamedomain | Status : SUCCESS === ok #Validate that User should not be able deploy VM in a network that does not belong to him ... === TestName: test_20_1_deployvm_user_incrossnetwork | Status : SUCCESS === ok # Validate that Regular user should NOT be able to deploy vm for users in his domain ... === TestName: test_20_deployvm_user_foruserincrossdomain | Status : SUCCESS === ok #Validate that Admin should be able to restart network for networks he owns ... === TestName: test_21_restartNetwork_admin | Status : SUCCESS === ok # Validate that Admin should be able to restart network for users in his domain ... === TestName: test_22_restartNetwork_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should be able to restart network for users in his sub domain ... === TestName:
[jira] [Created] (CLOUDSTACK-6973) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Edit
Sangeetha Hariharan created CLOUDSTACK-6973:
---
Summary: IAM - listNetworks - When Domain Admin calls listNetwork
with listall=false , isolated networks belonging to other users in the domain
is also listed. Edit Comment Assign More Resolve Issue
Close Issue Export
Key: CLOUDSTACK-6973
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6973
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.4.0
Environment: Build from 4.4-forward
Reporter: Sangeetha Hariharan
IAM - listNetworks - When Domain Admin calls listNetwork with listall=false ,
isolated networks belonging to other users in the domain is also listed.
Steps to reproduce the problem:
Domain D1 - has user d1 (domain admin), d1a and d1b regular users.
Each user has a isolated network that he owns.
Calling listNetworks() with no parameters (or listall=false) , results in
isolated networks owned by other regular users in the domain to be listed.
As domain admin d1 , when I listed istNetworks() with no parameters (or
listall=false) , i see the isolated networks owned by d1a and d1b regular users
listed:
-
id account_nameuuidtypedomain_id state removed
cleanup_needed network_domain default_zone_id default
-
1 system 2c320fc2-d1eb-11e3-907f-4adf980f94141 1 enabled
NULL0 NULLNULL1
2 admin 2c324dfc-d1eb-11e3-907f-4adf980f94141 1 enabled
NULL0 NULLNULL1
3 testD1-TestNetworkList-0SNBP5 53144728-76db-427a-ab96-5a6901e31a5e
2 2 enabled NULL0 NULLNULL0
4 testD1A-TestNetworkList-0Y3W33 196cc54c-4f4f-4bff-91ee-e084395eb388
0 2 enabled NULL0 NULLNULL0
5 testD1B-TestNetworkList-KOGK49 52d34195-f6be-482d-b8cb-effaf9d3bcc4
0 2 enabled NULL0 NULLNULL0
List call response:
2014-05-02 07:38:19,152 INFO [a.c.c.a.ApiServer] (catalina-exec-10:ctx-4d9ac3c7
ctx-d8785a9c ctx-aa28872f) (userId=3 accountId=3 ses
sionId=null) 10.223.56.66 – GET
apiKey=ASspPltVyUxiuOKQLuyfJnsS_zezNXRjZPfZsdjAXpJMUnu7r75Zn9dqk7p_eL1PrATjDbDanUN3uGsGbsCcwgrespon
se=jsonlistall=falsecommand=listNetworkssignature=s9FYHRWmLi2E7LeQDhXcyi%2Fu0J0%3D
200 { listnetworksresponse : { count:5 ,ne
twork : [
{id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestN
etworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:
10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3
567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering
for Isolated n
etworks with Source Nat service
enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false
,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,accou
nt:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[
{name:PortF orwarding}
,
{name:UserData}
,{name:Firewall,capability:[
{name:MultipleIps,value:true,canchooseservicecapability:fa lse}
,
{name:SupportedEgressProtocols,value:tcp,udp,icmp,
all,canchooseservicecapability:false}
,
{name:SupportedProtocols,
value:tcp,udp,icmp,canchooseservicecapability:false}
,
{name:SupportedTrafficDirection,value:ingress, egress,canchoosese
rvicecapability:false}
,
{name:TrafficStatistics,value:per public
ip,canchooseservicecapability:false}
]},{name:Lb,capab
ility:[{name:AutoScaleCounters,value:[
{\methodname\:\cpu\,\paramlist\:[]}
,
{\methodname\:\memory\,\paramlist\:[]}
]
,canchooseservicecapability:false},
{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false}
,
{name:
SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false}
,
{name:LbSchemes,value:Public ,canchooseservicecapability:false}
,
{name:SupportedProtocols,value:tcp,
udp,canchooseservicecapability:false}
,{name:Su
pportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[
{\paramname\:\cookie-name\,\required\:false,\i
sflag\:false,\description\:\ \}
,
{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\
\}
,
[jira] [Updated] (CLOUDSTACK-6973) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-6973:
Summary: IAM - listNetworks - When Domain Admin calls listNetwork with
listall=false , isolated networks belonging to other users in the domain is
also listed. (was: IAM - listNetworks - When Domain Admin calls listNetwork
with listall=false , isolated networks belonging to other users in the domain
is also listed. Edit Comment Assign More Resolve Issue
Close Issue Export)
IAM - listNetworks - When Domain Admin calls listNetwork with listall=false ,
isolated networks belonging to other users in the domain is also listed.
--
Key: CLOUDSTACK-6973
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6973
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: Management Server
Affects Versions: 4.4.0
Environment: Build from 4.4-forward
Reporter: Sangeetha Hariharan
IAM - listNetworks - When Domain Admin calls listNetwork with listall=false ,
isolated networks belonging to other users in the domain is also listed.
Steps to reproduce the problem:
Domain D1 - has user d1 (domain admin), d1a and d1b regular users.
Each user has a isolated network that he owns.
Calling listNetworks() with no parameters (or listall=false) , results in
isolated networks owned by other regular users in the domain to be listed.
As domain admin d1 , when I listed istNetworks() with no parameters (or
listall=false) , i see the isolated networks owned by d1a and d1b regular
users listed:
-
idaccount_nameuuidtypedomain_id state removed
cleanup_needed network_domain default_zone_id default
-
1 system 2c320fc2-d1eb-11e3-907f-4adf980f94141 1 enabled
NULL0 NULLNULL1
2 admin 2c324dfc-d1eb-11e3-907f-4adf980f94141 1 enabled
NULL0 NULLNULL1
3 testD1-TestNetworkList-0SNBP5 53144728-76db-427a-ab96-5a6901e31a5e
2 2 enabled NULL0 NULLNULL0
4 testD1A-TestNetworkList-0Y3W33 196cc54c-4f4f-4bff-91ee-e084395eb388
0 2 enabled NULL0 NULLNULL0
5 testD1B-TestNetworkList-KOGK49 52d34195-f6be-482d-b8cb-effaf9d3bcc4
0 2 enabled NULL0 NULLNULL0
List call response:
2014-05-02 07:38:19,152 INFO [a.c.c.a.ApiServer]
(catalina-exec-10:ctx-4d9ac3c7 ctx-d8785a9c ctx-aa28872f) (userId=3
accountId=3 ses
sionId=null) 10.223.56.66 – GET
apiKey=ASspPltVyUxiuOKQLuyfJnsS_zezNXRjZPfZsdjAXpJMUnu7r75Zn9dqk7p_eL1PrATjDbDanUN3uGsGbsCcwgrespon
se=jsonlistall=falsecommand=listNetworkssignature=s9FYHRWmLi2E7LeQDhXcyi%2Fu0J0%3D
200 { listnetworksresponse : { count:5 ,ne
twork : [
{id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestN
etworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:
10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3
567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering
for Isolated n
etworks with Source Nat service
enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false
,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,accou
nt:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[
{name:PortF orwarding}
,
{name:UserData}
,{name:Firewall,capability:[
{name:MultipleIps,value:true,canchooseservicecapability:fa lse}
,
{name:SupportedEgressProtocols,value:tcp,udp,icmp,
all,canchooseservicecapability:false}
,
{name:SupportedProtocols,
value:tcp,udp,icmp,canchooseservicecapability:false}
,
{name:SupportedTrafficDirection,value:ingress, egress,canchoosese
rvicecapability:false}
,
{name:TrafficStatistics,value:per public
ip,canchooseservicecapability:false}
]},{name:Lb,capab
ility:[{name:AutoScaleCounters,value:[
{\methodname\:\cpu\,\paramlist\:[]}
,
[jira] [Created] (CLOUDSTACK-6974) IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed.
Sangeetha Hariharan created CLOUDSTACK-6974:
---
Summary: IAM-Root Admin - When listNetwork is used with
listall=false (or no listall passed), all isoalted networks belonging to other
users is listed.
Key: CLOUDSTACK-6974
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6974
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.4.0
Environment: Build from 4.4-forward
Reporter: Sangeetha Hariharan
Root Admin - When listNetwork is used with listall=false (or no listall passed)
and isrecursive=true , all networks in the system are returned.
Steps to reproduce the problem:
Create multiple domains with few user and domain accounts in them.
Create isolated networks as each of these accounts.
Create an admin user under ROOT.
As this admin user, deploy a VM.
Use listNetwork with listall=false (or no listall passed) and isrecursive=true
to retrieve all the networks owned by this admin.
This results in all the networks in the system being returned.
Following is the API call that was made , that resulted in 15 networks being
fetched when it should have fetched only 1 isolated network and 1
shared network.
http://10.223.49.6:8080/client/api?apiKey=PB2CyeaqN0vfTodPzXV52OdE9YZLC8K-BrdLiEijWmq85nuAEfXVoAPxbzW0J5BgFAT-f5lnwDEgeOfp_boJAgisrecursive=trueresponse=jsonlistall=falsecommand=listNetworkssignature=l%2FNR4aBSnk7aAEDHhlsAvEXe7Cg%3D
Response: { listnetworksresponse : { count:15 ,network : [
{id:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,name:SharedNetwork-Account,displaytext:SharedNetwork-Account,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:1bec2c7f-d35d-4d33-a655-d3159be4a6ff,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering
for Shared Security group enabled
networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,broadcasturi:vlan://153,dns1:4.2.2.2,type:Shared,vlan:153,acltype:Account,account:testD111A-TestNetworkList-RPNQIQ,domainid:b706ea33-fbf7-4167-a857-16f79f332cf3,domain:D111-A243U3,service:[
{name:UserData}
,{name:Dhcp,capability:[
{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}
]},{ ...
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (CLOUDSTACK-6937) IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid.
Sangeetha Hariharan created CLOUDSTACK-6937: --- Summary: IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid. Key: CLOUDSTACK-6937 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6937 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid. Create a domain d1 and deploy a vm as an account under this domain. As ROOT admin , try to listNetwork of this VM by passing uuid of the network. Empyt result is returned. when listall=true is passed along with id parameter , then we are able to list the network. http://10.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg%3D This returns empty list. When passed with listall=true then network is listed: http://10.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg%3D%20%3E%3E%201010.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg=listall=true -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6939) IAM - DomainAdmin - Not able to listNetwork belonging to a subdomain by passing uuid.
Sangeetha Hariharan created CLOUDSTACK-6939:
---
Summary: IAM - DomainAdmin - Not able to listNetwork belonging to
a subdomain by passing uuid.
Key: CLOUDSTACK-6939
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6939
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.4.0
Environment: Build from 4.4-forward
Reporter: Sangeetha Hariharan
IAM - DomainAdmin - Not able to listNetwork belonging to a subdomain by passing
uuid.
Steps to reproduce the problem:
Create a domain D1 with domain admin user - d1
Create a subdomain D1/D11 with regular user - d11a.
As d11a user , create an isolated network.
As domain admin d1 , use listNetworks() command to list network of d11a by
passing id paramater.
listNetwork() returns empty list.
When i pass listall=true parameter along with uuid parameter , then I am able
to get the list.
When empty result is returned:
2014-05-02 14:40:54,273 INFO [a.c.c.a.ApiServer] (catalina-exec-19:ctx-7b012c50
ctx-d447137f) (userId=14 acc
ountId=14 sessionId=0662CF854C84368E87A0D1E1283323A4) 10.215.2.8 – GET
command=listNetworksid=323c350f-8345
-493e-bc50-5b9592fe4ab3response=jsonsessionkey=B2T%2FRltf8yQnVVqLXpbocOU4HyE%3D_=1399080286519
200 { list
networksresponse : { } }
with listall=true parameter , network is being listed:
2014-05-02 14:41:08,454 INFO [a.c.c.a.ApiServer] (catalina-exec-8:ctx-4cccd2f8
ctx-c091216f) (userId=14 acco
untId=14 sessionId=0662CF854C84368E87A0D1E1283323A4) 10.215.2.8 – GET
command=listNetworksid=323c350f-8345-
493e-bc50-5b9592fe4ab3response=jsonsessionkey=B2T%2FRltf8yQnVVqLXpbocOU4HyE%3D_=1399080286519listall=true
200 { listnetworksresponse : { count:1 ,network : [
{id:323c350f-8345-493e-bc50-5b9592fe4ab3,nam
e:testD11-TestNetworkList-OPXQKG-network,displaytext:testD11-TestNetworkList-OPXQKG-network,broadcast
domaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,
zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acb
b-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdi
splaytext:Offering for Isolated networks with Source Nat service
enabled,networkofferingconservemode:tru
e,networkofferingavailability:Required,issystem:false,state:Implemented,related:323c350f-8345-49
3e-bc50-5b9592fe4ab3,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD11-TestNetworkLi
st-OPXQKG,domainid:63282e89-0798-456b-9f1d-a234af5fb046,domain:D11-BVD36X,service:[
{name:PortFo rwarding}
,
{name:UserData}
,{name:Firewall,capability:[
{name:MultipleIps,value:true,canchoo seservicecapability:false}
,
{name:SupportedEgressProtocols,value:tcp,udp,icmp,
all,canchooseservicec apability:false}
,
{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false}
,
{name:SupportedTrafficDirection,value:ingress,
egress,canchooseservicecapability:false}
,
{name:TrafficStatistics,value:per public
ip,canchooseservicecapability:false}
]},{name:Lb,capability:[{name:AutoScaleCounters,value:[
{\methodname\:\cpu\,\paramlist\:[]}
,
{\methodname\:\memory\,\paramlist\:[]}
],canchooseservicecapability:false},
{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false}
,
{name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false}
,
{name:LbSchemes,value:Public,canchooseservicecapability:false}
,
{name:SupportedProtocols,value:tcp,
udp,canchooseservicecapability:false}
,{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[
{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\
\}
,
{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\
\}
,
{\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\
\}
,
{\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\
\}
,
{\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\
\}
,{\paramname\:\domain\,\required\:false,\isflag\:false,
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6742. --- Tested with latest build from 4.4 (after IAM revert). As regular users, we are able to list only the vms and volumes that belong to this account. listVolumes - As regularuser , able to list Vms and volumes of other users. --- Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6745. --- Tested with latest build from 4.4-forward branch. DomainAdmin is able to deploy Vm for users in his domain/subdomain by passing their account name and domain Id in account and domainId parameter. DomainAdmin is not able to deploy Vm for users in his domain/subdomain. --- Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6581) IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan closed CLOUDSTACK-6581.
---
Tested with latest build form 4.4-forward ( after IAM revert) :
ROOT admin is not able to deploy Vms in shared networks with scope domain/
account (dedicated to a particular domain / account).
API throws the following error when ROOT admin tries to deploy a VM in an
account specific shared network.
{ deployvirtualmachineresponse :
{uuidList:[],errorcode:531,cserrorcode:4365,errortext:Unable to use
network with id= 89215c78-1526-4d54-9021-8f49d6c991e3, permission denied} }
API throws the following error when ROOT admin tries to deploy a VM in a domain
specific shared network.
{ deployvirtualmachineresponse :
{uuidList:[],errorcode:531,cserrorcode:4365,errortext:Shared network
id=768a1a01-2caa-4d49-93db-ccba42619cb0 is not available in domain id=1} }
IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared
network that is scoped for a specific domain/account.
---
Key: CLOUDSTACK-6581
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6581
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Assignee: Prachi Damle
Priority: Critical
Fix For: 4.4.0
IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared
network that is scoped for a specific domain/account.
Steps to reproduce the problem:
Create a admin account for ROOT domain.
Create a domain d1 with account a1.
Create a shared network for domain d1 with sub domain access set to true.
Create a shared network for domain d1 with sub domain access set to false.
Create a shared network for account a1 d1 with sub domain access set to false.
As ROOT admin , try to deploy a VM in the above created shared networks.
Vm deployment succeeds.
Expected Result:
ROOT admin should not be allowed to deploy VMs in shared networks that are
scoped for a specific domain/account.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6569) IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan closed CLOUDSTACK-6569.
---
Tested with latest build from 4.4-forward (after IAM revert)
Regular user is not allowed to list network of other accounts in the same
domain:
2014-06-12 10:28:52,820 INFO [a.c.c.a.ApiServer] (catalina-exec-5:ctx-08e8e4b8
ctx-ec14d52d) (userId=7 accountId=7 sessionId=05A235CFC99FACA027D130666C218B1C)
10.216.50.29 -- GET
command=listNetworksresponse=jsonsessionkey=ZILTwOXY%2BZYac8MZdC%2BthwzVpHE%3DlistAll=truepage=1pagesize=20account=d1-sandomainid=a35f9e43-1707-4ea8-b776-e6e4e75b8fff
531 Acct[9489582f-092e-44a4-bc97-5ab7c0a3d30b-d1-san2] does not have
permission to operate with resource
Acct[f83f6755-7c50-4557-8cbc-5d0b9410f4fe-d1-san]
IAM - Regular user is able to listNetworks of another user in the same domain
, by passing account and domainId.
-
Key: CLOUDSTACK-6569
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6569
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Assignee: Min Chen
Priority: Critical
Fix For: 4.4.0
Regular user is able to listNetworks of another user in the same domain , by
passing account and domainId.
Domain - d1.
3 users in this domain , testd1 - domainadmin , testd1a and testd1b regular
users.
Each of the users have 1 isolated network.
As testd1a , tried to list network of testd1b by passing account and
domainId. ListNetwork returns testd1b's isolated network.
2014-05-02 10:21:29,090 INFO [a.c.c.a.ApiServer]
(catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) (userId=4 accountId=4
sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET
command=listNetworksresponse=jsonsessionkey=vHQRHlttApujok8Jf73KKKww5XM%3DlistAll=truepage=1pagesize=20domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43eresponse=jsonaccount=testD1B-TestNetworkList-KOGK49
200 { listnetworksresponse : { count:4 ,network : [
{id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestNetworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering
for Isolated networks with Source Nat service
enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[{name:PortForwarding},{name:UserData},{name:Firewall,capability:[{name:MultipleIps,value:true,canchooseservicecapability:false},{name:SupportedEgressProtocols,value:tcp,udp,icmp,
all,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:SupportedTrafficDirection,value:ingress,
egress,canchooseservicecapability:false},{name:TrafficStatistics,value:per
public
ip,canchooseservicecapability:false}]},{name:Lb,capability:[{name:AutoScaleCounters,value:[{\methodname\:\cpu\,\paramlist\:[]},{\methodname\:\memory\,\paramlist\:[]}],canchooseservicecapability:false},{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false},{name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false},{name:LbSchemes,value:Public,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,
udp,canchooseservicecapability:false},{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\domain\,\required\:false,\isflag\:false,\description\:\
\}],\description\:\This is loadbalancer cookie based stickiness
method.\},{\methodname\:\AppCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\length\,\required\:false,\isflag\:false,\description\:\
[jira] [Closed] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6533. --- Tested with latest build from 4.4-forward (after IAM revert) ROOT admin is able to see and use templates(for VM deployment) that are owned by regular users and is marked as Public. IAM - Templates - Public templates do not have permissions to be used by ROOT group. Key: CLOUDSTACK-6533 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - Templates - Public templates do not have permissions to be used by ROOT group. As regular user create a public template. In iam_policy_permission policy we do not have permission for Admin group. mysql select * from iam_policy_permission where scope_id = 206; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope| access_type | permission | recursive | removed | created | +--+---+---++--+--+-++---+-+-+ | 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | | 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | mysql select * from vm_template where id=206; +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text| enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size| state | update_count | updated | dynamically_scalable | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD| 2014-04-29 11:03:52 | NULL|318 | NULL | public and feature Template | 0 | 0 | 12 |1 | 0 | 0 | 1 | Simulator | NULL | NULL |0 | 5242880 | Active |0 | NULL| 0 | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ 1 row in set (0.00 sec) Inspite of not having the required permissions to use the template , admin is able to use this template for vm deployment. Root cause
[jira] [Closed] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6517. --- Testing with latest build from 4.4-forward (after IAM revert): Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. http://10.223.49.6:8080/client/api?command=createPortForwardingRuleresponse=jsonsessionkey=kFu73ky%2BPuW%2BBz9dkcSBIHyXwkM%3Dipaddressid=0817bae5-c672-4ea7-a2cd-ce163d3a8727privateport=22privateendport=22publicport=22publicendport=22protocol=tcpvirtualmachineid=308450de-d4be-4c91-9067-b3826e85e9b2openfirewall=falsenetworkid=9fd8bcef-c140-4061-adc0-5c24c5f7dc69_=1402609388398 This succeeds . This is the desired behavior. Closing this issue. IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. --- Key: CLOUDSTACK-6517 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Fix For: 4.4.0 IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. Creating PF rule succeeds. Since Admin has only ListEntry permission for IpAddress owned by other users , we expect this api call to fail. mysql select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2; +--+---+---+---+--+-+--++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---+---+--+-+--++---+-+-+ | 1840 | 2 | listPublicIpAddresses | IpAddress | -1 | ALL | ListEntry| Allow | 0 | NULL| 2014-04-22 18:31:03 | | 1841 | 2 | listPublicIpAddresses | IpAddress | -1 | ACCOUNT | UseEntry | Allow | 0 | NULL| 2014-04-22 18:31:03 | Admin should be allowed to do this only , when he passes account and domainId of the regular user is passed. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6512. --- Tested with latest build from 4.4-forward (after IAM revert): Have shared networks created with scope as domain and account. Using UI , Log in as a user who has access to both the account specific and domain specific shared network. Try to deploy a VM. Network list shown as part of VM deployment , has both the shared networks listed: Following is the API call made for listing networks: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=WRY5kiZ461rcInw5KRwr59dPh8U%3DzoneId=8374d5ac-e559-4a36-88cd-ddc32990659ecanusefordeploy=truedomainid=0c61d5a9-59bd-4f61-97ec-6078acd6e231account=d11-san_=1402609700920 Deploying Vms in these shared networks also succeed. Closing this issue. IAM - Not able to list shared networks in the Vm deployment flow. - Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6501) IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6501. --- Tested with latest build from 4.4-forward (after IAM revert): As DomainAdmin , when listVirtualMachines is used with listall=true and account and domainId , we are able to list all the Vms owned by the account. Closing this issue. IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed. -- Key: CLOUDSTACK-6501 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6501 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account is not listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b Domain Account in domain D1/D11 - D11 - Creates object - d11 User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin account D1 , try to list all the Vms for d11 (domain admin user) using account and domainId parameters. Expected Result: Vm owned by the account that is passed in account/domainId parameter. Actual Result: Empty set is returned. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=0e8d9d60-c39a-4304-b048-1e63500d0d30account=testD11listAll=trueisrecursive=trueapiKey=bW1FEJkIERji0cWRNQqvmWOgOINjMeBggyoPsMjN9_Qnvq-QtC6L4ORqmbdfQ-XtUYQdSoJIniZrHK3_oi9pcQsignature=5qLgaWzslWKSz%2FXbVSK0zdj%2B49I%3D \n\n current Time: Thu Apr 24 14:43:18 PDT 2014 ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOT/listvirtualmachinesresponseConnection to 10.223.49.6 8080 port [tcp/webcache] succeeded! Response Time(in secs) : 0 current Time: Thu Apr 24 14:43:18 PDT 2014 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6349) IAM - No error message presented to the user , when invalid password is provided.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6349. --- Tested with latest build from 4.4-forward ( after IAM revert) When regular user tries to log in with invalid password, following error message is presented to the user: Invalid username or password IAM - No error message presented to the user , when invalid password is provided. - Key: CLOUDSTACK-6349 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6349 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Try to log in as regular user , by providing invalid username/password. User is not presented with any error message: apilog.log: 2014-04-07 10:51:15,849 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5511ac44) 10.215.3.0 -- POST command=login domain=/ unknown exception writing api response Management server log: 2014-04-07 10:47:28,001 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) ===START=== 10.215.3.0 -- POST 2014-04-07 10:47:28,003 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Attempting to log in user: test in domain 1 2014-04-07 10:47:28,003 DEBUG [c.c.s.a.SHA256SaltedUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,005 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,009 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,012 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,016 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,016 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Unable to authenticate user with username test in domain 1 2014-04-07 10:47:28,019 ERROR [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) unknown exception writing api response com.cloud.exception.InvalidParameterValueException: Caller cannot be passed as NULL to IAM! at org.apache.cloudstack.iam.RoleBasedEntityAccessChecker.checkAccess(RoleBasedEntityAccessChecker.java:67) at com.cloud.user.AccountManagerImpl.isRootAdmin(AccountManagerImpl.java:371) at com.cloud.user.AccountManagerImpl.isInternalAccount(AccountManagerImpl.java:420) at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2045) at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:1871) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at $Proxy99.authenticateUser(Unknown Source) at com.cloud.api.ApiServer.loginUser(ApiServer.java:850) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:231) at com.cloud.api.ApiServlet.access$000(ApiServlet.java:54) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:118) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:115) at com.cloud.api.ApiServlet.doPost(ApiServlet.java:82)
[jira] [Closed] (CLOUDSTACK-6348) IAM - Regular User is not able to change password.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6348. --- Tested with latest build from 4.4-forward ( after IAM revert) Regular user is able to change his password successfully. IAM - Regular User is not able to change password. -- Key: CLOUDSTACK-6348 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6348 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Steps to reproduce the problem: As regular user , try to change password. Following error message is presented to the user: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] Management server log: 2014-04-07 10:43:58,185 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03) ===START=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D 2014-04-07 10:43:58,204 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) Account Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] for access type: OperateEntry 2014-04-07 10:43:58,211 INFO [c.c.a.ApiServer] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) PermissionDenied: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] on objs: [] 2014-04-07 10:43:58,212 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) ===END=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6468) IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan closed CLOUDSTACK-6468.
---
Tested with latest build from 4.4-forward ( after IAM revert):
Admin is able to set the isFeatured flag for templates that are owned by
regular users.
IAM - Templates - Admin user is not allowed to edit template and set
isExtractable() paramater.
---
Key: CLOUDSTACK-6468
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6468
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: IAM
Affects Versions: 4.4.0
Reporter: Sangeetha Hariharan
Assignee: Min Chen
Fix For: 4.4.0
IAM - Templates - Admin user is not allowed to edit template and set
isExtractable() paramater.
From UI , As admin , tried to update the isFeatured() flag to true for a
template that was created by regular user.
This fails with Only ROOT admins are allowed to modify this attribute.
http://10.223.49.6:8080/client/api?command=updateTemplatePermissionsresponse=jsonsessionkey=1WTLpcX%2FCiA4QLBY3RZTTB0ceaE%3Did=851cfe02-d91f-4226-b325-b48a09d2a2afispublic=falseisfeatured=trueisextractable=true_=1398114267369
{ updatetemplatepermissionsresponse :
{uuidList:[],errorcode:431,cserrorcode:4350,errortext:Only ROOT
admins are allowed to modify this attribute.} }
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6381. --- Tested with latest build from 4.4-forward ( after IAM revert) Only when domainId is passed to list commands , isrecursive() flag is considered. In all other cases , it is defaulted to true. This behavior is as expected. Closing this issue. IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall
[jira] [Closed] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6429. --- IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14030165#comment-14030165 ] Sangeetha Hariharan commented on CLOUDSTACK-6429: - Testing with latest build from 4.4-forward (after IAM revert): As admin , When listAll=false is used to list all Vms under a subdomain , all Vms in the subdomain are only listed. Closing this issue. IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6891) [Automation] - port 8096 is being used when executing the suite when admin’s keys are not generated before execution of the suite.
Sangeetha Hariharan created CLOUDSTACK-6891: --- Summary: [Automation] - port 8096 is being used when executing the suite when admin’s keys are not generated before execution of the suite. Key: CLOUDSTACK-6891 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6891 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Environment: Marvin builds from 4.4-forward branch Reporter: Sangeetha Hariharan port 8096 is being used for the entire suite in the following scenario: api/secret key is not present for the admin user and as part of executing a test suite , we generate the secret and api key for admin user.This happens when the very first test suite is executed after the setup is created and admin’s keys are not generated yet. In __createApiClient method of cloudstackTestClient.py , mgmt_details.port is not set explicitly to “8080” , when there is a need to generate the keys. In such cases , we default to using port “8096” which is defined as part of the configuration file. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
Sangeetha Hariharan created CLOUDSTACK-6742: --- Summary: listVolumes - As regularuser , able to list Vms and volumes of other users. Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6742: Description: listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. was: listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms that belong to all other users including ROOT admin and domain Admin users. listVolumes - As regularuser , able to list Vms and volumes of other users. --- Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
Sangeetha Hariharan created CLOUDSTACK-6745: --- Summary: DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14005502#comment-14005502 ] Sangeetha Hariharan commented on CLOUDSTACK-6745: - This issue is also seen when Domain admin tries to deploy a VM for a regular user in his domain in a shared network with scope Domain/Account. DomainAdmin is not able to deploy Vm for users in his domain/subdomain. --- Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6584) IAM - Deletion of domain fails.
Sangeetha Hariharan created CLOUDSTACK-6584: --- Summary: IAM - Deletion of domain fails. Key: CLOUDSTACK-6584 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6584 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Deletion of domain fails. Created the following set of domains: ROOT d1 d1/d11 d1/d11/d111 d2 Shared networks were created for domain d11 Shared networks were created for an account under domain d111. Accounts are created under each of the domains. Deploy Vms as these accounts using the shared networks. I delete all the accounts which resulted in all the Vms being Expunged. Now I tried to delete the domain - d1 (D1-PM76WG) which always fails with force delete option. Following exception seen in management server logs: 61-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172-JdkDynamicAopProxy.invoke:204-$Proxy47.remove:-1-DomainManagerImpl.cleanupDomain:443-DomainM anagerImpl.deleteDomain:272-DomainManagerImpl.deleteDomain:257 2014-05-06 11:03:30,586 ERROR [c.c.u.DomainManagerImpl] (API-Job-Executor-15:job-733 ctx-343d4b67) Exception deleting domain with id 112 com.cloud.utils.exception.CloudRuntimeException: Failed to clean up domain resources and sub domains, delete failed on domain D1-PM76WG (id: 112). at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:274) at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:257) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:106) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:51) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy110.deleteDomain(Unknown Source) at org.apache.cloudstack.region.RegionManagerImpl.deleteDomain(RegionManagerImpl.java:242) at org.apache.cloudstack.region.RegionServiceImpl.deleteDomain(RegionServiceImpl.java:169) at org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd.execute(DeleteDomainCmd.java:103) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:119) at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:495) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:452) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at
[jira] [Updated] (CLOUDSTACK-6584) IAM - Deletion of domain fails.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6584: Attachment: logs.rar IAM - Deletion of domain fails. --- Key: CLOUDSTACK-6584 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6584 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 Attachments: logs.rar IAM - Deletion of domain fails. Created the following set of domains: ROOT d1 d1/d11 d1/d11/d111 d2 Shared networks were created for domain d11 Shared networks were created for an account under domain d111. Accounts are created under each of the domains. Deploy Vms as these accounts using the shared networks. I delete all the accounts which resulted in all the Vms being Expunged. Now I tried to delete the domain - d1 (D1-PM76WG) which always fails with force delete option. Following exception seen in management server logs: 61-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172-JdkDynamicAopProxy.invoke:204-$Proxy47.remove:-1-DomainManagerImpl.cleanupDomain:443-DomainM anagerImpl.deleteDomain:272-DomainManagerImpl.deleteDomain:257 2014-05-06 11:03:30,586 ERROR [c.c.u.DomainManagerImpl] (API-Job-Executor-15:job-733 ctx-343d4b67) Exception deleting domain with id 112 com.cloud.utils.exception.CloudRuntimeException: Failed to clean up domain resources and sub domains, delete failed on domain D1-PM76WG (id: 112). at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:274) at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:257) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:106) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:51) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy110.deleteDomain(Unknown Source) at org.apache.cloudstack.region.RegionManagerImpl.deleteDomain(RegionManagerImpl.java:242) at org.apache.cloudstack.region.RegionServiceImpl.deleteDomain(RegionServiceImpl.java:169) at org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd.execute(DeleteDomainCmd.java:103) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:119) at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:495) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:452) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
[jira] [Created] (CLOUDSTACK-6581) IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account.
Sangeetha Hariharan created CLOUDSTACK-6581: --- Summary: IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Key: CLOUDSTACK-6581 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6581 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Steps to reproduce the problem: Create a admin account for ROOT domain. Create a domain d1 with account a1. Create a shared network for domain d1 with sub domain access set to true. Create a shared network for domain d1 with sub domain access set to false. Create a shared network for account a1 d1 with sub domain access set to false. As ROOT admin , try to deploy a VM in the above created shared networks. Vm deployment succeeds. Expected Result: ROOT admin should not be allowed to deploy VMs in shared networks that are scoped for a specific domain/account. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6569) IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId.
Sangeetha Hariharan created CLOUDSTACK-6569:
---
Summary: IAM - Regular user is able to listNetworks of another
user in the same domain , by passing account and domainId.
Key: CLOUDSTACK-6569
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6569
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Priority: Critical
Fix For: 4.4.0
Regular user is able to listNetworks of another user in the same domain , by
passing account and domainId.
Domain - d1.
3 users in this domain , testd1 - domainadmin , testd1a and testd1b regular
users.
Each of the users have 1 isolated network.
As testd1a , tried to list network of testd1b by passing account and domainId.
ListNetwork returns testd1b's isolated network.
2014-05-02 10:21:29,090 INFO [a.c.c.a.ApiServer]
(catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) (userId=4 accountId=4
sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET
command=listNetworksresponse=jsonsessionkey=vHQRHlttApujok8Jf73KKKww5XM%3DlistAll=truepage=1pagesize=20domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43eresponse=jsonaccount=testD1B-TestNetworkList-KOGK49
200 { listnetworksresponse : { count:4 ,network : [
{id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestNetworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering
for Isolated networks with Source Nat service
enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[{name:PortForwarding},{name:UserData},{name:Firewall,capability:[{name:MultipleIps,value:true,canchooseservicecapability:false},{name:SupportedEgressProtocols,value:tcp,udp,icmp,
all,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:SupportedTrafficDirection,value:ingress,
egress,canchooseservicecapability:false},{name:TrafficStatistics,value:per
public
ip,canchooseservicecapability:false}]},{name:Lb,capability:[{name:AutoScaleCounters,value:[{\methodname\:\cpu\,\paramlist\:[]},{\methodname\:\memory\,\paramlist\:[]}],canchooseservicecapability:false},{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false},{name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false},{name:LbSchemes,value:Public,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,
udp,canchooseservicecapability:false},{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\domain\,\required\:false,\isflag\:false,\description\:\
\}],\description\:\This is loadbalancer cookie based stickiness
method.\},{\methodname\:\AppCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\length\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\holdtime\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\request-learn\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\prefix\,\required\:false,\isflag\:true,\description\:\
\},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\
\}],\description\:\This is App session based sticky method. Define session
stickiness on an existing application cookie. It can be used only for a
specific http
traffic\},{\methodname\:\SourceBased\,\paramlist\:[{\paramname\:\tablesize\,\required\:false,\isflag\:false,\description\:\
\},{\paramname\:\expire\,\required\:false,\isflag\:false,\description\:\
\}],\description\:\This is source based Stickiness method, it can be used
for any type of
[jira] [Created] (CLOUDSTACK-6558) IAM - Admin user is able to deploy VM in a regular user's Security Group.
Sangeetha Hariharan created CLOUDSTACK-6558: --- Summary: IAM - Admin user is able to deploy VM in a regular user's Security Group. Key: CLOUDSTACK-6558 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6558 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Admin user is able to deploy VM in a regular user's Security Group. Steps to reproduce the problem: Basic Zone set up: As regular user , create a Security group. As admin , try to deploy a VM using this security group. Admin is allowed to deploy a VM using this security group. Expected Result: Admin should not be allowed to deploy a VM using regular user's security group. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6532) Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater.
Sangeetha Hariharan created CLOUDSTACK-6532:
---
Summary: Affinity Groups - As admin user, not able to list all
affinity groups available for regular users by passing account and domainId
paramater.
Key: CLOUDSTACK-6532
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6532
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Fix For: 4.4.0
Create an anti-affinity group as regular user.
As admin user, try to list all affinity groups available for regular users by
passing account and domainId parameter.
http://10.223.49.6:8080/client/api?command=listAffinityGroupsresponse=jsonsessionkey=okCw58hoD%2BrUSZ9NO5LKHz6ie9U%3D_=1398792364257account=testD1A-TestVMList-U27DEVdomainId=71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf
No affinity group is listed.
As regular user:
{ listaffinitygroupsresponse : { count:1 ,affinitygroup : [
{id:bee9a7c5-3124-46b6-b258-893c8c9cc244,name:test-123,description:test-123,account:testD1A-TestVMList-U27DEV,domainid:71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf,domain:D1-19BDAN,type:host
anti-affinity} ] } }
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6532) Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-6532:
Priority: Critical (was: Major)
Affinity Groups - As admin user, not able to list all affinity groups
available for regular users by passing account and domainId paramater.
Key: CLOUDSTACK-6532
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6532
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Priority: Critical
Fix For: 4.4.0
Create an anti-affinity group as regular user.
As admin user, try to list all affinity groups available for regular users by
passing account and domainId parameter.
http://10.223.49.6:8080/client/api?command=listAffinityGroupsresponse=jsonsessionkey=okCw58hoD%2BrUSZ9NO5LKHz6ie9U%3D_=1398792364257account=testD1A-TestVMList-U27DEVdomainId=71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf
No affinity group is listed.
As regular user:
{ listaffinitygroupsresponse : { count:1 ,affinitygroup : [
{id:bee9a7c5-3124-46b6-b258-893c8c9cc244,name:test-123,description:test-123,account:testD1A-TestVMList-U27DEV,domainid:71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf,domain:D1-19BDAN,type:host
anti-affinity} ] } }
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
Sangeetha Hariharan created CLOUDSTACK-6533: --- Summary: IAM - Templates - Public templates do not have permissions to be used by ROOT group. Key: CLOUDSTACK-6533 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Templates - Public templates do not have permissions to be used by ROOT group. As regular user create a public template. In iam_policy_permission policy we do not have permission for Admin group. mysql select * from iam_policy_permission where scope_id = 206; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---++--+--+-++---+-+-+ | 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | | 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | mysql select * from vm_template where id=206; +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text| enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size| state | update_count | updated | dynamically_scalable | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD| 2014-04-29 11:03:52 | NULL|318 | NULL | public and feature Template | 0 | 0 | 12 |1 | 0 | 0 | 1 | Simulator | NULL | NULL |0 | 5242880 | Active |0 | NULL| 0 | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ 1 row in set (0.00 sec) Inspite of not having the required permissions to use the template , admin is able to use this template for vm deployment. Root cause for this bug is similar to bug - Bug CLOUDSTACK-6517 The same behavior is also observed for default templates: mysql select * from iam_policy_permission where scope_id = 111; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type |
[jira] [Created] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
Sangeetha Hariharan created CLOUDSTACK-6512: --- Summary: IAM - Not able to list shared networks in the Vm deployment flow. Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6513) IAM - Templates - When tenplatefilter=shared
Sangeetha Hariharan created CLOUDSTACK-6513: --- Summary: IAM - Templates - When tenplatefilter=shared Key: CLOUDSTACK-6513 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6513 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6513) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6513: Component/s: IAM Description: IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. Steps to reproduce the problem: As user1 , Create a private template and a public template. Grant access to the private template for user2 using updateTemplatePermissions. As user2 , list templates with templatefilter=shared. This returns both public and the the shared template. GET http://10.223.49.6/client/api?command=listTemplatespagesize=100page=1listAll=truetemplatefilter=sharedapiKey=SrgUY-U-nUl4qsOyn409kCjA2jC7dR5ReIV9SjdnmzLOn3c0Fm-vZbDSpkldUjuqLAXt5ShodtXYOgRB5NCnJQsignature=WBO8ll9nyjiB29aVq%2FpUsEQrthM%3D \n\n ?xml version=1.0 encoding=UTF-8?listtemplatesresponse cloud-stack-version=4.4.0-SNAPSHOTcount6/counttemplateida2065bcc-7139-46b0-ac15-db7d3ff7dd75/idnamePublic_featured_d1a-TP7TPK/namedisplaytextpublic and feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateidce1635dc-1fcb-4f60-8d2f-d1129a3771ce/idnamePublic_not_featured_d2a-NPYFSN/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD2/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD2/domaindomainid18222e53-7221-4d6f-9a76-8f59869f24b2/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateid223e0c09-e18e-4188-9d8e-7ff2e2305547/idnamePrivate_featured_d1-E9PQHO/namedisplaytextprivate and featured Template/displaytextispublicfalse/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateida7b69a5e-4cb3-45fa-b3e7-dab3a6b73e45/idnamePublic_not_featured_d1a-XOCR05/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateide65cdfa0-c019-11e3-907f-4adf980f9414/idnameCentOS 5.3(64-bit) no GUI (Simulator)/namedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/displaytextispublictrue/ispubliccreated2014-04-09T15:15:54-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonestrue/crossZonesostypeide5eba5c4-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3
[jira] [Updated] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6512: Component/s: (was: Management Server) IAM IAM - Not able to list shared networks in the Vm deployment flow. - Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6513) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6513: Priority: Critical (was: Major) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. --- Key: CLOUDSTACK-6513 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6513 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. Steps to reproduce the problem: As user1 , Create a private template and a public template. Grant access to the private template for user2 using updateTemplatePermissions. As user2 , list templates with templatefilter=shared. This returns both public and the the shared template. GET http://10.223.49.6/client/api?command=listTemplatespagesize=100page=1listAll=truetemplatefilter=sharedapiKey=SrgUY-U-nUl4qsOyn409kCjA2jC7dR5ReIV9SjdnmzLOn3c0Fm-vZbDSpkldUjuqLAXt5ShodtXYOgRB5NCnJQsignature=WBO8ll9nyjiB29aVq%2FpUsEQrthM%3D \n\n ?xml version=1.0 encoding=UTF-8?listtemplatesresponse cloud-stack-version=4.4.0-SNAPSHOTcount6/counttemplateida2065bcc-7139-46b0-ac15-db7d3ff7dd75/idnamePublic_featured_d1a-TP7TPK/namedisplaytextpublic and feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateidce1635dc-1fcb-4f60-8d2f-d1129a3771ce/idnamePublic_not_featured_d2a-NPYFSN/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD2/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD2/domaindomainid18222e53-7221-4d6f-9a76-8f59869f24b2/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateid223e0c09-e18e-4188-9d8e-7ff2e2305547/idnamePrivate_featured_d1-E9PQHO/namedisplaytextprivate and featured Template/displaytextispublicfalse/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateida7b69a5e-4cb3-45fa-b3e7-dab3a6b73e45/idnamePublic_not_featured_d1a-XOCR05/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateide65cdfa0-c019-11e3-907f-4adf980f9414/idnameCentOS 5.3(64-bit) no
[jira] [Created] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress.
Sangeetha Hariharan created CLOUDSTACK-6517: --- Summary: IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Key: CLOUDSTACK-6517 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Fix For: 4.4.0 IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. Creating PF rule succeeds. Since Admin has only ListEntry permission for IpAddress owned by other users , we expect this api call to fail. mysql select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2; +--+---+---+---+--+-+--++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---+---+--+-+--++---+-+-+ | 1840 | 2 | listPublicIpAddresses | IpAddress | -1 | ALL | ListEntry| Allow | 0 | NULL| 2014-04-22 18:31:03 | | 1841 | 2 | listPublicIpAddresses | IpAddress | -1 | ACCOUNT | UseEntry | Allow | 0 | NULL| 2014-04-22 18:31:03 | Admin should be allowed to do this only , when he passes account and domainId of the regular user is passed. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6501) IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed.
Sangeetha Hariharan created CLOUDSTACK-6501: --- Summary: IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed. Key: CLOUDSTACK-6501 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6501 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account is not listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b Domain Account in domain D1/D11 - D11 - Creates object - d11 User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin account D1 , try to list all the Vms for d11 (domain admin user) using account and domainId parameters. Expected Result: Vm owned by the account that is passed in account/domainId parameter. Actual Result: Empty set is returned. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=0e8d9d60-c39a-4304-b048-1e63500d0d30account=testD11listAll=trueisrecursive=trueapiKey=bW1FEJkIERji0cWRNQqvmWOgOINjMeBggyoPsMjN9_Qnvq-QtC6L4ORqmbdfQ-XtUYQdSoJIniZrHK3_oi9pcQsignature=5qLgaWzslWKSz%2FXbVSK0zdj%2B49I%3D \n\n current Time: Thu Apr 24 14:43:18 PDT 2014 ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOT/listvirtualmachinesresponseConnection to 10.223.49.6 8080 port [tcp/webcache] succeeded! Response Time(in secs) : 0 current Time: Thu Apr 24 14:43:18 PDT 2014 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6474) IAM - Not able to list shared networks that is created with scope=all
Sangeetha Hariharan created CLOUDSTACK-6474:
---
Summary: IAM - Not able to list shared networks that is created
with scope=all
Key: CLOUDSTACK-6474
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6474
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Priority: Critical
Fix For: 4.4.0
IAM - Not able to list shared networks that is created with scope=all
Steps to reproduce the problem:
As admin , create a shared network with scope=all.
As regular user , tried to list networks. No shared network is returned.
http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=wOwS556QDduN5hRqHf1PU3gPBEw%3DlistAll=truepage=1pagesize=20_=1398206302627
listnetworksresponse : { } }
As admin user , I am able to list this network:
http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=58UVhAXG49kJHSOENDGphnXDEh4%3DlistAll=truepage=1pagesize=20_=1398206454900
{ listnetworksresponse : { count:3 ,network : [
{id:65324d0a-5571-4e96-aebe-89d45fbabc72,name:test-domain,displaytext:test-domain,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:564de11f-a786-44cf-a729-c4683a12dfe0,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering
for Shared Security group enabled
networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:65324d0a-5571-4e96-aebe-89d45fbabc72,broadcasturi:vlan://501,dns1:4.2.2.2,type:Shared,vlan:501,acltype:Domain,subdomainaccess:false,domainid:691ab662-6793-42a0-96e6-3b31a2c4e52d,domain:D1,service:[{name:UserData},{name:Dns,capability:[{name:AllowDnsSuffixModification,value:true,canchooseservicecapability:false}]},{name:Dhcp,capability:[{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}]},{name:SecurityGroup}],networkdomain:cs1cloud.internal,physicalnetworkid:3856a5bc-8509-4a7f-a92e-86146cbc6bc1,restartrequired:false,specifyipranges:true,canusefordeploy:true,ispersistent:false,tags:[],displaynetwork:true,strechedl2subnet:false},
{id:49146336-bf81-4861-a2bd-5c92efc14cff,name:test,displaytext:test,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:564de11f-a786-44cf-a729-c4683a12dfe0,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering
for Shared Security group enabled
networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:49146336-bf81-4861-a2bd-5c92efc14cff,broadcasturi:vlan://500,dns1:4.2.2.2,type:Shared,vlan:500,acltype:Domain,subdomainaccess:true,domainid:e5e2ad7a-c019-11e3-907f-4adf980f9414,domain:ROOT,service:[{name:UserData},{name:Dns,capability:[{name:AllowDnsSuffixModification,value:true,canchooseservicecapability:false}]},{name:Dhcp,capability:[{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}]},{name:SecurityGroup}],networkdomain:cs1cloud.internal,physicalnetworkid:3856a5bc-8509-4a7f-a92e-86146cbc6bc1,restartrequired:false,specifyipranges:true,canusefordeploy:true,ispersistent:false,tags:[],displaynetwork:true,strechedl2subnet:false},
{id:aee03e51-468e-4311-aebc-827d9a43adf0,name:test,displaytext:test,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:987d8feb-73b5-4f01-9152-6680a31bc60a,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering
for Isolated networks with Source Nat service
enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:aee03e51-468e-4311-aebc-827d9a43adf0,broadcasturi:vlan://1,dns1:4.2.2.2,type:Isolated,vlan:1,acltype:Account,account:admin,domainid:e5e2ad7a-c019-11e3-907f-4adf980f9414,domain:ROOT,service:[{name:SourceNat,capability:[{name:SupportedSourceNatTypes,value:peraccount,canchooseservicecapability:false},{name:RedundantRouter,value:true,canchooseservicecapability:false}]},{name:Firewall,capability:[{name:SupportedTrafficDirection,value:ingress,
egress,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:TrafficStatistics,value:per
public
[jira] [Created] (CLOUDSTACK-6468) IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater.
Sangeetha Hariharan created CLOUDSTACK-6468:
---
Summary: IAM - Templates - Admin user is not allowed to edit
template and set isExtractable() paramater.
Key: CLOUDSTACK-6468
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6468
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Reporter: Sangeetha Hariharan
Fix For: 4.4.0
IAM - Templates - Admin user is not allowed to edit template and set
isExtractable() paramater.
From UI , As admin , tried to update the isFeatured() flag to true for a
template that was created by regular user.
This fails with Only ROOT admins are allowed to modify this attribute.
http://10.223.49.6:8080/client/api?command=updateTemplatePermissionsresponse=jsonsessionkey=1WTLpcX%2FCiA4QLBY3RZTTB0ceaE%3Did=851cfe02-d91f-4226-b325-b48a09d2a2afispublic=falseisfeatured=trueisextractable=true_=1398114267369
{ updatetemplatepermissionsresponse :
{uuidList:[],errorcode:431,cserrorcode:4350,errortext:Only ROOT admins
are allowed to modify this attribute.} }
--
This message was sent by Atlassian JIRA
(v6.2#6252)
[jira] [Created] (CLOUDSTACK-6458) IAM - When a domain is deleted , the group created for this domian is not removed.
Sangeetha Hariharan created CLOUDSTACK-6458: --- Summary: IAM - When a domain is deleted , the group created for this domian is not removed. Key: CLOUDSTACK-6458 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6458 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Fix For: 4.4.0 IAM - When a domain is deleted , the group created for this domian is not removed. Steps to reproduce the problem: Create a domain. Notice that as part of domain creation , an IAM group specific to this domain is created. Delete this domain. IAM group specific to this domain is not marked as being removed in the iam_group table. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6381: Component/s: (was: Management Server) IAM IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall
[jira] [Updated] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6429: Component/s: (was: Management Server) IAM IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6350) IAM - Listing of VM using uuid when owner account of this Vm is deleted results is VM not being returned.But list VM with listAll=true is able to return this VM.
[
https://issues.apache.org/jira/browse/CLOUDSTACK-6350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sangeetha Hariharan updated CLOUDSTACK-6350:
Component/s: IAM
IAM - Listing of VM using uuid when owner account of this Vm is deleted
results is VM not being returned.But list VM with listAll=true is able to
return this VM.
-
Key: CLOUDSTACK-6350
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6350
Project: CloudStack
Issue Type: Bug
Security Level: Public(Anyone can view this level - this is the
default.)
Components: IAM
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Assignee: Min Chen
Priority: Critical
Attachments: cloud-dmp.rar
IAM - Listing of VM using uuid when owner account of this Vm is deleted
results is VM not being returned.But list VM with listAll=true is able to
return this VM.
Steps that lead to the problem:
Had few Domains and sub domains created.
Accounts were created in these Domains and sub domains
Had Vms deployed as these accounts.
Tried to delete all the accounts (Except admin account).
After this , tried to delete all Domains (Except ROOT).
I see that all Accouts have been deleted.
But some of the Vms remained in Running state.
I am able to list all these Vms using listAll=true as admin :
http://10.223.49.6:8080/client/api?command=listVirtualMachinesresponse=jsonsessionkey=os3e6ZwGKaaRRkpMyoi1nl9ttsI%3DlistAll=truepage=1pagesize=20_=1396909849873
{ listvirtualmachinesresponse : { count:7 ,virtualmachine : [
{id:9a0a4d1b-7918-4d9a-86b0-a72b0a378c07,name:d12b,displayname:d12b,account:testD12B-TestVMDeploy-2U21LA,domainid:5314248a-0419-4e0f-9a63-b663abbbce5b,domain:D12-G39UMB,created:2014-04-07T09:55:28-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:c404603f-8a1a-495f-9278-3c988ff9833b,hostname:SimulatedAgent.2fda14b6-647e-492b-a6ab-7e809d56d41a,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS
5.3(64-bit) no GUI (Simulator),templatedisplaytext:CentOS 5.3(64-bit) no
GUI
(Simulator),passwordenabled:false,serviceofferingid:fa7bb82d-4f3b-43e6-ac8c-a87419cd78d9,serviceofferingname:Small
Instance,cpunumber:1,cpuspeed:100,memory:128,cpuused:10%,networkkbsread:2916352,networkkbswrite:1458176,guestosid:292dc664-b9df-11e3-a5ee-4adf980f9414,rootdeviceid:0,rootdevicetype:ROOT,securitygroup:[],nic:[{id:3d24baa0-13be-456d-b43d-f003dba13444,networkid:22e12e93-84b5-4298-bec2-405f114ac19b,networkname:testD12B-TestVMDeploy-2U21LA-network,netmask:255.255.255.0,gateway:10.1.1.1,ipaddress:10.1.1.187,isolationuri:vlan://2150,broadcasturi:vlan://2150,traffictype:Guest,type:Isolated,isdefault:true,macaddress:02:00:50:44:00:01}],hypervisor:Simulator,instancename:i-156-263-VM,tags:[],affinitygroup:[],displayvm:true,isdynamicallyscalable:false,ostypeid:11},
{id:5f620fd0-054f-484a-b3d0-5fa30861272e,name:d12a,displayname:d12a,account:testD12A-TestVMDeploy-DLBXEJ,domainid:5314248a-0419-4e0f-9a63-b663abbbce5b,domain:D12-G39UMB,created:2014-04-07T09:55:23-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:8c5fe6d4-d5c4-4eb1-b286-9f498a8a9626,hostname:SimulatedAgent.656f464b-f058-4416-afb8-ab5b12e59128,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS
5.3(64-bit) no GUI (Simulator),templatedisplaytext:CentOS 5.3(64-bit) no
GUI
(Simulator),passwordenabled:false,serviceofferingid:fa7bb82d-4f3b-43e6-ac8c-a87419cd78d9,serviceofferingname:Small
Instance,cpunumber:1,cpuspeed:100,memory:128,cpuused:10%,networkkbsread:2916352,networkkbswrite:1458176,guestosid:292dc664-b9df-11e3-a5ee-4adf980f9414,rootdeviceid:0,rootdevicetype:ROOT,securitygroup:[],nic:[{id:ab72b85e-ca4a-4fd1-bed4-265e232d3689,networkid:bf0a3fca-1997-4345-8f94-1a680ff88db4,networkname:testD12A-TestVMDeploy-DLBXEJ-network,netmask:255.255.255.0,gateway:10.1.1.1,ipaddress:10.1.1.207,isolationuri:vlan://1964,broadcasturi:vlan://1964,traffictype:Guest,type:Isolated,isdefault:true,macaddress:02:00:00:b7:00:01}],hypervisor:Simulator,instancename:i-155-261-VM,tags:[],affinitygroup:[],displayvm:true,isdynamicallyscalable:false,ostypeid:11},
{id:e532616f-9746-46af-b645-c5c094681e47,name:d11b,displayname:d11b,account:testD11B-TestVMDeploy-T05ADJ,domainid:11e13385-da60-48a1-8718-cac576651f80,domain:D11-EA5P3E,created:2014-04-07T09:55:17-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:eca1522a-381b-436d-8cfd-b1b542ffa88f,hostname:SimulatedAgent.4244557f-5aaf-4ea3-bb84-eac6633537f8,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS
[jira] [Updated] (CLOUDSTACK-6349) IAM - No error message presented to the user , when invalid password is provided.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6349: Component/s: (was: Management Server) IAM IAM - No error message presented to the user , when invalid password is provided. - Key: CLOUDSTACK-6349 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6349 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Try to log in as regular user , by providing invalid username/password. User is not presented with any error message: apilog.log: 2014-04-07 10:51:15,849 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5511ac44) 10.215.3.0 -- POST command=login domain=/ unknown exception writing api response Management server log: 2014-04-07 10:47:28,001 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) ===START=== 10.215.3.0 -- POST 2014-04-07 10:47:28,003 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Attempting to log in user: test in domain 1 2014-04-07 10:47:28,003 DEBUG [c.c.s.a.SHA256SaltedUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,005 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,009 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,012 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,016 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,016 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Unable to authenticate user with username test in domain 1 2014-04-07 10:47:28,019 ERROR [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) unknown exception writing api response com.cloud.exception.InvalidParameterValueException: Caller cannot be passed as NULL to IAM! at org.apache.cloudstack.iam.RoleBasedEntityAccessChecker.checkAccess(RoleBasedEntityAccessChecker.java:67) at com.cloud.user.AccountManagerImpl.isRootAdmin(AccountManagerImpl.java:371) at com.cloud.user.AccountManagerImpl.isInternalAccount(AccountManagerImpl.java:420) at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2045) at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:1871) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at $Proxy99.authenticateUser(Unknown Source) at com.cloud.api.ApiServer.loginUser(ApiServer.java:850) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:231) at com.cloud.api.ApiServlet.access$000(ApiServlet.java:54) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:118) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:115) at com.cloud.api.ApiServlet.doPost(ApiServlet.java:82) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at
[jira] [Updated] (CLOUDSTACK-6348) IAM - Regular User is not able to change password.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6348: Component/s: (was: Management Server) IAM IAM - Regular User is not able to change password. -- Key: CLOUDSTACK-6348 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6348 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Steps to reproduce the problem: As regular user , try to change password. Following error message is presented to the user: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] Management server log: 2014-04-07 10:43:58,185 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03) ===START=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D 2014-04-07 10:43:58,204 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) Account Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] for access type: OperateEntry 2014-04-07 10:43:58,211 INFO [c.c.a.ApiServer] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) PermissionDenied: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] on objs: [] 2014-04-07 10:43:58,212 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) ===END=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
Sangeetha Hariharan created CLOUDSTACK-6429: --- Summary: IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13967339#comment-13967339 ] Sangeetha Hariharan commented on CLOUDSTACK-6381: - The same issue is also seen when using listVirtualMachines with listall=true and passing domainId and account parameter when testing with a domain account. IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall
