[jira] [Reopened] (CLOUDSTACK-5578) KVM - Network down - When the host looses network connectivity , it is not able to fence itself.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reopened CLOUDSTACK-5578: - Hi Kishan, This is a problem that KVM host is not able to reboot itself which is the expected behavior. The host is attempting to reboot which fails . Is it possible to make the host forcefully reboot in such cases? Thanks Sangeetha KVM - Network down - When the host looses network connectivity , it is not able to fence itself. Key: CLOUDSTACK-5578 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5578 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.2.0 Environment: Build from 4.3 Reporter: Sangeetha Hariharan Assignee: Kishan Kavala Priority: Critical Fix For: 4.5.0 Attachments: DisconnectedHost.png, kvm-hostdisconnect.rar KVM - Network down - When the host looses network connectivity , it is not able to fence itself. Steps to reproduce the problem: Set up - Advanced zone with 2 Rhel 6.3 hosts in cluster. Deploy ~10 Vms. Simulate network disconnect on the host ( ifdown em1) Host gets marked as Down and all the Vms gets HA-ed to the other host. On the KVM host which lost connectivity , attempt to shutdown itself fails. It was not able to umount the primary store. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7891) Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot.
Sangeetha Hariharan created CLOUDSTACK-7891: --- Summary: Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot. Key: CLOUDSTACK-7891 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7891 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Reporter: Sangeetha Hariharan Fix failure in integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot. Following exception seen when this test case is executed: Disallowed failure integration.component.test_escalations_instances.TestInstances/test_15_revert_vm_to_snapshot: RevertToVMSnapshotCmd failed: VM Snapshot revert not allowed. This will result in VM state change. You can revert running VM to disk and memor -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7772) [Automation] - Fix test failure for ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
Sangeetha Hariharan created CLOUDSTACK-7772: --- Summary: [Automation] - Fix test failure for ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot Key: CLOUDSTACK-7772 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7772 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Environment: Build from master Reporter: Sangeetha Hariharan Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot. reverting snapshot fails with following exception: Job failed: {jobprocstatus : 0, created : u'2014-10-22T08:43:54+', cmd : u'org.apache.cloudstack.api.command.user.vmsnapshot.RevertToVMSnapshotCmd', userid : u'507aefe6-8aae-49c3-974d-30a45c5bc79d', jobstatus : 2, jobid : u'51d73ace-1e7a-425d-b17d-05d675bbfe01', jobresultcode : 530, jobresulttype : u'object', jobresult : {errorcode : 530, errortext : u'VM Snapshot revert not allowed. This will result in VM state change. You can revert running VM to disk and memory type snapshot and stopped VM to disk type snapshot'}, accountid : u'ae6ef7e5-217f-494e-857d-ecd53653faf9'} Root cause is CS does not support for reverting Vms in Running state to a diskonly snapshot. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7772) [Automation] - Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7772: Summary: [Automation] - Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot (was: [Automation] - Fix test failure for ntegration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot) [Automation] - Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot - Key: CLOUDSTACK-7772 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7772 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Environment: Build from master Reporter: Sangeetha Hariharan Fix test failure for integration.component.test_escalations_instances.TestInstances.test_15_revert_vm_to_snapshot. reverting snapshot fails with following exception: Job failed: {jobprocstatus : 0, created : u'2014-10-22T08:43:54+', cmd : u'org.apache.cloudstack.api.command.user.vmsnapshot.RevertToVMSnapshotCmd', userid : u'507aefe6-8aae-49c3-974d-30a45c5bc79d', jobstatus : 2, jobid : u'51d73ace-1e7a-425d-b17d-05d675bbfe01', jobresultcode : 530, jobresulttype : u'object', jobresult : {errorcode : 530, errortext : u'VM Snapshot revert not allowed. This will result in VM state change. You can revert running VM to disk and memory type snapshot and stopped VM to disk type snapshot'}, accountid : u'ae6ef7e5-217f-494e-857d-ecd53653faf9'} Root cause is CS does not support for reverting Vms in Running state to a diskonly snapshot. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7762) [Automation] - Fix test failure for test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py
Sangeetha Hariharan created CLOUDSTACK-7762: --- Summary: [Automation] - Fix test failure for test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py Key: CLOUDSTACK-7762 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7762 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Fix For: 4.5.0 test_02_revert_vm_snapshots in smoke/test_vm_snapshots.py fails in BVT runs with the following exception: 2014-10-20 16:41:00,497 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-120:ctx-83b738d9 job-459) Add job-459 into job monitoring 2014-10-20 16:41:00,497 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-120:ctx-83b738d9 job-459) Executing AsyncJobVO {id:459, userId: 2, accountId: 2, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.admin.vmsnapshot.RevertToVMSnapshotCmdByAdmin, cmdInfo: {response:json,ctxDetails:{\com.cloud.vm.snapshot.VMSnapshot\:\12280973-a1e4-43e3-80b3-3afacd607909\},cmdEventType:VMSNAPSHOT.REVERTTO,ctxUserId:2,httpmethod:GET,vmsnapshotid:12280973-a1e4-43e3-80b3-3afacd607909,ctxAccountId:2,ctxStartEventId:1406,apiKey:aJwkScf5ziRwz8gKQ9HB0Ce6hSsTJTUtmUDUQ_U2teV3vVmuLQRLad8xqAgr7CrFOEQbywdVpKSt2yC_ORXLYg,signature:cYBxgg8eBfktovmCaHYox2xoTE8\u003d}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 11489258594360, completeMsid: null, lastUpdated: null, lastPolled: null, created: null} 2014-10-20 16:41:00,529 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-120:ctx-83b738d9 job-459) Unexpected exception while executing org.apache.cloudstack.api.command.admin.vmsnapshot.RevertToVMSnapshotCmdByAdmin com.cloud.exception.InvalidParameterValueException: VM Snapshot revert not allowed. This will result in VM state change. You can revert running VM to disk and memory type snapshot and stopped VM to disk type snapshot at com.cloud.vm.snapshot.VMSnapshotManagerImpl.revertToSnapshot(VMSnapshotManagerImpl.java:581) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7746: Assignee: (was: Rayees Namathponnan) Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7746: --- Assignee: Rayees Namathponnan Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Assignee: Rayees Namathponnan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
Sangeetha Hariharan created CLOUDSTACK-7742: --- Summary: Xenserver HA - SSVM failing to start since it is running out of management ip address Key: CLOUDSTACK-7742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7742 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool. 2. Some of these destroyed SSVMs have 2 management ip addresses associated with it . why is this the case? 3. I still see 1 management ip address that is free , but SSVM is still not able to come up. mysql select id,name,state from vm_instance where id in (1,7,18,71); ++-+---+ | id | name| state
[jira] [Updated] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7742: Attachment: ssvm-fail.rar Xenserver HA - SSVM failing to start since it is running out of management ip address -- Key: CLOUDSTACK-7742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Attachments: ssvm-fail.rar HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool. 2.
[jira] [Updated] (CLOUDSTACK-7742) Xenserver HA - SSVM failing to start since it is running out of management ip address
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7742: Description: HA - SSVM failing to start since it is running out of management ip address Set up: Cluster with 3 Xenserver hosts. I am executing host HA scenarios where host is being brought down ( or simulating contol path network failure / storage network failure). After couple of such scenarios , i see that the SSVM fails to start as part of HA the reason being running out of management nic: management server logs: 014-10-16 12:15:44,311 DEBUG [c.c.u.d.T.Transaction] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Rolling back the transaction: Time = 1 Name = Work-Job-Executor-106; called by -TransactionLegacy.rollback:902-DataCenterIpAddressDaoImpl.takeIpAddress:61-GeneratedMethodAccessor493.invoke:-1-DelegatingMethodAccessorImpl.invoke:43-Method.invoke:606-AopUtils.invokeJoinpointUsingReflection:317-ReflectiveMethodInvocation.invokeJoinpoint:183-ReflectiveMethodInvocation.proceed:150-TransactionContextInterceptor.invoke:34-ReflectiveMethodInvocation.proceed:161-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172 2014-10-16 12:15:44,312 INFO [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Insufficient capacity com.cloud.exception.InsufficientAddressCapacityException: Unable to get a management ip addressScope=interface com.cloud.dc.Pod; id=1 at com.cloud.network.guru.PodBasedNetworkGuru.reserve(PodBasedNetworkGuru.java:123) at com.cloud.network.guru.StorageNetworkGuru.reserve(StorageNetworkGuru.java:122) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepareNic(NetworkOrchestrator.java:1338) at org.apache.cloudstack.engine.orchestration.NetworkOrchestrator.prepare(NetworkOrchestrator.java:1309) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:970) at com.cloud.vm.VirtualMachineManagerImpl.orchestrateStart(VirtualMachineManagerImpl.java:4590) at sun.reflect.GeneratedMethodAccessor210.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.cloud.vm.VmWorkJobHandlerProxy.handleVmWorkJob(VmWorkJobHandlerProxy.java:107) at com.cloud.vm.VirtualMachineManagerImpl.handleVmWorkJob(VirtualMachineManagerImpl.java:4746) at com.cloud.vm.VmWorkJobDispatcher.runJob(VmWorkJobDispatcher.java:102) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:513) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:470) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) 2014-10-16 12:15:44,324 DEBUG [c.c.v.VirtualMachineManagerImpl] (Work-Job-Executor-106:ctx-323991ca job-771/job-943 ctx-3a2e9ed6) Cleaning up resources for the vm VM[SecondaryStorageVm|s-115-VM] in Starting state There are 2 issues here: 1. Some of the SSVMs that are in destroyed state still have not released the management Ips back to the freepool of management ip address. 2. When CPVM is stopped , seems like the ipaddress associated with it has not been released to the freepool of management ip address. mysql select id,name,state from vm_instance where id in (1,7,18,71); ++-+---+ | id | name| state | ++-+---+ | 1 | v-1-VM | Running | | 7 | s-7-VM | Destroyed | | 18 | s-18-VM | Destroyed | | 71 | s-71-VM | Destroyed | ++-+---+ 4 rows in set (0.00 sec) mysql select instance_id from nics where id in (select nic_id from op_dc_ip_address_alloc where taken is not null); +-+ | instance_id | +-+ | 1 | | 7 | |
[jira] [Updated] (CLOUDSTACK-7746) Baremetal related script erros seen on router console
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7746: Attachment: router.png Baremetal related script erros seen on router console - Key: CLOUDSTACK-7746 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7746 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.5.0 Attachments: router.png Baremetal related script erros seen on router console. Advanced zone set up with 3 xenserver hosts in a cluster. When logging into the console view of router , following script errors are seen: /opt/cloud/bin/baremetal-vr.py:159: SyntaxWarning : name 'server' is assigned to before glocal declaration. .. Attached is the screen shot -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7732) [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster.
Sangeetha Hariharan created CLOUDSTACK-7732: --- Summary: [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster. Key: CLOUDSTACK-7732 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7732 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Fix For: 4.5.0 [Automation] - Automate organization States Test Cases relating to enabling/disabling of zone,pod,host and cluster -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7733) Admin/Regular User is not allowed to stop/start Vms that are running on disabled hosts.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7733?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7733: Priority: Critical (was: Major) Admin/Regular User is not allowed to stop/start Vms that are running on disabled hosts. --- Key: CLOUDSTACK-7733 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7733 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Priority: Critical Steps to reproduce the problem: Deploy a Vm in a host say host1 using a service offering that has hosttags that matches with host1. Disable host. As admin , stop this VM. Now try to start the VM. This fails with job failed due to exception Unable to create a deployment for VM[User|i-20-63-VM {jobprocstatus : 0, created : u'2014-10-15T08:21:04-0400', jobresult : {errorcode : 530, errortext : u'Job failed due to exception Unable to create a deployment for VM[User|i-20-63-VM]'}, cmd : u'org.apache.cloudstack.api.command.admin.vm.StartVMCmdByAdmin', userid : u'f3d01d86-93bb-4ec7-a249-f1dc59ba33a1', jobstatus : 2, jobid : u'fbe3432d-f90c-49d7-a5ea-f1e65e88aae7', jobresultcode : 530, jobinstanceid : u'c9987836-8d76-4a55-bdce-6ef81c4cf51d', jobresulttype : u'object', jobinstancetype : u'VirtualMachine', accountid : u'54b7a442-2b1f-4df9-b3cc-14a4d8537a74'} Management server logs indicating that Vms cannot be started on the last host Id , when the host is disabled: 2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl] (Work-Job-Executor-79:ctx-746fc d6f job-558/job-559 ctx-246fb1a1) Trying to allocate a host and storage pools from dc:1, pod:1,clus ter:2, requested cpu: 100, requested ram: 134217728 2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl] (Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) Is ROOT volume READY (pool already allocated)?: Yes 2014-10-15 09:37:24,480 DEBUG [c.c.d.DeploymentPlanningManagerImpl] (Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) This VM has last host_id specified, trying to choose the same host: 4 2014-10-15 09:37:24,484 DEBUG [c.c.d.DeploymentPlanningManagerImpl] (Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) The last host of this VM is not UP or is not enabled, host status is: Up, host resource state is: Disabled 2014-10-15 09:37:24,484 DEBUG [c.c.d.DeploymentPlanningManagerImpl] (Work-Job-Executor-79:ctx-746fcd6f job-558/job-559 ctx-246fb1a1) Cannot choose the last host to deploy this VM -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7697) HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14167295#comment-14167295 ] Sangeetha Hariharan commented on CLOUDSTACK-7697: - When HA of SSVM and CPVM is being done , we see the agent state from Alert-Up. HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts. -- Key: CLOUDSTACK-7697 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7697 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from 4.5 Reporter: Sangeetha Hariharan Fix For: 4.5.0 HA - No alerts being generated when SSVM/CPVM is being HA-ed to a different hosts. Steps to reproduce the problem: Zone with 1 cluster having 2 hosts. Bring down master host where SSVM and CPVM is running. All user Vms , SSVM and CPVM running in this host is HA-ed to another host. There is no Alert being generated for SSVM and CPVM being detected as being stopped . Also there are no events/alerts being generated for all the user Vms that were detected as being stopped and started in a different host. Should we expect events/alerts being generated for these as well ? mysql select * from alert; ++--+--++++-++-+-+--+--++ | id | uuid | type | cluster_id | pod_id | data_center_id | subject | sent_count | created | last_sent | resolved | archived | name | ++--+--++++-++-+-+--+--++ | 1 | aeef592e-3bb4-431e-911d-16280bf8a8ad | 14 | NULL | 0 | 0 | Management network CIDR is not configured originally. Set it default to 10.223.130.0/24 | 1 | 2014-10-09 22:19:14 | 2014-10-09 22:19:14 | NULL |0 | ALERT.MANAGEMENT | | 2 | 1a0bb67d-9346-4078-a80d-e6669116e7fd | 14 | NULL | 0 | 0 | Management server node 10.223.130.101 is up | 1 | 2014-10-09 22:19:16 | 2014-10-09 22:19:16 | NULL |0 | ALERT.MANAGEMENT | | 3 | 5c37924e-50cd-413f-a37a-ac275dbc46f9 | 13 | NULL | 0 | 0 | No usage server process running | 1 | 2014-10-09 23:19:14 | 2014-10-09 23:19:14 | NULL |0 | ALERT.USAGE| | 4 | 4d1b8b64-f59a-4405-a244-14e054297f04 |2 | 1 | 1 | 1 | System Alert: Low Available Storage in cluster cluster1 pod pod1 of availability zone zone1 | 1 | 2014-10-09 23:39:44 | 2014-10-09 23:39:44 | NULL |0 | ALERT.STORAGE | | 5 | aaf9bb96-799c-40d0-a652-96566c7ff47a |7 | NULL | 1 | 1 | Host is down, name: Rack3Host20.lab.vmops.com (id:1), availability zone: zone1, pod: pod1 | 1 | 2014-10-10 15:05:41 | 2014-10-10 15:05:41 | NULL |0 | ALERT.COMPUTE.HOST | ++--+--++++-++-+-+--+--++ 5 rows in set (0.00 sec) mysql -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7629) addBaremetalRct() API call is not available in cloudstackAPI library in marvin.
Sangeetha Hariharan created CLOUDSTACK-7629: --- Summary: addBaremetalRct() API call is not available in cloudstackAPI library in marvin. Key: CLOUDSTACK-7629 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7629 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 addBaremetalRct() API call is not available in cloudstackAPI library in marvin. When a new API call is added , we expect the python libraries for this API to be available as part of cloudstackAPI in marvin. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7618) Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac
Sangeetha Hariharan created CLOUDSTACK-7618: --- Summary: Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac Key: CLOUDSTACK-7618 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7618 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Fix For: 4.5.0 Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac. When adding a baremetal host , following 4 parameters are supported for addHost() API call - cpunumber,cpuspeed,memory,hostmac. API docs should include information about these parameters. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7618) Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7618?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7618: --- Assignee: frank zhang Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac Key: CLOUDSTACK-7618 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7618 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 Baremetal - AddHost() API docs should include parameters - cpunumber,cpuspeed,memory,hostmac. When adding a baremetal host , following 4 parameters are supported for addHost() API call - cpunumber,cpuspeed,memory,hostmac. API docs should include information about these parameters. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7619) Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offe
Sangeetha Hariharan created CLOUDSTACK-7619: --- Summary: Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offering for baremetal instances. Key: CLOUDSTACK-7619 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7619 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Affects Versions: 4.5.0 Reporter: Sangeetha Hariharan Assignee: frank zhang Fix For: 4.5.0 Baremetal - Have an out of the box Isolated network offering with PXE DHCP services provided by VR slong with all other services from default isolated network offering for baremetal instances. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7567. --- Resolution: Fixed Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7585. --- Resolution: Fixed Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. - Key: CLOUDSTACK-7585 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Environment: test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py cases executed against simulator build in advanced zone set up. Reporter: Sangeetha Hariharan Fix For: 4.5.0 Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. Attempting to create shared network on the advanced zone set up fails with following exception since the script tried to create network with shared network with securitygroup enabled network offering , when the real intent was to create network with shared network. 2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer] (catalina-exec-4:ctx-371aa034 ctx-671b4b25 ctx-6c06fff3) (userId=566 accountId=621 sessionId=null) 10.220.135.94 -- GET jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D 200 { queryasyncjobresultresponse : {accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c} } 2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer] (catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1 530 Provider SecurityGroupProvider is either not enabled or doesn't support service SecurityGroup in physical network id=200 Root cause for this issue , is we query for networkoffering with name=DefaultSharedNetworkOffering which results in returning 2 entries , DefaultSharedNetworkOffering and DefaultSharedNetworkOfferingWithSGService. The script ends up picking the network offering of DefaultSharedNetworkOfferingWithSGService 2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer] (catalina-exec-9:ctx-d64b7593 ctx-f74a4a25 ctx-f14b10c9) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D 200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [ {id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering for Shared Security group enabled networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false}, {id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering for Shared
[jira] [Closed] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7551. --- Resolution: Fixed Automate ACL test cases relating to impersonation when depoying VM in shared network. -- Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7587) Automation - Add simulator_only attribute to acl related test cases.
Sangeetha Hariharan created CLOUDSTACK-7587: --- Summary: Automation - Add simulator_only attribute to acl related test cases. Key: CLOUDSTACK-7587 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7587 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan Automation - Add simulator_only attribute to acl related test cases. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7587) Automation - Add simulator_only attribute to acl related test cases.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7587?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7587. --- Resolution: Fixed Automation - Add simulator_only attribute to acl related test cases. Key: CLOUDSTACK-7587 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7587 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan Automation - Add simulator_only attribute to acl related test cases. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7514. --- Resolution: Fixed Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan resolved CLOUDSTACK-7033. - Resolution: Fixed [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7033. --- [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Closed] (CLOUDSTACK-7034) [Automation] - Automate ACL test cases relating to listVirtualMachines()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-7034. --- Resolution: Fixed [Automation] - Automate ACL test cases relating to listVirtualMachines() Key: CLOUDSTACK-7034 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7034 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
Sangeetha Hariharan created CLOUDSTACK-7585: --- Summary: Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. Key: CLOUDSTACK-7585 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Environment: test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py cases executed against simulator build in advanced zone set up. Reporter: Sangeetha Hariharan Fix For: 4.5.0 Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. Attempting to create shared network on the advanced zone set up fails with following exception since the script tried to create network with shared network with securitygroup enabled network offering , when the real intent was to create network with shared network. 2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer] (catalina-exec-4:ctx-371aa034 ctx-671b4b25 ctx-6c06fff3) (userId=566 accountId=621 sessionId=null) 10.220.135.94 -- GET jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D 200 { queryasyncjobresultresponse : {accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c} } 2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer] (catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1 530 Provider SecurityGroupProvider is either not enabled or doesn't support service SecurityGroup in physical network id=200 Root cause for this issue , is we query for networkoffering with name=DefaultSharedNetworkOffering which results in returning 2 entries , DefaultSharedNetworkOffering and DefaultSharedNetworkOfferingWithSGService. The script ends up picking the network offering of DefaultSharedNetworkOfferingWithSGService 2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer] (catalina-exec-9:ctx-d64b7593 ctx-f74a4a25 ctx-f14b10c9) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D 200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [ {id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering for Shared Security group enabled networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false}, {id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering for Shared networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false} ] } } -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7585) Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14139587#comment-14139587 ] Sangeetha Hariharan commented on CLOUDSTACK-7585: - Fixed test scripts to use additional parameter displayText=Offering for Shared networks when listing Network offerings,so that it returns only default shared network offering. Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. - Key: CLOUDSTACK-7585 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7585 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Test Affects Versions: 4.5.0 Environment: test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py cases executed against simulator build in advanced zone set up. Reporter: Sangeetha Hariharan Fix For: 4.5.0 Automation - Fix test_acl_sharednetwork.py and test_acl_sharednetwork_deployVM-impersonation.py to pick Shared Network network offering when creating networks. Attempting to create shared network on the advanced zone set up fails with following exception since the script tried to create network with shared network with securitygroup enabled network offering , when the real intent was to create network with shared network. 2014-09-17 07:30:36,714 INFO [a.c.c.a.ApiServer] (catalina-exec-4:ctx-371aa034 ctx-671b4b25 ctx-6c06fff3) (userId=566 accountId=621 sessionId=null) 10.220.135.94 -- GET jobid=9edd5afa-ade4-414b-9c84-ae045162140capiKey=1Qwx85LkDHJa5pbSN6BZwGrP-GyVSkzkG70wWLzaostLbopRqtgR-vpR9GMwohyfvt4wzldxj1QizAsjcrqDTAcommand=queryAsyncJobResultresponse=jsonsignature=kwsOpv9uEajw1D5rC1rvKAl3mXU%3D 200 { queryasyncjobresultresponse : {accountid:dfb8610d-1488-4e73-8d6d-75dabebc4891,userid:1898cb06-16c9-4a6c-976e-9e7dfa933550,cmd:org.apache.cloudstack.api.command.user.vm.DeployVMCmd,jobstatus:0,jobprocstatus:0,jobresultcode:0,jobinstancetype:VirtualMachine,jobinstanceid:a0b03a69-6468-4957-855a-da5d6541452f,created:2014-09-17T07:30:36+,jobid:9edd5afa-ade4-414b-9c84-ae045162140c} } 2014-09-17 07:30:36,821 INFO [a.c.c.a.ApiServer] (catalina-exec-13:ctx-70aa613c ctx-d326566c ctx-1b289a9f) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET endip=10.223.1.100apiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwname=SharedNetwork-Allnetworkofferingid=4dc8bedc-58e5-47ef-b462-8c13b18765e4startip=10.223.1.2vlan=4001zoneid=6c748d63-12c2-48c3-b84e-e81ff63ea441netmask=255.255.255.0acltype=Domaindisplaytext=SharedNetwork-Allsignature=NSWuzSOrbpLs9ggT6A3lf7SzXQs%3Dcommand=createNetworkresponse=jsongateway=10.223.1.1 530 Provider SecurityGroupProvider is either not enabled or doesn't support service SecurityGroup in physical network id=200 Root cause for this issue , is we query for networkoffering with name=DefaultSharedNetworkOffering which results in returning 2 entries , DefaultSharedNetworkOffering and DefaultSharedNetworkOfferingWithSGService. The script ends up picking the network offering of DefaultSharedNetworkOfferingWithSGService 2014-09-17 07:30:36,653 INFO [a.c.c.a.ApiServer] (catalina-exec-9:ctx-d64b7593 ctx-f74a4a25 ctx-f14b10c9) (userId=2 accountId=2 sessionId=null) 10.220.135.94 -- GET response=jsonapiKey=d-PIiwVeP_F-GpoQ0a8eSAnon806DSJGS9L34BPW3jmsAQz2LUNePLC9XQ-ILIMcDrGMSzQmMk8xrbfrRkpyXwcommand=listNetworkOfferingsname=DefaultSharedNetworkOfferingsignature=djKbBqXshW0SNBHMJjDnldyk7Ls%3D 200 { listnetworkofferingsresponse : { count:2 ,networkoffering : [ {id:4dc8bedc-58e5-47ef-b462-8c13b18765e4,name:DefaultSharedNetworkOfferingWithSGService,displaytext:Offering for Shared Security group enabled networks,traffictype:Guest,isdefault:true,specifyvlan:true,conservemode:true,specifyipranges:true,availability:Optional,networkrate:200,state:Enabled,guestiptype:Shared,serviceofferingid:caf28ce7-1a81-4767-9e64-c0b16700beed,service:[{name:Dhcp,provider:[{name:VirtualRouter}]},{name:SecurityGroup,provider:[{name:SecurityGroupProvider}]},{name:Dns,provider:[{name:VirtualRouter}]},{name:UserData,provider:[{name:VirtualRouter}]}],forvpc:false,ispersistent:false,egressdefaultpolicy:false,supportsstrechedl2subnet:false}, {id:09d13c2a-4cd7-4700-a092-3192605c29cb,name:DefaultSharedNetworkOffering,displaytext:Offering for Shared
[jira] [Commented] (CLOUDSTACK-6974) IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14139770#comment-14139770 ] Sangeetha Hariharan commented on CLOUDSTACK-6974: - listNetwork() with listall=false and isrecursive=true results in returning all the networks that the admin can see . listNetwork() with listall=false and isrecursive=false/not passed results in returning all the networks that the admin can see in the ROOT domain . In both the above cases , listNetwork() with listall=false should return only the networks that he can use (which is isolated networks that he created and shared network that he has access to). IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed. -- Key: CLOUDSTACK-6974 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6974 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan Root Admin - When listNetwork is used with listall=false (or no listall passed) and isrecursive=true , all networks in the system are returned. Steps to reproduce the problem: Create multiple domains with few user and domain accounts in them. Create isolated networks as each of these accounts. Create an admin user under ROOT. As this admin user, deploy a VM. Use listNetwork with listall=false (or no listall passed) and isrecursive=true to retrieve all the networks owned by this admin. This results in all the networks in the system being returned. Following is the API call that was made , that resulted in 15 networks being fetched when it should have fetched only 1 isolated network and 1 shared network. http://10.223.49.6:8080/client/api?apiKey=PB2CyeaqN0vfTodPzXV52OdE9YZLC8K-BrdLiEijWmq85nuAEfXVoAPxbzW0J5BgFAT-f5lnwDEgeOfp_boJAgisrecursive=trueresponse=jsonlistall=falsecommand=listNetworkssignature=l%2FNR4aBSnk7aAEDHhlsAvEXe7Cg%3D Response: { listnetworksresponse : { count:15 ,network : [ {id:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,name:SharedNetwork-Account,displaytext:SharedNetwork-Account,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:1bec2c7f-d35d-4d33-a655-d3159be4a6ff,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering for Shared Security group enabled networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,broadcasturi:vlan://153,dns1:4.2.2.2,type:Shared,vlan:153,acltype:Account,account:testD111A-TestNetworkList-RPNQIQ,domainid:b706ea33-fbf7-4167-a857-16f79f332cf3,domain:D111-A243U3,service:[ {name:UserData} ,{name:Dhcp,capability:[ {name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false} ]},{ ... -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
Sangeetha Hariharan created CLOUDSTACK-7567: --- Summary: Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7567: Description: Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7567) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regula
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7567: Description: (was: Automate ACL test cases relating to impersonation when depoying VM in shared network.) Automate ACL test cases relating to depoying VM in shared network with different scopes - All/Domain/Domain with subdomain/Account for Admin, domain admin and regular users. - Key: CLOUDSTACK-7567 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7567 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
Sangeetha Hariharan created CLOUDSTACK-7551: --- Summary: Automate ACL test cases relating to impersonation when depoying VM in shared network. Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7551) Automate ACL test cases relating to impersonation when depoying VM in shared network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7551: Description: Automate ACL test cases relating to impersonation when depoying VM in shared network. (was: [Automation] - Automate ACL test cases relating to listVolumes()) Automate ACL test cases relating to impersonation when depoying VM in shared network. -- Key: CLOUDSTACK-7551 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7551 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Automate ACL test cases relating to impersonation when depoying VM in shared network. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7514: --- Assignee: Sangeetha Hariharan Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7523) java.lang.NullPointerException when listing accounts.
Sangeetha Hariharan created CLOUDSTACK-7523: --- Summary: java.lang.NullPointerException when listing accounts. Key: CLOUDSTACK-7523 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7523 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: Build from master Reporter: Sangeetha Hariharan Assignee: frank zhang Priority: Critical Fix For: 4.5.0 Deploy a fresh Management server. After this try to list Accounts , by going to Accounts tab in UI. There is no entries returned and the UI keeps spinning. listAccounts() fail with return code - 530 . 2014-09-09 12:38:59,932 INFO [a.c.c.a.ApiServer] (catalina-exec-18:ctx-0c561c21 ctx-dcbc1d59) (userId=2 accountId=2 sessionId=600DA8E1BD8DC8B8DF75DD5B5FC9E7E9) 10.215.3.17 -- GET command=listAccountsresponse=jsonsessionkey=2%2Bf%2BWC0FhPn6j%2BiLp3mj2POhdsY%3DlistAll=truepage=1pagesize=20_=1410305103203 530 null Following exception seen in management server logs: 2014-09-09 08:39:22,417 DEBUG [c.c.a.ApiServlet] (catalina-exec-7:ctx-d2a3ffdc) ===START=== 10.216.50.29 -- GET command=listAccountsresponse=jsonsessionkey=XkWSjL0e3Xe3ckgR5jW2CsSYOeA%3DlistAll=truepage=1pagesize=20_=1410290672605 2014-09-09 08:39:22,832 ERROR [c.c.a.ApiServer] (catalina-exec-7:ctx-d2a3ffdc ctx-9db713ee) unhandled exception executing api command: [Ljava.lang.String;@1a1bdce4 java.lang.NullPointerException at com.cloud.api.query.dao.AccountJoinDaoImpl.setResourceLimits(AccountJoinDaoImpl.java:144) at com.cloud.api.query.dao.AccountJoinDaoImpl.newAccountResponse(AccountJoinDaoImpl.java:79) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at com.cloud.utils.db.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:34) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy111.newAccountResponse(Unknown Source) at com.cloud.api.ApiDBUtils.newAccountResponse(ApiDBUtils.java:1788) at com.cloud.api.query.ViewResponseHelper.createAccountResponse(ViewResponseHelper.java:353) at com.cloud.api.query.QueryManagerImpl.searchForAccounts(QueryManagerImpl.java:1835) at org.apache.cloudstack.api.command.user.account.ListAccountsCmd.execute(ListAccountsCmd.java:93) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:141) at com.cloud.api.ApiServer.queueCommand(ApiServer.java:694) at com.cloud.api.ApiServer.handleRequest(ApiServer.java:517) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:273) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:117) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:114) at com.cloud.api.ApiServlet.doGet(ApiServlet.java:76) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at
[jira] [Created] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
Sangeetha Hariharan created CLOUDSTACK-7514: --- Summary: Automation] - Automate ACL test cases relating to listSnapshots() Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7514) Automation] - Automate ACL test cases relating to listSnapshots()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7514: Description: [Automation] - Automate ACL test cases relating to listSnapshots() (was: [Automation] - Automate ACL test cases relating to listVolumes()) Automation] - Automate ACL test cases relating to listSnapshots() - Key: CLOUDSTACK-7514 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7514 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listSnapshots() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolume()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7492: Description: [Automation] - Automate ACL test cases relating to listVolumes() (was: [Automation] - Automate ACL test cases relating to listVirtualMachines()) [Automation] - Automate ACL test cases relating to listVolume() --- Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolume()
Sangeetha Hariharan created CLOUDSTACK-7492: --- Summary: [Automation] - Automate ACL test cases relating to listVolume() Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CLOUDSTACK-7492) [Automation] - Automate ACL test cases relating to listVolumes()
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7492: Summary: [Automation] - Automate ACL test cases relating to listVolumes() (was: [Automation] - Automate ACL test cases relating to listVolume()) [Automation] - Automate ACL test cases relating to listVolumes() Key: CLOUDSTACK-7492 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7492 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVolumes() -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (CLOUDSTACK-7391) [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14122208#comment-14122208 ] Sangeetha Hariharan commented on CLOUDSTACK-7391: - This is an issue with test scripts where listHosts() API call needs to called with VM id , so that the suitableformigration parameter is set to true for hosts. This is already tracked in https://issues.apache.org/jira/browse/CLOUDSTACK-7391 [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None --- Key: CLOUDSTACK-7391 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7391 Project: CloudStack Issue Type: Test Security Level: Public(Anyone can view this level - this is the default.) Components: Automation, Test Affects Versions: 4.5.0 Reporter: Chandan Purushothama Assignee: Gaurav Aradhye Fix For: 4.5.0 == Client Code: == def test_03_cant_migrate_vm_to_host_with_ha_positive(self): Verify you can not migrate VMs to hosts with an ha.tag (positive) . . . vm = vms[0] self.debug(Deployed VM on host: %s % vm.hostid) #Find out a Suitable host for VM migration list_hosts_response = list_hosts( self.apiclient, *BUG: Query the list of hosts with vm id. Only then the response will have list of suitable and non-suitable hosts. Else suitableforMigration is not returned in the response* ) self.assertEqual( isinstance(list_hosts_response, list), True, The listHosts API returned the invalid list ) self.assertNotEqual( len(list_hosts_response), 0, The listHosts returned nothing. ) suitableHost = None for host in list_hosts_response: if host.suitableformigration == True and host.hostid != vm.hostid: suitableHost = host break self.assertTrue(suitableHost is not None, suitablehost should not be None) *Error Message: suitablehost should not be None* {code} Cmd : listHosts=== requests.packages.urllib3.connectionpool: INFO: Starting new HTTP connection (1): 10.220.135.39 requests.packages.urllib3.connectionpool: DEBUG: GET /client/api?apiKey=NpffyWZkfwK7gPcNpx28Ohv6K56ftl57A409SyokqHjJ2ZNe3AvvF3F0teTETeIIqrtlcWpQOooM3cQyPveGXwcommand=listHostsresponse=jsonsignature=gh2gh3mSzQNAcfMdspqc9v1JE3U%3D HTTP/1.1 200 3708 test_03_cant_migrate_vm_to_host_with_ha_positive (integration.component.maint.test_host_high_availability.TestHostHighAvailability): DEBUG: Response : [{name : u's-2-VM', created : u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.107', islocalstorageactive : False, podid : u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version : u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname : u'XenRT-Zone-0-Pod-0', id : u'bb004159-d510-42b4-bfd5-878140a11f78', lastpinged : u'1970-01-16T22:04:57+', type : u'SecondaryStorageVM', events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename : u'XenRT-Zone-0'}, {name : u'v-1-VM', created : u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.105', islocalstorageactive : False, podid : u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version : u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname : u'XenRT-Zone-0-Pod-0', id : u'f328a0d1-f4cb-4486-9550-dd46c403c3ed', lastpinged : u'1970-01-16T22:04:57+', type : u'ConsoleProxy', events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename : u'XenRT-Zone-0'}, {cpuwithoverprovisioning : u'28800.0', version : u'4.5.0-SNAPSHOT', memorytotal : 31073792896, zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', cpunumber : 12, managementserverid : 231707544610094, cpuallocated : u'2.08%', memoryused : 4211653, id : u'1f5f180e-3eb1-4a6a-92f8-8df71df57962', cpuused : u'0.03%', hypervisorversion : u'6.2.0', clusterid : u'af55ad36-15c8-424b-916b-db1550aae5ff', capabilities : u'xen-3.0-x86_64 , xen-3.0-x86_32p , hvm-3.0-x86_32 , hvm-3.0-x86_32p , hvm-3.0-x86_64', state : u'Up', memoryallocated : 268435456, networkkbswrite : 5383, cpuspeed : 2400, cpusockets : 2, type : u'Routing', events : u'AgentDisconnected; PingTimeout; Remove;
[jira] [Issue Comment Deleted] (CLOUDSTACK-7391) [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-7391: Comment: was deleted (was: This is an issue with test scripts where listHosts() API call needs to called with VM id , so that the suitableformigration parameter is set to true for hosts. This is already tracked in https://issues.apache.org/jira/browse/CLOUDSTACK-7391 ) [Automation] Fix the script test_host_high_availability.py - Error Message: suitablehost should not be None --- Key: CLOUDSTACK-7391 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7391 Project: CloudStack Issue Type: Test Security Level: Public(Anyone can view this level - this is the default.) Components: Automation, Test Affects Versions: 4.5.0 Reporter: Chandan Purushothama Assignee: Gaurav Aradhye Fix For: 4.5.0 == Client Code: == def test_03_cant_migrate_vm_to_host_with_ha_positive(self): Verify you can not migrate VMs to hosts with an ha.tag (positive) . . . vm = vms[0] self.debug(Deployed VM on host: %s % vm.hostid) #Find out a Suitable host for VM migration list_hosts_response = list_hosts( self.apiclient, *BUG: Query the list of hosts with vm id. Only then the response will have list of suitable and non-suitable hosts. Else suitableforMigration is not returned in the response* ) self.assertEqual( isinstance(list_hosts_response, list), True, The listHosts API returned the invalid list ) self.assertNotEqual( len(list_hosts_response), 0, The listHosts returned nothing. ) suitableHost = None for host in list_hosts_response: if host.suitableformigration == True and host.hostid != vm.hostid: suitableHost = host break self.assertTrue(suitableHost is not None, suitablehost should not be None) *Error Message: suitablehost should not be None* {code} Cmd : listHosts=== requests.packages.urllib3.connectionpool: INFO: Starting new HTTP connection (1): 10.220.135.39 requests.packages.urllib3.connectionpool: DEBUG: GET /client/api?apiKey=NpffyWZkfwK7gPcNpx28Ohv6K56ftl57A409SyokqHjJ2ZNe3AvvF3F0teTETeIIqrtlcWpQOooM3cQyPveGXwcommand=listHostsresponse=jsonsignature=gh2gh3mSzQNAcfMdspqc9v1JE3U%3D HTTP/1.1 200 3708 test_03_cant_migrate_vm_to_host_with_ha_positive (integration.component.maint.test_host_high_availability.TestHostHighAvailability): DEBUG: Response : [{name : u's-2-VM', created : u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.107', islocalstorageactive : False, podid : u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version : u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname : u'XenRT-Zone-0-Pod-0', id : u'bb004159-d510-42b4-bfd5-878140a11f78', lastpinged : u'1970-01-16T22:04:57+', type : u'SecondaryStorageVM', events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename : u'XenRT-Zone-0'}, {name : u'v-1-VM', created : u'2014-08-20T04:31:37+', ipaddress : u'10.220.136.105', islocalstorageactive : False, podid : u'027c1e45-5867-40f8-8ad9-685b5eb63dd2', resourcestate : u'Enabled', zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', state : u'Up', version : u'4.5.0-SNAPSHOT', managementserverid : 231707544610094, podname : u'XenRT-Zone-0-Pod-0', id : u'f328a0d1-f4cb-4486-9550-dd46c403c3ed', lastpinged : u'1970-01-16T22:04:57+', type : u'ConsoleProxy', events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested; AgentConnected; HostDown; ManagementServerDown; Ping; StartAgentRebalance', zonename : u'XenRT-Zone-0'}, {cpuwithoverprovisioning : u'28800.0', version : u'4.5.0-SNAPSHOT', memorytotal : 31073792896, zoneid : u'f2acfe0c-c8c8-4353-8f97-a3e0f14d6357', cpunumber : 12, managementserverid : 231707544610094, cpuallocated : u'2.08%', memoryused : 4211653, id : u'1f5f180e-3eb1-4a6a-92f8-8df71df57962', cpuused : u'0.03%', hypervisorversion : u'6.2.0', clusterid : u'af55ad36-15c8-424b-916b-db1550aae5ff', capabilities : u'xen-3.0-x86_64 , xen-3.0-x86_32p , hvm-3.0-x86_32 , hvm-3.0-x86_32p , hvm-3.0-x86_64', state : u'Up', memoryallocated : 268435456, networkkbswrite : 5383, cpuspeed : 2400, cpusockets : 2, type : u'Routing', events : u'AgentDisconnected; PingTimeout; Remove; ShutdownRequested;
[jira] [Created] (CLOUDSTACK-7471) Regular user is allowed to deleteNetwork/RestartNetwork that does not belong to him.He is also able to deploy Vm for other users.
Sangeetha Hariharan created CLOUDSTACK-7471: --- Summary: Regular user is allowed to deleteNetwork/RestartNetwork that does not belong to him.He is also able to deploy Vm for other users. Key: CLOUDSTACK-7471 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7471 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.5.0 Environment: build from master Reporter: Sangeetha Hariharan Assignee: Min Chen Scenario 1 : Regular user is allowed to delete networks that belong to other users Create a regular user - d1-a in Domain - d1. Create another regular user - d1-b in Domain - d1. As user d1-a , create a network. As user d1-b , delete network that belongs to d1-a. We expect this to not succeed. But we are allowed to do this. Snippet from apilog indicating AccountId- 92 is attempting the restart network. 2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) (userId=92 accountId=92 sessionId=DC A599AA77169CA107BA0AADA19667F7) 10.215.3.6 – GET command=deleteNetworkid=2f2cc737-ba0f-4806-a81b-92a5749cfe7bresponse=jsonsessi onkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { deletenetworkresponse : {jobid:05daf212-1aa7-4885-b133-2645a6ceb7df} } Snippet from DB indicating that the owner of network is account_id=89 . mysql select account_id,domain_id from networks where uuid=2f2cc737-ba0f-4806-a81b-92a5749cfe7b; -+ account_id domain_id -+ 89 37 -+ 1 row in set (0.00 sec) Snippet from management server logs indicating success: 2014-08-29 06:59:57,911 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) submit async job-995, details: AsyncJobVO {id:995, userId: 92, accountId: 92, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.comman d.user.network.DeleteNetworkCmd, cmdInfo: {response:json,id:2f2cc737-ba0f-4806-a81b-92a5749cfe7b,sessionkey:NHvM0k5Rg/Qs pJg2g0YnQP/hq34\u003d,ctxDetails: {\com.cloud.network.Network\:\2f2cc737-ba0f-4806-a81b-92a5749cfe7b\} ,cmdEventType:NETW ORK.DELETE,ctxUserId:92,httpmethod:GET,uuid:2f2cc737-ba0f-4806-a81b-92a5749cfe7b,ctxAccountId:92,ctxStartEventId :3020}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 82324189320212, completeMsid : null, lastUpdated: null, lastPolled: null, created: null} 2014-08-29 06:59:57,912 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) ===END=== 10.215.3.6 – GET command =deleteNetworkid=2f2cc737-ba0f-4806-a81b-92a5749cfe7bresponse=jsonsessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 2014-08-29 06:59:57,934 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network is al ready shutdown: Ntwk[390|Guest|8] 2014-08-29 06:59:57,937 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 port f orwarding rules for network id=390 2014-08-29 06:59:57,938 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 static nat rules for network id=390 2014-08-29 06:59:57,939 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no port forwarding rules to apply for network id=390 2014-08-29 06:59:57,940 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no stati c nat rules to apply for network id=390 2014-08-29 06:59:57,941 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully relea sed rules for network id=390 and # of rules now = 0 2014-08-29 06:59:57,941 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up portForwarding/staticNat rules for network id=390 2014-08-29 06:59:57,942 DEBUG [c.c.n.l.LoadBalancingRulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Found 0 lb rules to cleanup 2014-08-29 06:59:57,942 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up load balancing rules for network id=390 2014-08-29 06:59:57,949 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 firewall rules for network id=390 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no firewall rules to apply 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully released firewall rules for network id=390 and # of rules now = 0 2014-08-29 06:59:57,955 DEBUG
[jira] [Assigned] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan reassigned CLOUDSTACK-7033: --- Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public(Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7033) [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api..
Sangeetha Hariharan created CLOUDSTACK-7033: --- Summary: [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api.. Key: CLOUDSTACK-7033 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7033 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to isolate Network for deleteNetwork() api -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7034) [Automation] - Automate ACL test cases relating to listVirtualMachines()
Sangeetha Hariharan created CLOUDSTACK-7034: --- Summary: [Automation] - Automate ACL test cases relating to listVirtualMachines() Key: CLOUDSTACK-7034 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7034 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listVirtualMachines() -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7035) [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks.
Sangeetha Hariharan created CLOUDSTACK-7035: --- Summary: [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks. Key: CLOUDSTACK-7035 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7035 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan [Automation] - Automate ACL test cases relating to listNetworks() for isolated and shared networks -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-7002) [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network.
Sangeetha Hariharan created CLOUDSTACK-7002: --- Summary: [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network. Key: CLOUDSTACK-7002 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7002 Project: CloudStack Issue Type: Task Security Level: Public (Anyone can view this level - this is the default.) Components: Automation Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Sangeetha Hariharan Fix For: 4.4.0 [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Resolved] (CLOUDSTACK-7002) [Automation] - Automate ACL test cases relating to isolate Network for createNetwork(), restartNetwork() and deploying Vms in a isolated network.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-7002?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan resolved CLOUDSTACK-7002. - Resolution: Fixed Automated 33 test cases relating to access checks for createNetwork(), deploying VM in an isolated network and restarNetwork. Author: Sangeetha sangeetha.hariha...@citrix.com Date: Thu Jun 26 13:40:53 2014 -0700 This test suite contains test cases relating to access checks for createNetwork(), deploying VM in an isolated.. commit 9c2e6f5ed45522ff68131556028f3fb4ff91ee90 Review for this patch is tracked in https://reviews.apache.org/r/22709/ Test results: # Validate that Admin should be able to create network for himslef ... === TestName: test_01_createNetwork_admin | Status : SUCCESS === ok # Validate that Admin should be able to create network for users in his domain ... === TestName: test_02_createNetwork_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should be able to create network for users in his sub domain ... === TestName: test_03_createNetwork_admin_foruserinotherdomain | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for himslef ... === TestName: test_04_createNetwork_domaindmin | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for users in his domain ... === TestName: test_05_createNetwork_domaindmin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be able to create network for users in his sub domain ... === TestName: test_06_createNetwork_domaindmin_foruserinsubdomain | Status : SUCCESS === ok # Validate that Domain admin should not be able to create network for users in his sub domain ... === TestName: test_07_createNetwork_domaindmin_forcrossdomainuser | Status : SUCCESS === ok # Validate that Regular should be able to create network for himslef ... === TestName: test_08_createNetwork_user | Status : SUCCESS === ok # Validate that Regular user should NOT be able to create network for users in his domain ... === TestName: test_09_createNetwork_user_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be NOT be able to create network for users in other domains ... === TestName: test_10_createNetwork_user_foruserinotherdomain | Status : SUCCESS === ok # Validate that Admin should be able to deploy VM in the networks he owns ... === TestName: test_11_deployvm_admin | Status : SUCCESS === ok # Validate that Admin should be able to deploy Vm for users in his domain ... === TestName: test_12_deployvm_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should not be able deploy VM for a user in a network that does not belong to the user ... === TestName: test_13_1_deployvm_admin_foruserinotherdomain_crossnetwork | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for himslef ... === TestName: test_14_deployvm_domaindmin | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for users in his domain ... === TestName: test_15_deployvm_domaindmin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Domain admin should be able to deploy vm for users in his sub domain ... === TestName: test_16_deployvm_domaindmin_foruserinsubdomain | Status : SUCCESS === ok # Validate that Domain admin should not be able deploy VM for a user in a network that does not belong to the user ... === TestName: test_17_1_deployvm_domainadmin_foruserinotherdomain_crossnetwork | Status : SUCCESS === ok # Validate that Domain admin should not be able allowed to deploy vm for users not in his sub domain ... === TestName: test_17_deployvm_domaindmin_forcrossdomainuser | Status : SUCCESS === ok # Validate that Regular should be able to deploy vm for himslef ... === TestName: test_18_deployvm_user | Status : SUCCESS === ok # Validate that Regular user should NOT be able to deploy vm for users in his domain ... === TestName: test_19_deployvm_user_foruserinsamedomain | Status : SUCCESS === ok #Validate that User should not be able deploy VM in a network that does not belong to him ... === TestName: test_20_1_deployvm_user_incrossnetwork | Status : SUCCESS === ok # Validate that Regular user should NOT be able to deploy vm for users in his domain ... === TestName: test_20_deployvm_user_foruserincrossdomain | Status : SUCCESS === ok #Validate that Admin should be able to restart network for networks he owns ... === TestName: test_21_restartNetwork_admin | Status : SUCCESS === ok # Validate that Admin should be able to restart network for users in his domain ... === TestName: test_22_restartNetwork_admin_foruserinsamedomain | Status : SUCCESS === ok # Validate that Admin should be able to restart network for users in his sub domain ... === TestName:
[jira] [Created] (CLOUDSTACK-6973) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Edit
Sangeetha Hariharan created CLOUDSTACK-6973: --- Summary: IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Edit Comment Assign More Resolve Issue Close Issue Export Key: CLOUDSTACK-6973 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6973 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Steps to reproduce the problem: Domain D1 - has user d1 (domain admin), d1a and d1b regular users. Each user has a isolated network that he owns. Calling listNetworks() with no parameters (or listall=false) , results in isolated networks owned by other regular users in the domain to be listed. As domain admin d1 , when I listed istNetworks() with no parameters (or listall=false) , i see the isolated networks owned by d1a and d1b regular users listed: - id account_nameuuidtypedomain_id state removed cleanup_needed network_domain default_zone_id default - 1 system 2c320fc2-d1eb-11e3-907f-4adf980f94141 1 enabled NULL0 NULLNULL1 2 admin 2c324dfc-d1eb-11e3-907f-4adf980f94141 1 enabled NULL0 NULLNULL1 3 testD1-TestNetworkList-0SNBP5 53144728-76db-427a-ab96-5a6901e31a5e 2 2 enabled NULL0 NULLNULL0 4 testD1A-TestNetworkList-0Y3W33 196cc54c-4f4f-4bff-91ee-e084395eb388 0 2 enabled NULL0 NULLNULL0 5 testD1B-TestNetworkList-KOGK49 52d34195-f6be-482d-b8cb-effaf9d3bcc4 0 2 enabled NULL0 NULLNULL0 List call response: 2014-05-02 07:38:19,152 INFO [a.c.c.a.ApiServer] (catalina-exec-10:ctx-4d9ac3c7 ctx-d8785a9c ctx-aa28872f) (userId=3 accountId=3 ses sionId=null) 10.223.56.66 – GET apiKey=ASspPltVyUxiuOKQLuyfJnsS_zezNXRjZPfZsdjAXpJMUnu7r75Zn9dqk7p_eL1PrATjDbDanUN3uGsGbsCcwgrespon se=jsonlistall=falsecommand=listNetworkssignature=s9FYHRWmLi2E7LeQDhXcyi%2Fu0J0%3D 200 { listnetworksresponse : { count:5 ,ne twork : [ {id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestN etworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr: 10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3 567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering for Isolated n etworks with Source Nat service enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false ,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,accou nt:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[ {name:PortF orwarding} , {name:UserData} ,{name:Firewall,capability:[ {name:MultipleIps,value:true,canchooseservicecapability:fa lse} , {name:SupportedEgressProtocols,value:tcp,udp,icmp, all,canchooseservicecapability:false} , {name:SupportedProtocols, value:tcp,udp,icmp,canchooseservicecapability:false} , {name:SupportedTrafficDirection,value:ingress, egress,canchoosese rvicecapability:false} , {name:TrafficStatistics,value:per public ip,canchooseservicecapability:false} ]},{name:Lb,capab ility:[{name:AutoScaleCounters,value:[ {\methodname\:\cpu\,\paramlist\:[]} , {\methodname\:\memory\,\paramlist\:[]} ] ,canchooseservicecapability:false}, {name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false} , {name: SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false} , {name:LbSchemes,value:Public ,canchooseservicecapability:false} , {name:SupportedProtocols,value:tcp, udp,canchooseservicecapability:false} ,{name:Su pportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[ {\paramname\:\cookie-name\,\required\:false,\i sflag\:false,\description\:\ \} , {\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\ \} ,
[jira] [Updated] (CLOUDSTACK-6973) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6973: Summary: IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. (was: IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Edit Comment Assign More Resolve Issue Close Issue Export) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. -- Key: CLOUDSTACK-6973 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6973 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed. Steps to reproduce the problem: Domain D1 - has user d1 (domain admin), d1a and d1b regular users. Each user has a isolated network that he owns. Calling listNetworks() with no parameters (or listall=false) , results in isolated networks owned by other regular users in the domain to be listed. As domain admin d1 , when I listed istNetworks() with no parameters (or listall=false) , i see the isolated networks owned by d1a and d1b regular users listed: - idaccount_nameuuidtypedomain_id state removed cleanup_needed network_domain default_zone_id default - 1 system 2c320fc2-d1eb-11e3-907f-4adf980f94141 1 enabled NULL0 NULLNULL1 2 admin 2c324dfc-d1eb-11e3-907f-4adf980f94141 1 enabled NULL0 NULLNULL1 3 testD1-TestNetworkList-0SNBP5 53144728-76db-427a-ab96-5a6901e31a5e 2 2 enabled NULL0 NULLNULL0 4 testD1A-TestNetworkList-0Y3W33 196cc54c-4f4f-4bff-91ee-e084395eb388 0 2 enabled NULL0 NULLNULL0 5 testD1B-TestNetworkList-KOGK49 52d34195-f6be-482d-b8cb-effaf9d3bcc4 0 2 enabled NULL0 NULLNULL0 List call response: 2014-05-02 07:38:19,152 INFO [a.c.c.a.ApiServer] (catalina-exec-10:ctx-4d9ac3c7 ctx-d8785a9c ctx-aa28872f) (userId=3 accountId=3 ses sionId=null) 10.223.56.66 – GET apiKey=ASspPltVyUxiuOKQLuyfJnsS_zezNXRjZPfZsdjAXpJMUnu7r75Zn9dqk7p_eL1PrATjDbDanUN3uGsGbsCcwgrespon se=jsonlistall=falsecommand=listNetworkssignature=s9FYHRWmLi2E7LeQDhXcyi%2Fu0J0%3D 200 { listnetworksresponse : { count:5 ,ne twork : [ {id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestN etworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr: 10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3 567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering for Isolated n etworks with Source Nat service enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false ,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,accou nt:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[ {name:PortF orwarding} , {name:UserData} ,{name:Firewall,capability:[ {name:MultipleIps,value:true,canchooseservicecapability:fa lse} , {name:SupportedEgressProtocols,value:tcp,udp,icmp, all,canchooseservicecapability:false} , {name:SupportedProtocols, value:tcp,udp,icmp,canchooseservicecapability:false} , {name:SupportedTrafficDirection,value:ingress, egress,canchoosese rvicecapability:false} , {name:TrafficStatistics,value:per public ip,canchooseservicecapability:false} ]},{name:Lb,capab ility:[{name:AutoScaleCounters,value:[ {\methodname\:\cpu\,\paramlist\:[]} ,
[jira] [Created] (CLOUDSTACK-6974) IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed.
Sangeetha Hariharan created CLOUDSTACK-6974: --- Summary: IAM-Root Admin - When listNetwork is used with listall=false (or no listall passed), all isoalted networks belonging to other users is listed. Key: CLOUDSTACK-6974 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6974 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan Root Admin - When listNetwork is used with listall=false (or no listall passed) and isrecursive=true , all networks in the system are returned. Steps to reproduce the problem: Create multiple domains with few user and domain accounts in them. Create isolated networks as each of these accounts. Create an admin user under ROOT. As this admin user, deploy a VM. Use listNetwork with listall=false (or no listall passed) and isrecursive=true to retrieve all the networks owned by this admin. This results in all the networks in the system being returned. Following is the API call that was made , that resulted in 15 networks being fetched when it should have fetched only 1 isolated network and 1 shared network. http://10.223.49.6:8080/client/api?apiKey=PB2CyeaqN0vfTodPzXV52OdE9YZLC8K-BrdLiEijWmq85nuAEfXVoAPxbzW0J5BgFAT-f5lnwDEgeOfp_boJAgisrecursive=trueresponse=jsonlistall=falsecommand=listNetworkssignature=l%2FNR4aBSnk7aAEDHhlsAvEXe7Cg%3D Response: { listnetworksresponse : { count:15 ,network : [ {id:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,name:SharedNetwork-Account,displaytext:SharedNetwork-Account,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:1bec2c7f-d35d-4d33-a655-d3159be4a6ff,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering for Shared Security group enabled networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:fb3b563c-5ba2-4f9a-aa65-82996f78f20e,broadcasturi:vlan://153,dns1:4.2.2.2,type:Shared,vlan:153,acltype:Account,account:testD111A-TestNetworkList-RPNQIQ,domainid:b706ea33-fbf7-4167-a857-16f79f332cf3,domain:D111-A243U3,service:[ {name:UserData} ,{name:Dhcp,capability:[ {name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false} ]},{ ... -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6937) IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid.
Sangeetha Hariharan created CLOUDSTACK-6937: --- Summary: IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid. Key: CLOUDSTACK-6937 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6937 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan IAM - ROOT admin - Not able to list network owned by accounts under any domain by passing uuid. Create a domain d1 and deploy a vm as an account under this domain. As ROOT admin , try to listNetwork of this VM by passing uuid of the network. Empyt result is returned. when listall=true is passed along with id parameter , then we are able to list the network. http://10.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg%3D This returns empty list. When passed with listall=true then network is listed: http://10.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg%3D%20%3E%3E%201010.223.49.6:8080/client/api?command=listNetworksid=decebcd9-58f9-40b1-b4c4-bc554457f3d7response=jsonsessionkey=WGOtz0CAa5c57Imzm2iY8caUVYg=listall=true -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6939) IAM - DomainAdmin - Not able to listNetwork belonging to a subdomain by passing uuid.
Sangeetha Hariharan created CLOUDSTACK-6939: --- Summary: IAM - DomainAdmin - Not able to listNetwork belonging to a subdomain by passing uuid. Key: CLOUDSTACK-6939 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6939 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4-forward Reporter: Sangeetha Hariharan IAM - DomainAdmin - Not able to listNetwork belonging to a subdomain by passing uuid. Steps to reproduce the problem: Create a domain D1 with domain admin user - d1 Create a subdomain D1/D11 with regular user - d11a. As d11a user , create an isolated network. As domain admin d1 , use listNetworks() command to list network of d11a by passing id paramater. listNetwork() returns empty list. When i pass listall=true parameter along with uuid parameter , then I am able to get the list. When empty result is returned: 2014-05-02 14:40:54,273 INFO [a.c.c.a.ApiServer] (catalina-exec-19:ctx-7b012c50 ctx-d447137f) (userId=14 acc ountId=14 sessionId=0662CF854C84368E87A0D1E1283323A4) 10.215.2.8 – GET command=listNetworksid=323c350f-8345 -493e-bc50-5b9592fe4ab3response=jsonsessionkey=B2T%2FRltf8yQnVVqLXpbocOU4HyE%3D_=1399080286519 200 { list networksresponse : { } } with listall=true parameter , network is being listed: 2014-05-02 14:41:08,454 INFO [a.c.c.a.ApiServer] (catalina-exec-8:ctx-4cccd2f8 ctx-c091216f) (userId=14 acco untId=14 sessionId=0662CF854C84368E87A0D1E1283323A4) 10.215.2.8 – GET command=listNetworksid=323c350f-8345- 493e-bc50-5b9592fe4ab3response=jsonsessionkey=B2T%2FRltf8yQnVVqLXpbocOU4HyE%3D_=1399080286519listall=true 200 { listnetworksresponse : { count:1 ,network : [ {id:323c350f-8345-493e-bc50-5b9592fe4ab3,nam e:testD11-TestNetworkList-OPXQKG-network,displaytext:testD11-TestNetworkList-OPXQKG-network,broadcast domaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24, zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acb b-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdi splaytext:Offering for Isolated networks with Source Nat service enabled,networkofferingconservemode:tru e,networkofferingavailability:Required,issystem:false,state:Implemented,related:323c350f-8345-49 3e-bc50-5b9592fe4ab3,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD11-TestNetworkLi st-OPXQKG,domainid:63282e89-0798-456b-9f1d-a234af5fb046,domain:D11-BVD36X,service:[ {name:PortFo rwarding} , {name:UserData} ,{name:Firewall,capability:[ {name:MultipleIps,value:true,canchoo seservicecapability:false} , {name:SupportedEgressProtocols,value:tcp,udp,icmp, all,canchooseservicec apability:false} , {name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false} , {name:SupportedTrafficDirection,value:ingress, egress,canchooseservicecapability:false} , {name:TrafficStatistics,value:per public ip,canchooseservicecapability:false} ]},{name:Lb,capability:[{name:AutoScaleCounters,value:[ {\methodname\:\cpu\,\paramlist\:[]} , {\methodname\:\memory\,\paramlist\:[]} ],canchooseservicecapability:false}, {name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false} , {name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false} , {name:LbSchemes,value:Public,canchooseservicecapability:false} , {name:SupportedProtocols,value:tcp, udp,canchooseservicecapability:false} ,{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[ {\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\ \} , {\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\ \} , {\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\ \} , {\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\ \} , {\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\ \} ,{\paramname\:\domain\,\required\:false,\isflag\:false, -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6742. --- Tested with latest build from 4.4 (after IAM revert). As regular users, we are able to list only the vms and volumes that belong to this account. listVolumes - As regularuser , able to list Vms and volumes of other users. --- Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6745. --- Tested with latest build from 4.4-forward branch. DomainAdmin is able to deploy Vm for users in his domain/subdomain by passing their account name and domain Id in account and domainId parameter. DomainAdmin is not able to deploy Vm for users in his domain/subdomain. --- Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6581) IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6581. --- Tested with latest build form 4.4-forward ( after IAM revert) : ROOT admin is not able to deploy Vms in shared networks with scope domain/ account (dedicated to a particular domain / account). API throws the following error when ROOT admin tries to deploy a VM in an account specific shared network. { deployvirtualmachineresponse : {uuidList:[],errorcode:531,cserrorcode:4365,errortext:Unable to use network with id= 89215c78-1526-4d54-9021-8f49d6c991e3, permission denied} } API throws the following error when ROOT admin tries to deploy a VM in a domain specific shared network. { deployvirtualmachineresponse : {uuidList:[],errorcode:531,cserrorcode:4365,errortext:Shared network id=768a1a01-2caa-4d49-93db-ccba42619cb0 is not available in domain id=1} } IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. --- Key: CLOUDSTACK-6581 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6581 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Steps to reproduce the problem: Create a admin account for ROOT domain. Create a domain d1 with account a1. Create a shared network for domain d1 with sub domain access set to true. Create a shared network for domain d1 with sub domain access set to false. Create a shared network for account a1 d1 with sub domain access set to false. As ROOT admin , try to deploy a VM in the above created shared networks. Vm deployment succeeds. Expected Result: ROOT admin should not be allowed to deploy VMs in shared networks that are scoped for a specific domain/account. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6569) IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6569. --- Tested with latest build from 4.4-forward (after IAM revert) Regular user is not allowed to list network of other accounts in the same domain: 2014-06-12 10:28:52,820 INFO [a.c.c.a.ApiServer] (catalina-exec-5:ctx-08e8e4b8 ctx-ec14d52d) (userId=7 accountId=7 sessionId=05A235CFC99FACA027D130666C218B1C) 10.216.50.29 -- GET command=listNetworksresponse=jsonsessionkey=ZILTwOXY%2BZYac8MZdC%2BthwzVpHE%3DlistAll=truepage=1pagesize=20account=d1-sandomainid=a35f9e43-1707-4ea8-b776-e6e4e75b8fff 531 Acct[9489582f-092e-44a4-bc97-5ab7c0a3d30b-d1-san2] does not have permission to operate with resource Acct[f83f6755-7c50-4557-8cbc-5d0b9410f4fe-d1-san] IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId. - Key: CLOUDSTACK-6569 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6569 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 Regular user is able to listNetworks of another user in the same domain , by passing account and domainId. Domain - d1. 3 users in this domain , testd1 - domainadmin , testd1a and testd1b regular users. Each of the users have 1 isolated network. As testd1a , tried to list network of testd1b by passing account and domainId. ListNetwork returns testd1b's isolated network. 2014-05-02 10:21:29,090 INFO [a.c.c.a.ApiServer] (catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) (userId=4 accountId=4 sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET command=listNetworksresponse=jsonsessionkey=vHQRHlttApujok8Jf73KKKww5XM%3DlistAll=truepage=1pagesize=20domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43eresponse=jsonaccount=testD1B-TestNetworkList-KOGK49 200 { listnetworksresponse : { count:4 ,network : [ {id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestNetworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering for Isolated networks with Source Nat service enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[{name:PortForwarding},{name:UserData},{name:Firewall,capability:[{name:MultipleIps,value:true,canchooseservicecapability:false},{name:SupportedEgressProtocols,value:tcp,udp,icmp, all,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:SupportedTrafficDirection,value:ingress, egress,canchooseservicecapability:false},{name:TrafficStatistics,value:per public ip,canchooseservicecapability:false}]},{name:Lb,capability:[{name:AutoScaleCounters,value:[{\methodname\:\cpu\,\paramlist\:[]},{\methodname\:\memory\,\paramlist\:[]}],canchooseservicecapability:false},{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false},{name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false},{name:LbSchemes,value:Public,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp, udp,canchooseservicecapability:false},{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\domain\,\required\:false,\isflag\:false,\description\:\ \}],\description\:\This is loadbalancer cookie based stickiness method.\},{\methodname\:\AppCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\length\,\required\:false,\isflag\:false,\description\:\
[jira] [Closed] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6533. --- Tested with latest build from 4.4-forward (after IAM revert) ROOT admin is able to see and use templates(for VM deployment) that are owned by regular users and is marked as Public. IAM - Templates - Public templates do not have permissions to be used by ROOT group. Key: CLOUDSTACK-6533 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - Templates - Public templates do not have permissions to be used by ROOT group. As regular user create a public template. In iam_policy_permission policy we do not have permission for Admin group. mysql select * from iam_policy_permission where scope_id = 206; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope| access_type | permission | recursive | removed | created | +--+---+---++--+--+-++---+-+-+ | 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | | 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | mysql select * from vm_template where id=206; +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text| enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size| state | update_count | updated | dynamically_scalable | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD| 2014-04-29 11:03:52 | NULL|318 | NULL | public and feature Template | 0 | 0 | 12 |1 | 0 | 0 | 1 | Simulator | NULL | NULL |0 | 5242880 | Active |0 | NULL| 0 | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ 1 row in set (0.00 sec) Inspite of not having the required permissions to use the template , admin is able to use this template for vm deployment. Root cause
[jira] [Closed] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6517. --- Testing with latest build from 4.4-forward (after IAM revert): Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. http://10.223.49.6:8080/client/api?command=createPortForwardingRuleresponse=jsonsessionkey=kFu73ky%2BPuW%2BBz9dkcSBIHyXwkM%3Dipaddressid=0817bae5-c672-4ea7-a2cd-ce163d3a8727privateport=22privateendport=22publicport=22publicendport=22protocol=tcpvirtualmachineid=308450de-d4be-4c91-9067-b3826e85e9b2openfirewall=falsenetworkid=9fd8bcef-c140-4061-adc0-5c24c5f7dc69_=1402609388398 This succeeds . This is the desired behavior. Closing this issue. IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. --- Key: CLOUDSTACK-6517 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Fix For: 4.4.0 IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. Creating PF rule succeeds. Since Admin has only ListEntry permission for IpAddress owned by other users , we expect this api call to fail. mysql select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2; +--+---+---+---+--+-+--++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---+---+--+-+--++---+-+-+ | 1840 | 2 | listPublicIpAddresses | IpAddress | -1 | ALL | ListEntry| Allow | 0 | NULL| 2014-04-22 18:31:03 | | 1841 | 2 | listPublicIpAddresses | IpAddress | -1 | ACCOUNT | UseEntry | Allow | 0 | NULL| 2014-04-22 18:31:03 | Admin should be allowed to do this only , when he passes account and domainId of the regular user is passed. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6512. --- Tested with latest build from 4.4-forward (after IAM revert): Have shared networks created with scope as domain and account. Using UI , Log in as a user who has access to both the account specific and domain specific shared network. Try to deploy a VM. Network list shown as part of VM deployment , has both the shared networks listed: Following is the API call made for listing networks: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=WRY5kiZ461rcInw5KRwr59dPh8U%3DzoneId=8374d5ac-e559-4a36-88cd-ddc32990659ecanusefordeploy=truedomainid=0c61d5a9-59bd-4f61-97ec-6078acd6e231account=d11-san_=1402609700920 Deploying Vms in these shared networks also succeed. Closing this issue. IAM - Not able to list shared networks in the Vm deployment flow. - Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6501) IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6501. --- Tested with latest build from 4.4-forward (after IAM revert): As DomainAdmin , when listVirtualMachines is used with listall=true and account and domainId , we are able to list all the Vms owned by the account. Closing this issue. IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed. -- Key: CLOUDSTACK-6501 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6501 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account is not listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b Domain Account in domain D1/D11 - D11 - Creates object - d11 User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin account D1 , try to list all the Vms for d11 (domain admin user) using account and domainId parameters. Expected Result: Vm owned by the account that is passed in account/domainId parameter. Actual Result: Empty set is returned. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=0e8d9d60-c39a-4304-b048-1e63500d0d30account=testD11listAll=trueisrecursive=trueapiKey=bW1FEJkIERji0cWRNQqvmWOgOINjMeBggyoPsMjN9_Qnvq-QtC6L4ORqmbdfQ-XtUYQdSoJIniZrHK3_oi9pcQsignature=5qLgaWzslWKSz%2FXbVSK0zdj%2B49I%3D \n\n current Time: Thu Apr 24 14:43:18 PDT 2014 ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOT/listvirtualmachinesresponseConnection to 10.223.49.6 8080 port [tcp/webcache] succeeded! Response Time(in secs) : 0 current Time: Thu Apr 24 14:43:18 PDT 2014 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6349) IAM - No error message presented to the user , when invalid password is provided.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6349. --- Tested with latest build from 4.4-forward ( after IAM revert) When regular user tries to log in with invalid password, following error message is presented to the user: Invalid username or password IAM - No error message presented to the user , when invalid password is provided. - Key: CLOUDSTACK-6349 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6349 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Try to log in as regular user , by providing invalid username/password. User is not presented with any error message: apilog.log: 2014-04-07 10:51:15,849 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5511ac44) 10.215.3.0 -- POST command=login domain=/ unknown exception writing api response Management server log: 2014-04-07 10:47:28,001 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) ===START=== 10.215.3.0 -- POST 2014-04-07 10:47:28,003 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Attempting to log in user: test in domain 1 2014-04-07 10:47:28,003 DEBUG [c.c.s.a.SHA256SaltedUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,005 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,009 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,012 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,016 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,016 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Unable to authenticate user with username test in domain 1 2014-04-07 10:47:28,019 ERROR [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) unknown exception writing api response com.cloud.exception.InvalidParameterValueException: Caller cannot be passed as NULL to IAM! at org.apache.cloudstack.iam.RoleBasedEntityAccessChecker.checkAccess(RoleBasedEntityAccessChecker.java:67) at com.cloud.user.AccountManagerImpl.isRootAdmin(AccountManagerImpl.java:371) at com.cloud.user.AccountManagerImpl.isInternalAccount(AccountManagerImpl.java:420) at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2045) at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:1871) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at $Proxy99.authenticateUser(Unknown Source) at com.cloud.api.ApiServer.loginUser(ApiServer.java:850) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:231) at com.cloud.api.ApiServlet.access$000(ApiServlet.java:54) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:118) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:115) at com.cloud.api.ApiServlet.doPost(ApiServlet.java:82)
[jira] [Closed] (CLOUDSTACK-6348) IAM - Regular User is not able to change password.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6348. --- Tested with latest build from 4.4-forward ( after IAM revert) Regular user is able to change his password successfully. IAM - Regular User is not able to change password. -- Key: CLOUDSTACK-6348 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6348 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Steps to reproduce the problem: As regular user , try to change password. Following error message is presented to the user: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] Management server log: 2014-04-07 10:43:58,185 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03) ===START=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D 2014-04-07 10:43:58,204 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) Account Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] for access type: OperateEntry 2014-04-07 10:43:58,211 INFO [c.c.a.ApiServer] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) PermissionDenied: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] on objs: [] 2014-04-07 10:43:58,212 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) ===END=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6468) IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6468. --- Tested with latest build from 4.4-forward ( after IAM revert): Admin is able to set the isFeatured flag for templates that are owned by regular users. IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater. --- Key: CLOUDSTACK-6468 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6468 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Min Chen Fix For: 4.4.0 IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater. From UI , As admin , tried to update the isFeatured() flag to true for a template that was created by regular user. This fails with Only ROOT admins are allowed to modify this attribute. http://10.223.49.6:8080/client/api?command=updateTemplatePermissionsresponse=jsonsessionkey=1WTLpcX%2FCiA4QLBY3RZTTB0ceaE%3Did=851cfe02-d91f-4226-b325-b48a09d2a2afispublic=falseisfeatured=trueisextractable=true_=1398114267369 { updatetemplatepermissionsresponse : {uuidList:[],errorcode:431,cserrorcode:4350,errortext:Only ROOT admins are allowed to modify this attribute.} } -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Closed] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6381. --- Tested with latest build from 4.4-forward ( after IAM revert) Only when domainId is passed to list commands , isrecursive() flag is considered. In all other cases , it is defaulted to true. This behavior is as expected. Closing this issue. IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall
[jira] [Closed] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan closed CLOUDSTACK-6429. --- IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14030165#comment-14030165 ] Sangeetha Hariharan commented on CLOUDSTACK-6429: - Testing with latest build from 4.4-forward (after IAM revert): As admin , When listAll=false is used to list all Vms under a subdomain , all Vms in the subdomain are only listed. Closing this issue. IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6891) [Automation] - port 8096 is being used when executing the suite when admin’s keys are not generated before execution of the suite.
Sangeetha Hariharan created CLOUDSTACK-6891: --- Summary: [Automation] - port 8096 is being used when executing the suite when admin’s keys are not generated before execution of the suite. Key: CLOUDSTACK-6891 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6891 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: marvin Affects Versions: 4.4.0 Environment: Marvin builds from 4.4-forward branch Reporter: Sangeetha Hariharan port 8096 is being used for the entire suite in the following scenario: api/secret key is not present for the admin user and as part of executing a test suite , we generate the secret and api key for admin user.This happens when the very first test suite is executed after the setup is created and admin’s keys are not generated yet. In __createApiClient method of cloudstackTestClient.py , mgmt_details.port is not set explicitly to “8080” , when there is a need to generate the keys. In such cases , we default to using port “8096” which is defined as part of the configuration file. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
Sangeetha Hariharan created CLOUDSTACK-6742: --- Summary: listVolumes - As regularuser , able to list Vms and volumes of other users. Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6742) listVolumes - As regularuser , able to list Vms and volumes of other users.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6742: Description: listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. was: listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms that belong to all other users including ROOT admin and domain Admin users. listVolumes - As regularuser , able to list Vms and volumes of other users. --- Key: CLOUDSTACK-6742 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6742 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 listVolumes - As regularuser , able to list Vms of other users and as domain admin , able to list Vms from other domains. Steps to reproduce the problem: Had a set up with 2 domains having few users accounts in each domain. Deploy Vms as each of these users. As any user , we are able to list Vms and volumes that belong to all other users including ROOT admin and domain Admin users. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
Sangeetha Hariharan created CLOUDSTACK-6745: --- Summary: DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6745) DomainAdmin is not able to deploy Vm for users in his domain/subdomain.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14005502#comment-14005502 ] Sangeetha Hariharan commented on CLOUDSTACK-6745: - This issue is also seen when Domain admin tries to deploy a VM for a regular user in his domain in a shared network with scope Domain/Account. DomainAdmin is not able to deploy Vm for users in his domain/subdomain. --- Key: CLOUDSTACK-6745 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6745 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 DomainAdmin is not able to deploy Vm for users in his domain/subdomain. Steps to reproduce the problem: Create a domain d1. Create a regular user - d1a Deploy a VM as user d1a Create a domain admin user - d1 As d1 , try to deploy a VM for user - d1a in the isolated network he owns by passing asccount and domainId of d1a. API fails with the following exception: Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied 2014-05-21 13:58:48,162 INFO [a.c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) (userId=387 accountId=387 sessionId=D51FD2C904EB65D7E1577D9ABAF5AACA) 10.215.2.8 -- GET command=deployVirtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 531 Unable to use network with id= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied Management server logs: 2014-05-21 13:58:48,140 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf) ===START=== 10.215.2.8 -- GET command=deployVirtualMachi neresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a-11e3-ac31-4 adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce22c9ac24dis playname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a 2014-05-21 13:58:48,143 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter displayvm as the caller is not authorized to pass it in 2014-05-21 13:58:48,144 DEBUG [o.a.c.a.BaseCmd] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Ignoring paremeter deploymentplanner as the ca ller is not authorized to pass it in 2014-05-21 13:58:48,153 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,156 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-17:ctx-8541fadf ctx-4320442b) Access to Acct[5afd4de2-2a81-4c40-b7e 7-b5cb139551c1-test-dom1] granted to Acct[f1f9a82e-f931-4f59-bf93-ae83b6e773e6-dom1-admin] by DomainChecker 2014-05-21 13:58:48,161 INFO [c.c.a.ApiServer] (catalina-exec-17:ctx-8541fadf ctx-4320442b) PermissionDenied: Unable to use network with i d= b40ce153-83c6-41f3-905b-90ce22c9ac24, permission denied on objs: [] 2014-05-21 13:58:48,162 DEBUG [c.c.a.ApiServlet] (catalina-exec-17:ctx-8541fadf ctx-4320442b) ===END=== 10.215.2.8 -- GET command=deployV irtualMachineresponse=jsonsessionkey=nEX1TsH7YWMyu7cvElRHR73m8Lc%3Dzoneid=749f7a5f-7a47-4357-bc67-1704936b58eatemplateid=90869df6-e02a- 11e3-ac31-4adf980f9414hypervisor=Simulatorserviceofferingid=da56f514-c13d-4c4d-902d-a9342f7e8dc3networkids=b40ce153-83c6-41f3-905b-90ce2 2c9ac24displayname=test123name=test123_=1400719259855account=test-dom1domainid=b83c7d69-6536-478c-a756-b3d89ac9298a -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6584) IAM - Deletion of domain fails.
Sangeetha Hariharan created CLOUDSTACK-6584: --- Summary: IAM - Deletion of domain fails. Key: CLOUDSTACK-6584 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6584 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Deletion of domain fails. Created the following set of domains: ROOT d1 d1/d11 d1/d11/d111 d2 Shared networks were created for domain d11 Shared networks were created for an account under domain d111. Accounts are created under each of the domains. Deploy Vms as these accounts using the shared networks. I delete all the accounts which resulted in all the Vms being Expunged. Now I tried to delete the domain - d1 (D1-PM76WG) which always fails with force delete option. Following exception seen in management server logs: 61-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172-JdkDynamicAopProxy.invoke:204-$Proxy47.remove:-1-DomainManagerImpl.cleanupDomain:443-DomainM anagerImpl.deleteDomain:272-DomainManagerImpl.deleteDomain:257 2014-05-06 11:03:30,586 ERROR [c.c.u.DomainManagerImpl] (API-Job-Executor-15:job-733 ctx-343d4b67) Exception deleting domain with id 112 com.cloud.utils.exception.CloudRuntimeException: Failed to clean up domain resources and sub domains, delete failed on domain D1-PM76WG (id: 112). at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:274) at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:257) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:106) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:51) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy110.deleteDomain(Unknown Source) at org.apache.cloudstack.region.RegionManagerImpl.deleteDomain(RegionManagerImpl.java:242) at org.apache.cloudstack.region.RegionServiceImpl.deleteDomain(RegionServiceImpl.java:169) at org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd.execute(DeleteDomainCmd.java:103) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:119) at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:495) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:452) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at
[jira] [Updated] (CLOUDSTACK-6584) IAM - Deletion of domain fails.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6584: Attachment: logs.rar IAM - Deletion of domain fails. --- Key: CLOUDSTACK-6584 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6584 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 Attachments: logs.rar IAM - Deletion of domain fails. Created the following set of domains: ROOT d1 d1/d11 d1/d11/d111 d2 Shared networks were created for domain d11 Shared networks were created for an account under domain d111. Accounts are created under each of the domains. Deploy Vms as these accounts using the shared networks. I delete all the accounts which resulted in all the Vms being Expunged. Now I tried to delete the domain - d1 (D1-PM76WG) which always fails with force delete option. Following exception seen in management server logs: 61-ExposeInvocationInterceptor.invoke:91-ReflectiveMethodInvocation.proceed:172-JdkDynamicAopProxy.invoke:204-$Proxy47.remove:-1-DomainManagerImpl.cleanupDomain:443-DomainM anagerImpl.deleteDomain:272-DomainManagerImpl.deleteDomain:257 2014-05-06 11:03:30,586 ERROR [c.c.u.DomainManagerImpl] (API-Job-Executor-15:job-733 ctx-343d4b67) Exception deleting domain with id 112 com.cloud.utils.exception.CloudRuntimeException: Failed to clean up domain resources and sub domains, delete failed on domain D1-PM76WG (id: 112). at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:274) at com.cloud.user.DomainManagerImpl.deleteDomain(DomainManagerImpl.java:257) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.apache.cloudstack.network.contrail.management.EventUtils$EventInterceptor.invoke(EventUtils.java:106) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at com.cloud.event.ActionEventInterceptor.invoke(ActionEventInterceptor.java:51) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy110.deleteDomain(Unknown Source) at org.apache.cloudstack.region.RegionManagerImpl.deleteDomain(RegionManagerImpl.java:242) at org.apache.cloudstack.region.RegionServiceImpl.deleteDomain(RegionServiceImpl.java:169) at org.apache.cloudstack.api.command.admin.domain.DeleteDomainCmd.execute(DeleteDomainCmd.java:103) at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:119) at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:495) at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46) at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:452) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
[jira] [Created] (CLOUDSTACK-6581) IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account.
Sangeetha Hariharan created CLOUDSTACK-6581: --- Summary: IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Key: CLOUDSTACK-6581 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6581 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. Steps to reproduce the problem: Create a admin account for ROOT domain. Create a domain d1 with account a1. Create a shared network for domain d1 with sub domain access set to true. Create a shared network for domain d1 with sub domain access set to false. Create a shared network for account a1 d1 with sub domain access set to false. As ROOT admin , try to deploy a VM in the above created shared networks. Vm deployment succeeds. Expected Result: ROOT admin should not be allowed to deploy VMs in shared networks that are scoped for a specific domain/account. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6569) IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId.
Sangeetha Hariharan created CLOUDSTACK-6569: --- Summary: IAM - Regular user is able to listNetworks of another user in the same domain , by passing account and domainId. Key: CLOUDSTACK-6569 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6569 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 Regular user is able to listNetworks of another user in the same domain , by passing account and domainId. Domain - d1. 3 users in this domain , testd1 - domainadmin , testd1a and testd1b regular users. Each of the users have 1 isolated network. As testd1a , tried to list network of testd1b by passing account and domainId. ListNetwork returns testd1b's isolated network. 2014-05-02 10:21:29,090 INFO [a.c.c.a.ApiServer] (catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) (userId=4 accountId=4 sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET command=listNetworksresponse=jsonsessionkey=vHQRHlttApujok8Jf73KKKww5XM%3DlistAll=truepage=1pagesize=20domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43eresponse=jsonaccount=testD1B-TestNetworkList-KOGK49 200 { listnetworksresponse : { count:4 ,network : [ {id:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,name:testD1B-TestNetworkList-KOGK49-network,displaytext:testD1B-TestNetworkList-KOGK49-network,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:b690dddf-5755-49ab-8a4d-0aff04fa39f7,zonename:BLR1,networkofferingid:fc25eb7b-d884-4cc3-acbb-a321817a3567,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering for Isolated networks with Source Nat service enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca,dns1:4.2.2.2,type:Isolated,acltype:Account,account:testD1B-TestNetworkList-KOGK49,domainid:3abd56e8-97da-40f9-b6f5-33fd5b28b43e,domain:D1-R549ZO,service:[{name:PortForwarding},{name:UserData},{name:Firewall,capability:[{name:MultipleIps,value:true,canchooseservicecapability:false},{name:SupportedEgressProtocols,value:tcp,udp,icmp, all,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:SupportedTrafficDirection,value:ingress, egress,canchooseservicecapability:false},{name:TrafficStatistics,value:per public ip,canchooseservicecapability:false}]},{name:Lb,capability:[{name:AutoScaleCounters,value:[{\methodname\:\cpu\,\paramlist\:[]},{\methodname\:\memory\,\paramlist\:[]}],canchooseservicecapability:false},{name:SupportedLBIsolation,value:dedicated,canchooseservicecapability:false},{name:SupportedLbAlgorithms,value:roundrobin,leastconn,source,canchooseservicecapability:false},{name:LbSchemes,value:Public,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp, udp,canchooseservicecapability:false},{name:SupportedStickinessMethods,value:[{\methodname\:\LbCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\nocache\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\indirect\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\postonly\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\domain\,\required\:false,\isflag\:false,\description\:\ \}],\description\:\This is loadbalancer cookie based stickiness method.\},{\methodname\:\AppCookie\,\paramlist\:[{\paramname\:\cookie-name\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\length\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\holdtime\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\request-learn\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\prefix\,\required\:false,\isflag\:true,\description\:\ \},{\paramname\:\mode\,\required\:false,\isflag\:false,\description\:\ \}],\description\:\This is App session based sticky method. Define session stickiness on an existing application cookie. It can be used only for a specific http traffic\},{\methodname\:\SourceBased\,\paramlist\:[{\paramname\:\tablesize\,\required\:false,\isflag\:false,\description\:\ \},{\paramname\:\expire\,\required\:false,\isflag\:false,\description\:\ \}],\description\:\This is source based Stickiness method, it can be used for any type of
[jira] [Created] (CLOUDSTACK-6558) IAM - Admin user is able to deploy VM in a regular user's Security Group.
Sangeetha Hariharan created CLOUDSTACK-6558: --- Summary: IAM - Admin user is able to deploy VM in a regular user's Security Group. Key: CLOUDSTACK-6558 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6558 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Admin user is able to deploy VM in a regular user's Security Group. Steps to reproduce the problem: Basic Zone set up: As regular user , create a Security group. As admin , try to deploy a VM using this security group. Admin is allowed to deploy a VM using this security group. Expected Result: Admin should not be allowed to deploy a VM using regular user's security group. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6532) Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater.
Sangeetha Hariharan created CLOUDSTACK-6532: --- Summary: Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater. Key: CLOUDSTACK-6532 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6532 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Fix For: 4.4.0 Create an anti-affinity group as regular user. As admin user, try to list all affinity groups available for regular users by passing account and domainId parameter. http://10.223.49.6:8080/client/api?command=listAffinityGroupsresponse=jsonsessionkey=okCw58hoD%2BrUSZ9NO5LKHz6ie9U%3D_=1398792364257account=testD1A-TestVMList-U27DEVdomainId=71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf No affinity group is listed. As regular user: { listaffinitygroupsresponse : { count:1 ,affinitygroup : [ {id:bee9a7c5-3124-46b6-b258-893c8c9cc244,name:test-123,description:test-123,account:testD1A-TestVMList-U27DEV,domainid:71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf,domain:D1-19BDAN,type:host anti-affinity} ] } } -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6532) Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6532: Priority: Critical (was: Major) Affinity Groups - As admin user, not able to list all affinity groups available for regular users by passing account and domainId paramater. Key: CLOUDSTACK-6532 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6532 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 Create an anti-affinity group as regular user. As admin user, try to list all affinity groups available for regular users by passing account and domainId parameter. http://10.223.49.6:8080/client/api?command=listAffinityGroupsresponse=jsonsessionkey=okCw58hoD%2BrUSZ9NO5LKHz6ie9U%3D_=1398792364257account=testD1A-TestVMList-U27DEVdomainId=71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf No affinity group is listed. As regular user: { listaffinitygroupsresponse : { count:1 ,affinitygroup : [ {id:bee9a7c5-3124-46b6-b258-893c8c9cc244,name:test-123,description:test-123,account:testD1A-TestVMList-U27DEV,domainid:71dcc0ac-c230-4e96-97ad-6e4f3ddc53cf,domain:D1-19BDAN,type:host anti-affinity} ] } } -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
Sangeetha Hariharan created CLOUDSTACK-6533: --- Summary: IAM - Templates - Public templates do not have permissions to be used by ROOT group. Key: CLOUDSTACK-6533 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Templates - Public templates do not have permissions to be used by ROOT group. As regular user create a public template. In iam_policy_permission policy we do not have permission for Admin group. mysql select * from iam_policy_permission where scope_id = 206; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---++--+--+-++---+-+-+ | 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | | 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry| Allow | 0 | NULL| 2014-04-29 11:03:52 | mysql select * from vm_template where id=206; +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text| enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size| state | update_count | updated | dynamically_scalable | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD| 2014-04-29 11:03:52 | NULL|318 | NULL | public and feature Template | 0 | 0 | 12 |1 | 0 | 0 | 1 | Simulator | NULL | NULL |0 | 5242880 | Active |0 | NULL| 0 | +-+--++--++--+--+-+--+-++-+-++--+-+-+---+-+--+-+-+-+-++--+--+-++--+-+--+ 1 row in set (0.00 sec) Inspite of not having the required permissions to use the template , admin is able to use this template for vm deployment. Root cause for this bug is similar to bug - Bug CLOUDSTACK-6517 The same behavior is also observed for default templates: mysql select * from iam_policy_permission where scope_id = 111; +--+---+---++--+--+-++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type |
[jira] [Created] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
Sangeetha Hariharan created CLOUDSTACK-6512: --- Summary: IAM - Not able to list shared networks in the Vm deployment flow. Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6513) IAM - Templates - When tenplatefilter=shared
Sangeetha Hariharan created CLOUDSTACK-6513: --- Summary: IAM - Templates - When tenplatefilter=shared Key: CLOUDSTACK-6513 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6513 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Reporter: Sangeetha Hariharan -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6513) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6513: Component/s: IAM Description: IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. Steps to reproduce the problem: As user1 , Create a private template and a public template. Grant access to the private template for user2 using updateTemplatePermissions. As user2 , list templates with templatefilter=shared. This returns both public and the the shared template. GET http://10.223.49.6/client/api?command=listTemplatespagesize=100page=1listAll=truetemplatefilter=sharedapiKey=SrgUY-U-nUl4qsOyn409kCjA2jC7dR5ReIV9SjdnmzLOn3c0Fm-vZbDSpkldUjuqLAXt5ShodtXYOgRB5NCnJQsignature=WBO8ll9nyjiB29aVq%2FpUsEQrthM%3D \n\n ?xml version=1.0 encoding=UTF-8?listtemplatesresponse cloud-stack-version=4.4.0-SNAPSHOTcount6/counttemplateida2065bcc-7139-46b0-ac15-db7d3ff7dd75/idnamePublic_featured_d1a-TP7TPK/namedisplaytextpublic and feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateidce1635dc-1fcb-4f60-8d2f-d1129a3771ce/idnamePublic_not_featured_d2a-NPYFSN/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD2/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD2/domaindomainid18222e53-7221-4d6f-9a76-8f59869f24b2/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateid223e0c09-e18e-4188-9d8e-7ff2e2305547/idnamePrivate_featured_d1-E9PQHO/namedisplaytextprivate and featured Template/displaytextispublicfalse/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateida7b69a5e-4cb3-45fa-b3e7-dab3a6b73e45/idnamePublic_not_featured_d1a-XOCR05/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateide65cdfa0-c019-11e3-907f-4adf980f9414/idnameCentOS 5.3(64-bit) no GUI (Simulator)/namedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/displaytextispublictrue/ispubliccreated2014-04-09T15:15:54-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonestrue/crossZonesostypeide5eba5c4-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3
[jira] [Updated] (CLOUDSTACK-6512) IAM - Not able to list shared networks in the Vm deployment flow.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6512: Component/s: (was: Management Server) IAM IAM - Not able to list shared networks in the Vm deployment flow. - Key: CLOUDSTACK-6512 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6512 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks in the Vm deployment flow. Steps to reproduce the problem: Create a shared network that is domain specific / account specific. Log in as the account which should have access to this shared network. Using UI , try to deploy a VM using this shared network. shared network is not displayed in the list of networks. This is the call made by UI: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DzoneId=fdd0ce43-41b8-49ef-9e59-70ead27bda4ccanusefordeploy=truedomainid=a59a0ce2-b5aa-4460-ade8-91d26e048bc4account=testD1_=1398446574911 When Networks are listed using the network tab , then we see the shared network being listed. Following API call without the domainid and account paramater is able to return the shared network. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=Enn1TgriYaANFQ%2BDKJR7T2Jc9l0%3DlistAll=truepage=1pagesize=20_=1398446422647 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6513) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6513: Priority: Critical (was: Major) IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. --- Key: CLOUDSTACK-6513 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6513 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Templates - When templates are listed with templatefilter=shared is used , we see public templates also being included in the list. Steps to reproduce the problem: As user1 , Create a private template and a public template. Grant access to the private template for user2 using updateTemplatePermissions. As user2 , list templates with templatefilter=shared. This returns both public and the the shared template. GET http://10.223.49.6/client/api?command=listTemplatespagesize=100page=1listAll=truetemplatefilter=sharedapiKey=SrgUY-U-nUl4qsOyn409kCjA2jC7dR5ReIV9SjdnmzLOn3c0Fm-vZbDSpkldUjuqLAXt5ShodtXYOgRB5NCnJQsignature=WBO8ll9nyjiB29aVq%2FpUsEQrthM%3D \n\n ?xml version=1.0 encoding=UTF-8?listtemplatesresponse cloud-stack-version=4.4.0-SNAPSHOTcount6/counttemplateida2065bcc-7139-46b0-ac15-db7d3ff7dd75/idnamePublic_featured_d1a-TP7TPK/namedisplaytextpublic and feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateidce1635dc-1fcb-4f60-8d2f-d1129a3771ce/idnamePublic_not_featured_d2a-NPYFSN/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD2/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD2/domaindomainid18222e53-7221-4d6f-9a76-8f59869f24b2/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateid223e0c09-e18e-4188-9d8e-7ff2e2305547/idnamePrivate_featured_d1-E9PQHO/namedisplaytextprivate and featured Template/displaytextispublicfalse/ispubliccreated2014-04-21T13:50:36-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedtrue/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateida7b69a5e-4cb3-45fa-b3e7-dab3a6b73e45/idnamePublic_not_featured_d1a-XOCR05/namedisplaytextpublic and not feature Template/displaytextispublictrue/ispubliccreated2014-04-21T13:50:35-0400/createdisreadytrue/isreadypasswordenabledfalse/passwordenabledformatVHD/formatisfeaturedfalse/isfeaturedcrossZonesfalse/crossZonesostypeide5ebce64-c019-11e3-907f-4adf980f9414/ostypeidostypenameCentOS 5.3 (64-bit)/ostypenameaccounttesttemplateD1A/accountzoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenamesize5242880/sizetemplatetypeUSER/templatetypehypervisorSimulator/hypervisordomainD1/domaindomainid691ab662-6793-42a0-96e6-3b31a2c4e52d/domainidisextractabletrue/isextractablesshkeyenabledfalse/sshkeyenabledisdynamicallyscalablefalse/isdynamicallyscalable/templatetemplateide65cdfa0-c019-11e3-907f-4adf980f9414/idnameCentOS 5.3(64-bit) no
[jira] [Created] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress.
Sangeetha Hariharan created CLOUDSTACK-6517: --- Summary: IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Key: CLOUDSTACK-6517 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Fix For: 4.4.0 IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have UseEntry permission for IpAddress. Steps to reproduce the problem: As regular user , on a network he owns , acquire an ip address. As admin , try to create a PF rule on this ip address without passing account and domainId. Creating PF rule succeeds. Since Admin has only ListEntry permission for IpAddress owned by other users , we expect this api call to fail. mysql select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2; +--+---+---+---+--+-+--++---+-+-+ | id | policy_id | action| resource_type | scope_id | scope | access_type | permission | recursive | removed | created | +--+---+---+---+--+-+--++---+-+-+ | 1840 | 2 | listPublicIpAddresses | IpAddress | -1 | ALL | ListEntry| Allow | 0 | NULL| 2014-04-22 18:31:03 | | 1841 | 2 | listPublicIpAddresses | IpAddress | -1 | ACCOUNT | UseEntry | Allow | 0 | NULL| 2014-04-22 18:31:03 | Admin should be allowed to do this only , when he passes account and domainId of the regular user is passed. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6501) IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed.
Sangeetha Hariharan created CLOUDSTACK-6501: --- Summary: IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed. Key: CLOUDSTACK-6501 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6501 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account is not listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b Domain Account in domain D1/D11 - D11 - Creates object - d11 User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin account D1 , try to list all the Vms for d11 (domain admin user) using account and domainId parameters. Expected Result: Vm owned by the account that is passed in account/domainId parameter. Actual Result: Empty set is returned. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=0e8d9d60-c39a-4304-b048-1e63500d0d30account=testD11listAll=trueisrecursive=trueapiKey=bW1FEJkIERji0cWRNQqvmWOgOINjMeBggyoPsMjN9_Qnvq-QtC6L4ORqmbdfQ-XtUYQdSoJIniZrHK3_oi9pcQsignature=5qLgaWzslWKSz%2FXbVSK0zdj%2B49I%3D \n\n current Time: Thu Apr 24 14:43:18 PDT 2014 ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOT/listvirtualmachinesresponseConnection to 10.223.49.6 8080 port [tcp/webcache] succeeded! Response Time(in secs) : 0 current Time: Thu Apr 24 14:43:18 PDT 2014 -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6474) IAM - Not able to list shared networks that is created with scope=all
Sangeetha Hariharan created CLOUDSTACK-6474: --- Summary: IAM - Not able to list shared networks that is created with scope=all Key: CLOUDSTACK-6474 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6474 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - Not able to list shared networks that is created with scope=all Steps to reproduce the problem: As admin , create a shared network with scope=all. As regular user , tried to list networks. No shared network is returned. http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=wOwS556QDduN5hRqHf1PU3gPBEw%3DlistAll=truepage=1pagesize=20_=1398206302627 listnetworksresponse : { } } As admin user , I am able to list this network: http://10.223.49.6:8080/client/api?command=listNetworksresponse=jsonsessionkey=58UVhAXG49kJHSOENDGphnXDEh4%3DlistAll=truepage=1pagesize=20_=1398206454900 { listnetworksresponse : { count:3 ,network : [ {id:65324d0a-5571-4e96-aebe-89d45fbabc72,name:test-domain,displaytext:test-domain,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:564de11f-a786-44cf-a729-c4683a12dfe0,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering for Shared Security group enabled networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:65324d0a-5571-4e96-aebe-89d45fbabc72,broadcasturi:vlan://501,dns1:4.2.2.2,type:Shared,vlan:501,acltype:Domain,subdomainaccess:false,domainid:691ab662-6793-42a0-96e6-3b31a2c4e52d,domain:D1,service:[{name:UserData},{name:Dns,capability:[{name:AllowDnsSuffixModification,value:true,canchooseservicecapability:false}]},{name:Dhcp,capability:[{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}]},{name:SecurityGroup}],networkdomain:cs1cloud.internal,physicalnetworkid:3856a5bc-8509-4a7f-a92e-86146cbc6bc1,restartrequired:false,specifyipranges:true,canusefordeploy:true,ispersistent:false,tags:[],displaynetwork:true,strechedl2subnet:false}, {id:49146336-bf81-4861-a2bd-5c92efc14cff,name:test,displaytext:test,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.223.1.1,netmask:255.255.255.0,cidr:10.223.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:564de11f-a786-44cf-a729-c4683a12dfe0,networkofferingname:DefaultSharedNetworkOfferingWithSGService,networkofferingdisplaytext:Offering for Shared Security group enabled networks,networkofferingconservemode:true,networkofferingavailability:Optional,issystem:false,state:Setup,related:49146336-bf81-4861-a2bd-5c92efc14cff,broadcasturi:vlan://500,dns1:4.2.2.2,type:Shared,vlan:500,acltype:Domain,subdomainaccess:true,domainid:e5e2ad7a-c019-11e3-907f-4adf980f9414,domain:ROOT,service:[{name:UserData},{name:Dns,capability:[{name:AllowDnsSuffixModification,value:true,canchooseservicecapability:false}]},{name:Dhcp,capability:[{name:DhcpAccrossMultipleSubnets,value:true,canchooseservicecapability:false}]},{name:SecurityGroup}],networkdomain:cs1cloud.internal,physicalnetworkid:3856a5bc-8509-4a7f-a92e-86146cbc6bc1,restartrequired:false,specifyipranges:true,canusefordeploy:true,ispersistent:false,tags:[],displaynetwork:true,strechedl2subnet:false}, {id:aee03e51-468e-4311-aebc-827d9a43adf0,name:test,displaytext:test,broadcastdomaintype:Vlan,traffictype:Guest,gateway:10.1.1.1,netmask:255.255.255.0,cidr:10.1.1.0/24,zoneid:75d61334-ff70-49c3-99ed-3af702cd51d7,zonename:BLR1,networkofferingid:987d8feb-73b5-4f01-9152-6680a31bc60a,networkofferingname:DefaultIsolatedNetworkOfferingWithSourceNatService,networkofferingdisplaytext:Offering for Isolated networks with Source Nat service enabled,networkofferingconservemode:true,networkofferingavailability:Required,issystem:false,state:Implemented,related:aee03e51-468e-4311-aebc-827d9a43adf0,broadcasturi:vlan://1,dns1:4.2.2.2,type:Isolated,vlan:1,acltype:Account,account:admin,domainid:e5e2ad7a-c019-11e3-907f-4adf980f9414,domain:ROOT,service:[{name:SourceNat,capability:[{name:SupportedSourceNatTypes,value:peraccount,canchooseservicecapability:false},{name:RedundantRouter,value:true,canchooseservicecapability:false}]},{name:Firewall,capability:[{name:SupportedTrafficDirection,value:ingress, egress,canchooseservicecapability:false},{name:SupportedProtocols,value:tcp,udp,icmp,canchooseservicecapability:false},{name:TrafficStatistics,value:per public
[jira] [Created] (CLOUDSTACK-6468) IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater.
Sangeetha Hariharan created CLOUDSTACK-6468: --- Summary: IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater. Key: CLOUDSTACK-6468 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6468 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Fix For: 4.4.0 IAM - Templates - Admin user is not allowed to edit template and set isExtractable() paramater. From UI , As admin , tried to update the isFeatured() flag to true for a template that was created by regular user. This fails with Only ROOT admins are allowed to modify this attribute. http://10.223.49.6:8080/client/api?command=updateTemplatePermissionsresponse=jsonsessionkey=1WTLpcX%2FCiA4QLBY3RZTTB0ceaE%3Did=851cfe02-d91f-4226-b325-b48a09d2a2afispublic=falseisfeatured=trueisextractable=true_=1398114267369 { updatetemplatepermissionsresponse : {uuidList:[],errorcode:431,cserrorcode:4350,errortext:Only ROOT admins are allowed to modify this attribute.} } -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6458) IAM - When a domain is deleted , the group created for this domian is not removed.
Sangeetha Hariharan created CLOUDSTACK-6458: --- Summary: IAM - When a domain is deleted , the group created for this domian is not removed. Key: CLOUDSTACK-6458 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6458 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Fix For: 4.4.0 IAM - When a domain is deleted , the group created for this domian is not removed. Steps to reproduce the problem: Create a domain. Notice that as part of domain creation , an IAM group specific to this domain is created. Delete this domain. IAM group specific to this domain is not marked as being removed in the iam_group table. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6381: Component/s: (was: Management Server) IAM IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall
[jira] [Updated] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6429: Component/s: (was: Management Server) IAM IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. -- Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (CLOUDSTACK-6350) IAM - Listing of VM using uuid when owner account of this Vm is deleted results is VM not being returned.But list VM with listAll=true is able to return this VM.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6350: Component/s: IAM IAM - Listing of VM using uuid when owner account of this Vm is deleted results is VM not being returned.But list VM with listAll=true is able to return this VM. - Key: CLOUDSTACK-6350 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6350 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Environment: Build from 4.4 Reporter: Sangeetha Hariharan Assignee: Min Chen Priority: Critical Attachments: cloud-dmp.rar IAM - Listing of VM using uuid when owner account of this Vm is deleted results is VM not being returned.But list VM with listAll=true is able to return this VM. Steps that lead to the problem: Had few Domains and sub domains created. Accounts were created in these Domains and sub domains Had Vms deployed as these accounts. Tried to delete all the accounts (Except admin account). After this , tried to delete all Domains (Except ROOT). I see that all Accouts have been deleted. But some of the Vms remained in Running state. I am able to list all these Vms using listAll=true as admin : http://10.223.49.6:8080/client/api?command=listVirtualMachinesresponse=jsonsessionkey=os3e6ZwGKaaRRkpMyoi1nl9ttsI%3DlistAll=truepage=1pagesize=20_=1396909849873 { listvirtualmachinesresponse : { count:7 ,virtualmachine : [ {id:9a0a4d1b-7918-4d9a-86b0-a72b0a378c07,name:d12b,displayname:d12b,account:testD12B-TestVMDeploy-2U21LA,domainid:5314248a-0419-4e0f-9a63-b663abbbce5b,domain:D12-G39UMB,created:2014-04-07T09:55:28-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:c404603f-8a1a-495f-9278-3c988ff9833b,hostname:SimulatedAgent.2fda14b6-647e-492b-a6ab-7e809d56d41a,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS 5.3(64-bit) no GUI (Simulator),templatedisplaytext:CentOS 5.3(64-bit) no GUI (Simulator),passwordenabled:false,serviceofferingid:fa7bb82d-4f3b-43e6-ac8c-a87419cd78d9,serviceofferingname:Small Instance,cpunumber:1,cpuspeed:100,memory:128,cpuused:10%,networkkbsread:2916352,networkkbswrite:1458176,guestosid:292dc664-b9df-11e3-a5ee-4adf980f9414,rootdeviceid:0,rootdevicetype:ROOT,securitygroup:[],nic:[{id:3d24baa0-13be-456d-b43d-f003dba13444,networkid:22e12e93-84b5-4298-bec2-405f114ac19b,networkname:testD12B-TestVMDeploy-2U21LA-network,netmask:255.255.255.0,gateway:10.1.1.1,ipaddress:10.1.1.187,isolationuri:vlan://2150,broadcasturi:vlan://2150,traffictype:Guest,type:Isolated,isdefault:true,macaddress:02:00:50:44:00:01}],hypervisor:Simulator,instancename:i-156-263-VM,tags:[],affinitygroup:[],displayvm:true,isdynamicallyscalable:false,ostypeid:11}, {id:5f620fd0-054f-484a-b3d0-5fa30861272e,name:d12a,displayname:d12a,account:testD12A-TestVMDeploy-DLBXEJ,domainid:5314248a-0419-4e0f-9a63-b663abbbce5b,domain:D12-G39UMB,created:2014-04-07T09:55:23-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:8c5fe6d4-d5c4-4eb1-b286-9f498a8a9626,hostname:SimulatedAgent.656f464b-f058-4416-afb8-ab5b12e59128,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS 5.3(64-bit) no GUI (Simulator),templatedisplaytext:CentOS 5.3(64-bit) no GUI (Simulator),passwordenabled:false,serviceofferingid:fa7bb82d-4f3b-43e6-ac8c-a87419cd78d9,serviceofferingname:Small Instance,cpunumber:1,cpuspeed:100,memory:128,cpuused:10%,networkkbsread:2916352,networkkbswrite:1458176,guestosid:292dc664-b9df-11e3-a5ee-4adf980f9414,rootdeviceid:0,rootdevicetype:ROOT,securitygroup:[],nic:[{id:ab72b85e-ca4a-4fd1-bed4-265e232d3689,networkid:bf0a3fca-1997-4345-8f94-1a680ff88db4,networkname:testD12A-TestVMDeploy-DLBXEJ-network,netmask:255.255.255.0,gateway:10.1.1.1,ipaddress:10.1.1.207,isolationuri:vlan://1964,broadcasturi:vlan://1964,traffictype:Guest,type:Isolated,isdefault:true,macaddress:02:00:00:b7:00:01}],hypervisor:Simulator,instancename:i-155-261-VM,tags:[],affinitygroup:[],displayvm:true,isdynamicallyscalable:false,ostypeid:11}, {id:e532616f-9746-46af-b645-c5c094681e47,name:d11b,displayname:d11b,account:testD11B-TestVMDeploy-T05ADJ,domainid:11e13385-da60-48a1-8718-cac576651f80,domain:D11-EA5P3E,created:2014-04-07T09:55:17-0400,state:Running,haenable:false,zoneid:24ea97ba-f26f-40d2-9bda-538abffb8181,zonename:BLR1,hostid:eca1522a-381b-436d-8cfd-b1b542ffa88f,hostname:SimulatedAgent.4244557f-5aaf-4ea3-bb84-eac6633537f8,templateid:62114ed8-b9df-11e3-a5ee-4adf980f9414,templatename:CentOS
[jira] [Updated] (CLOUDSTACK-6349) IAM - No error message presented to the user , when invalid password is provided.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6349: Component/s: (was: Management Server) IAM IAM - No error message presented to the user , when invalid password is provided. - Key: CLOUDSTACK-6349 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6349 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Try to log in as regular user , by providing invalid username/password. User is not presented with any error message: apilog.log: 2014-04-07 10:51:15,849 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5511ac44) 10.215.3.0 -- POST command=login domain=/ unknown exception writing api response Management server log: 2014-04-07 10:47:28,001 DEBUG [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) ===START=== 10.215.3.0 -- POST 2014-04-07 10:47:28,003 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Attempting to log in user: test in domain 1 2014-04-07 10:47:28,003 DEBUG [c.c.s.a.SHA256SaltedUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,005 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,009 DEBUG [c.c.s.a.MD5UserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,012 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Retrieving user: test 2014-04-07 10:47:28,016 DEBUG [c.c.s.a.PlainTextUserAuthenticator] (catalina-exec-3:ctx-845578ba) Password does not match 2014-04-07 10:47:28,016 DEBUG [c.c.u.AccountManagerImpl] (catalina-exec-3:ctx-845578ba) Unable to authenticate user with username test in domain 1 2014-04-07 10:47:28,019 ERROR [c.c.a.ApiServlet] (catalina-exec-3:ctx-845578ba) unknown exception writing api response com.cloud.exception.InvalidParameterValueException: Caller cannot be passed as NULL to IAM! at org.apache.cloudstack.iam.RoleBasedEntityAccessChecker.checkAccess(RoleBasedEntityAccessChecker.java:67) at com.cloud.user.AccountManagerImpl.isRootAdmin(AccountManagerImpl.java:371) at com.cloud.user.AccountManagerImpl.isInternalAccount(AccountManagerImpl.java:420) at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2045) at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:1871) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at $Proxy99.authenticateUser(Unknown Source) at com.cloud.api.ApiServer.loginUser(ApiServer.java:850) at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:231) at com.cloud.api.ApiServlet.access$000(ApiServlet.java:54) at com.cloud.api.ApiServlet$1.run(ApiServlet.java:118) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103) at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53) at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:115) at com.cloud.api.ApiServlet.doPost(ApiServlet.java:82) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at
[jira] [Updated] (CLOUDSTACK-6348) IAM - Regular User is not able to change password.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sangeetha Hariharan updated CLOUDSTACK-6348: Component/s: (was: Management Server) IAM IAM - Regular User is not able to change password. -- Key: CLOUDSTACK-6348 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6348 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: IAM Affects Versions: 4.4.0 Reporter: Sangeetha Hariharan Assignee: Prachi Damle Priority: Critical Fix For: 4.4.0 Steps to reproduce the problem: As regular user , try to change password. Following error message is presented to the user: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] Management server log: 2014-04-07 10:43:58,185 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03) ===START=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D 2014-04-07 10:43:58,204 DEBUG [o.a.c.i.RoleBasedEntityAccessChecker] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) Account Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] for access type: OperateEntry 2014-04-07 10:43:58,211 INFO [c.c.a.ApiServer] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) PermissionDenied: Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] does not have permission to access resource Acct[eb54ae7f-c932-4513-aab6-984f03f9df41-test] on objs: [] 2014-04-07 10:43:58,212 DEBUG [c.c.a.ApiServlet] (catalina-exec-4:ctx-3b2e2f03 ctx-8030779f) ===END=== 10.215.3.0 -- POST command=updateUserresponse=jsonsessionkey=P7c7ohM5rOC6mJLLima8CXlOAho%3D -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (CLOUDSTACK-6429) IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed.
Sangeetha Hariharan created CLOUDSTACK-6429: --- Summary: IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Key: CLOUDSTACK-6429 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6429 Project: CloudStack Issue Type: Bug Security Level: Public (Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4 Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - As admin , When listAll=false is used to list all Vms under a subdomain , all Vms (even those that are not in this subdmain) are listed. Steps to reproduce the problem: Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As ROOT admin , tried to list all the Vms for domain - d1/d11 , this results in all the Vms (even those that are not in this subdmain) being listed. All the following API calls as Admin when trying to list Vms from domain - d1/d11 , results in 11 Vms which is all the Vms in the cluouds. GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=1S3PA2HyPP70jnv5FiKSp%2FXfqw4%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=FtoJ8isO896ZkqLJH5YzVjodFdg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0listAll=falseisrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=4HHrtJo1Cx3yqjdIHUFi43kqZ3E%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=falseapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=A6kJuc9XDIp6f9Ha8Bp9Ig3Xigg%3D \n\n GET http://10.223.49.6/client/api?command=listVirtualMachinesdomainId=7add6894-37ba-4b9a-bc43-12e49c3599c0isrecursive=trueapiKey=oKz6XB3IKFtUTdw_0rYhGMk4AV0ih4AvpPKCcD-KO51d6qYpyPXLPOjoHp5V02-J-pwnci7khJvhV0c4XDP8agsignature=S04gwOtMs0%2F00CV4I1Q7pbCCC08%3D \n\n -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (CLOUDSTACK-6381) IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13967339#comment-13967339 ] Sangeetha Hariharan commented on CLOUDSTACK-6381: - The same issue is also seen when using listVirtualMachines with listall=true and passing domainId and account parameter when testing with a domain account. IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Key: CLOUDSTACK-6381 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6381 Project: CloudStack Issue Type: Bug Security Level: Public(Anyone can view this level - this is the default.) Components: Management Server Affects Versions: 4.4.0 Environment: Build from 4.4. Reporter: Sangeetha Hariharan Priority: Critical Fix For: 4.4.0 IAM - DomainAdmin - When listVirtualMachines is used with listall=true (with out passing isrecursive falg) , all Vms from the subdomain are also listed. Set up: Pre Reqs: Admin - Creates object Domain Admin for d1 - D1 - Creates object - d1 Domain Admin for d1 - D1/D11 User account for d1 - D1/D111 - Creates object - d111a Domain Admin for d1 - D1/D12 Domain Admin for d2 - D2 - Creates object -d2 User Account in domain D1 - userD1-1 - Creates object -d1a User Account in domain D1 - userD1-2 - Creates object - d1b User Account in domain D1/D11 - userD1-a - Creates object - d11a User Account in domain D1/D11 - userD1-a - Creates object - d11b User Account in domain D1/D12- userD1-b - Creates object - d12a User Account in domain D1/D12 - userD-a - Creates object - d12b As domain admin - D1 , i tried to listVistualMachines passing listAll=true parameter (no isrecurssive parameter). Expected result: only all the Vms that belong to this domain should be listed , which should be 3 Vms , d1,d1a and d1b. But I see 8 Vms being returned , which also includes the Vms in the domain, d12 and d111. GET http://10.223.49.6/client/api?command=listVirtualMachineslistAll=trueapiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REwsignature=cDqQMD6qlKeiz2g40pSOYqJKqoE%3D \n\n ?xml version=1.0 encoding=UTF-8?listvirtualmachinesresponse cloud-stack-version=4.4.0-SNAPSHOTcount8/countvirtualmachineid22193996-12f9-46ff-91cd-3d409f7f8c60/idnamed11a/namedisplaynamed11a/displaynameaccounttestD11A-TestVMList-3385RP/accountdomainid0a0f7c09-2f1a-4939-94ce-88388e197949/domainiddomainD11-UFBXGQ/domaincreated2014-04-10T09:01:37-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall Instance/serviceofferingnamecpunumber1/cpunumbercpuspeed100/cpuspeedmemory128/memorycpuused10%/cpuusednetworkkbsread10190848/networkkbsreadnetworkkbswrite5095424/networkkbswriteguestoside5eba5c4-c019-11e3-907f-4adf980f9414/guestosidrootdeviceid0/rootdeviceidrootdevicetypeROOT/rootdevicetypenicida1c079e5-ae0f-4470-b0ed-26895fbcf14d/idnetworkidf1cf7cfb-c354-47c4-854e-af329c54d77e/networkidnetworknametestD11A-TestVMList-3385RP-network/networknamenetmask255.255.255.0/netmaskgateway10.1.1.1/gatewayipaddress10.1.1.217/ipaddressisolationurivlan://1071/isolationuribroadcasturivlan://1071/broadcasturitraffictypeGuest/traffictypetypeIsolated/typeisdefaulttrue/isdefaultmacaddress02:00:06:7b:00:01/macaddress/nichypervisorSimulator/hypervisorisdynamicallyscalablefalse/isdynamicallyscalableostypeid11/ostypeid/virtualmachinevirtualmachineid660a829f-5265-44c3-aa92-957d8bbec8e2/idnamed1a/namedisplaynamed1b/displaynameaccounttestD1B-TestVMList-CB23CT/accountdomainiddc4bf103-27bf-4292-99aa-dc91fa23ee04/domainiddomainD1-NN5QWT/domaincreated2014-04-10T09:01:32-0400/createdstateRunning/statehaenablefalse/haenablezoneid75d61334-ff70-49c3-99ed-3af702cd51d7/zoneidzonenameBLR1/zonenametemplateide65cdfa0-c019-11e3-907f-4adf980f9414/templateidtemplatenameCentOS 5.3(64-bit) no GUI (Simulator)/templatenametemplatedisplaytextCentOS 5.3(64-bit) no GUI (Simulator)/templatedisplaytextpasswordenabledfalse/passwordenabledserviceofferingid49dee9f8-a49a-414d-b8b2-b0d59b5981f0/serviceofferingidserviceofferingnameSmall