Hi,
Here are the logs (I changed some sensitive info)
Apilog
*****
2022-07-27 11:34:57,218 INFO [a.c.c.a.ApiServer]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
(userId=4 accountId=4 sessionId=null) 192.168.xxx.xxx -- GET
algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-cd93-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw
531 Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a,
permission denied
Management-server
*****************
2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet]
(qtp2109798150-1192:ctx-de4123f6) (logid:b8e0600b) ===START=== 192.168.xx.xx--
GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxR
&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,201 DEBUG [c.c.a.ApiServer]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc) (logid:b8e0600b) CIDRs from
which account 'Acct[c5aac4a3-xxxx-43a9-8117-eb2fa34fdca5-cocentrodemo1control]'
is allowed to perform API calls: 0.0.0.0/0,::/0
2022-07-27 11:34:57,205 DEBUG [o.a.c.a.BaseCmd]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
Access to
Acct[39efe918-df79-45ec-b8f0-302c6d44dfa9-PrjAcct-624349294c0efe30d9ec0fd6-3]
granted to Acct[026a2cc9-xxxx-447a-9bf3-6a749fae743a-demo1control] by
DomainChecker
2022-07-27 11:34:57,209 DEBUG [o.a.c.a.BaseCmd]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,217 INFO [c.c.a.ApiServer]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
PermissionDenied: Unable to use network with id=
498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
2022-07-27 11:34:57,218 DEBUG [c.c.a.ApiServlet]
(qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b)
===END=== 192.168. === 192.168.xx.xx -- GET
algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo5v1FeY&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl]
(AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq 47-30512:
{ Cmd , MgmtId: -1, via: 47, Ver: v1, Flags: 11,
[{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":"7557","_loadInfo":"{
"connections": []
On 27/07/22, 10:07 AM, "Wei ZHOU" <[email protected]> wrote:
Hi Ricardo,
Could you share more logs ?
-Wei
On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz <[email protected]>
wrote:
> Hi Wei,
>
> Tried using domainid, account and accountid and all these 3 together,
> still the same error, “Error: (HTTP 531, error code 4365) Unable to use
> network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied”
>
> Regards,
>
> Ricardo P
>
> From: Ricardo Pertuz <[email protected]>
> Date: Wednesday, 27 July 2022, 9:46 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Both, using the UI and API (Cloudmonkey), I will pass that parameter (not
> in docs btw)
>
> ________________________________
> From: Wei ZHOU <[email protected]>
> Sent: Wednesday, July 27, 2022 9:44:20 AM
> To: users <[email protected]>
> Subject: Re: Permission Denied on Domain Controller on Internal
> LoadBalancer
>
> Hi Ricardo,
>
> If a domain admin creates a load balancer on an isolated network which
> belongs to another account, domainid/account should be passed.
> By the way, did you do it by API or UI ?
>
> -Wei
>
> On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz <[email protected]>
> wrote:
>
> > Thanks Wei for replying, the caller has the role Domain Admin, so we guess
> > it should be able to execute it
> >
> > On 27/07/22, 9:15 AM, "Wei ZHOU" <[email protected]> wrote:
> >
> > Hi Ricardo,
> >
> > Please check if the caller is the owner of the network, or the caller can
> > access the network if it belongs to a project.
> >
> > -Wei
> >
> > On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz <[email protected]>
> > wrote:
> >
> > > Hi all,
> > >
> > > We use a domain controller user in ACS to deploy the infrastructure,
> > > however when we try to CreateLoadBalancer we are receiving a “531 Unable to
> > > use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”
> > >
> > > PermissionDenied: Unable to use network with id=
> > > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
> > >
> > > Is there any configuration missing or is it a bug? It works well when
> > > using the admin user.
> > >
> > > ACS 4.15.2.0
> > > KVM
> > > Redundant VPC offering
> > >
> > > Supported Services on Network Offering
> > > SourceNat : VpcVirtualRouter
> > > Dhcp : VpcVirtualRouter
> > > Lb : InternalLbVm
> > > UserData : VpcVirtualRouter
> > > Dns : VpcVirtualRouter
> > > NetworkACL : VpcVirtualRouter
> > >
> > > BR,
> > >
> > > Ricardo