Please follow https://github.com/apache/cloudstack/issues/6590
BR On 28/07/22, 7:45 AM, "Wei ZHOU" <[email protected]> wrote: Hi Ricardo, Can you create a github issue to describe how to reproduce the issue ? Thanks https://github.com/apache/cloudstack/issues -Wei On Wed, 27 Jul 2022 at 20:21, Ricardo Pertuz <[email protected]> wrote: > Thanks Wei, > > Passing projectid same result, not so sure when you say "add the domain > admin to the project ", we want to make it available for any user on the > platform on demand. > > Regards, > > Ricardo P > > On 27/07/22, 12:51 PM, "Wei ZHOU" <[email protected]> wrote: > > Hi, > > Does the network belong to a project ? If so, please pass projectid or > add > the domain admin to the project. > > -Wei > > On Wednesday, 27 July 2022, Ricardo Pertuz <[email protected]> > wrote: > > > Hi, > > > > Here the logs (I changed some sensitive info) > > > > Apilog > > ***** > > 2022-07-27 11:34:57,218 INFO [a.c.c.a.ApiServer] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) (userId=4 accountId=4 > > sessionId=null) 192.168.xxx.xxx -- GET algorithm=source&apiKey= > > GoHebItTOdSc4zf5NcwxDxRo&command=createLoadBalancer& > > description=lb01&instanceport=8080&name=lb01&networkid= > > 498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal& > > sourceipaddressnetworkid=498611f9-cd93-4030-aa10- > > e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw 531 > Unable to > > use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission > > denied > > > > Management-server > > ***************** > > 2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] > (qtp2109798150-1192:ctx-de4123f6) > > (logid:b8e0600b) ===START=== 192.168.xx.xx-- GET > algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxR > > &command=createLoadBalancer&description=lb01&instanceport= > > 8080&name=lb01&networkid=498611f9-xxxx-4030-aa10- > > e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid= > > 498611f9-xxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB% > > 2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D > > 2022-07-27 11:34:57,201 DEBUG [c.c.a.ApiServer] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc) (logid:b8e0600b) CIDRs from which account > > 'Acct[c5aac4a3-xxxx-43a9-8117-eb2fa34fdca5-cocentrodemo1control]' is > > allowed to perform API calls: 0.0.0.0/0,::/0 > > 2022-07-27 11:34:57,205 DEBUG [o.a.c.a.BaseCmd] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter > fordisplay > > as the caller is not authorized to pass it in > > 2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl] > > (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) > > (logid:b8e0600b) Access to Acct[39efe918-df79-45ec-b8f0- > > 302c6d44dfa9-PrjAcct-624349294c0efe30d9ec0fd6-3] granted to > > Acct[026a2cc9-xxxx-447a-9bf3-6a749fae743a-demo1control] by > DomainChecker > > 2022-07-27 11:34:57,209 DEBUG [o.a.c.a.BaseCmd] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter > fordisplay > > as the caller is not authorized to pass it in > > 2022-07-27 11:34:57,217 INFO [c.c.a.ApiServer] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) PermissionDenied: Unable > to use > > network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission > denied > > on objs: [] > > 2022-07-27 11:34:57,218 DEBUG [c.c.a.ApiServlet] > (qtp2109798150-1192:ctx-de4123f6 > > ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) ===END=== 192.168. === > > 192.168.xx.xx -- GET algorithm=source&apiKey= > > GoHebItTOdSc4zf5NcwxDxRo5v1FeY&command=createLoadBalancer& > > description=lb01&instanceport=8080&name=lb01&networkid= > > 498611f9-xxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal& > > sourceipaddressnetworkid=498611f9-xxxx-4030-aa10- > > > e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D > > 2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl] > > (AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq > > 47-30512: { Cmd , MgmtId: -1, via: 47, Ver: v1, Flags: 11, > > [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand" > > :{"_proxyVmId":"7557","_loadInfo":"{ > > "connections": [] > > > > > > On 27/07/22, 10:07 AM, "Wei ZHOU" <[email protected]> wrote: > > > > Hi Ricardo, > > > > Could you share more logs ? > > > > -Wei > > > > On Wed, 27 Jul 2022 at 17:04, Ricardo Pertuz < > [email protected] > > > > > wrote: > > > > > Hi Wei, > > > > > > Tried using domainid, account and accountid and all these 3 > together, > > > still the same error, “Error: (HTTP 531, error code 4365) > Unable to > > use > > > network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, > permission > > denied” > > > > > > Regards, > > > > > > Ricardo P > > > > > > From: Ricardo Pertuz <[email protected]> > > > Date: Wednesday, 27 July 2022, 9:46 AM > > > To: "[email protected]" <[email protected] > > > > > Subject: Re: Permission Denied on Domain Controller on Internal > > > LoadBalancer > > > > > > Both, using the UI and API ( Cloudmonkey), I will pass that > > parameter (not > > > in docs btw) > > > > > > Get Outlook for Android<https://aka.ms/AAb9ysg> > > > ________________________________ > > > From: Wei ZHOU <[email protected]> > > > Sent: Wednesday, July 27, 2022 9:44:20 AM > > > To: users <[email protected]> > > > Subject: Re: Permission Denied on Domain Controller on Internal > > > LoadBalancer > > > > > > Hi Ricardo, > > > > > > If a domain admin creates a load balancer on an isolated > network > > which > > > belongs to another account, domainid/account should be passed. > > > By the way, did you do it by API or UI ? > > > > > > -Wei > > > > > > On Wed, 27 Jul 2022 at 16:20, Ricardo Pertuz < > > [email protected]> > > > wrote: > > > > > > > Thanks Wei for replying, the caller has the role Domain > Admin, so > > we > > > guess > > > > it should be able to execute it > > > > > > > > On 27/07/22, 9:15 AM, "Wei ZHOU" <[email protected]> > wrote: > > > > > > > > Hi Ricardo, > > > > > > > > Please check if the caller is the owner of the network, > or the > > caller > > > > can > > > > access the network if it belongs to a project. > > > > > > > > -Wei > > > > > > > > On Tue, 26 Jul 2022 at 23:16, Ricardo Pertuz < > > > [email protected] > > > > > > > > > wrote: > > > > > > > > > Hi all, > > > > > > > > > > We use a domain controller user in ACS to deploy the > > > > infrastructure, > > > > > however when we try to CreateLoadBalancer we are > receiving a > > “531 > > > > Unable to > > > > > use network with id= > 498611f9-xxx-4030-aa10-e7d7ad062d1a, > > > permission > > > > denied” > > > > > > > > > > PermissionDenied: Unable to use network with id= > > > > > 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied > on > > objs: [] > > > > > > > > > > Is there any configuration missing or is it a bug? It > works > > well > > > when > > > > > using the admin user. > > > > > > > > > > ACS 4.15.2.0 > > > > > KVM > > > > > Redundant VPC offering > > > > > > > > > > Supported Services on Network Offering > > > > > SourceNat : VpcVirtualRouter > > > > > Dhcp : VpcVirtualRouter > > > > > Lb : InternalLbVm > > > > > UserData : VpcVirtualRouter > > > > > Dns : VpcVirtualRouter > > > > > NetworkACL : VpcVirtualRouter > > > > > > > > > > BR, > > > > > > > > > > Ricardo > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
