VMware NoPermission faults do not log what permission was missing

Bug #1289627 reported by Shawn Hartsock
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Low | Eric Brown |
Icehouse | Fix Released | Low | Eric Brown |
oslo.vmware | Fix Released | Undecided | Eric Brown |

Bug Description

NoPermission object has a privilegeId that tells us which permission the user did not have. Presently the VMware nova driver does not log this data. This is very useful for debugging user permissions problems on vCenter or ESX.

http://pubs.vmware.com/vsphere-55/index.jsp#com.vmware.wssdk.apiref.doc/vim.fault.NoPermission.html

Changed in nova:
status: New → Triaged
importance: Undecided → Low
Eric Brown (ericwb) wrote :

Looks like the only place where this exception is thrown is from the Login() in the driver.py.
   https://github.com/openstack/nova/blob/master/nova/virt/vmwareapi/driver.py#L725
which currently catches on Exception.

Eric Brown (ericwb)
Changed in nova:
assignee: nobody → Eric Brown (ericwb)
Eric Brown (ericwb)
Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/79761

Eric Brown (ericwb)
tags: added: havana-backport-potential
Eric Brown (ericwb)
Changed in nova:
status: In Progress → Fix Committed
Tracy Jones (tjones-i)
tags: added: icehouse-rd-potential
tags: added: icehouse-rc-potential
removed: icehouse-rd-potential
Changed in nova:
milestone: none → icehouse-rc1
Andrew Laski (alaski)
Changed in nova:
status: Fix Committed → In Progress
Tracy Jones (tjones-i) wrote :

OK, I got called out on this one :-) This should really be rc-potential

Changed in nova:
milestone: icehouse-rc1 → next
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/83502

Thierry Carrez (ttx)
tags: added: icehouse-backport-potential
removed: icehouse-rc-potential
Eric Brown (ericwb)
Changed in oslo.vmware:
status: New → In Progress
assignee: nobody → Eric Brown (ericwb)
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/79761
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=62cb0dc6257daac5ec9fd1a90ee5721e6543dd76
Submitter: Jenkins
Branch: master

commit 62cb0dc6257daac5ec9fd1a90ee5721e6543dd76
Author: Eric Brown <email address hidden>
Date: Tue Mar 11 16:38:54 2014 -0400

    VMware: Log additional details of suds faults

    When a suds request results in a fault response, the current
    code loses details on that fault in the sequence of exceptions
    propagated through the driver. A NoPermission fault will contain
    additional metadata on the privilegeId and object type which
    needs to be logged. The fault string will be propagated with this
    fix, along with details of a NoPermission fault.

    An example of the new exception:
    NoPermissionException: Permission to perform this operation was denied.
    {u'privilegeId': Resource.AssignVMToPool, u'object': domain-c7}

    An example of new exception within retrieveproperties_fault_checker:
    Error(s) NoPermission occurred in the call to RetrievePropertiesEx
    {'privilegeId': System.Read, 'object': datacenter-16}

    Change-Id: Iafbf052750c2835f304b2edf21d7300d1fbd7e5a
    Closes-bug: #1289627

Changed in nova:
status: In Progress → Fix Committed
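
The idea in the commit message above, as an added example that is not part of the bug thread and is not nova or oslo.vmware code: parse a SOAP fault and carry the `privilegeId` and `object` into the exception text, so the log names the one privilege that has to be granted. `VimFaultError`, `parse_fault` and the envelope layout of the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed sample response. The fault string, privilegeId and object id are
# the ones quoted in the commit message; the envelope layout is an assumption.
SAMPLE_FAULT = """<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <soapenv:Body><soapenv:Fault>
  <faultcode>ServerFaultCode</faultcode>
  <faultstring>Permission to perform this operation was denied.</faultstring>
  <detail><NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission">
   <object type="ClusterComputeResource">domain-c7</object>
   <privilegeId>Resource.AssignVMToPool</privilegeId>
  </NoPermissionFault></detail>
 </soapenv:Fault></soapenv:Body></soapenv:Envelope>"""


class VimFaultError(Exception):
    """Hypothetical exception that keeps the fault name and detail fields."""

    def __init__(self, fault_name, message, details=None):
        super().__init__(message)
        self.fault_name = fault_name
        self.details = details or {}

    def __str__(self):
        text = "%s: %s" % (self.fault_name, self.args[0])
        return "%s %s" % (text, self.details) if self.details else text


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_fault(xml_text):
    """Return a VimFaultError for a SOAP fault, or None when there is none."""
    fault = ET.fromstring(xml_text).find(".//%sFault" % SOAP_NS)
    if fault is None:
        return None
    message = fault.findtext("faultstring", default="")
    detail = fault.find("detail")
    if detail is None or len(detail) == 0:
        return VimFaultError("UnknownFault", message)  # nothing to preserve
    body = detail[0]
    name = _local(body.tag)
    name = name[:-len("Fault")] if name.endswith("Fault") else name
    fields = {_local(child.tag): (child.text or "").strip() for child in body}
    return VimFaultError(name, message, fields)
```
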
Eric Brown (ericwb) wrote :

oslo.vmware patch merged with:
https://review.openstack.org/#/c/90699/

Changed in nova:
milestone: next → juno-1
Changed in oslo.vmware:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/icehouse)

Reviewed: https://review.openstack.org/90809
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=fe4fe70240d6b30ea157e8802b3dce54d62b4583
Submitter: Jenkins
Branch: stable/icehouse

commit fe4fe70240d6b30ea157e8802b3dce54d62b4583
Author: Eric Brown <email address hidden>
Date: Tue Mar 11 16:38:54 2014 -0400

    VMware: Log additional details of suds faults

    When a suds request results in a fault response, the current
    code loses details on that fault in the sequence of exceptions
    propagated through the driver. A NoPermission fault will contain
    additional metadata on the privilegeId and object type which
    needs to be logged. The fault string will be propagated with this
    fix, along with details of a NoPermission fault.

    An example of the new exception:
    NoPermissionException: Permission to perform this operation was denied.
    {u'privilegeId': Resource.AssignVMToPool, u'object': domain-c7}

    An example of new exception within retrieveproperties_fault_checker:
    Error(s) NoPermission occurred in the call to RetrievePropertiesEx
    {'privilegeId': System.Read, 'object': datacenter-16}

    Change-Id: Iafbf052750c2835f304b2edf21d7300d1fbd7e5a
    Closes-bug: #1289627
    (cherry picked from commit 62cb0dc6257daac5ec9fd1a90ee5721e6543dd76)

tags: added: in-stable-icehouse
Alan Pevec (apevec)
tags: removed: icehouse-backport-potential in-stable-icehouse
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Vipin Balachandran (vbala) wrote :

Released in oslo.vmware 0.3.

Changed in oslo.vmware:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-1 → 2014.2