jclouds-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aled Sage (JIRA)" <j...@apache.org>
Subject [jira] [Created] (JCLOUDS-723) CloudStack createNodesInGroup fails for service providers with locked down APIs
Date Mon, 22 Sep 2014 12:16:33 GMT
Aled Sage created JCLOUDS-723:
---------------------------------

             Summary: CloudStack createNodesInGroup fails for service providers with locked
down APIs
                 Key: JCLOUDS-723
                 URL: https://issues.apache.org/jira/browse/JCLOUDS-723
             Project: jclouds
          Issue Type: Bug
    Affects Versions: 1.8.0
            Reporter: Aled Sage


Creating VM(s) on CloudStack fails with some service providers, because they lock down access
to parts of their API.

For example, API calls made by the listImages method are sometimes forbidden.
    CloudStackComputeServiceAdapter.listImages:
    https://github.com/apache/jclouds/blob/f17c876d8dc161988f586c3cf343361d896f6928/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java#L284-294

The method tries to list all templates. First, it lists all templates that are executable.
Then, it lists all templates associated with each project in the account. Translated to Cloudmonkey-suitable
commands, the call flow is:

    * list templates listAll=true templatefilter=executable
    * list accounts listAll=true
    for each account response: extract name and domainid from response and call:
      * list projects listAll=true account=.. domainid=..

jclouds fails because it gets a response 405 Method Not Allowed to the listAccounts call (and
would do the same for the listProjects call if it got that far).

    /api/CloudPlatformProxy?apiKey=removed&command=listAccounts&expires=2014-07-21T11%3A08%3A32%2B0000&response=json&signatureversion=3&signature=removed"
    HTTP/1.1 405 Method Not Allowed
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Mon, 21 Jul 2014 11:00:19 GMT
    Content-Length: 0

    /api/CloudPlatformProxy?apiKey=removed&command=listProjects&expires=2014-07-21T11%3A04%3A59%2B0000&response=json&signatureversion=3&signature=removed"
    HTTP/1.1 405 Method Not Allowed
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Mon, 21 Jul 2014 10:57:13 GMT
    Content-Length: 0

The cloud provider's response was:

    Accounts and projects are blocked simply because this is a multi tenant service where
account isolation is important. So we don’t allow users to list all accounts on the platform
as each one is tied to a customer.

    Projects and domain aren’t exposed because we haven’t assessed the risks to billing
if these are enabled.

    The credentials that we give you will tie you to an account and then (other than domains
and projects) you can do what you want.

    I like the idea of enabling certain list API calls but only when listall is set to false.
Of course if its just stopping a test program then the incentive in fixing it would be minimal.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message