jclouds-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Gaul (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (JCLOUDS-723) CloudStack createNodesInGroup fails for service providers with locked down APIs
Date Fri, 23 Jan 2015 22:08:34 GMT

     [ https://issues.apache.org/jira/browse/JCLOUDS-723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andrew Gaul updated JCLOUDS-723:
--------------------------------
    Component/s: jclouds-compute

> CloudStack createNodesInGroup fails for service providers with locked down APIs
> -------------------------------------------------------------------------------
>
>                 Key: JCLOUDS-723
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-723
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-compute
>    Affects Versions: 1.8.0
>            Reporter: Aled Sage
>
> Creating VM(s) on CloudStack fails with some service providers, because they lock down
access to parts of their API.
> For example, API calls made by the listImages method are sometimes forbidden.
>     CloudStackComputeServiceAdapter.listImages:
>     https://github.com/apache/jclouds/blob/f17c876d8dc161988f586c3cf343361d896f6928/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java#L284-294
> The method tries to list all templates. First, it lists all templates that are executable.
Then, it lists all templates associated with each project in the account. Translated to Cloudmonkey-suitable
commands, the call flow is:
>     * list templates listAll=true templatefilter=executable
>     * list accounts listAll=true
>     for each account response: extract name and domainid from response and call:
>       * list projects listAll=true account=.. domainid=..
> jclouds fails because it gets a response 405 Method Not Allowed to the listAccounts call
(and would do the same for the listProjects call if it got that far).
>     /api/CloudPlatformProxy?apiKey=removed&command=listAccounts&expires=2014-07-21T11%3A08%3A32%2B0000&response=json&signatureversion=3&signature=removed"
>     HTTP/1.1 405 Method Not Allowed
>     Cache-Control: no-cache
>     Pragma: no-cache
>     Expires: -1
>     Server: Microsoft-IIS/7.5
>     X-AspNet-Version: 4.0.30319
>     X-Powered-By: ASP.NET
>     Date: Mon, 21 Jul 2014 11:00:19 GMT
>     Content-Length: 0
>     /api/CloudPlatformProxy?apiKey=removed&command=listProjects&expires=2014-07-21T11%3A04%3A59%2B0000&response=json&signatureversion=3&signature=removed"
>     HTTP/1.1 405 Method Not Allowed
>     Cache-Control: no-cache
>     Pragma: no-cache
>     Expires: -1
>     Server: Microsoft-IIS/7.5
>     X-AspNet-Version: 4.0.30319
>     X-Powered-By: ASP.NET
>     Date: Mon, 21 Jul 2014 10:57:13 GMT
>     Content-Length: 0
> The cloud provider's response was:
>     Accounts and projects are blocked simply because this is a multi tenant service where
account isolation is important. So we don’t allow users to list all accounts on the platform
as each one is tied to a customer.
>     Projects and domain aren’t exposed because we haven’t assessed the risks to billing
if these are enabled.
>     The credentials that we give you will tie you to an account and then (other than
domains and projects) you can do what you want.
>     I like the idea of enabling certain list API calls but only when listall is set to
false. Of course if its just stopping a test program then the incentive in fixing it would
be minimal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message