normal user authorization failed

Bug #695504 reported by Anping Liu

This bug report was converted into a question: question #140239: normal user authorization failed.

This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Upgrade Openstack to 2011.1~bzr456-0ubuntu1. admin user doesn't have problems to run jobs. Normal users can bundle, upload and register images but cannot run jobs.

$ euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
EC2ResponseError: 401 Unauthorized
401 Unauthorized

This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.

Thanks,

Anping

Anping Liu (aliu-alcf) wrote :

The bug had been filed as Question #139287.
In nova-api.log:
nova-api(root): INFO Looking up user: '96bb3b1e-cab5-4d68-b5af-47592bb3dfe7'
nova-api(root): INFO user: User('anna', 'anna', '96bb3b1e-cab5-4d68-b5af-47592bb3dfe7', 'f9c918e9-cde4-42e5-8689-bfe3d4364b09', False)
nova-api(root): DEBUG using _calc_signature_2
nova-api(root): DEBUG query string: AWSAccessKeyId=96bb3b1e-cab5-4d68-b5af-47592bb3dfe7%3Aanna&Action=AuthorizeSecurityGroupIngress&CidrIp=0.0.0.0%2F0&FromPort=22&GroupName=default&IpProtocol=tcp&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2010-12-29T21%3A18%3A20&ToPort=22&Version=2009-11-30
nova-api(root): DEBUG string_to_sign: GET
172.16.60.250:8773
/services/Cloud/
AWSAccessKeyId=96bb3b1e-cab5-4d68-b5af-47592bb3dfe7%3Aanna&Action=AuthorizeSecurityGroupIngress&CidrIp=0.0.0.0%2F0&FromPort=22&GroupName=default&IpProtocol=tcp&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2010-12-29T21%3A18%3A20&ToPort=22&Version=2009-11-30
nova-api(root): DEBUG len(b64)=44
nova-api(root): DEBUG base64 encoded digest: wgzv+Jo8NaLBw9gZckh33Qg0ijMEf3nJw6du00eTcls=
nova-api(root): DEBUG user.secret: f9c918e9-cde4-42e5-8689-bfe3d4364b09
nova-api(root): DEBUG expected_signature: wgzv+Jo8NaLBw9gZckh33Qg0ijMEf3nJw6du00eTcls=
nova-api(root): DEBUG signature: wgzv+Jo8NaLBw9gZckh33Qg0ijMEf3nJw6du00eTcls=
nova-api(api): DEBUG action: AuthorizeSecurityGroupIngress
nova-api(api): DEBUG arg: GroupName val: default
nova-api(api): DEBUG arg: CidrIp val: 0.0.0.0/0
nova-api(api): DEBUG arg: FromPort val: 22
nova-api(api): DEBUG arg: ToPort val: 22
nova-api(api): DEBUG arg: IpProtocol val: tcp

Thierry Carrez (ttx)
affects: openstack-common → nova
Vish Ishaya (vishvananda) wrote : Re: [Bug 695504] [NEW] normal user authorization failed

By default, you need the netadmin role to authorize security groups
and associate public ips. Use BOTH of the following to give the user
the netadmin access to a project:

nova-manage role add (user) netadmin
nova-manage role add (user) netadmin (project)

Vish

Anping Liu (aliu-mcs) wrote :

Hi Vish,

Thank you very much for your response. Does a normal user need to have the netadmin role?
After I did bundle/upload/register images, I tried to run euca-run-instance. I got the same output of NotAuthorized as I got from running euca-authorize. It's important for us to know if a normal openstack user can do what a normal Eucalyptus user can. Your help is highly appreciated. Thanks.

Anping

Anping Liu (aliu-mcs) wrote :

Hi Vish,

I created a normal user anna and registered images. When I ran jobs, I got
# euca-describe-images
IMAGE ami-paqlq8l5 anna/ttylinux-uec-amd64-12.1_2.6.35-22_1-vmlinuz.manifest.xml anna available private x86_64 kernel true
IMAGE ami-xy70vc7p anna/ttylinux-uec-amd64-12.1_2.6.35-22_1-initrd.manifest.xml anna available private x86_64 ramdisk true
IMAGE ami-unwifk1z anna/ttylinux-uec-amd64-12.1_2.6.35-22_1.img.manifest.xml anna available private x86_64 machine
root@user07:~/images2# euca-run-instances ami-unwifk1z --kernel ami-paqlq8l5 --ramdisk ami-xy70vc7p -t m1.tiny
NotAuthorized: None

-Anping

Anping Liu (aliu-mcs) wrote :

I did
nova-manage role add anna netadmin
nova-manage role add anna netadmin anna
I can now do "euca-authorize", but still cannot run jobs
euca-run-instances ami-unwifk1z --kernel ami-paqlq8l5 --ramdisk ami-xy70vc7p -t m1.tiny
NotAuthorized: None

-Anping

Anping Liu (aliu-mcs) wrote :

in nova-api.log:
Thu, 30 Dec 2010 22:21:52 GMT
/_images/
nova-api(boto): DEBUG Method: GET
nova-api(boto): DEBUG Path: /_images/
nova-api(boto): DEBUG Data:
nova-api(boto): DEBUG Headers: {'Date': 'Thu, 30 Dec 2010 22:21:52 GMT', 'Content-Length': '0', 'Authorization': 'AWS 96bb3b1e-cab5-4d68-b5af-47592bb3dfe7:anna:5jcbWfLwBX9rr27e8QBNetp6M6E=', 'User-Agent': 'Boto/1.9b (linux2)'}
nova-api(boto): DEBUG Host: 172.16.60.250:3333
nova-api(boto): DEBUG establishing HTTP connection
nova-api(root): DEBUG Going to run 1 instances...
nova-api(root): ERROR NotAuthorized: None

Thierry Carrez (ttx) wrote :

This is not a bug, but a question.

Changed in nova:
status: New → Invalid
Anping Liu (aliu-mcs) wrote : Re: [Bug 695504] Re: normal user authorization failed

Hi Thierry,

I still think it is a bug. Although adding the netadmin role to a normal user (projectmanager) and the user can use euca-authorize to add the iptable rules for the security groups, the user still cannot run jobs, i.e. euca-run-instances still produces "NotAuthorized" in nova-api.log. If I change is_admin to 1 in the users table, the user can do everything, or if adding the user to the admin project, the user can also do everything.

Thanks,

Anping

Thierry Carrez (ttx) wrote :

See my answer at https://answers.launchpad.net/nova/+question/140239
To be able to run instances, a user needs to have "projectmanager" or "sysadmin" roles. If you only grant him "netmanager", it's normal he can't run instances.

If you still think there's a bug, could you describe it? "Normal users should be able to run instances"?
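The log excerpts in this thread show the request signature matching and the call still ending in NotAuthorized, which separates an authentication failure from an authorization (role or ownership) denial. The following is an added example, not part of the original report or of nova's code: it triages log lines in the quoted nova-api.log format and masks the user.secret value that the DEBUG output prints. The sample log with its placeholder values, the function names, and the AssociateAddress action name for "associate public ips" are assumptions; the role hints only restate what the replies above say.

```python
import re

# Constructed sample in the nova-api.log format quoted in this thread.
# Keys, secret and signatures are placeholders, not values from the report.
SAMPLE_LOG = """\
nova-api(root): INFO Looking up user: u'EXAMPLE-ACCESS-KEY'
nova-api(root): DEBUG user.secret: EXAMPLE-SECRET-KEY
nova-api(root): DEBUG expected_signature: c2lnLWE=
nova-api(root): DEBUG signature: c2lnLWE=
nova-api(api): DEBUG action: RunInstances
nova-api(root): DEBUG Going to run 1 instances...
nova-api(root): ERROR NotAuthorized: None
nova-api(root): INFO Looking up user: u'EXAMPLE-ACCESS-KEY'
nova-api(root): DEBUG expected_signature: c2lnLWI=
nova-api(root): DEBUG signature: c2lnLWM=
nova-api(root): INFO Looking up user: u'EXAMPLE-ACCESS-KEY'
nova-api(root): DEBUG expected_signature: c2lnLWQ=
nova-api(root): DEBUG signature: c2lnLWQ=
nova-api(api): DEBUG action: AuthorizeSecurityGroupIngress
"""

LINE = re.compile(r"^nova-api\((?P<logger>\w+)\): (?P<level>[A-Z]+) (?P<msg>.*)$")

# Roles named in the replies above. AssociateAddress is the EC2 action assumed
# here for "associate public ips"; the thread does not name the action itself.
ROLE_HINTS = {
    "AuthorizeSecurityGroupIngress": ("netadmin",),
    "AssociateAddress": ("netadmin",),
    "RunInstances": ("projectmanager", "sysadmin"),
}


def redact(text):
    """Mask the secret key that the DEBUG log prints in clear text."""
    return re.sub(r"(user\.secret: )\S+", r"\1[REDACTED]", text)


def split_requests(text):
    """Group log lines into per-request records, each starting at 'Looking up user'."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines such as the string_to_sign body
        msg = m.group("msg")
        if msg.startswith("Looking up user:"):
            current = {"expected": None, "got": None, "action": None, "denied": False}
            records.append(current)
        elif current is None:
            continue  # lines before the first request are ignored
        elif msg.startswith("expected_signature: "):
            current["expected"] = msg.split(": ", 1)[1]
        elif msg.startswith("signature: "):
            current["got"] = msg.split(": ", 1)[1]
        elif msg.startswith("action: "):
            current["action"] = msg.split(": ", 1)[1]
        elif m.group("level") == "ERROR" and msg.startswith("NotAuthorized"):
            current["denied"] = True
    return records


def classify(rec):
    """Return the stage at which a request stopped, as far as the log shows."""
    if rec["expected"] is None or rec["got"] is None:
        return "unknown"
    if rec["expected"] != rec["got"]:
        return "authentication-failed"   # wrong secret or altered request
    if rec["denied"]:
        return "authorization-denied"    # identity proven, permission refused
    return "authenticated"               # no denial logged for this request


def triage(text):
    """Return (action, verdict, roles to check) for every request in the log."""
    out = []
    for rec in split_requests(text):
        verdict = classify(rec)
        roles = ROLE_HINTS.get(rec["action"], ()) if verdict == "authorization-denied" else ()
        out.append((rec["action"], verdict, roles))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(redact(SAMPLE_LOG).splitlines()[1])
```

A request is reported as "authenticated" only in the sense that no denial line was logged for it; a 401 returned to the client without an ERROR line in the excerpt, as in the first log of this thread, would not be detected.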

Anping Liu (aliu-mcs) wrote :

Hi Thierry,

Thanks for your response.
By "normal user" I meant a projectmanager, not a sysadmin. I created a user by "nova-manage user create anna" and a project owned by anna "nova-manage project create anna anna". The user anna can upload and register images and modify the images from private to public, but couldn't run jobs, even after adding netadmin role to anna. By default, a projectmanager should be able to run jobs, right?

# nova-manage user list
INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/usr/lib/pymodules/python2.6/nova/db/sqlalchemy/api.pyc'>
admin
aliu
anna

root@user07:~/bin# nova-manage project list
INFO:root:backend <module 'nova.db.sqlalchemy.api' from '/usr/lib/pymodules/python2.6/nova/db/sqlalchemy/api.pyc'>
admin-project
aliu
anna

nova-api.log

nova-api(root): INFO Looking up user: u'96bb3b1e-cab5-4d68-b5af-47592bb3dfe7'
nova-api(root): INFO user: User('anna', 'anna', '96bb3b1e-cab5-4d68-b5af-47592bb3dfe7', 'f9c918e9-cde4-42e5-8689-bfe3d4364b09', False)
nova-api(root): DEBUG using _calc_signature_2
nova-api(root): DEBUG query string: AWSAccessKeyId=96bb3b1e-cab5-4d68-b5af-47592bb3dfe7%3Aanna&Action=RunInstances&ImageId=ami-unwifk1z&InstanceType=m1.small&KernelId=ami-paqlq8l5&MaxCount=1&MinCount=1&RamdiskId=ami-xy70vc7p&SecurityGroup.1=anna&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-01-04T19%3A55%3A22&Version=2009-11-30
nova-api(root): DEBUG string_to_sign: POST
172.16.60.250:8773
/services/Cloud/
AWSAccessKeyId=96bb3b1e-cab5-4d68-b5af-47592bb3dfe7%3Aanna&Action=RunInstances&ImageId=ami-unwifk1z&InstanceType=m1.small&KernelId=ami-paqlq8l5&MaxCount=1&MinCount=1&RamdiskId=ami-xy70vc7p&SecurityGroup.1=anna&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-01-04T19%3A55%3A22&Version=2009-11-30
nova-api(root): DEBUG len(b64)=44
nova-api(root): DEBUG base64 encoded digest: 9yM0IOrm9JyNyBzM4pNWQCXm3AbNM/fRoiembLOczjs=
nova-api(root): DEBUG user.secret: f9c918e9-cde4-42e5-8689-bfe3d4364b09
nova-api(root): DEBUG expected_signature: 9yM0IOrm9JyNyBzM4pNWQCXm3AbNM/fRoiembLOczjs=
nova-api(root): DEBUG signature: 9yM0IOrm9JyNyBzM4pNWQCXm3AbNM/fRoiembLOczjs=
nova-api(api): DEBUG action: RunInstances
nova-api(api): DEBUG arg: SecurityGroup.1 val: anna
nova-api(api): DEBUG arg: ImageId val: ami-unwifk1z
nova-api(api): DEBUG arg: KernelId val: ami-paqlq8l5
nova-api(api): DEBUG arg: RamdiskId val: ami-xy70vc7p
nova-api(api): DEBUG arg: MaxCount val: 1
nova-api(api): DEBUG arg: MinCount val: 1
nova-api(api): DEBUG arg: InstanceType val: m1.small
nova-api(boto): DEBUG Canonical: GET

..............

Tue, 04 Jan 2011 19:55:23 GMT
/_images/
nova-api(boto): DEBUG Method: GET
nova-api(boto): DEBUG Path: /_images/
nova-api(boto): DEBUG Data:
nova-api(boto): DEBUG Headers: {'Date': 'Tue, 04 Jan 2011 19:55:23 GMT', 'Content-Length': '0', 'Authorization': 'AWS 96bb3b1e-cab5-4d68-b5af-47592bb3dfe7:anna:ieH+AEgc9IdzPLgbil6FxSANaGk=', 'User-Agent': 'Boto/1.9b (linux2)'}
nova-api(boto): DEBUG Host: 172.16.60.250:3333
nova-api(boto): DEBUG establishing HTTP connection
nova-api(root): DEBUG Going to run 1 instances...
nova-...

Vish Ishaya (vishvananda) wrote :

It looks like anna doesn't have permission to access one or more of the images you are trying to run. Please make sure that the images are public by setting "isPublic" to true directly in images/<image_id>/info.json or by running:
euca-modify-image-attribute -l -a all <image_id>
as an admin or the user that uploaded the image.

Make sure to do it for all three of your images:
nova-api(api): DEBUG arg: ImageId val: ami-unwifk1z
nova-api(api): DEBUG arg: KernelId val: ami-paqlq8l5
nova-api(api): DEBUG arg: RamdiskId val: ami-xy70vc7p

Vish

Anping Liu (aliu-mcs) wrote :

Thanks, Vish.

I did. Even anna could modify her images. I also changed the admin's image to public. The log I sent is for running these public images. By the way, "euca-modify-image-attribute -l" doesn't produce any output.

# euca-describe-images
IMAGE ami-dfm4sow5 mybucket/vmlinuz-2.6.32-23-server.manifest.xml admin-project available public x86_64 kernel true
IMAGE ami-2j7g8j3k mybucket/initrd.img-2.6.32-23-server.manifest.xml admin-project available public x86_64 ramdisk true
IMAGE ami-o92h00h5 mybucket/ubuntu-lucid.img.manifest.xml admin-project available public x86_64 machine
IMAGE ami-d0itumio mybucket/initrd.img-2.6.32-23-server.manifest.xml admin-project available public x86_64 ramdisk true
IMAGE ami-paqlq8l5 anna/ttylinux-uec-amd64-12.1_2.6.35-22_1-vmlinuz.manifest.xml anna available public x86_64 kernel true
IMAGE ami-xy70vc7p anna/ttylinux-uec-amd64-12.1_2.6.35-22_1-initrd.manifest.xml anna available public x86_64 ramdisk true
IMAGE ami-unwifk1z anna/ttylinux-uec-amd64-12.1_2.6.35-22_1.img.manifest.xml anna available public x86_64 machine

-Anping
