[DRBD-user] Proxmox/Linstor - Identity 'PUBLIC' using role: 'PUBLIC' is not authorized to access resource group 'DfltRscGrp'

Greb opengreb at free.fr
Mon Aug 19 15:20:55 CEST 2019


Hello, 

I had a problem on two Proxmox / LINSTOR / DRBD clusters on LVM thin-provisioning storage. 
I rebuilt the thin-provisioning storage to increase the metadata space, which was initially undersized. 
Everything went well, but when I wanted to move the VMs from the temporary storage to the DRBD storage, I could not. I have the same problem when creating a VM or creating a LINSTOR resource manually. 

To recover functional access to the storage, I had to change the global security level from "MAC" to "NO_SECURITY" (setSecLvl secLvl (NO_SECURITY) in Linstor debug mode). 

My installations are nothing special, the "MAC" mode seems to be the default one during the first installation. I do not understand why this value needs to be changed. 

I did not find any information about the different Linstor security modes; where can I find it? 

If I go back to "MAC" mode again, I reproduce the problem. 

Thank you for your insight ... 

Greb, 

Further information: 

pve-manager/5.4-13/aee6f0ec (running kernel: 4.15.18-20-pve) 
linstor-client 1.0.1-1 
linstor-common 1.0.1-1 
linstor-controller 1.0.1-1 
linstor-proxmox 4.0.0-1 
linstor-satellite 1.0.1-1 
python-linstor 1.0.0-1 
drbd-dkms 9.0.19-1 
drbd-utils 9.10.0-1 

Proxmox GUI 

TASK ERROR: unable to create VM 999 - error with cfs lock 'storage-drbdstorage': Could not create resource definition vm-999-disk-1, because: [{"ret_code":-4611686018406940253,"message":"Identity 'PUBLIC' using role: 'PUBLIC' is not authorized to access resource group 'DfltRscGrp'.","cause":"Access of type 'VIEW' not allowed by the access control list","details":"Resource definition: vm-999-disk-1","error_report_ids":["5D53C454-00000-000001"],"obj_refs":{"RscDfn":"vm-999-disk-1"}}] at /usr/share/perl5/PVE/Storage/Custom/LINSTORPlugin.pm line 253. ... 

linstor rd create first 

ERROR: 
Description: 
Identity 'PUBLIC' using role: 'PUBLIC' is not authorized to access resource group 'DfltRscGrp'. 
Cause: 
Access of type 'VIEW' not allowed by the access control list 
Details: 
Resource definition: first 
Show reports: 
linstor error-reports show 5D52CC74-00000-000001 

ERROR REPORT 5D52CC74-00000-000001 

============================================================ 

Application: LINBIT® LINSTOR 
Module: Controller 
Version: 1.0.1 
Build ID: 98a9905de43631b745c7c0741c2ef8f577513b23 
Build time: 2019-08-09T06:50:31+00:00 
Error time: 2019-08-13 17:42:26 
Node: pve1 
Peer: RestClient(127.0.0.1; 'PythonLinstor/1.0.0 (API1.0.4)') 

============================================================ 

Reported error: 
=============== 

Description: 
Access to the protected object was denied 
Cause: 
The access control list for the protected object does not allow access of type VIEW by role PUBLIC 
Correction: 
An entry that allows access must be added by an authorized role 

Category: LinStorException 
Class name: AccessDeniedException 
Class canonical name: com.linbit.linstor.security.AccessDeniedException 
Generated at: Method 'requireAccess', Source file 'AccessControlList.java', Line #69 

Error message: Access of type 'VIEW' not allowed by the access control list 

Error context: 
Identity 'PUBLIC' using role: 'PUBLIC' is not authorized to access resource group 'DfltRscGrp'. 

Call backtrace: 

Method Native Class:Line number 
requireAccess N com.linbit.linstor.security.AccessControlList:69 
requireAccess N com.linbit.linstor.security.ObjectProtection:174 
get N com.linbit.linstor.core.repository.ResourceGroupProtectionRepository:62 
loadResourceGroup N com.linbit.linstor.core.apicallhandler.controller.CtrlApiDataLoader:577 
loadResourceGroup N com.linbit.linstor.core.apicallhandler.controller.CtrlApiDataLoader:544 
createRscDfn N com.linbit.linstor.core.apicallhandler.controller.CtrlRscDfnApiCallHandler:487 
createResourceDefinition N com.linbit.linstor.core.apicallhandler.controller.CtrlRscDfnApiCallHandler:167 
createResourceDefinition N com.linbit.linstor.core.apicallhandler.controller.CtrlApiCallHandler:215 
lambda$createResourceDefinition$3 N com.linbit.linstor.api.rest.v1.ResourceDefinitions:120 
doInScope N com.linbit.linstor.api.rest.v1.RequestHelper:226 
createResourceDefinition N com.linbit.linstor.api.rest.v1.ResourceDefinitions:103 
invoke0 Y sun.reflect.NativeMethodAccessorImpl:unknown 
invoke N sun.reflect.NativeMethodAccessorImpl:62 
invoke N sun.reflect.DelegatingMethodAccessorImpl:43 
invoke N java.lang.reflect.Method:498 
lambda$static$0 N org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory:52 
run N org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1:124 
invoke N org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher:167 
doDispatch N org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker:176 
dispatch N org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher:79 
invoke N org.glassfish.jersey.server.model.ResourceMethodInvoker:469 
apply N org.glassfish.jersey.server.model.ResourceMethodInvoker:391 
apply N org.glassfish.jersey.server.model.ResourceMethodInvoker:80 
run N org.glassfish.jersey.server.ServerRuntime$1:253 
call N org.glassfish.jersey.internal.Errors$1:248 
call N org.glassfish.jersey.internal.Errors$1:244 
process N org.glassfish.jersey.internal.Errors:292 
process N org.glassfish.jersey.internal.Errors:274 
process N org.glassfish.jersey.internal.Errors:244 
runInScope N org.glassfish.jersey.process.internal.RequestScope:265 
process N org.glassfish.jersey.server.ServerRuntime:232 
handle N org.glassfish.jersey.server.ApplicationHandler:680 
service N org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer:353 
run N org.glassfish.grizzly.http.server.HttpHandler$1:200 
doWork N org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker:569 
run N org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker:549 
run N java.lang.Thread:748 

END OF ERROR REPORT. 
