VMware {code} Community
yskp
Enthusiast

Occasional "Access is forbidden" when updating vApp section

I'm using the VCD SDK 1.51 for C#. When updating a vApp, I occasionally encounter an "access is forbidden" exception, even though I am logged in as an administrator and some of the operations do succeed.

For example, in one such failed attempt, I modified the vApp start order section (which succeeded), and immediately after tried to modify the vApp network section (which failed).

In the VCD logs I see this:

Request log:

x.x.x.x -  -  [31/Jan/2012:18:38:30 +0200] "GET /api/entity/urn:vcloud:vapp:4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 673 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:30 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/startupSection/ HTTP/1.1" 202 1274 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"

x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"
[...]

x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"

x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1193 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "GET /api/entity/urn:vcloud:vapp:4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 673 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "GET /api/entity/urn:vcloud:network:52bd866a-0e99-4e66-9d6e-73ed7f8c9f2c HTTP/1.1" 200 1019 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "GET /api/network/52bd866a-0e99-4e66-9d6e-73ed7f8c9f2c HTTP/1.1" 200 1847 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/networkConfigSection/ HTTP/1.1" 403 7388 "-" "-"

Updating the startupSection succeeded (code 202), but updating the networkConfigSection failed (code 403).

The vcloud-container-debug-log shows the following:

2012-01-31 18:38:32,172 | DEBUG    | 2071395076@pool-jetty-13  | AuthorizationMethodInterceptor | Authorizing method: public abstract com.vmware.vcloud.api.presentation.entity.network.NetworkSpec com.vmware.vcloud.api.presentation.service.NetworkService.getNetworkSpec(com.vmware.vcloud.api.presentation.entity.common.EntityRef). |
2012-01-31 18:38:32,225 | DEBUG    | 2071395076@pool-jetty-13  | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.NetworkService.getAllocatedIpAddresses(com.vmware.vcloud.api.presentation.entity.common.EntityRef). |
2012-01-31 18:38:32,250 | DEBUG    | 2071395076@pool-jetty-13  | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.TaskService.getTasks(com.vmware.vcloud.api.presentation.entity.common.TaskFilterParams). |
2012-01-31 18:38:32,254 | DEBUG    | 2071395076@pool-jetty-13  | UriUtils                       | Unable to read property restapi.baseUri from the configuration file. Using primary cell IP. |
2012-01-31 18:38:32,255 | DEBUG    | 2071395076@pool-jetty-13  | UriUtils                       | Unable to read property restapi.baseUri from the configuration file. Using primary cell IP. |
2012-01-31 18:38:32,256 | DEBUG    | 2071395076@pool-jetty-13  | JaxRsDispatcherServlet         | Successfully completed request |
2012-01-31 18:38:32,579 | DEBUG    | 2071395076@pool-jetty-13  | AuthorizationMethodInterceptor | Authorizing method: public abstract com.vmware.vcloud.api.presentation.entity.system.ProductSpec com.vmware.vcloud.api.presentation.service.SystemService.getProductSpec(). |
2012-01-31 18:38:32,580 | DEBUG    | 2071395076@pool-jetty-13  | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.OrgService.getRights(). |
2012-01-31 18:38:32,590 | DEBUG    | 1489230252@pool-jetty-8   | CustomExceptionMapper          | REST API CustomExceptionMapper caught following exception |
com.vmware.vcloud.api.rest.handlers.exceptions.UnauthorizedAccessRestApiException: Access is forbidden
        at com.vmware.vcloud.api.rest.common.handlers.ErrorHandler.getUnauthorizedRestApiException(ErrorHandler.java:77)
        at com.vmware.vcloud.api.rest.common.handlers.ErrorHandler.errorUnauthorisedAccess(ErrorHandler.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        [...]

I am using the vapp.UpdateSection method in both cases.

Note that on other occasions, updating the startup order failed with access is forbidden, even though I successfully used the same client just seconds before. One other thing worthy of note is that I am using the same vCloudClient from multiple threads. In this case, there was another thread accessing the VCD client when I got the Access is Forbidden error.

I can't figure out why I'm getting these seemingly-random errors. Could it be related to concurrency? Please let me know if any other helpful information is missing.

yskp
Enthusiast

I have been able to reproduce the issue. It seems to be related to concurrent accesses to the same client.

Is this a known issue with the C# SDK?

0 Kudos
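
Added example, not part of the original thread or of the VCD SDK: a triage script for the request-log format quoted above that labels each 403 on a vApp URL by whether the same client received a 2xx on that vApp moments earlier, which separates the intermittent pattern described here from a standing permission denial. The 5-second window, the label names and the last sample line (all-zero vApp id) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample in the request-log format from the post; the final line is constructed.
SAMPLE_LOG = '''\
x.x.x.x -  -  [31/Jan/2012:18:38:30 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:31 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/startupSection/ HTTP/1.1" 202 1274 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "GET /api/network/52bd866a-0e99-4e66-9d6e-73ed7f8c9f2c HTTP/1.1" 200 1847 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:38:32 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/networkConfigSection/ HTTP/1.1" 403 7388 "-" "-"
x.x.x.x -  -  [31/Jan/2012:18:50:00 +0200] "PUT /api/vApp/vapp-00000000-0000-0000-0000-000000000000/networkConfigSection/ HTTP/1.1" 403 7388 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) .*?\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
VAPP_RE = re.compile(r"/api/vApp/(vapp-[0-9a-f-]{36})")

def parse(line):
    """Return client, time, method, path, status and vApp id for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    vapp = VAPP_RE.search(path)
    return {
        "client": client,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method, "path": path, "status": int(status),
        "vapp": vapp.group(1) if vapp else None,
    }

def classify_403s(log_text, window_seconds=5):
    """Label each 403 on a vApp URL: did this client get a 2xx on it just before?"""
    last_ok = {}    # (client, vapp) -> time of the most recent 2xx response
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["vapp"] is None:
            continue    # unparseable line, or a URL that is not under a vApp
        key = (rec["client"], rec["vapp"])
        if 200 <= rec["status"] < 300:
            last_ok[key] = rec["time"]
        elif rec["status"] == 403:
            prev = last_ok.get(key)
            recent = prev is not None and rec["time"] - prev <= timedelta(seconds=window_seconds)
            findings.append((rec["method"], rec["path"],
                             "intermittent" if recent else "no-recent-success"))
    return findings

if __name__ == "__main__":
    for finding in classify_403s(SAMPLE_LOG):
        print(finding)
```

An "intermittent" label only shows that the same client was authorized on that vApp seconds earlier; it does not by itself identify the cause.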