I'm using the VCD SDK 1.51 for C#. When updating a vApp, I occasionally encounter an "access is forbidden" exception, even though I am logged in as an administrator and some of the operations do succeed.
For example, in one such failed attempt, I modified the vApp start order section (which succeeded), and immediately after tried to modify the vApp network section (which failed).
In the VCD logs I see this:
Request log:
x.x.x.x - - [31/Jan/2012:18:38:30 +0200] "GET /api/entity/urn:vcloud:vapp:4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 673 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:30 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/startupSection/ HTTP/1.1" 202 1274 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"
[...]
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1274 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "GET /api/task/b30ce287-46b4-41fa-8232-f7ee6d07e1d1 HTTP/1.1" 200 1193 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "GET /api/entity/urn:vcloud:vapp:4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 673 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "GET /api/entity/urn:vcloud:network:52bd866a-0e99-4e66-9d6e-73ed7f8c9f2c HTTP/1.1" 200 1019 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "GET /api/network/52bd866a-0e99-4e66-9d6e-73ed7f8c9f2c HTTP/1.1" 200 1847 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/networkConfigSection/ HTTP/1.1" 403 7388 "-" "-"
Updating the startupSection succeeded (code 202), but updating the networkConfigSection failed (code 403).
The vcloud-container-debug-log shows the following:
2012-01-31 18:38:32,172 | DEBUG | 2071395076@pool-jetty-13 | AuthorizationMethodInterceptor | Authorizing method: public abstract com.vmware.vcloud.api.presentation.entity.network.NetworkSpec com.vmware.vcloud.api.presentation.service.NetworkService.getNetworkSpec(com.vmware.vcloud.api.presentation.entity.common.EntityRef). |
2012-01-31 18:38:32,225 | DEBUG | 2071395076@pool-jetty-13 | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.NetworkService.getAllocatedIpAddresses(com.vmware.vcloud.api.presentation.entity.common.EntityRef). |
2012-01-31 18:38:32,250 | DEBUG | 2071395076@pool-jetty-13 | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.TaskService.getTasks(com.vmware.vcloud.api.presentation.entity.common.TaskFilterParams). |
2012-01-31 18:38:32,254 | DEBUG | 2071395076@pool-jetty-13 | UriUtils | Unable to read property restapi.baseUri from the configuration file. Using primary cell IP. |
2012-01-31 18:38:32,255 | DEBUG | 2071395076@pool-jetty-13 | UriUtils | Unable to read property restapi.baseUri from the configuration file. Using primary cell IP. |
2012-01-31 18:38:32,256 | DEBUG | 2071395076@pool-jetty-13 | JaxRsDispatcherServlet | Successfully completed request |
2012-01-31 18:38:32,579 | DEBUG | 2071395076@pool-jetty-13 | AuthorizationMethodInterceptor | Authorizing method: public abstract com.vmware.vcloud.api.presentation.entity.system.ProductSpec com.vmware.vcloud.api.presentation.service.SystemService.getProductSpec(). |
2012-01-31 18:38:32,580 | DEBUG | 2071395076@pool-jetty-13 | AuthorizationMethodInterceptor | Authorizing method: public abstract java.util.List com.vmware.vcloud.api.presentation.service.OrgService.getRights(). |
2012-01-31 18:38:32,590 | DEBUG | 1489230252@pool-jetty-8 | CustomExceptionMapper | REST API CustomExceptionMapper caught following exception |
com.vmware.vcloud.api.rest.handlers.exceptions.UnauthorizedAccessRestApiException: Access is forbidden
at com.vmware.vcloud.api.rest.common.handlers.ErrorHandler.getUnauthorizedRestApiException(ErrorHandler.java:77)
at com.vmware.vcloud.api.rest.common.handlers.ErrorHandler.errorUnauthorisedAccess(ErrorHandler.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[...]
I am using the vapp.UpdateSection method in both cases.
Note that on other occasions, updating the startup order failed with access is forbidden, even though I successfully used the same client just seconds before. One other thing worthy of note is that I am using the same vCloudClient from multiple threads. In this case, there was another thread accessing the VCD client when I got the Access is Forbidden error.
I can't figure out why I'm getting these seemingly-random errors. Could it be related to concurrency? Please let me know if any other helpful information is missing.
I have been able to reproduce the issue. It seems to be related to concurrent accesses to the same client.
Is this a known issue with the C# SDK?
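A way to triage a request log like the one in the post, as an added example that is not part of the original post or the SDK: it flags 403 responses that arrive within a few seconds of a successful request from the same client on the same entity, which is the intermittent pattern described above. The function name, the 5-second window and the matching by entity UUID are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import datetime, timedelta

# Request-log lines copied from the post (client address already masked there).
SAMPLE_LOG = """\
x.x.x.x - - [31/Jan/2012:18:38:31 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/startupSection/ HTTP/1.1" 202 1274 "-" "-"
[...]
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "GET /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e HTTP/1.1" 200 21799 "-" "-"
x.x.x.x - - [31/Jan/2012:18:38:32 +0200] "PUT /api/vApp/vapp-4f6fea06-0db1-45de-b35c-91327ef35b8e/networkConfigSection/ HTTP/1.1" 403 7388 "-" "-"
"""

# Access-log layout as shown in the post: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The entity UUID embedded in paths such as /api/vApp/vapp-<uuid>/...
ENTITY_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def intermittent_403s(log_text, window=timedelta(seconds=5)):
    """Return 403s that follow a 2xx on the same (client, entity) within `window`."""
    last_ok = {}   # (client, entity) -> (timestamp, path) of the latest 2xx
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips "[...]" elisions and anything that is not a log line
        entity = ENTITY_RE.search(m["path"])
        if not entity:
            continue
        key = (m["client"], entity.group())
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if 200 <= status < 300:
            last_ok[key] = (ts, m["path"])
        elif status == 403 and key in last_ok and ts - last_ok[key][0] <= window:
            ok_ts, ok_path = last_ok[key]
            findings.append({
                "time": ts, "method": m["method"], "path": m["path"],
                "last_ok_path": ok_path,
                "gap_seconds": (ts - ok_ts).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in intermittent_403s(SAMPLE_LOG):
        print(f["time"].isoformat(), f["method"], f["path"], "after", f["last_ok_path"])
```

A 403 with no recent success on the same entity is not reported, so a right that is consistently missing does not show up here.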