Jenkins UCM ClearCase plugin fails due to rights - hudson

I am using Jenkins with the source control plugin named UCM ClearCase.
It tries to create a view and fails with the error:
[onlysourcecode] $ cleartool mkview -snapshot -stream ROLE_Test_Project_DevSG@\Vobname -tag SYSTEM_master_Test_ROLE_001_hudson view
Selected Server Storage Location "Views".
cleartool: Error: unable to set access control list for \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Access is denied.
cleartool: Error: protection on \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws is out-of-synch with identity.sd and groups.sd
cleartool: Error: Failed to set identity on view: Permission denied
cleartool: Error: unable to set access control list for \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Access is denied.
cleartool: Error: \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Permission denied
cleartool: Error: Unable to create view "\\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws".
FATAL: UCM ClearCase failed. exit code=1
Which basically means it does not have permissions to create a view. Now my questions:
Any ideas on what exactly is the problem here?
What ID is Jenkins using internally? I mean, I have a user ID on the DOMAIN controller where I log in to the machine and run Jenkins. If Jenkins uses that, then why do I get this error, as I can create views?
If not, then what ID does it use, and how do I get Jenkins to use my domain ID, or else maybe get the internal ID to be a part of the ClearCase AD group?

I guess this is run on a Windows box as a service. Thus it is not run as a domain user.
It appears that Jenkins is trying to create a view storage (.vws) in the default location, based on the ClearCase configuration on the system.
Perhaps you should choose the Advanced... option in UCM ClearCase and explicitly specify the location for your view storage. There are:
• Windows view storage directory
• Additional mkview arguments
I run Jenkins on a Linux box where I have specified an explicit location for the .vws file in Additional mkview arguments.

To add to Raghuram's answer, using the system account (NT+AUTHORITY) is tricky, because even if you specify a local view storage:
• that account won't have a CLEARCASE_PRIMARY_GROUP associated with its profile
• even if it did, it wouldn't be part of the group referenced by CLEARCASE_PRIMARY_GROUP
That means it won't be able to access the vob storage of the Vob it will need to access within the view.
Anyway, at the very least you should try and configure Slave Service to Run as Domain User.

Related

Error 403: Required 'compute.zones.get' permission for a terraform project

I added all the roles. I still cannot get terraform to build the project.
googlecompute: Error creating instance: googleapi: Error 403: Required 'compute.zones.get' permission for 'projects/terraform-3/zones/us-central1', forbidden
Build 'googlecompute' errored: Error creating instance: googleapi: Error 403: Required 'compute.zones.get' permission for 'projects/terraform-3/zones/us-central1', forbidden
This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.
This might happen due to an API call which has SetIamPolicy that is missing the cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT; it will override with whatever policy is provided in the request. You can get the list of IAM policies for your project with the command below, as given in this article.
gcloud projects get-iam-policy [project-id]
From the list, you can check whether the service account below has the editor permission or not.
To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.
[id]@cloudservices.gserviceaccount.com
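The check described in the answer above, as an added example that is not part of the original thread: it looks for the cloudservices robot in the roles/editor binding, adds it with a read-modify-write merge, and lists the grants a straight-PUT SetIamPolicy would drop. The policy, the project number and the other members are constructed; the JSON shape is assumed to be that of `gcloud projects get-iam-policy [project-id] --format=json`.

```python
import copy

ROBOT_SUFFIX = "@cloudservices.gserviceaccount.com"

# Constructed sample policy (robot missing from roles/editor, as in the answer).
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
}
ROBOT = "serviceAccount:123456789012" + ROBOT_SUFFIX  # constructed project number


def grants(policy):
    """Flatten a policy into a set of (role, member) pairs."""
    return {(b["role"], m)
            for b in policy.get("bindings", []) for m in b.get("members", [])}


def editor_robots(policy):
    """cloudservices robot accounts that currently hold roles/editor."""
    return sorted(m for role, m in grants(policy)
                  if role == "roles/editor" and m.endswith(ROBOT_SUFFIX))


def add_member(policy, role, member):
    """Read-modify-write: copy the fetched policy (etag included), add one grant."""
    updated = copy.deepcopy(policy)
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def lost_grants(current, proposed):
    """Grants that a SetIamPolicy call carrying `proposed` would silently remove."""
    return sorted(grants(current) - grants(proposed))


if __name__ == "__main__":
    print("robot has editor:", bool(editor_robots(CURRENT_POLICY)))
    merged = add_member(CURRENT_POLICY, "roles/editor", ROBOT)
    print("lost by merge:", lost_grants(CURRENT_POLICY, merged))
    overwrite = {"bindings": [{"role": "roles/editor", "members": [ROBOT]}]}
    print("lost by overwrite:", lost_grants(CURRENT_POLICY, overwrite))
```

Running `lost_grants` on the fetched policy and the policy about to be sent is a cheap pre-flight check for any automation that calls SetIamPolicy.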

Hyperledger Composer CLI Ping to a Business Network returns AccessException

I'm trying to learn Hyperledger Composer, but it seems to be a relatively new technology. I mean there are few tutorials and few solutions to a lot of questions; the tutorial does not mention possible error cases when following the commands, which means there is also no solution for those errors.
I have joined the composer channel in their community chat (it looks like it's running on Discord or something) and asked the same question without a response; I have had a better experience here on SO.
This is the problem: I have deployed my business network, installed it, started it, created my network admin card and imported it. Then, to test if everything is OK, I have to run the command composer network ping --card NAME-OF-MY-ADMIN-CARD
And this error comes up:
juan@JuanDeDios:~/proyectos/inovacion/a3-poliza-microservice$ composer network ping --card admin@a3-policy-microservice
Error: transaction returned with failure: AccessException: Participant 'org.hyperledger.composer.system.NetworkAdmin#admin' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#a3-policy-microservice@0.0.1'
Command failed
I think that it has something to do with the permission.acl file, so I gave permission to everyone to everything so there would not be any restrictions for anyone, and tried again, but it failed.
So I thought I had to uninstall my business network and create it again. I also deleted my .bna and my network.card files so everything would be created again, but got the same error.
My other attempt was to update the business network, but it didn't work; the same error happened, and I'm sure I didn't miss any step from the tutorial. I also followed the playground tutorial. What I have not done is create another app with Yeoman, but I will do so if I don't find a solution to this problem that would not require me to create another app.
These were my steps:
1-. Created my app with Yeoman
yo hyperledger-composer:businessnetwork
2-. Selected Apache-2.0 for my license
3-. Created a3-policy-microservice as the name of the business network
4-. Created org.microservice.policy (Yeah, I switched names, but I'm totally aware)
5-. Generated my app with a template, selecting the NO option
6-. Created my assets, participants and transactions
7-. Changed my permission rules to mine
8-. I generated the .bna file
composer archive create -t dir -n .
9-. Then installed my bna file
composer network install --card PeerAdmin@hlfv1 --archiveFile a3-policy-microservice@0.0.1.bna
10-. Then started my network and created my networkadmin card
composer network start --networkName a3-policy-network --networkVersion 0.0.1 --networkAdmin admin --networkAdminEnrollSecret adminpw --card PeerAdmin@hlfv1 --file networkadmin.card
11-. Imported my card
composer card import --file networkadmin.card
12-. Tried to ping my network
composer network ping --card admin@a3-poliza-microservice
And the error happens.
Later I tried to create everything again, shutting down my fabric, starting it again and creating the network from the first step.
My other attempt was to change the permissions and upgrade my bna network, but it failed too. I'm running out of options.
I hope this description is not too long to be ignored. Thanks in advance.
Thanks for the question!
First possibility is that your network name is a3-policy-network but you're pinging a network called a3-poliza-microservice - once you do get the correct ACLs in place (currently, that's the error you're trying to resolve).
The procedure for upgrade would normally be the procedure below:
After your step 12 (where you can't ping the business network due to restrictive ACL conditions, assuming you are using the right network name) you would have:
Make the changes to include your System ACLs this time, e.g.
/**
 * Sample access control list.
 */
rule SystemACL {
    description: "System ACL to permit all access"
    participant: "org.hyperledger.composer.system.Participant"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
Update the "version" field in your existing package.json in your Business Network project directory (i.e. you need to change it to the next increment, e.g. update the version property from 0.0.1 to 0.0.2).
From the same directory, run the following command:
composer archive create --sourceType dir --sourceName . -a a3-policy-network@0.0.2.bna
Now install the new business network code first:
composer network install --card PeerAdmin@hlfv1 --archiveFile a3-policy-network@0.0.2.bna
Then perform the requisite upgrade step (single '-' for short form of the parameter):
composer network upgrade -c PeerAdmin@hlfv1 -n a3-policy-network -V 0.0.2
After a few seconds, ping the network again to see ACL changes are now in effect:
composer network ping -c a3-policy-network

Apache Drill with Kerberos

Does anyone know how to enable Kerberos with Apache Drill? Is it possible? I can't seem to find any documentation on it, or any questions/answers floating around with the information on it. I am currently running a CDH cluster.
I am getting this error when trying to use HDFS with Drill:
Error: PERMISSION ERROR: SIMPLE authentication is not enabled. 
Available:[TOKEN, KERBEROS]
HDFS + Kerberos integration isn't currently supported / tested / documented. Vote on this ticket to track when it becomes available:
https://issues.apache.org/jira/browse/DRILL-3584
There isn't any documentation that the Drill team provides about how to enable kerberos and they haven't tested kerberos with Drill. Drill Eng. does believe that it should work.
In order to gain access onto the cluster once Kerberized, you must configure certain files in order to gain access.
Make an HDFS Superuser account as indicated in this Cloudera doc. On the Main Node, run
•sudo kadmin.local
In addition, add an 'hdfs' principal with this command
•addprinc hdfs@LOCALDOMAIN -- Where localdomain is the principal name
In order to enable authentication with Kerberos, we also need to copy the file hadoop-yarn-api.jar into Drill's class path. Example given below
•cp /opt/cloudera/parcels/CDH-5.5.1-1.cdh5.5.1.p0.11/lib/hadoop/client/hadoop-yarn-api.jar ~/apache-drill/jars/
The above step and the three following must be performed on each node of the cluster on which Apache Drill is installed.
Next, Drill's conf/core-site.xml file should be edited to contain the following snippet of xml. You might have to copy this file from /etc/hadoop/conf.cloudera.yarn/core-site.xml, etc or a similar path.
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
After this step, you will also need to add the following xml snippet below to the drill core-site.xml file. In this instance, hdfs/_HOST@LOCALDOMAIN is my principal property. The property can be found in the hdfs-site.xml file.
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@LOCALDOMAIN</value>
</property>
All that is left to do is create an 'hdfs' Kerberos ticket for the user that we're logged into
•kinit hdfs -- hdfs is the super user
Then start up each of the drillbits
•/opt/apachedrillfolder/bin/drillbit.sh start
So now, Drill has both the configuration and the authority to use our kerberized HDFS store. Give it a shot by opening up a Drill prompt (drill-conf) and trying a query
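A pre-flight check for the two core-site.xml edits in the steps above, as an added example that is not part of the original answer: it parses a core-site.xml and reports which of the two Kerberos properties is missing or malformed. Both XML samples are constructed, and the principal pattern assumes the three-part service/host@REALM form used in the answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml contents (not taken from a real cluster).
SIMPLE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
</configuration>"""

KERBEROS_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>dfs.namenode.kerberos.principal</name>
    <value>hdfs/_HOST@LOCALDOMAIN</value>
  </property>
</configuration>"""

# Assumption: principals follow the service/host@REALM form shown in the answer.
PRINCIPAL_RE = re.compile(r"[^/@\s]+/[^/@\s]+@[^/@\s]+")


def site_properties(xml_text):
    """Map property name -> value; a later duplicate overrides an earlier one."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def kerberos_findings(xml_text):
    """Return the settings from the steps above that are missing or malformed."""
    props = site_properties(xml_text)
    findings = []
    # Hadoop falls back to "simple" when the property is absent.
    auth = props.get("hadoop.security.authentication", "simple")
    if auth.lower() != "kerberos":
        findings.append("hadoop.security.authentication=" + auth)
    principal = props.get("dfs.namenode.kerberos.principal", "")
    if not PRINCIPAL_RE.fullmatch(principal):
        findings.append("dfs.namenode.kerberos.principal=" + (principal or "<unset>"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SIMPLE_SITE), ("after", KERBEROS_SITE)):
        print(label, kerberos_findings(text) or "ok")
```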

Application Verifier 6.2 (x64) AVRF: failed to create verifier log file status C0000022

My Windows Store app keeps getting rejected from certification testing and I managed to reproduce a consequent crash when running appverif's LuaPriv-check. I get this output though:
AVRF: failed to create verifier log file \??\C:\Users\xx\AppVerifierLogs\yy.exe.0.dat (status C0000022)
Process Monitor tells me yy.exe got ACCESS DENIED on a CreateFile operation in this folder. I have set full access to all users (the user reported in the log was the same as the owner of the folder). I am running Visual Studio and Application Verifier as Administrator, but this does not seem to apply. What is the correct way of giving user xx full access to this folder on win8? I have attempted to use different log folders for appverify but with no success. Anyone else able to use this tool with Store-apps?
This post describes similar issues. Attempting to run AppVerif -sppath C:\MyLogsLocation as in the suggested workaround gives AVRF: Error: Incorrect image name: <
So does running appverif -enable handles locks -for myapp.exe -sppath c:\MyLogsLocation
It might be a bug in app verifier.
Have a look at these links:
http://social.technet.microsoft.com/Forums/en-US/5ed560c0-76af-401d-8150-8cd1e69d0b8a/why-app-verifier-can-not-create-log-file?forum=windowssdk
http://blogs.msdn.com/b/dougste/archive/2010/01/11/generating-application-verifier-logs-for-web-applications.aspx
0xc000022 is STATUS_ACCESS_DENIED. The process doesn't actually have write permissions, even if it looks like it should. This MSDN blog explains there is a bug in App Verifier so even if you specify -sppath the value won't be honoured unless you first delete the %WINDIR%\system32\config\AppVerifierLogs\ folder.

How to solve " %GDE-I-WRITEERROR, Cannot exit because of write failure. Reason for failure: 13,GDEPUT+48^GDEPUT,%SYSTEM-E-ENO13, Permission denied"

I installed, according to the instructions, the latest GT.M release, version 6.0-000_linux_i686_pro.tar.gz, from http://sourceforge.net/projects/sanchez-gtm.
Before installation I set $gtm_log, then went through the installation. Afterwards I set $gtm_dist and added it to the PATH, and I set $gtmroutines.
I started gtm from the parent directory and was trying to create the default Global Directory.
GTM>d ^GDE
%GDE-I-GDUSEDEFS, Using defaults for Global Directory
/usr/lib/mumps.gld
When using exit command I get this error:
GDE> exit
%GDE-I-VERIFY, Verification OK
%GDE-I-GDCREATE, Creating Global Directory file
/usr/lib/mumps.gld
%GDE-I-WRITEERROR, Cannot exit because of write failure. Reason for failure:
13,GDEPUT+48^GDEPUT,%SYSTEM-E-ENO13, Permission denied
Can anyone help me solve this problem?
You should set $gtmgbldir before creating the default Global Directory.
For example, export gtmgbldir="$HOME/mumps.gld" will result in the Global Directory (and by default, the database file as well) being created in your user's home directory, which is probably a better idea than creating them in /usr/lib/.
You should also have a look at the file $gtm_dist/gtmprofile. It can be sourced to create a default environment perfect for learning, but it is also a good source of information to learn which environment variables need/can be defined to what effect.