
No access to Network Connect on collection swarm when restarting a service

Article ID: KB000888

Issue

When attempting to restart a service in a particular collection, a user with an appropriate grant on that collection may encounter the following error in the UCP UI:

access denied: no access to Network Connect, on collection swarm

Prerequisites

  • Universal Control Plane version 2.2
  • Universal Control Plane version 3.0
  • Universal Control Plane version 3.1

Root Cause

The network attached to the service was not in a collection on which the user had permissions.

Resolution

Update the stack to place all declared resources associated with the service (networks, volumes, secrets, configs, etc.) into a collection on which the user has the appropriate level of access. You can do this by adding the com.docker.ucp.access.label label to each resource. The YAML formatting for this label is the same for services, networks, volumes, secrets, and configs.

The following abbreviated examples show how to label a service, network, volume, secret, and config to put them in the collection /Test/Microservices. The body of each object has been abbreviated with [...].

services:
  proxy:
    [...]
    labels:
      com.docker.ucp.access.label: "/Test/Microservices"
volumes:
  kv_back:
    [...]
    labels:
      com.docker.ucp.access.label: "/Test/Microservices"
networks:
  appnet:
    [...]
    labels:
      com.docker.ucp.access.label: "/Test/Microservices"
configs:
  haproxy.cfg:
    [...]
    labels:
      com.docker.ucp.access.label: "/Test/Microservices"
secrets:
  private.key:
    [...]
    labels:
      com.docker.ucp.access.label: "/Test/Microservices"
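
A pre-deployment check for the labelling described above, as an added example that is not part of the original article or of any Docker tooling: it takes an already parsed stack file and lists every declared resource that would not be placed in the target collection. The names audit_stack, labels_of and SAMPLE are hypothetical; the label is read from each object's top-level labels key as in the example above, and resources marked external are reported because the stack does not create them.

```python
import sys

LABEL = "com.docker.ucp.access.label"
SECTIONS = ("services", "networks", "volumes", "configs", "secrets")

# Constructed sample: a parsed stack file where only the service is labelled correctly.
SAMPLE = {
    "services": {"proxy": {"image": "haproxy", "labels": {LABEL: "/Test/Microservices"}}},
    "networks": {"appnet": {"driver": "overlay"}},
    "volumes": {"kv_back": {"labels": [LABEL + "=/Test/Other"]}},
    "secrets": {"private.key": {"external": True}},
}

def labels_of(body):
    """Return an object's labels as a dict (Compose allows a mapping or a 'k=v' list)."""
    raw = (body or {}).get("labels") or {}
    if isinstance(raw, list):
        return dict(item.split("=", 1) if "=" in item else (item, "") for item in raw)
    return raw

def audit_stack(stack, collection):
    """Return (section, name, reason) for each resource not labelled into `collection`."""
    findings = []
    for section in SECTIONS:
        for name, body in (stack.get(section) or {}).items():
            if (body or {}).get("external"):
                # Not created by this stack, so a label written here is never applied.
                findings.append((section, name, "external: check the existing resource"))
                continue
            found = labels_of(body).get(LABEL)
            if found is None:
                findings.append((section, name, "label missing"))
            elif found != collection:
                findings.append((section, name, f"labelled {found}"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py STACK_FILE COLLECTION
        import yaml  # PyYAML, only needed to read a real stack file
        with open(sys.argv[1]) as fh:
            stack, collection = yaml.safe_load(fh), sys.argv[2]
    else:
        stack, collection = SAMPLE, "/Test/Microservices"
    problems = audit_stack(stack, collection)
    for section, name, reason in problems:
        print(f"{section}.{name}: {reason}")
    sys.exit(1 if problems else 0)
```

Run without arguments it audits the constructed sample; the non-zero exit status on any finding lets it gate a deployment step.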

What's Next

  • Deploy swarm resource application resources to a collection at docs.docker.com