cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alena Prokharchyk <Alena.Prokharc...@citrix.com>
Subject Re: [DISCUSS] listAll and recursive parameters for BaseListDomainResourceCmd should have default value as TRUE
Date Wed, 09 Oct 2013 00:55:41 GMT
On 10/8/13 5:48 PM, "Min Chen" <min.chen@citrix.com> wrote:

>Thanks Alena for the clarification.
>
>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>should be the expected behavior?

The same as if you don't pass anything. The domain admin will see his own
resources (the ones that belong to his account)


>Should he be able to see VMs under his domain but not owned by him? The
>current CloudStack behavior will
>show all VMs under his domain. This seems contradictory to the meaning of
>listAll.

Do you pass anything else to the call besides listAll=false? Is the result
the same when you don't pass listAll=false to the call? If so, what other
parameters do you pass in

>
>Thanks
>-min
>
>
>
>>On 10/8/13 4:28 PM, "Min Chen" <min.chen@citrix.com> wrote:
>>
>>>Hi there,
>>>
>>>In working with RBAC design, I am really puzzled by the two query
>>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>
>>>
>>>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>>>description = "If set to false, " +
>>>
>>>            "list only resources belonging to the command's caller; if
>>>set to true - list resources that the caller is authorized to see.
>>>Default value is false")
>>>
>>>    private Boolean listAll;
>>>
>>>
>>>    @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>>CommandType.BOOLEAN, description = "defaults to false," +
>>>
>>>            " but if true, lists all resources from the parent specified
>>>by the domainId till leaves.")
>>>
>>>    private Boolean recursive;
>>>
>>>
>>>IMHO, if a caller invokes a list API without passing any specific query
>>>parameter, he/she should see all resources that he/she is authorized to
>>>see.  In CloudStack, we have implicit authorization rules as follows:
>>>1. Root admin should be able to see all the resources under Root domain.
>>>2. Domain admin should be able to see all the resources under its own
>>>domain tree.
>>>3. Normal user should only see the resources owned by him.
>>
>>listAll doesn't impact user calls.
>>
>>>4. Project account should be able to see resources assigned to that
>>>project.
>>
>>Project account can't make the calls. Any CS account assigned to the
>>project + admin can list project resources. When listAll is passed in,
>>all
>>resources except project resources, will be returned to the caller. When
>>projectId=-1 is passed in, all resources of all projects in the system
>>that caller is authorized to see, will be returned to the caller.
>>
>>>Based on current AccountManager.buildACLSearchParameters implementation,
>>>we are not observing the passed "listAll" and "recursive" value at all,
>>>seems always treating "listAll=true" and "recursive=true".
>>
>>recursive=false is respected when passed along with the domainId. In this
>>case, it will list all the resources under this domain only, without
>>subdomains. When recursive=true is passed with domainId, the resources of
>>domains + subdomains will be returned.
>>
>>>Thus, I am proposing that we change the default value of "listAll" and
>>>"recursive" to TRUE instead of current FALSE.  Any objections?
>>
>>
>>The main objection - it will break all the partners/third party apps/UIs
>>built on the current CS behavior.
>>
>>>
>>>Thanks
>>>-min
>>>
>>
>>Min, 
>>
>
>



Mime
View raw message