cloudstack-issues mailing list archives

From "Min Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6428) IAM - Domain Admin - When his sub-domainId is passed to the listVirtualMachine command, Vms from all the domains are being listed.
Date Wed, 16 Apr 2014 17:22:32 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13971685#comment-13971685 ]

Min Chen commented on CLOUDSTACK-6428:
--------------------------------------

This is caused by us interpreting the DOMAIN scope policy in the iam_policy_permission table just
for the current domain. In this use case, the domain id passed is the subdomain id. Fixed by interpreting
that to include the domain tree. This is also the assumption we have made in RoleBasedEntityAccessChecker
for phase I.

> IAM - Domain Admin - When his sub-domainId is passed to the listVirtualMachine command, Vms from all the domains are being listed.
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6428
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6428
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.4.0
>            Reporter: Min Chen
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Domain Admin - When domainId is passed to the listVirtualMachine command, Vms from all the domains are being listed.
> Set up:
> Pre Reqs:
> Admin - Creates object
> Domain Admin for d1 - D1 - Creates object - d1
> Domain Admin for d1 - D1/D11
> User account for d1 - D1/D111 - Creates object - d111a
> Domain Admin for d1 - D1/D12
> Domain Admin for d2 - D2 - Creates object -d2
> User Account in domain D1 - userD1-1 - Creates object -d1a
> User Account in domain D1 - userD1-2 - Creates object - d1b
> User Account in domain D1/D11 - userD1-a - Creates object - d11a
> User Account in domain D1/D11 - userD1-a - Creates object - d11b
> User Account in domain D1/D12- userD1-b - Creates object - d12a
> User Account in domain D1/D12 - userD-a - Creates object - d12b
> As domain admin d1 , tried to list all the Vms for domain - d1/d11.
> The Vm list returned has all the Vms including the Vms from domain d2.
> GET http://10.223.49.6/client/api?command=listVirtualMachines&domainId=0a0f7c09-2f1a-4939-94ce-88388e197949&listAll=true&apiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw&signature=ZH7kEjKVDh1eXbLv84T6pHAApt0%3D



--
This message was sent by Atlassian JIRA
(v6.2#6252)
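
Added example (not part of the original message, and not CloudStack code): a minimal Python model of the fix described in the comment, where a DOMAIN-scope policy covers the whole domain tree and the listing is filtered to the requested sub-domain. Domain paths, VM placement and all function names are assumptions built from the issue's set-up; how the pre-fix code fell through to an unfiltered list is not shown on the page and is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    domain_path: str  # assumed path form, e.g. "/D1/D11/"

# Constructed data mirroring the objects named in the issue's set-up.
VMS = [
    VM("d1", "/D1/"), VM("d1a", "/D1/"), VM("d1b", "/D1/"),
    VM("d11a", "/D1/D11/"), VM("d11b", "/D1/D11/"),
    VM("d111a", "/D1/D111/"),
    VM("d12a", "/D1/D12/"), VM("d12b", "/D1/D12/"),
    VM("d2", "/D2/"),
]

def normalize(path):
    """Canonical form with a trailing '/', so '/D1/D11' cannot prefix-match '/D1/D111'."""
    return "/" + "".join(part + "/" for part in path.split("/") if part)

def in_tree(ancestor, path):
    """True when path is the ancestor domain itself or anywhere below it."""
    return normalize(path).startswith(normalize(ancestor))

def exact_scope(policy_domain, requested):
    """DOMAIN scope read as 'this domain only' (the interpretation the comment blames)."""
    return normalize(policy_domain) == normalize(requested)

def tree_scope(policy_domain, requested):
    """DOMAIN scope read as 'this domain and its sub-domains' (the fix)."""
    return in_tree(policy_domain, requested)

def list_vms(policy_domain, requested_domain, scope_check=tree_scope, vms=VMS):
    """Authorize the requested domainId first, then filter to that sub-tree.

    Fails closed: a domainId outside the caller's scope is refused instead of
    falling back to a broader or unfiltered result set.
    """
    if not scope_check(policy_domain, requested_domain):
        raise PermissionError(
            f"{requested_domain} is outside the scope granted on {policy_domain}")
    return sorted(vm.name for vm in vms if in_tree(requested_domain, vm.domain_path))

if __name__ == "__main__":
    # Domain admin of D1 asks for sub-domain D1/D11: only d11a and d11b come back.
    print(list_vms("/D1", "/D1/D11"))
```
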
