cloudstack-issues mailing list archives

From "Prachi Damle (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
Date Wed, 30 Apr 2014 01:28:16 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prachi Damle reassigned CLOUDSTACK-6517:
----------------------------------------

    Assignee: Prachi Damle

> IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6517
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
> Steps to reproduce the problem:
> As regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing account and domainId.
> Creating PF rule succeeds.
> Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> Admin should be allowed to do this only when the account and domainId of the regular user are passed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
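
The access decision the report expects, as an added example that is not part of the original message and not CloudStack's own code. It is a simplified model of the two `iam_policy_permission` rows quoted above; the account names `admin` and `user1`, the function names, and the reading that passing account/domainId makes the call act as that account are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermissionRow:
    action: str
    resource_type: str
    scope: str                     # "ALL" or "ACCOUNT" in the quoted rows
    access_type: str               # "ListEntry" or "UseEntry"
    permission: str                # "Allow"
    removed: Optional[str] = None  # NULL in the table: the row is active


# The two policy_id=2 rows from the report's query output (ids 1840 and 1841).
ADMIN_POLICY = [
    PermissionRow("listPublicIpAddresses", "IpAddress", "ALL", "ListEntry", "Allow"),
    PermissionRow("listPublicIpAddresses", "IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]


def has_access(rows, resource_type, access_type, acting_account, owner_account):
    """True only if an active Allow row covers this access type for this owner.

    Simplification: rows are matched on resource_type and access_type only.
    """
    for row in rows:
        if row.removed is not None or row.permission != "Allow":
            continue
        if row.resource_type != resource_type or row.access_type != access_type:
            continue
        if row.scope == "ALL":
            return True
        if row.scope == "ACCOUNT" and acting_account == owner_account:
            return True
        # Any other scope is not modelled here and grants nothing (fail closed).
    return False


def can_create_pf_rule(rows, caller, ip_owner, on_behalf_of=None):
    """A PF rule uses the address, so it needs UseEntry on the IpAddress.

    Assumption: passing account/domainId makes the call act as that account.
    """
    acting = on_behalf_of if on_behalf_of is not None else caller
    return has_access(rows, "IpAddress", "UseEntry", acting, ip_owner)
```

With these rows the admin can list `user1`'s address but is denied the rule unless the call is made on `user1`'s behalf, which is the behaviour the reporter expected.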