cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
Date Tue, 29 Apr 2014 19:04:18 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13984665#comment-13984665 ]

ASF subversion and git services commented on CLOUDSTACK-6533:
-------------------------------------------------------------

Commit b2b59ed83a566762c960371717b7998b4719ba70 in cloudstack's branch refs/heads/4.4-forward
from [~minchen07]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=b2b59ed ]

CLOUDSTACK-6533: IAM - Templates - Public templates do not have
permissions to be used by ROOT group.


> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6533
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> As a regular user, create a public template.
> In iam_policy_permission policy we do not have permission for Admin group.
> mysql>  select * from iam_policy_permission where scope_id = 206;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 4949 |         3 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> | 4950 |         1 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> mysql> select * from vm_template where id=206;
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | id  | unique_name                                  | name                       | uuid                                 | public | featured | type | hvm | bits | url                             | format | created             | removed | account_id | checksum | display_text                | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size    | state  | update_count | updated | dynamically_scalable |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a |      1 |        1 | USER |   1 |   64 | http://10.223.110.232:/test.vhd | VHD    | 2014-04-29 11:03:52 | NULL    |        318 | NULL     | public and feature Template |               0 |             0 |          12 |        1 |           0 |           0 |           1 | Simulator       |               NULL | NULL         |        0 | 5242880 | Active |            0 | NULL    |                    0 |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)
> In spite of not having the required permissions to use the template, admin is able to
> use this template for vm deployment. Root cause for this bug is similar to bug CLOUDSTACK-6517.
> The same behavior is also observed for default templates:
> mysql> select * from iam_policy_permission where scope_id = 111;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 3315 |         3 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> | 3316 |         1 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> 2 rows in set (0.00 sec)
> mysql> select * from vm_template where id=111;
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | id  | unique_name      | name                                  | uuid                                 | public | featured | type    | hvm | bits | url                                                                                                     | format | created             | removed | account_id | checksum | display_text                          | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size       | state  | update_count | updated | dynamically_scalable |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | 111 | simulator-Centos | CentOS 5.3(64-bit) no GUI (Simulator) | 7200e25a-ca4b-11e3-907f-4adf980f9414 |      1 |        1 | BUILTIN |   0 |   64 | http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2 | VHD    | 2014-04-22 14:25:13 | NULL    |          1 |          | CentOS 5.3(64-bit) no GUI (Simulator) |               0 |             0 |          11 |        1 |           0 |           1 |           0 | Simulator       |               NULL | NULL         |        0 | 2147483648 | Active |         NULL | NULL    |                    0 |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
