Return-Path: 
 <issues-return-40859-apmail-cloudstack-issues-archive=cloudstack.apache.org@cloudstack.apache.org>
X-Original-To: apmail-cloudstack-issues-archive@www.apache.org
Delivered-To: apmail-cloudstack-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id ED0CB11BB9
	for <apmail-cloudstack-issues-archive@www.apache.org>;
 Wed, 16 Apr 2014 17:24:02 +0000 (UTC)
Received: (qmail 29538 invoked by uid 500); 16 Apr 2014 17:23:43 -0000
Delivered-To: apmail-cloudstack-issues-archive@cloudstack.apache.org
Received: (qmail 29415 invoked by uid 500); 16 Apr 2014 17:23:31 -0000
Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cloudstack.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cloudstack.apache.org>
List-Post: <mailto:issues@cloudstack.apache.org>
List-Id: <issues.cloudstack.apache.org>
Reply-To: dev@cloudstack.apache.org
Delivered-To: mailing list issues@cloudstack.apache.org
Received: (qmail 28556 invoked by uid 500); 16 Apr 2014 17:22:57 -0000
Delivered-To: apmail-incubator-cloudstack-issues@incubator.apache.org
Received: (qmail 28044 invoked by uid 99); 16 Apr 2014 17:22:32 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 16 Apr 2014 17:22:32 +0000
Date: Wed, 16 Apr 2014 17:22:32 +0000 (UTC)
From: "Min Chen (JIRA)" <jira@apache.org>
To: cloudstack-issues@incubator.apache.org
Message-ID: <JIRA.12708842.1397668162143.126392.1397668952194@arcas>
In-Reply-To: <JIRA.12708842.1397668162143@arcas>
References: <JIRA.12708842.1397668162143@arcas>
Subject: [jira] [Commented] (CLOUDSTACK-6428) IAM - Domain Admin - When his
 sub-domainId is passed to the listVirtualMachine command, Vms from all the
 domains are being listed.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6428?page=3Dcom.atla=
ssian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=
=3D13971685#comment-13971685 ]=20

Min Chen commented on CLOUDSTACK-6428:
--------------------------------------

This is caused by us interpreting DOMAIN scope policy in iam_policy_permiss=
ion table just for current domain. This usecase, the domain id passed is th=
e subdomain id. Fixed by interpreting that to include the domain tree. This=
 is also the assumption we have made in RoleBasedEntityAccessChecker for ph=
ase I.

> IAM - Domain Admin - When his sub-domainId is passed to the listVirtualMa=
chine command, Vms from all the domains are being listed.
> -------------------------------------------------------------------------=
---------------------------------------------------------
>
>                 Key: CLOUDSTACK-6428
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-642=
8
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the defa=
ult.)=20
>          Components: API
>    Affects Versions: 4.4.0
>            Reporter: Min Chen
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Domain Admin - When domainId is passed to the listVirtualMachine co=
mmand, Vms from all the domains are being listed.
> Set up:
> Pre Reqs:
> Admin - Creates object
> Domain Admin for d1 - D1 - Creates object - d1
> Domain Admin for d1 - D1/D11
> User account for d1 - D1/D111 - Creates object - d111a
> Domain Admin for d1 - D1/D12
> Domain Admin for d2 - D2 - Creates object -d2
> User Account in domain D1 - userD1-1 - Creates object -d1a
> User Account in domain D1 - userD1-2 - Creates object - d1b
> User Account in domain D1/D11 - userD1-a - Creates object - d11a
> User Account in domain D1/D11 - userD1-a - Creates object - d11b
> User Account in domain D1/D12- userD1-b - Creates object - d12a
> User Account in domain D1/D12 - userD-a - Creates object - d12b
> As domain admin d1 , tried to list all the Vms for domain - d1/d11.
> The Vm list returned has all the Vms including the Vms from domain d2.
> GET http://10.223.49.6/client/api?command=3DlistVirtualMachines&domainId=
=3D0a0f7c09-2f1a-4939-94ce-88388e197949&listAll=3Dtrue&apiKey=3DHv0VKnmBjXh=
yRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw=
&signature=3DZH7kEjKVDh1eXbLv84T6pHAApt0%3D \n\n
> <?xml version=3D"1.0" encoding=3D"UTF-8"?><listvirtualmachinesresponse cl=
oud-stack-version=3D"4.4.0-SNAPSHOT"><count>10</count><virtualmachine><id>2=
2193996-12f9-46ff-91cd-3d409f7f8c60</id><name>d11a</name><displayname>d11a<=
/displayname><account>testD11A-TestVMList-3385RP</account><domainid>0a0f7c0=
9-2f1a-4939-94ce-88388e197949</domainid><domain>D11-UFBXGQ</domain><created=
>2014-04-10T09:01:37-0400</created><state>Running</state><haenable>false</h=
aenable><zoneid>75d61334-ff70-49c3-99ed-3af702cd51d7</zoneid><zonename>BLR1=
</zonename><templateid>e65cdfa0-c019-11e3-907f-4adf980f9414</templateid><te=
mplatename>CentOS 5.3(64-bit) no GUI (Simulator)</templatename><templatedis=
playtext>CentOS 5.3(64-bit) no GUI (Simulator)</templatedisplaytext><passwo=
rdenabled>false</passwordenabled><serviceofferingid>49dee9f8-a49a-414d-b8b2=
-b0d59b5981f0</serviceofferingid><serviceofferingname>Small Instance</servi=
ceofferingname><cpunumber>1</cpunumber><cpuspeed>100</cpuspeed><memory>128<=
/memory><cpuused>10%</cpuused><networkkbsread>10190848</networkkbsread><net=
workkbswrite>5095424</networkkbswrite><guestosid>e5eba5c4-c019-11e3-907f-4a=
df980f9414</guestosid><rootdeviceid>0</rootdeviceid><rootdevicetype>ROOT</r=
ootdevicetype><nic><id>a1c079e5-ae0f-4470-b0ed-26895fbcf14d</id><networkid>=
f1cf7cfb-c354-47c4-854e-af329c54d77e</networkid><networkname>testD11A-TestV=
MList-3385RP-network</networkname><netmask>255.255.255.0</netmask><gateway>=
10.1.1.1</gateway><ipaddress>10.1.1.217</ipaddress><isolationuri>vlan://107=
1</isolationuri><broadcasturi>vlan://1071</broadcasturi><traffictype>Guest<=
/traffictype><type>Isolated</type><isdefault>true</isdefault><macaddress>02=
:00:06:7b:00:01</macaddress></nic><hypervisor>Simulator</hypervisor><isdyna=
micallyscalable>false</isdynamicallyscalable><ostypeid>11</ostypeid></virtu=
almachine><virtualmachine><id>660a829f-5265-44c3-aa92-957d8bbec8e2</id><nam=
e>d1a</name><displayname>d1b</displayname><account>testD1B-TestVMList-CB23C=
T</account><domainid>dc4bf103-27bf-4292-99aa-dc91fa23ee04</domainid><domain=
>D1-NN5QWT</domain><created>2014-04-10T09:01:32-0400</created><state>Runnin=
g</state><haenable>false</haenable><zoneid>75d61334-ff70-49c3-99ed-3af702cd=
51d7</zoneid><zonename>BLR1</zonename><templateid>e65cdfa0-c019-11e3-907f-4=
adf980f9414</templateid><templatename>CentOS 5.3(64-bit) no GUI (Simulator)=
</templatename><templatedisplaytext>CentOS 5.3(64-bit) no GUI (Simulator)</=
templatedisplaytext><passwordenabled>false</passwordenabled><serviceofferin=
gid>49dee9f8-a49a-414d-b8b2-b0d59b5981f0</serviceofferingid><serviceofferin=
gname>Small Instance</serviceofferingname><cpunumber>1</cpunumber><cpuspeed=
>100</cpuspeed><memory>128</memory><cpuused>10%</cpuused><networkkbsread>10=
190848</networkkbsread><networkkbswrite>5095424</networkkbswrite><guestosid=
>e5eba5c4-c019-11e3-907f-4adf980f9414</guestosid><rootdeviceid>0</rootdevic=
eid><rootdevicetype>ROOT</rootdevicetype><nic><id>b58c4f55-ed7d-4c1c-922b-6=
e2aecad642c</id><networkid>ee8c3501-10e5-4247-b5b4-6e261dde56b1</networkid>=
<networkname>testD1B-TestVMList-CB23CT-network</networkname><netmask>255.25=
5.255.0</netmask><gateway>10.1.1.1</gateway><ipaddress>10.1.1.252</ipaddres=
s><isolationuri>vlan://1697</isolationuri><broadcasturi>vlan://1697</broadc=
asturi><traffictype>Guest</traffictype><type>Isolated</type><isdefault>true=
</isdefault><macaddress>02:00:17:50:00:01</macaddress></nic><hypervisor>Sim=
ulator</hypervisor><isdynamicallyscalable>false</isdynamicallyscalable><ost=
ypeid>11</ostypeid></virtualmachine><virtualmachine><id>2a729bb9-8597-4a07-=
8259-fdcc1ef328ff</id><name>d1a</name><displayname>d1a</displayname><accoun=
t>testD1A-TestVMList-VAZC6S</account><domainid>dc4bf103-27bf-4292-99aa-dc91=
fa23ee04</domainid><domain>D1-NN5QWT</domain><created>2014-04-10T09:01:27-0=
400</created><state>Running</state><haenable>false</haenable><zoneid>75d613=
34-ff70-49c3-99ed-3af702cd51d7</zoneid><zonename>BLR1</zonename><templateid=
>e65cdfa0-c019-11e3-907f-4adf980f9414</templateid><templatename>CentOS 5.3(=
64-bit) no GUI (Simulator)</templatename><templatedisplaytext>CentOS 5.3(64=
-bit) no GUI (Simulator)</templatedisplaytext><passwordenabled>false</passw=
ordenabled><serviceofferingid>49dee9f8-a49a-414d-b8b2-b0d59b5981f0</service=
offeringid><serviceofferingname>Small Instance</serviceofferingname><cpunum=
ber>1</cpunumber><cpuspeed>100</cpuspeed><memory>128</memory><cpuused>10%</=
cpuused><networkkbsread>10190848</networkkbsread><networkkbswrite>5095424</=
networkkbswrite><guestosid>e5eba5c4-c019-11e3-907f-4adf980f9414</guestosid>=
<rootdeviceid>0</rootdeviceid><rootdevicetype>ROOT</rootdevicetype><nic><id=
>61ce424c-a7c0-4543-a748-97184a86716a</id><networkid>8a3ac0bc-2192-48d9-893=
4-18a6aeec6a0a</networkid><networkname>testD1A-TestVMList-VAZC6S-network</n=
etworkname><netmask>255.255.255.0</netmask><gateway>10.1.1.1</gateway><ipad=
dress>10.1.1.27</ipaddress><isolationuri>vlan://3450</isolationuri><broadca=
sturi>vlan://3450</broadcasturi><traffictype>Guest</traffictype><type>Isola=
ted</type><isdefault>true</isdefault><macaddress>02:00:49:c4:00:01</macaddr=
ess></nic><hypervisor>Simulator</hypervisor><isdynamicallyscalable>false</i=
sdynamicallyscalable><ostypeid>11</ostypeid></virtualmachine><virtualmachin=
e><id>e520b97e-13be-4c6a-993c-3b581524e247</id><name>d1</name><displayname>=
d1</displayname><account>testD1-TestVMList-3VK254</account><domainid>dc4bf1=
03-27bf-4292-99aa-dc91fa2 ....



--
This message was sent by Atlassian JIRA
(v6.2#6252)