cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
Date Thu, 01 May 2014 06:37:15 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986401#comment-13986401 ]

ASF subversion and git services commented on CLOUDSTACK-6517:
-------------------------------------------------------------

Commit c32b7ab7c8e73a3422ff31d754c28c8997a9a84c in cloudstack's branch refs/heads/4.4 from [~prachidamle]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=c32b7ab ]

CLOUDSTACK-6517: IAM - Admin is allowed to create PortFowarding rule for a regular user, when
admin does not have " UseEntry" permission for IpAddress.

Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he got Use access as well. So even if IAM schema did not have 'UseEntry' permission for IpAddress, some other 'OperateEntry' permission on IpAddress was letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAM will perform strict accessType check only.
- This fix is needed so that admin does not get permission to USE resources from other account just because he has OPERATE access on those resources due to some other APIs.

- However, due to this fix, we break backwards compatibility with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing in networkId of the user.
- Same was the case for domain admins within their domains.
- Why this worked was due to CS 4.3 simply returning true for root admin/domain admin.

- So to maintain backwards compatibility, we are adding the logic to return "true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM even for root admin/domain admin, since that's what CS 4.3 did. Just for these 3 resource_types, it used to perform access checks even for root admin/domain admin.


> IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6517
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
> Steps to reproduce the problem:
> As regular user, on a network he owns, acquire an ip address.
> As admin, try to create a PF rule on this ip address without passing account and domainId.
> Creating PF rule succeeds.
> Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this api call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> Admin should be allowed to do this only when the account and domainId of the regular user are passed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
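
The ordered versus strict access-type check described in the commit message, as an added Python model that is not CloudStack's own Java code. The numeric ranking, the function names and the third policy row are assumptions made for illustration; the first two rows mirror the IpAddress rows quoted in the issue.

```python
from enum import IntEnum
from typing import NamedTuple

class AccessType(IntEnum):
    # Ranking is an assumption; the page only states that Operate implied Use.
    ListEntry = 1
    UseEntry = 2
    OperateEntry = 3

class Perm(NamedTuple):
    action: str
    resource_type: str
    scope: str               # "ALL", or "ACCOUNT" (caller's own account only)
    access_type: AccessType

# Constructed sample policy for the admin. Rows 1 and 2 mirror the quoted
# iam_policy_permission rows; row 3 is a hypothetical stand-in for the "some
# other OperateEntry permission" the commit message mentions.
ADMIN_POLICY = [
    Perm("listPublicIpAddresses", "IpAddress", "ALL", AccessType.ListEntry),
    Perm("listPublicIpAddresses", "IpAddress", "ACCOUNT", AccessType.UseEntry),
    Perm("hypotheticalOperateApi", "IpAddress", "ALL", AccessType.OperateEntry),
]

# Resource types that still go through IAM for admins (names as on the page).
ALWAYS_CHECKED = {"Network", "AffinityGroup", "Templates"}

def iam_allows(policy, resource_type, wanted, same_account, ordered):
    """Return True if any permission row grants `wanted` on the resource."""
    for p in policy:
        if p.resource_type != resource_type:
            continue
        if p.scope == "ACCOUNT" and not same_account:
            continue  # ACCOUNT-scoped rows never cover another account's entity
        if ordered:
            granted = p.access_type >= wanted  # pre-fix: higher type implies lower
        else:
            granted = p.access_type == wanted  # post-fix: strict match only
        if granted:
            return True
    return False

def check_access(policy, resource_type, wanted, same_account, is_admin):
    """Post-fix flow: 4.3-style admin shortcut, otherwise strict IAM check."""
    if is_admin and resource_type not in ALWAYS_CHECKED:
        return True
    return iam_allows(policy, resource_type, wanted, same_account, ordered=False)
```

With strict matching the OperateEntry row no longer satisfies a UseEntry request, while the admin shortcut in check_access still returns true for IpAddress and skips IAM, as the commit message describes for 4.3 compatibility.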
