cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6560) IAM - Admin user is denied permission to create Egress rule for a user's network
Date Thu, 01 May 2014 23:10:14 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13987149#comment-13987149 ]

ASF subversion and git services commented on CLOUDSTACK-6560:
-------------------------------------------------------------

Commit 2e5b5291574417e31b4e81a6cc170e77a0cd7f65 in cloudstack's branch refs/heads/4.4-forward
from [~prachidamle]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2e5b529 ]

CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's
network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular
users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API
that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and
regular users when this access is specified. Root Admin is granted access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users
still go through IAM.


> IAM - Admin user is denied permission to create Egress rule for a user's network
> --------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6560
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6560
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>            Reporter: Prachi Damle
>            Assignee: Prachi Damle
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> Steps to reproduce:
> - Setup Advance Zone
> - Create a regular user 
> - Login as the user and create an isolated network or deploy a VM that will create a network
> - Logout
> - Login as an Admin and list the user's network
> - Try to create Egress Firewall Rule on this network
> - Admin is denied permission



--
This message was sent by Atlassian JIRA
(v6.2#6252)
