Date: Fri, 2 May 2014 18:21:16 +0000 (UTC)
From: "Min Chen (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Resolved] (CLOUDSTACK-6535) IAM:MS:API createVMSnapshot doesn't preserve access rights

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Min Chen resolved CLOUDSTACK-6535.
----------------------------------
    Resolution: Fixed

> IAM:MS:API createVMSnapshot doesn't preserve access rights
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-6535
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6535
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API, IAM
>    Affects Versions: 4.4.0
>         Environment: 4.4
>            Reporter: Parth Jagirdar
>            Assignee: Min Chen
>            Priority: Critical
>         Attachments: apilog.log.bz2, db_dump.sql.bz2, management-server.log.bz2
>
>
> As domain Admin or as regular user; one can create a snapshot of a VM owned by other users. (Create Snapshot succeeds across Domains as well).
> Please refer to API and MS logs.
> DB Dump is attached.
> 2014-04-29 15:32:38,316 INFO [a.c.c.a.ApiServer] (catalina-exec-19:ctx-baaf5fbe ctx-d89f1942) (userId=9
> accountId=9 sessionId=13E9CF7AD4BB55EE9EDF2920D6E62915) 10.215.2.19 -- GET command=createVMSnapshot&vir
> tualmachineid=219d649d-b6fc-475e-ab0f-8800a7f95235&response=json&sessionkey=p1pPn2KtylzYt92NSHuE2u4G68w%
> 3D 200 { "createvmsnapshotresponse" : {"id":"8","jobid":"fa37d77f-28b0-485b-af81-834a07ed6e4e"} }
> 2014-04-29 15:32:40,306 INFO [a.c.c.a.ApiServer] (catalina-exec-25:ctx-114bb10a ctx-d396131c) (userId=2
> accountId=2 sessionId=5EC896B528FB6DB972CE5B02A277047B) 10.215.2.19 -- GET command=listVirtualMachines&
> response=json&sessionkey=e1WRj6SbsZEClPvlCdLP9f3MhYI%3D&listAll=true&page=1&pagesize=20&_=1398810759989
> 200 { "listvirtualmachinesresponse" : { "count":6 ,"virtualmachine" : [ {"id":"cea5fc51-6a31-4209-b26f-
> 9097c9d17011","name":"d2-vm","displayname":"d2-vm","account":"d2","domainid":"0af12b69-67f4-454a-9eb6-f2
> bef02aba0b","domain":"d2","created":"2014-04-28T10:21:08-0700","state":"Running","haenable":false,"zonei
> d":"6933ac3e-29fe-4170-8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15"
> ,"hostname":"10.223.58.68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.
> 3(64-bit) no GUI (vSphere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled
> ":false,"serviceofferingid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance
> ","cpunumber":1,"cpuspeed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"gues
> tosid":"54a23660-bf4b-11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[
> ],"nic":[{"id":"cae4f3d2-1598-4aa0-98b9-669a4c7de6ae","networkid":"f417c31a-e19f-45db-9180-87f17a195bf0"
> ,"networkname":"d2-net","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.151","isolati
> onuri":"vlan://2342","broadcasturi":"vlan://2342","traffictype":"Guest","type":"Isolated","isdefault":tr
> ue,"macaddress":"02:00:41:11:00:01"}],"hypervisor":"VMware","publicipid":"a6866b38-e8dd-4deb-965f-c09931
> d183fe","publicip":"10.223.138.11","instancename":"i-10-32-VM","tags":[],"affinitygroup":[],"displayvm":
> true,"isdynamicallyscalable":false,"ostypeid":12}, {"id":"e887d23a-fac0-4397-adb9-edfbf2169453","name":"
> d1-vm","displayname":"d1-vm","account":"d1","domainid":"90a8c572-3f92-420b-9176-5daafa9853da","domain":"
> d1","created":"2014-04-28T10:20:39-0700","state":"Running","haenable":false,"zoneid":"6933ac3e-29fe-4170
> -8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15","hostname":"10.223.58
> .68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.3(64-bit) no GUI (vSph
> ere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled":false,"serviceofferi
> ngid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance","cpunumber":1,"cpusp
> eed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"guestosid":"54a23660-bf4b-
> 11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[],"nic":[{"id":"5c410c
> a5-5151-48d8-8de7-4fc674bd597a","networkid":"2a7d1254-3120-42f5-b8b9-dd64485cfed4","networkname":"d1-net
> ","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.184","isolationuri":"vlan://2268","
> mysql> select * from iam_group_account_map where removed is NULL order by group_id;
> +----+----------+------------+---------+---------------------+
> | id | group_id | account_id | removed | created             |
> +----+----------+------------+---------+---------------------+
> | 43 |        1 |         23 | NULL    | 2014-04-14 23:18:40 |
> | 45 |        1 |         24 | NULL    | 2014-04-17 22:23:41 |
> | 41 |        1 |         22 | NULL    | 2014-04-14 23:18:24 |
> | 39 |        1 |         21 | NULL    | 2014-04-14 23:17:59 |
> | 37 |        1 |         20 | NULL    | 2014-04-14 23:17:40 |
> |  2 |        2 |          2 | NULL    | 2014-04-08 18:29:34 |
> |  1 |        2 |          1 | NULL    | 2014-04-08 18:29:34 |
> | 17 |        3 |         10 | NULL    | 2014-04-10 21:50:18 |
> | 15 |        3 |          9 | NULL    | 2014-04-10 21:49:18 |
> | 16 |        7 |          9 | NULL    | 2014-04-10 21:49:18 |
> | 46 |        7 |         24 | NULL    | 2014-04-17 22:23:41 |
> | 18 |        8 |         10 | NULL    | 2014-04-10 21:50:18 |
> | 38 |        9 |         20 | NULL    | 2014-04-14 23:17:40 |
> | 40 |       10 |         21 | NULL    | 2014-04-14 23:17:59 |
> | 42 |       11 |         22 | NULL    | 2014-04-14 23:18:24 |
> | 44 |       12 |         23 | NULL    | 2014-04-14 23:18:40 |
> | 47 |       13 |          1 | NULL    | 2014-04-23 18:56:28 |
> | 48 |       13 |          2 | NULL    | 2014-04-23 18:56:28 |
> +----+----------+------------+---------+---------------------+
> 18 rows in set (0.00 sec)
> mysql> select * from iam_group_policy_map;
> +----+----------+-----------+---------+---------------------+
> | id | group_id | policy_id | removed | created             |
> +----+----------+-----------+---------+---------------------+
> |  1 |        1 |         1 | NULL    | 2014-04-08 11:27:45 |
> |  2 |        2 |         2 | NULL    | 2014-04-08 11:27:45 |
> |  3 |        3 |         3 | NULL    | 2014-04-08 11:27:45 |
> |  4 |        4 |         4 | NULL    | 2014-04-08 11:27:45 |
> |  5 |        5 |         5 | NULL    | 2014-04-08 11:27:45 |
> +----+----------+-----------+---------+---------------------+
> 5 rows in set (0.00 sec)
> mysql> select * from iam_policy_permission where action = "createVMSnapshot";
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action           | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 4377 |         2 | createVMSnapshot | VMSnapshot    |       -1 | ALL     | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4378 |         4 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4379 |         3 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4380 |         1 | createVMSnapshot | VMSnapshot    |       -1 | ACCOUNT | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:13 |
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> 4 rows in set (0.00 sec)

--
This message was sent by Atlassian JIRA (v6.2#6252)
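
Added example, not part of the JIRA message and not CloudStack code: it resolves the createVMSnapshot scope an account receives through the three tables quoted in the report and checks that scope against the owner of the target VM. The account-to-domain map and the VM ownership data are constructed for illustration, and reading scope_id -1 as "the caller's own account or domain" is an assumption.

```python
# Rows copied from the mysql output quoted in the report.
GROUP_ACCOUNT = [(1, 23), (1, 24), (1, 22), (1, 21), (1, 20), (2, 2), (2, 1),
                 (3, 10), (3, 9), (7, 9), (7, 24), (8, 10), (9, 20), (10, 21),
                 (11, 22), (12, 23), (13, 1), (13, 2)]   # (group_id, account_id)
GROUP_POLICY = [(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]  # (group_id, policy_id)
SNAPSHOT_SCOPE = {2: "ALL", 4: "DOMAIN", 3: "DOMAIN", 1: "ACCOUNT"}  # policy_id -> scope

# Constructed sample data (not from the report): account domains and VM owners.
ACCOUNT_DOMAIN = {2: "ROOT", 9: "d1", 20: "d1", 21: "d2"}
VM_OWNER = {"vm-a": 20, "vm-b": 21, "vm-c": 9}           # vm id -> owner account

RANK = {"ACCOUNT": 0, "DOMAIN": 1, "ALL": 2}


def granted_scope(account_id):
    """Widest createVMSnapshot scope reachable via account -> group -> policy."""
    groups = {g for g, a in GROUP_ACCOUNT if a == account_id}
    policies = {p for g, p in GROUP_POLICY if g in groups}
    scopes = [SNAPSHOT_SCOPE[p] for p in policies if p in SNAPSHOT_SCOPE]
    return max(scopes, key=RANK.__getitem__, default=None)


def can_snapshot(caller_id, vm_id):
    """Apply the caller's grant to the owner of the VM being snapshotted."""
    scope = granted_scope(caller_id)
    owner = VM_OWNER.get(vm_id)
    if scope is None or owner is None:
        return False                      # no grant or unknown VM: deny by default
    if scope == "ALL":
        return True
    if scope == "DOMAIN":
        # Assumption: scope_id -1 means the caller's own domain; recursive = 0,
        # so child domains are not considered.
        return ACCOUNT_DOMAIN[owner] == ACCOUNT_DOMAIN[caller_id]
    return owner == caller_id             # ACCOUNT scope: own resources only
```

With these tables, accountId=9 from the first log entry resolves to DOMAIN scope, so a request against a VM owned in another domain is denied.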