cloudstack-issues mailing list archives

From "Sangeetha Hariharan (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (CLOUDSTACK-6569) IAM - Regular user is able to listNetworks of another user in the same domain, by passing account and domainId.
Date Thu, 12 Jun 2014 21:19:05 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sangeetha Hariharan closed CLOUDSTACK-6569.
-------------------------------------------


Tested with latest build from 4.4-forward (after IAM revert)

Regular user is not allowed to list network of other accounts in the same domain:

2014-06-12 10:28:52,820 INFO  [a.c.c.a.ApiServer] (catalina-exec-5:ctx-08e8e4b8 ctx-ec14d52d) (userId=7 accountId=7 sessionId=05A235CFC99FACA027D130666C218B1C) 10.216.50.29 -- GET command=listNetworks&response=json&sessionkey=ZILTwOXY%2BZYac8MZdC%2BthwzVpHE%3D&listAll=true&page=1&pagesize=20&account=d1-san&domainid=a35f9e43-1707-4ea8-b776-e6e4e75b8fff
531 Acct[9489582f-092e-44a4-bc97-5ab7c0a3d30b-d1-san2] does not have permission to operate with resource Acct[f83f6755-7c50-4557-8cbc-5d0b9410f4fe-d1-san]


> IAM - Regular user is able to listNetworks of another user in the same domain, by passing account and domainId.
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6569
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6569
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> Regular user is able to listNetworks of another user in the same domain, by passing account and domainId.
> Domain - d1.
> 3 users in this domain, testd1 - domainadmin, testd1a and testd1b regular users.
> Each of the users has 1 isolated network.
>  
> As testd1a, tried to list network of testd1b by passing account and domainId. ListNetwork returns testd1b's isolated network.
> 2014-05-02 10:21:29,090 INFO  [a.c.c.a.ApiServer] (catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) (userId=4 accountId=4 sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET command=listNetworks&response=json&sessionkey=vHQRHlttApujok8Jf73KKKww5XM%3D&listAll=true&page=1&pagesize=20&domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43e&response=json&account=testD1B-TestNetworkList-KOGK49
200 { "listnetworksresponse" : { "count":4 ,"network" : [  {"id":"53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca","name":"testD1B-TestNetworkList-KOGK49-network","displaytext":"testD1B-TestNetworkList-KOGK49-network","broadcastdomaintype":"Vlan","traffictype":"Guest","gateway":"10.1.1.1","netmask":"255.255.255.0","cidr":"10.1.1.0/24","zoneid":"b690dddf-5755-49ab-8a4d-0aff04fa39f7","zonename":"BLR1","networkofferingid":"fc25eb7b-d884-4cc3-acbb-a321817a3567","networkofferingname":"DefaultIsolatedNetworkOfferingWithSourceNatService","networkofferingdisplaytext":"Offering
for Isolated networks with Source Nat service enabled","networkofferingconservemode":true,"networkofferingavailability":"Required","issystem":false,"state":"Implemented","related":"53a9ddfa-ab63-4f87-bdd0-e368e7fd11ca","dns1":"4.2.2.2","type":"Isolated","acltype":"Account","account":"testD1B-TestNetworkList-KOGK49","domainid":"3abd56e8-97da-40f9-b6f5-33fd5b28b43e","domain":"D1-R549ZO","service":[{"name":"PortForwarding"},{"name":"UserData"},{"name":"Firewall","capability":[{"name":"MultipleIps","value":"true","canchooseservicecapability":false},{"name":"SupportedEgressProtocols","value":"tcp,udp,icmp,
all","canchooseservicecapability":false},{"name":"SupportedProtocols","value":"tcp,udp,icmp","canchooseservicecapability":false},{"name":"SupportedTrafficDirection","value":"ingress,
egress","canchooseservicecapability":false},{"name":"TrafficStatistics","value":"per public
ip","canchooseservicecapability":false}]},{"name":"Lb","capability":[{"name":"AutoScaleCounters","value":"[{\"methodname\":\"cpu\",\"paramlist\":[]},{\"methodname\":\"memory\",\"paramlist\":[]}]","canchooseservicecapability":false},{"name":"SupportedLBIsolation","value":"dedicated","canchooseservicecapability":false},{"name":"SupportedLbAlgorithms","value":"roundrobin,leastconn,source","canchooseservicecapability":false},{"name":"LbSchemes","value":"Public","canchooseservicecapability":false},{"name":"SupportedProtocols","value":"tcp,
udp","canchooseservicecapability":false},{"name":"SupportedStickinessMethods","value":"[{\"methodname\":\"LbCookie\",\"paramlist\":[{\"paramname\":\"cookie-name\",\"required\":false,\"isflag\":false,\"description\":\"
\"},{\"paramname\":\"mode\",\"required\":false,\"isflag\":false,\"description\":\" \"},{\"paramname\":\"nocache\",\"required\":false,\"isflag\":true,\"description\":\"
\"},{\"paramname\":\"indirect\",\"required\":false,\"isflag\":true,\"description\":\" \"},{\"paramname\":\"postonly\",\"required\":false,\"isflag\":true,\"description\":\"
\"},{\"paramname\":\"domain\",\"required\":false,\"isflag\":false,\"description\":\" \"}],\"description\":\"This
is loadbalancer cookie based stickiness method.\"},{\"methodname\":\"AppCookie\",\"paramlist\":[{\"paramname\":\"cookie-name\",\"required\":false,\"isflag\":false,\"description\":\"
\"},{\"paramname\":\"length\",\"required\":false,\"isflag\":false,\"description\":\" \"},{\"paramname\":\"holdtime\",\"required\":false,\"isflag\":false,\"description\":\"
\"},{\"paramname\":\"request-learn\",\"required\":false,\"isflag\":true,\"description\":\"
\"},{\"paramname\":\"prefix\",\"required\":false,\"isflag\":true,\"description\":\" \"},{\"paramname\":\"mode\",\"required\":false,\"isflag\":false,\"description\":\"
\"}],\"description\":\"This is App session based sticky method. Define session stickiness
on an existing application cookie. It can be used only for a specific http traffic\"},{\"methodname\":\"SourceBased\",\"paramlist\":[{\"paramname\":\"tablesize\",\"required\":false,\"isflag\":false,\"description\":\"
\"},{\"paramname\":\"expire\",\"required\":false,\"isflag\":false,\"description\":\" \"}],\"description\":\"This
is source based Stickiness method, it can be used for any type of protocol.\"}]","canchooseservicecapability":false}]},{"name":"Dhcp","capability":[{"name":"DhcpAccrossMultipleSubnets","value":"true","canchooseservicecapability":false}]},{"name":"Dns","capability":[{"name":"AllowDnsSuffixModification","value":"true","canchooseservicecapability":false}]},{"name":"StaticNat"},{"name":"Vpn","capability":[{"name":"VpnTypes","value":"removeaccessvpn","canchooseservicecapability":false},{"name":"SupportedVpnTypes","value":"pptp,l2tp,ipsec","canchooseservicecapability":false}]},{"name":"SourceNat","capability":[{"name":"SupportedSourceNatTypes","value":"peraccount","canchooses
>  
>  
>  
> mysql> select * from account;
> +----+----------------------------------+--------------------------------------+------+-----------+---------+---------+----------------+----------------+-----------------+---------+
> | id | account_name                     | uuid                                 | type | domain_id | state   | removed | cleanup_needed | network_domain | default_zone_id | default |
> +----+----------------------------------+--------------------------------------+------+-----------+---------+---------+----------------+----------------+-----------------+---------+
> |  1 | system                           | 2c320fc2-d1eb-11e3-907f-4adf980f9414 |    1 |         1 | enabled | NULL    |              0 | NULL           |            NULL |       1 |
> |  2 | admin                            | 2c324dfc-d1eb-11e3-907f-4adf980f9414 |    1 |         1 | enabled | NULL    |              0 | NULL           |            NULL |       1 |
> |  3 | testD1-TestNetworkList-0SNBP5    | 53144728-76db-427a-ab96-5a6901e31a5e |    2 |         2 | enabled | NULL    |              0 | NULL           |            NULL |       0 |
> |  4 | testD1A-TestNetworkList-0Y3W33   | 196cc54c-4f4f-4bff-91ee-e084395eb388 |    0 |         2 | enabled | NULL    |              0 | NULL           |            NULL |       0 |
> |  5 | testD1B-TestNetworkList-KOGK49   | 52d34195-f6be-482d-b8cb-effaf9d3bcc4 |    0 |         2 | enabled | NULL    |              0 | NULL           |            NULL |       0 |
>  
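The authorization rule the closing comment demonstrates (a regular user's listNetworks call that names another account via account=/domainid= is denied with 531, whereas the reporter's run on the affected build returned 200) can be expressed as a check and run over API logs. The Python below is an added example and not CloudStack code: it models the expected rule over the account rows quoted in the report and scans constructed ApiServer-style log lines for listNetworks calls that returned 200 for an account the caller should not be able to read. The type constants, the Account and Finding classes, the log regular expression and the sample log lines are assumptions made for this example; the sub-domain hierarchy that a real domain admin check would walk is ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs

# Values of the `type` column in the account table quoted in the report:
# 1 for system/admin, 2 for the domain admin, 0 for the two regular users.
# The constant names are an assumption for this example.
REGULAR_USER, ROOT_ADMIN, DOMAIN_ADMIN = 0, 1, 2


@dataclass(frozen=True)
class Account:
    id: int
    name: str
    type: int
    domain_id: int


# Constructed account table mirroring the rows quoted in the issue (uuids dropped).
ACCOUNTS: Dict[int, Account] = {
    1: Account(1, "system", ROOT_ADMIN, 1),
    2: Account(2, "admin", ROOT_ADMIN, 1),
    3: Account(3, "testD1-TestNetworkList-0SNBP5", DOMAIN_ADMIN, 2),
    4: Account(4, "testD1A-TestNetworkList-0Y3W33", REGULAR_USER, 2),
    5: Account(5, "testD1B-TestNetworkList-KOGK49", REGULAR_USER, 2),
}
BY_NAME: Dict[str, Account] = {a.name.lower(): a for a in ACCOUNTS.values()}


def may_list_networks_of(caller: Account, target: Account) -> bool:
    """Expected rule: another account's networks are visible only to a root admin
    or to a domain admin of that account's domain. A regular user naming someone
    else via account=/domainid= is denied (the 531 in the closing comment).
    Sub-domains are ignored in this simplified model."""
    if caller.id == target.id or caller.type == ROOT_ADMIN:
        return True
    if caller.type == DOMAIN_ADMIN:
        return caller.domain_id == target.domain_id
    return False


# Shape of the ApiServer INFO lines in the report, with the HTTP status that
# follows the query string. Group names are ours.
LOG_RE = re.compile(
    r"\(userId=(?P<user>\d+) accountId=(?P<acct>\d+) sessionId=\w+\) "
    r"(?P<ip>\S+) -- (?P<method>GET|POST) (?P<qs>\S+) (?P<status>\d{3})"
)


@dataclass(frozen=True)
class Finding:
    caller: str
    target: str
    ip: str


def scan_listnetworks(lines: List[str]) -> List[Finding]:
    """Flag listNetworks calls that succeeded (200) for an account the caller
    should not be allowed to read. Denied calls and calls that pass no
    explicit account= are not findings."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        params = parse_qs(m.group("qs"), keep_blank_values=True)
        if params.get("command", [""])[0].lower() != "listnetworks":
            continue
        target_name = params.get("account", [None])[0]
        caller = ACCOUNTS.get(int(m.group("acct")))
        if target_name is None or caller is None:
            continue
        target = BY_NAME.get(target_name.lower())
        if target is None:
            continue
        if m.group("status") == "200" and not may_list_networks_of(caller, target):
            findings.append(Finding(caller.name, target.name, m.group("ip")))
    return findings


# Constructed sample lines (single lines, as the management server writes them).
SAMPLE_LOG = [
    # regular user testD1A reads testD1B's networks and gets 200: the reported bug
    "2014-05-02 10:21:29,090 INFO  [a.c.c.a.ApiServer] (catalina-exec-15:ctx-bbcf35b4 ctx-f1b42d4e) "
    "(userId=4 accountId=4 sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET "
    "command=listNetworks&response=json&listAll=true&account=testD1B-TestNetworkList-KOGK49"
    "&domainid=3abd56e8-97da-40f9-b6f5-33fd5b28b43e 200 { \"listnetworksresponse\" : { \"count\":1 } }",
    # same request on the fixed build: denied with 531, nothing to flag
    "2014-06-12 10:28:52,820 INFO  [a.c.c.a.ApiServer] (catalina-exec-5:ctx-08e8e4b8 ctx-ec14d52d) "
    "(userId=4 accountId=4 sessionId=AE73B9C62BB908DE5DE16655DAD0CB75) 10.215.2.8 -- GET "
    "command=listNetworks&response=json&listAll=true&account=testD1B-TestNetworkList-KOGK49 531 "
    "Acct[placeholder-d1a] does not have permission to operate with resource Acct[placeholder-d1b]",
    # domain admin of domain 2 listing a member account: allowed
    "2014-05-02 10:22:00,000 INFO  [a.c.c.a.ApiServer] (catalina-exec-16:ctx-aaaaaaaa ctx-bbbbbbbb) "
    "(userId=3 accountId=3 sessionId=DEADBEEF) 10.215.2.9 -- GET "
    "command=listNetworks&response=json&account=testD1B-TestNetworkList-KOGK49 200 { \"listnetworksresponse\" : { \"count\":1 } }",
    # regular user listing only its own resources: allowed
    "2014-05-02 10:23:00,000 INFO  [a.c.c.a.ApiServer] (catalina-exec-17:ctx-cccccccc ctx-dddddddd) "
    "(userId=5 accountId=5 sessionId=CAFEBABE) 10.215.2.10 -- GET "
    "command=listNetworks&response=json&listAll=true 200 { \"listnetworksresponse\" : { \"count\":1 } }",
]

if __name__ == "__main__":
    for f in scan_listnetworks(SAMPLE_LOG):
        print(f"cross-account listNetworks succeeded: {f.caller} -> {f.target} from {f.ip}")
```

Only the first sample line produces a finding; the 531 line is the post-revert behaviour the closing comment shows, and the domain-admin and self-listing lines are legitimate. The same rule can be applied as a regression test against a management server: the test passes when a regular user's listNetworks with a foreign account= is answered with an error rather than a 200 that carries another account's network.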



--
This message was sent by Atlassian JIRA
(v6.2#6252)
