cloudstack-issues mailing list archives

From "Alena Prokharchyk (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-7296) listUsers doesn't respect CS API convention for list commands - when listAll has to be passed in to list other accounts resources
Date Fri, 08 Aug 2014 19:57:14 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-7296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alena Prokharchyk resolved CLOUDSTACK-7296.
-------------------------------------------

    Resolution: Fixed

Fixed with commit 6d1482b97bfa9876a076c2e7a9e1fd4236d9c738

> listUsers doesn't respect CS API convention for list commands - when listAll has to be passed in to list other accounts resources
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7296
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7296
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.5.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.5.0
>
>
> All list* commands in CS are supposed to follow these rules:
> 1) When no parameters are passed in to the call, the caller sees only HIS resources (even when the caller is the admin). This is the main difference from how it used to work before - before, the admin was seeing everyone else's resources by default.
> 2) When accountName/domainId are passed in, the caller sees the resources dedicated to the account specified.
>  
> * If the call is executed by a regular user, he is authorized to specify only his own account/domainId.
> * If the caller is a domain admin, we perform an authorization check to see if the caller can see the account/domainId resources.
> 3) When projectId is passed in, only resources belonging to that project are listed.
> 4) When domainId is passed in, we return only resources belonging to the domain specified. To see the resources of subdomains, the isRecursive=true parameter has to be specified. Again, a regular user can see only his own resources, the Root admin can list anything, and a domain admin is authorized to see only the resources of his domain and subdomains.
> 5) To see all resources the caller is authorized to see, except for Project resources, the listAll=true parameter has to be passed in.
> 6) To see all Project resources the caller is authorized to see, projectId=-1 has to be passed in.
> In the case of the listUsers command, #1 and #5 weren't respected. Basically the admin could see all the users from other accounts w/o passing listAll=true.
> The CS UI doesn't need any fixes, because it is already automatically appending listAll=true to the call.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
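The six scoping rules quoted in the issue, written out as an added example that is not CloudStack's own code. It models listUsers over a constructed directory of domains, accounts and users (an assumption, not real data), uses the domain path as the domainId instead of a UUID, and stands in for project membership with the account-level authorization check. The `list_users_before_fix` wrapper reproduces the pre-fix behaviour the issue describes (an admin with no parameters saw every user) so it can be contrasted with the convention-following default of the caller's own account.

```python
"""Model of the CloudStack list* scoping rules from CLOUDSTACK-7296.
Added example, not CloudStack code; directory below is constructed."""
from dataclasses import dataclass
from typing import Optional

ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"


@dataclass(frozen=True)
class Account:
    name: str
    domain: str                    # domain path, used here as the domainId
    role: str
    project: Optional[str] = None  # set on the account owning a project's resources


# Constructed sample directory (assumption; not from any real deployment).
DOMAIN_PARENT = {"ROOT": None, "ROOT/eng": "ROOT",
                 "ROOT/eng/web": "ROOT/eng", "ROOT/sales": "ROOT"}
ACCOUNTS = {a.name: a for a in (
    Account("admin", "ROOT", ROOT_ADMIN),
    Account("eng-admin", "ROOT/eng", DOMAIN_ADMIN),
    Account("alice", "ROOT/eng", USER),
    Account("bob", "ROOT/eng/web", USER),
    Account("carol", "ROOT/sales", USER),
    Account("PrjAcct-ci", "ROOT/eng", USER, project="ci"),
)}
USERS = {  # user name -> owning account
    "admin": "admin", "eng-admin": "eng-admin", "alice": "alice",
    "alice2": "alice", "bob": "bob", "carol": "carol", "ci-bot": "PrjAcct-ci",
}


def in_domain(domain, ancestor: str, recursive: bool) -> bool:
    """True if `domain` is `ancestor` or, when recursive, lies beneath it."""
    while domain is not None:
        if domain == ancestor:
            return True
        if not recursive:
            return False
        domain = DOMAIN_PARENT[domain]
    return False


def can_see(caller: Account, target: Account) -> bool:
    """Root sees everything, a domain admin his domain tree, a user only himself."""
    if caller.role == ROOT_ADMIN:
        return True
    if caller.role == DOMAIN_ADMIN:
        return in_domain(target.domain, caller.domain, recursive=True)
    return target.name == caller.name


def users_of(accounts) -> set:
    names = {a.name for a in accounts}
    return {u for u, acct in USERS.items() if acct in names}


def list_users(caller_name: str, *, list_all=False, account_name=None,
               domain_id=None, project_id=None, is_recursive=False) -> set:
    """Resolve the user names visible to the caller under rules 1-6."""
    caller = ACCOUNTS[caller_name]
    everyone = list(ACCOUNTS.values())

    if project_id is not None:                         # rules 3 and 6
        if project_id == -1:
            return users_of(a for a in everyone if a.project and can_see(caller, a))
        chosen = [a for a in everyone if a.project == project_id]
        if not all(can_see(caller, a) for a in chosen):
            raise PermissionError(f"{caller_name} may not list project {project_id}")
        return users_of(chosen)

    non_project = [a for a in everyone if a.project is None]

    if account_name is not None:                       # rule 2
        target = ACCOUNTS[account_name]
        if domain_id is not None and target.domain != domain_id:
            raise LookupError(f"account {account_name} not in domain {domain_id}")
        if not can_see(caller, target):
            raise PermissionError(f"{caller_name} may not list account {account_name}")
        return users_of([target])

    if domain_id is not None:                          # rule 4
        allowed = (caller.role == ROOT_ADMIN
                   or (caller.role == DOMAIN_ADMIN
                       and in_domain(domain_id, caller.domain, True))
                   or domain_id == caller.domain)      # a user may name only his own domain
        if not allowed:
            raise PermissionError(f"{caller_name} may not list domain {domain_id}")
        return users_of(a for a in non_project
                        if in_domain(a.domain, domain_id, is_recursive) and can_see(caller, a))

    if list_all:                                       # rule 5
        return users_of(a for a in non_project if can_see(caller, a))

    return users_of([caller])                          # rule 1: own account, even for admins


def list_users_before_fix(caller_name: str, **params) -> set:
    """Pre-fix listUsers: an admin with no parameters got everything he could see."""
    if not params and ACCOUNTS[caller_name].role != USER:
        return list_users(caller_name, list_all=True)
    return list_users(caller_name, **params)


def denied(caller_name: str, **params) -> bool:
    """True if the call is rejected by the authorization check."""
    try:
        list_users(caller_name, **params)
    except PermissionError:
        return True
    return False
```

The point of the fix is the last line of `list_users`: the default branch returns the caller's own account regardless of role, so a root admin who omits listAll=true gets the same narrow result as a regular user, and the wider view has to be requested explicitly. The UI keeps working because, as the issue notes, it already sends listAll=true on every call.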
