cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Min Chen (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-7471) Regular user is allowed to deleteNetwork/RestartNetwork that does not belong to him.He is also able to deploy Vm for other users.
Date Wed, 03 Sep 2014 05:22:51 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-7471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Min Chen resolved CLOUDSTACK-7471.
----------------------------------
    Resolution: Fixed

> Regular user is allowed to deleteNetwork/RestartNetwork that does not belong to him.He
is also able to deploy Vm for other users.
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7471
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7471
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.5.0
>         Environment: build from master
>            Reporter: Sangeetha Hariharan
>            Assignee: Min Chen
>
> Scenario 1 :
> Regular user is allowed to delete networks that belong to other users
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , create a network.
> As user d1-b , delete network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from apilog indicating AccountId- 92 is attempting the restart network.
> 2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69)
(userId=92 accountId=92 sessionId=DC
> A599AA77169CA107BA0AADA19667F7) 10.215.3.6 – GET command=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessi
> onkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { "deletenetworkresponse" :
> {"jobid":"05daf212-1aa7-4885-b133-2645a6ceb7df"}
> }
> Snippet from DB indicating that the owner of network is account_id=89 .
> mysql> select account_id,domain_id from networks where uuid="2f2cc737-ba0f-4806-a81b-92a5749cfe7b";
> ---------------------+
> account_id 	domain_id
> ---------------------+
> 89 	37
> ---------------------+
> 1 row in set (0.00 sec)
> Snippet from management server logs indicating success:
> 2014-08-29 06:59:57,911 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-23:ctx-05f928b8
ctx-c081eb69) submit async job-995,
> details: AsyncJobVO {id:995, userId: 92, accountId: 92, instanceType: None, instanceId:
null, cmd: org.apache.cloudstack.api.comman
> d.user.network.DeleteNetworkCmd, cmdInfo: {"response":"json","id":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","sessionkey":"NHvM0k5Rg/Qs
> pJg2g0YnQP/hq34\u003d","ctxDetails":"
> {\"com.cloud.network.Network\":\"2f2cc737-ba0f-4806-a81b-92a5749cfe7b\"}
> ","cmdEventType":"NETW
> ORK.DELETE","ctxUserId":"92","httpmethod":"GET","uuid":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","ctxAccountId":"92","ctxStartEventId"
> :"3020"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result:
null, initMsid: 82324189320212, completeMsid
> : null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-29 06:59:57,912 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69)
===END=== 10.215.3.6 – GET command
> =deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D
> 2014-08-29 06:59:57,934 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Network is al
> ready shutdown: Ntwk[390|Guest|8]
> 2014-08-29 06:59:57,937 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Releasing 0 port f
> orwarding rules for network id=390
> 2014-08-29 06:59:57,938 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Releasing 0 static
> nat rules for network id=390
> 2014-08-29 06:59:57,939 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) There are no port
> forwarding rules to apply for network id=390
> 2014-08-29 06:59:57,940 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) There are no stati
> c nat rules to apply for network id=390
> 2014-08-29 06:59:57,941 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully relea
> sed rules for network id=390 and # of rules now = 0
> 2014-08-29 06:59:57,941 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully
> cleaned up portForwarding/staticNat rules for network id=390
> 2014-08-29 06:59:57,942 DEBUG [c.c.n.l.LoadBalancingRulesManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Found
> 0 lb rules to cleanup
> 2014-08-29 06:59:57,942 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully
> cleaned up load balancing rules for network id=390
> 2014-08-29 06:59:57,949 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Releasing 0 firewall rules for network id=390
> 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) There are no firewall rules to apply
> 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully released firewall rules for network id=390 and # of rules
now = 0
> 2014-08-29 06:59:57,955 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully cleaned up firewallRules rules for network id=390
> 2014-08-29 06:59:57,956 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Successfully cleaned up NetworkACLs for network id=390
> 2014-08-29 06:59:57,960 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Sending destroy to com.cloud.network.element.VirtualRouterElement@33e84a52
> 2014-08-29 06:59:57,961 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Network id=390 is destroyed successfully, cleaning up corresponding
resources now.
> 2014-08-29 06:59:57,963 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Deleted ip range for private network id=390
> 2014-08-29 06:59:57,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995 ctx-502dafa1) Complete async job-995, jobStatus: SUCCEEDED, resultCode: 0, result:
org.apache.cloudstack.api.response.SuccessResponse/null/
> {"success":true}
> 2014-08-29 06:59:57,985 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-40:ctx-71036d41
job-995) Done executing org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd for
job-995
> 2014-08-29 06:59:57,989 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-40:ctx-71036d41
job-995) Remove job-995 from job monitoring
> Scenario 2:
> Regular user is allowed to restart networks that belong to other users.
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , Deploy a VM.
> As user d1-b , restart network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from apilog indicating AccountId- 92 is attempting the restart network.
> 2014-08-28 13:42:15,541 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d)
(userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 – GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
200 { "restartnetworkresponse" :
> {"jobid":"8bafd675-c0db-4ccd-b8f8-cf4ae74aefe6"}
> }
> Snippet from DB indicating that the owner of network is account_id=89 .
> mysql> select account_id,domain_id from networks where uuid="e3fc5e02-52dc-449a-8a06-a2fe66f6df69";
> ---------------------+
> account_id 	domain_id
> ---------------------+
> 89 	37
> ---------------------+
> 1 row in set (0.00 sec)
> Snippet from management server logs indicating success:
> 2014-08-28 13:42:15,495 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7) ===START===
10.215.3.6 – GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
> 2014-08-28 13:42:15,536 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-32:ctx-68ebfe7f
job-980) Add job-980 into job monitoring
> 2014-08-28 13:42:15,537 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-32:ctx-68ebfe7f
job-980) Executing AsyncJobVO {id:980, userId: 92, accountId: 92, instanceType: None, instanceId:
null, cmd: org.apache.cloudstack.api.command.user.network.RestartNetworkCmd, cmdInfo: {"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"
> {\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}
> ","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid:
82324189320212, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-28 13:42:15,541 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-6:ctx-5cd552d7
ctx-a6bba81d) submit async job-980, details: AsyncJobVO {id:980, userId: 92, accountId: 92,
instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.network.RestartNetworkCmd,
cmdInfo: {"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"
> {\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}
> ","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"},
cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid:
82324189320212, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-28 13:42:15,541 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d)
===END=== 10.215.3.6 – GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
> Scenario 3:
> Regular user is allowed to deploy a VM for another account in the same domain.
> Scenario :
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , Deploy a VM.
> As user d1-b , deploy a VM for user d1-a in a network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from api-log indicating that the deployVirtualMachine command was sent by accountId=92
> 2014-08-28 13:42:02,068 INFO  [a.c.c.a.ApiServer] (catalina-exec-24:ctx-2a532bd3 ctx-169e8ae7)
(userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET command=deployVirtualMachine&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=&zoneid=0ed30371-31bc-4f13-ad41-0c4f3af3390f&templateid=4d2af82a-2e01-11e4-94e5-4adf980f9414&hypervisor=Simulator&serviceofferingid=e9d8660a-b531-4651-baf5-5a5f5c7959b3&iptonetworklist%5B0%5D.networkid=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&displayname=test-cross1&name=test-cross1&_=1409271795491&account=d1-a&domainid=7a28c3f6-f2c8-4c45-a08a-d1bd1b57d0b8
200 { "deployvirtualmachineresponse" : {"id":"0c1a4583-3691-48d3-9544-878cbf08eb79","jobid":"12cd6bc3-d9a5-4719-b3b9-05acc226fc23"}
}
> DB entry indicating that the VirtualMachine was successfully created for account_id -
89.
> mysql> select  account_id,domain_id ,uuid,id from vm_instance where name="test-cross1";
> +------------+-----------+--------------------------------------+-----+
> | account_id | domain_id | uuid                                 | id  |
> +------------+-----------+--------------------------------------+-----+
> |         89 |        37 | 0c1a4583-3691-48d3-9544-878cbf08eb79 | 302 |
> +------------+-----------+--------------------------------------+-----+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message