incubator-cloudstack-dev mailing list archives

From "Wido den Hollander (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-1054) ListDomains does not list all domains when the name is specified
Date Fri, 25 Jan 2013 14:11:14 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-1054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13562703#comment-13562703 ]

Wido den Hollander commented on CLOUDSTACK-1054:
------------------------------------------------

Since I'm not 100% positive about this change I've posted it to reviewboard: https://reviews.apache.org/r/9111/

If I was certain I would have committed it :)
                
> ListDomains does not list all domains when the name is specified
> ----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1054
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1054
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.0.0, 4.0.1, 4.1.0
>            Reporter: Wido den Hollander
>            Priority: Minor
>             Fix For: Future
>
>
> The documentation for listDomains says that you can list all domains by specifying the 'name'.
> id: List domain by domain ID.
> name: List domain by domain name.
> When doing this however you don't get the expected result.
> I turned on MySQL debugging and it showed me this query:
> SELECT domain.id, domain.parent, domain.name, domain.owner, domain.path, domain.level,
> domain.removed, domain.child_count, domain.next_child_seq, domain.state, domain.network_domain,
> domain.uuid FROM domain WHERE domain.id = 1  AND domain.name LIKE _binary'%pcextreme%'  AND
> domain.state = 'Active'  AND domain.removed IS NULL  ORDER BY domain.id ASC  LIMIT 0, 500
> What I noticed is 'domain.id = 1'.
> I haven't specified an ID and still it is set?
> Going into the code (DomainManagerImpl) I found:
>         Long domainId = cmd.getId();
>         boolean listAll = cmd.listAll();
>         boolean isRecursive = false;
>         if (domainId != null) {
>             Domain domain = getDomain(domainId);
>             if (domain == null) {
>                 throw new InvalidParameterValueException("Domain id=" + domainId + " doesn't exist");
>             }
>             _accountMgr.checkAccess(caller, domain);
>         } else {
>             domainId = caller.getDomainId();
>             if (listAll) {
>                 isRecursive = true;
>             }
>         }
> So if domainId is not specified it is automatically set to the ID of the domain I'm in? Since I'm admin my ID is set to 1.
> This is odd behaviour since I want the domain specified by the name, not by my ID.
> I understand that this is a security flaw if every user can query for every domain, but it is kind of weird.
> The description for the 'name' argument isn't clear either.
> The code does: name LIKE '%<name>%' so it is actually a wildcard search which the documentation does not say.
> I'm thinking about checking if the user is an admin and if that is the case not setting the domainId to the domain where the user is in.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
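
The scoping question raised in the quoted issue, as an added Java example (Java 16+) that is not CloudStack's code and not part of the original message. Domain, Caller, DomainScope, the path-prefix access check and the sample domain tree are hypothetical and constructed; it contrasts a root admin searching by name with a non-admin, who stays limited to the caller's own subtree.

```java
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added illustration; Domain, Caller and DomainScope are hypothetical, not CloudStack classes.
public class DomainScope {
    record Domain(long id, String name, String path) {}
    record Caller(long domainId, boolean rootAdmin) {}

    // Constructed sample tree: ROOT(1) -> pcextreme(2) -> pcextreme-lab(3); ROOT -> other(4)
    static final List<Domain> DOMAINS = List.of(
        new Domain(1, "ROOT", "/"),
        new Domain(2, "pcextreme", "/pcextreme/"),
        new Domain(3, "pcextreme-lab", "/pcextreme/pcextreme-lab/"),
        new Domain(4, "other", "/other/"));

    static Domain byId(long id) {
        return DOMAINS.stream().filter(d -> d.id() == id).findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Domain id=" + id + " doesn't exist"));
    }

    // Assumption: a caller may see a domain only if it lies in the caller's own subtree.
    static boolean canAccess(Caller c, Domain d) {
        return c.rootAdmin() || d.path().startsWith(byId(c.domainId()).path());
    }

    static List<String> listDomains(Caller c, Long domainId, String name, boolean listAll) {
        Stream<Domain> s = DOMAINS.stream();
        if (domainId != null) {
            Domain d = byId(domainId);
            if (!canAccess(c, d)) throw new SecurityException("no access to domain " + domainId);
            s = s.filter(x -> x.id() == domainId);
        } else if (c.rootAdmin() && name != null) {
            // Proposed change: a root admin searching by name is not pinned to the admin's own domain.
        } else if (listAll) {
            s = s.filter(x -> canAccess(c, x));        // recursive: the caller's whole subtree
        } else {
            s = s.filter(x -> x.id() == c.domainId()); // behaviour quoted in the issue: own domain only
        }
        if (name != null) s = s.filter(x -> x.name().contains(name)); // mirrors LIKE '%name%'
        return s.map(Domain::name).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Caller admin = new Caller(1, true), user = new Caller(4, false);
        System.out.println(listDomains(admin, null, "pcextreme", false)); // admin: searched across all domains
        System.out.println(listDomains(user, null, "pcextreme", true));   // non-admin: limited to own subtree
    }
}
```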
