kiranchavala opened a new issue, #10922: URL: https://github.com/apache/cloudstack/issues/10922
### problem

Domain Admin cannot update resource limits of its account

### versions

ACS 4.20, 4.19

### The steps to reproduce the bug

1. Create domain under the root (let's say d1)
2. Create a domain admin account (da1) under the domain 1
3. Create another domain admin account (da2) under the domain 1
4. Login as domain admin account (da1)
5. Navigate accounts > select domain admin account (da2) > configure limits > Change the max user instance to 21 > success
6. Perform the same action on da1: Navigate accounts > select domain admin account (da1) > configure limits > Change the max user instance to 21 > failure

Exception

`Unable to update resource limit for their own account 5, permission denied`

Logs

Domain admin da1 trying to update the resource limits of its own account

```
2025-05-27 05:50:16,301 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073]) (logid:c905d200) ===START=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c
2025-05-27 05:50:16,301 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073]) (logid:c905d200) Two factor authentication is already verified for the user 5, so skipping
2025-05-27 05:50:16,317 DEBUG [c.c.a.ApiServer] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) CIDRs from which account 'Account [{"accountName":"user1domain1","id":5,"uuid":"55289255-54be-4515-a8c5-1288e9a7742b"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:50:16,330 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2025-05-27 05:50:16,330 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) API rate limiting is disabled. We will not use ApiRateLimitService.
2025-05-27 05:50:16,351 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) PermissionDenied: Unable to update resource limit for their own account 5, permission denied on objs: []
2025-05-27 05:50:16,351 INFO [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) (userId=5 accountId=5 sessionId=node012lrf9410vgpra42wupop3i2f10) 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c 531 Unable to update resource limit for their own account 5, permission denied
2025-05-27 05:50:16,351 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) ===END=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c
```

Domain admin da1 trying to update the resource limits of other domain admin account

```
[root@ref-trl-8570-k-Mol8-kiran-chavala-mgmt1 ~]# cat /var/log/cloudstack/management/management-server.log |grep -i "logid:47cbb57a"
2025-05-27 05:56:24,983 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e]) (logid:47cbb57a) ===START=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4DrA
2025-05-27 05:56:24,983 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e]) (logid:47cbb57a) Two factor authentication is already verified for the user 6, so skipping
2025-05-27 05:56:25,029 DEBUG [c.c.a.ApiServer] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) CIDRs from which account 'Account [{"accountName":"user2domain1","id":6,"uuid":"2689f76a-a6c0-458d-8e5d-25007eba12d1"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:56:25,038 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2025-05-27 05:56:25,038 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) API rate limiting is disabled. We will not use ApiRateLimitService.
2025-05-27 05:56:25,069 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) Access to Account [{"accountName":"user1domain1","id":5,"uuid":"55289255-54be-4515-a8c5-1288e9a7742b"}] granted to Account [{"accountName":"user2domain1","id":6,"uuid":"2689f76a-a6c0-458d-8e5d-25007eba12d1"}] by DomainChecker
2025-05-27 05:56:25,112 INFO [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) (userId=6 accountId=6 sessionId=node0x7mtcktao4uahjw82l98xv6411) 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4DrA 200 {"updateresourcelimitresponse":{"resourcelimit":{"account":"user1domain1","domainid":"4c8f9bce-458e-492e-87ea-90067e9d4dd4","domain":"domain1","domainpath":"/domain1/","resourcetype":"2","resourcetypename":"volume","max":20}}}
2025-05-27 05:56:25,113 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) ===END=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4Dr
```

...

### What to do about it?

Domain admin account user should be able to update the resource limits of its own account

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
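A scripted version of the two reproduction steps, added here as an example and not code from the issue or the CloudStack project: it signs an `updateResourceLimit` request with CloudStack's documented API-key scheme (parameters sorted by lowercased key, URL-encoded, whole string lowercased, HMAC-SHA1, base64) and reports the HTTP status, so the own-account call (531 in the report) and the peer-account call (200) can be re-checked after a fix. The endpoint, API key, secret key and domain id are placeholders.

```python
"""Added example (not from the issue or the CloudStack project): re-run the
two updateResourceLimit calls from the report through the signed API.
Endpoint, API key/secret and domain id are placeholders to replace."""
import base64
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request


def canonical_query(params: dict) -> str:
    """String CloudStack signs: pairs sorted by lowercased key, values encoded
    like Java's URLEncoder (space as %20, '*' kept, '~' as %7E), all lowercased."""
    pairs = []
    for key in sorted(params, key=str.lower):
        value = urllib.parse.quote(str(params[key]), safe="*").replace("~", "%7E")
        pairs.append(f"{key}={value}")
    return "&".join(pairs).lower()


def sign(params: dict, secret_key: str) -> str:
    """Base64 HMAC-SHA1 of the canonical query under the caller's secret key."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def update_limit_url(endpoint, api_key, secret_key, account, domainid, resourcetype, max_value):
    """Signed GET URL for updateResourceLimit with the same parameters the log shows."""
    params = {"command": "updateResourceLimit", "response": "json", "account": account,
              "domainid": domainid, "resourcetype": resourcetype, "max": max_value,
              "apiKey": api_key}
    signature = urllib.parse.quote(sign(params, secret_key), safe="")
    return f"{endpoint}?{urllib.parse.urlencode(params)}&signature={signature}"


def call(url: str):
    """Return (HTTP status, decoded body); the 531 PermissionDenied is an HTTPError in urllib."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    ENDPOINT, DOMAIN = "http://MGMT_HOST:8080/client/api", "DOMAIN_UUID"  # placeholders
    KEY, SECRET = "DA1_API_KEY", "DA1_SECRET_KEY"  # placeholders: keys of domain admin da1
    for target in ("da1", "da2"):  # report asks for 200 on both, not 531 on da1's own account
        status, body = call(update_limit_url(ENDPOINT, KEY, SECRET, target, DOMAIN, 5, 10))
        print(target, status, body)
```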