erikbocks opened a new pull request, #12046:
URL: https://github.com/apache/cloudstack/pull/12046
### Description
The `updateResourceLimit` API, by default, is allowed only to the Root
Admin, Domain Admin, and Resource Admin role types. These role types cannot
change their account and domain limits using the API. However, if an account is
created with a User type role, and the permission to this API is granted, they
will be capable of changing their own account and domain resource limits and
bypassing what has been allocated to them. In this scenario, the user could
also cause a DoS by allocating all the resources (for instance, all the IP
addresses).
This PR fixes this by implementing an account type validation that throws an
exception if the caller's account is of type `User`.
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
- [ ] build/CI
- [ ] test (unit or integration test code)
### Feature/Enhancement Scale or Bug Severity
#### Bug Severity
- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [X] Minor
- [ ] Trivial
### Screenshots (if appropriate):
### How Has This Been Tested?
In an example environment, a `Modified User` role was created, based on the
default `User` role. Then, the permission to call the `updateResourceLimit` API
was granted. A new account, named `user`, was created using the `Modified User`
role. By default, the user had a limit of `20` Public IP to allocate.
Using the user credentials, the user can run the following command in CMK to
unlimit the number of Public IP they can allocate:
```
update resourceLimit account=user resourcetype=1 max=-1 domainid=<domain_id>
```
With that, the user can exhaust the available public IPs in the environment.
It also applies to the other limit types.
Besides changing its account limit, it can also change its domain limits by
running the following command:
```
update resourceLimit resourcetype=1 max=-1 domainid=<domain_id>
```
The user cannot change the limits of other accounts within its domain or
other domains' limits.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
