This is a bug.
-Alena.

On 10/8/13 6:12 PM, "Min Chen" <min.c...@citrix.com> wrote:

>Just simple listVMsCmd with page information, passing listAll=true or not
>passing listAll returns the same set of data.
>
>Thanks
>-min
>
>On 10/8/13 5:55 PM, "Alena Prokharchyk" <alena.prokharc...@citrix.com>
>wrote:
>
>>On 10/8/13 5:48 PM, "Min Chen" <min.c...@citrix.com> wrote:
>>
>>>Thanks Alena for the clarification.
>>>
>>>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>>>should be the expected behavior?
>>
>>The same as if you don't pass anything. The domain admin will see his own
>>resources (the ones that belong to his account).
>>
>>>Should he be able to see VMs under his domain but not owned by him? The
>>>current CloudStack behavior will show all VMs under his domain. This
>>>seems contradictory to the meaning of listAll.
>>
>>Do you pass anything else to the call besides listAll=false? Is the result
>>the same when you don't pass listAll=false to the call? If so, what other
>>parameters do you pass in?
>>
>>>Thanks
>>>-min
>>>
>>>>On 10/8/13 4:28 PM, "Min Chen" <min.c...@citrix.com> wrote:
>>>>
>>>>>Hi there,
>>>>>
>>>>>In working with RBAC design, I am really puzzled by the two query
>>>>>parameters "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>>>
>>>>>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>>>>>            description = "If set to false, " +
>>>>>                "list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
>>>>>    private Boolean listAll;
>>>>>
>>>>>    @Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN,
>>>>>            description = "defaults to false," +
>>>>>                " but if true, lists all resources from the parent specified by the domainId till leaves.")
>>>>>    private Boolean recursive;
>>>>>
>>>>>IMHO, if a caller invokes a list API without passing any specific query
>>>>>parameter, he/she should see all resources that he/she is authorized to
>>>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>>>1. Root admin should be able to see all the resources under Root domain.
>>>>>2. Domain admin should be able to see all the resources under its own
>>>>>domain tree.
>>>>>3. Normal user should only see the resources owned by him.
>>>>
>>>>listAll doesn't impact user calls.
>>>>
>>>>>4. Project account should be able to see resources assigned to that
>>>>>project.
>>>>
>>>>Project account can't make the calls. Any CS account assigned to the
>>>>project + admin can list project resources. When listAll is passed in, all
>>>>resources except project resources will be returned to the caller. When
>>>>projectId=-1 is passed in, all resources of all projects in the system
>>>>that the caller is authorized to see will be returned to the caller.
>>>>
>>>>>Based on current AccountManager.buildACLSearchParameters implementation,
>>>>>we are not observing the passed "listAll" and "recursive" value at all;
>>>>>it seems to always treat "listAll=true" and "recursive=true".
>>>>
>>>>recursive=false is respected when passed along with the domainId. In this
>>>>case, it will list all the resources under this domain only, without
>>>>subdomains. When recursive=true is passed with domainId, the resources of
>>>>domains + subdomains will be returned.
>>>>
>>>>>Thus, I am proposing that we change the default value of "listAll" and
>>>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>>>
>>>>The main objection - it will break all the partners/third party apps/UIs
>>>>built on the current CS behavior.
>>>>
>>>>>Thanks
>>>>>-min
>>>>
>>>>Min,
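The listAll / recursive / projectId=-1 semantics Alena describes in the thread, written out as a small executable model. This is an added example, not CloudStack code and not AccountManager.buildACLSearchParameters; the roles, the domain tree, the accounts and the VMs are constructed sample data, and it assumes that an explicit domainId scopes an admin's query even when listAll is not set (the thread does not say what that combination does).

```python
from collections import namedtuple

# Constructed sample data (not CloudStack's): domain tree ROOT -> d1 -> d1a, ROOT -> d2
PARENT = {"ROOT": None, "d1": "ROOT", "d1a": "d1", "d2": "ROOT"}
Account = namedtuple("Account", "name domain role projects", defaults=[frozenset()])
Vm = namedtuple("Vm", "name owner domain project", defaults=[None])  # project=None: account-owned
VMS = [Vm("vm-root", "root", "ROOT"), Vm("vm-d1-admin", "d1admin", "d1"),
       Vm("vm-d1-user", "bob", "d1"), Vm("vm-d1a-user", "carol", "d1a"),
       Vm("vm-d2-user", "dave", "d2"), Vm("vm-proj", "proj-acct", "d1", "p1")]
ROOT = Account("root", "ROOT", "root_admin")
D1ADMIN = Account("d1admin", "d1", "domain_admin")
BOB = Account("bob", "d1", "user", frozenset({"p1"}))   # normal user, member of project p1

def in_tree(domain, top):
    """True if `domain` is `top` itself or a subdomain of it."""
    while domain is not None:
        if domain == top:
            return True
        domain = PARENT[domain]
    return False

def list_vms(vms, caller, list_all=False, domain_id=None, recursive=False, project_id=None):
    """Sorted names of the VMs `caller` gets back, following the semantics Alena describes."""
    admin_top = {"root_admin": "ROOT", "domain_admin": caller.domain}.get(caller.role)
    if domain_id is not None and (admin_top is None or not in_tree(domain_id, admin_top)):
        raise PermissionError(f"{caller.name} may not list domain {domain_id}")

    def domain_ok(d):
        if domain_id is not None:   # recursive is only meaningful together with domainId
            return in_tree(d, domain_id) if recursive else d == domain_id
        return in_tree(d, admin_top)  # no domainId: the whole tree the admin is authorized for

    def visible(vm):
        if project_id == -1:        # projectId=-1: only project resources the caller may see
            return vm.project is not None and (
                vm.project in caller.projects or (admin_top is not None and domain_ok(vm.domain)))
        if vm.project is not None:  # otherwise project resources are never returned
            return False
        if admin_top is None or (not list_all and domain_id is None):
            return vm.owner == caller.name  # users always, admins without listAll: own only
        return domain_ok(vm.domain)  # listAll=true (assumed: an explicit domainId behaves alike)

    return sorted(vm.name for vm in vms if visible(vm))

if __name__ == "__main__":
    print(list_vms(VMS, D1ADMIN))                                   # ['vm-d1-admin']
    print(list_vms(VMS, D1ADMIN, list_all=True, domain_id="d1"))    # ['vm-d1-admin', 'vm-d1-user']
    print(list_vms(VMS, BOB, project_id=-1))                        # ['vm-proj']
```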