[ https://issues.apache.org/jira/browse/CLOUDSTACK-6428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13971685#comment-13971685 ]

Min Chen commented on CLOUDSTACK-6428:
--------------------------------------

This is caused by us interpreting DOMAIN scope policy in the iam_policy_permission 
table just for the current domain. In this use case, the domain id passed is the 
subdomain id. Fixed by interpreting that to include the domain tree. This is 
also the assumption we have made in RoleBasedEntityAccessChecker for phase I.

> IAM - Domain Admin - When his sub-domainId is passed to the 
> listVirtualMachine command, Vms from all the domains are being listed.
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6428
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6428
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: API
>    Affects Versions: 4.4.0
>            Reporter: Min Chen
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Domain Admin - When domainId is passed to the listVirtualMachine 
> command, VMs from all the domains are being listed.
> Set up:
> Prerequisites:
> Admin - Creates object
> Domain Admin for d1 - D1 - Creates object - d1
> Domain Admin for d1 - D1/D11
> User account for d1 - D1/D111 - Creates object - d111a
> Domain Admin for d1 - D1/D12
> Domain Admin for d2 - D2 - Creates object - d2
> User Account in domain D1 - userD1-1 - Creates object - d1a
> User Account in domain D1 - userD1-2 - Creates object - d1b
> User Account in domain D1/D11 - userD1-a - Creates object - d11a
> User Account in domain D1/D11 - userD1-a - Creates object - d11b
> User Account in domain D1/D12 - userD1-b - Creates object - d12a
> User Account in domain D1/D12 - userD-a - Creates object - d12b
> As domain admin d1, tried to list all the VMs for domain d1/d11.
> The VM list returned has all the VMs, including the VMs from domain d2.
> GET 
> http://10.223.49.6/client/api?command=listVirtualMachines&domainId=0a0f7c09-2f1a-4939-94ce-88388e197949&listAll=true&apiKey=Hv0VKnmBjXhyRMKZ7ixI51gG-iqHqRVTp1xCCLU2-gTnZwhuUNWsa4zZLYZWWLD5lEhvwe05tJKJVa9NeS5REw&signature=ZH7kEjKVDh1eXbLv84T6pHAApt0%3D



--
This message was sent by Atlassian JIRA
(v6.2#6252)
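The scoping rule the comment describes, as an added illustration that is not CloudStack's own code: a DOMAIN-scope check evaluated against the caller's domain tree admits a request for a sub-domain and narrows the listing to that sub-tree, while a domain outside the tree is refused rather than left unfiltered. The domain layout and VM names are constructed from the report's setup, and the pre-fix "no match, so no filter" behaviour is an assumption modelled on the response the report shows.

```python
from typing import Dict, List, Optional, Set

# Constructed domain tree mirroring the report's setup: ROOT -> D1 -> {D11, D12}, ROOT -> D2.
DOMAIN_PARENT: Dict[str, Optional[str]] = {
    "ROOT": None, "D1": "ROOT", "D11": "D1", "D12": "D1", "D2": "ROOT",
}

# Constructed inventory: the domain each VM from the report's "Creates object" lines lives in.
VMS: Dict[str, List[str]] = {
    "D1": ["d1", "d1a", "d1b"],
    "D11": ["d11a", "d11b"],
    "D12": ["d12a", "d12b"],
    "D2": ["d2"],
}


def domain_tree(domain: str) -> Set[str]:
    """Return a domain together with all of its descendants."""
    tree = {domain}
    changed = True
    while changed:  # repeat until no child of a tree member is still missing
        changed = False
        for child, parent in DOMAIN_PARENT.items():
            if parent in tree and child not in tree:
                tree.add(child)
                changed = True
    return tree


def in_scope(caller_domain: str, requested_domain: str) -> bool:
    """DOMAIN scope as the fix interprets it: the caller's own domain or any sub-domain of it."""
    return requested_domain in domain_tree(caller_domain)


def list_vms_before_fix(caller_domain: str, requested_domain: str) -> List[str]:
    """Model of the reported behaviour (assumption): DOMAIN scope matches only the caller's
    own domain, so a sub-domain id matches no policy and the listing is not narrowed at all."""
    if requested_domain == caller_domain:
        return sorted(VMS.get(requested_domain, []))
    return sorted(vm for vms in VMS.values() for vm in vms)


def list_vms_after_fix(caller_domain: str, requested_domain: str) -> List[str]:
    """Refuse anything outside the caller's tree; otherwise list only the requested sub-tree."""
    if not in_scope(caller_domain, requested_domain):
        raise PermissionError(f"{caller_domain} may not list domain {requested_domain}")
    return sorted(vm for d in domain_tree(requested_domain) for vm in VMS.get(d, []))
```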