Sangeetha Hariharan created CLOUDSTACK-6533:
-----------------------------------------------

             Summary: IAM - Templates - Public templates do not have permissions to be used by ROOT group.
                 Key: CLOUDSTACK-6533
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: IAM
    Affects Versions: 4.4.0
         Environment: Build from 4.4
            Reporter: Sangeetha Hariharan
            Priority: Critical
             Fix For: 4.4.0


IAM - Templates - Public templates do not have permissions to be used by ROOT group.

As a regular user, create a public template.

In the iam_policy_permission table we do not have a permission for the Admin group.

mysql>  select * from iam_policy_permission where scope_id = 206;
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| 4949 |         3 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
| 4950 |         1 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+


mysql> select * from vm_template where id=206\G
*************************** 1. row ***************************
                  id: 206
         unique_name: 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f
                name: Public_featured_d2a-G3GJQW
                uuid: 265192c9-88d3-41d4-b435-6d3c3e5d256a
              public: 1
            featured: 1
                type: USER
                 hvm: 1
                bits: 64
                 url: http://10.223.110.232:/test.vhd
              format: VHD
             created: 2014-04-29 11:03:52
             removed: NULL
          account_id: 318
            checksum: NULL
        display_text: public and feature Template
     enable_password: 0
       enable_sshkey: 0
         guest_os_id: 12
            bootable: 1
         prepopulate: 0
         cross_zones: 0
         extractable: 1
     hypervisor_type: Simulator
  source_template_id: NULL
        template_tag: NULL
            sort_key: 0
                size: 5242880
               state: Active
        update_count: 0
             updated: NULL
dynamically_scalable: 0
1 row in set (0.00 sec)

In spite of not having the required permissions to use the template, admin is
able to use this template for VM deployment. The root cause of this bug is
similar to CLOUDSTACK-6517.

The same behavior is also observed for default templates:

mysql> select * from iam_policy_permission where scope_id = 111;
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| 3315 |         3 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
| 3316 |         1 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
2 rows in set (0.00 sec)

mysql> select * from vm_template where id=111\G
*************************** 1. row ***************************
                  id: 111
         unique_name: simulator-Centos
                name: CentOS 5.3(64-bit) no GUI (Simulator)
                uuid: 7200e25a-ca4b-11e3-907f-4adf980f9414
              public: 1
            featured: 1
                type: BUILTIN
                 hvm: 0
                bits: 64
                 url: http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2
              format: VHD
             created: 2014-04-22 14:25:13
             removed: NULL
          account_id: 1
            checksum: 
        display_text: CentOS 5.3(64-bit) no GUI (Simulator)
     enable_password: 0
       enable_sshkey: 0
         guest_os_id: 11
            bootable: 1
         prepopulate: 0
         cross_zones: 1
         extractable: 0
     hypervisor_type: Simulator
  source_template_id: NULL
        template_tag: NULL
            sort_key: 0
                size: 2147483648
               state: Active
        update_count: NULL
             updated: NULL
dynamically_scalable: 0
1 row in set (0.00 sec)
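The report checks two templates by hand; the audit below generalizes that check to every live public template. It is an added example, not CloudStack code and not part of the original report: it rebuilds a reduced copy of vm_template and iam_policy_permission in SQLite (only the columns the query needs, filled with the rows shown above plus one constructed private template), then lists the public templates that have no Allow/UseEntry RESOURCE grant for a given policy id. Which policy id belongs to the admin group is not shown in the report, so the policy id is a parameter; rerunning the query against the real MySQL schema requires only swapping the connection.

```python
import sqlite3

# Reduced stand-ins for the two CloudStack tables in the report (only the
# columns the check needs); the real MySQL tables have many more columns.
SCHEMA = """
CREATE TABLE vm_template (
    id INTEGER PRIMARY KEY, name TEXT, type TEXT, public INTEGER,
    featured INTEGER, account_id INTEGER, removed TEXT
);
CREATE TABLE iam_policy_permission (
    id INTEGER PRIMARY KEY, policy_id INTEGER, action TEXT, resource_type TEXT,
    scope_id INTEGER, scope TEXT, access_type TEXT, permission TEXT,
    recursive INTEGER, removed TEXT
);
"""

# Constructed sample data: the two templates and four permission rows from the
# report, plus a private template (id 207) that the audit must ignore.
TEMPLATES = [
    (206, "Public_featured_d2a-G3GJQW", "USER", 1, 1, 318, None),
    (111, "CentOS 5.3(64-bit) no GUI (Simulator)", "BUILTIN", 1, 1, 1, None),
    (207, "private-only", "USER", 0, 0, 318, None),  # constructed, not in the report
]
PERMISSIONS = [
    (4949, 3, "listTemplates", "VirtualMachineTemplate", 206, "RESOURCE", "UseEntry", "Allow", 0, None),
    (4950, 1, "listTemplates", "VirtualMachineTemplate", 206, "RESOURCE", "UseEntry", "Allow", 0, None),
    (3315, 3, "listTemplates", "VirtualMachineTemplate", 111, "RESOURCE", "UseEntry", "Allow", 0, None),
    (3316, 1, "listTemplates", "VirtualMachineTemplate", 111, "RESOURCE", "UseEntry", "Allow", 0, None),
]

# Live public templates with no Allow/UseEntry grant for the given policy on
# the RESOURCE scope. Soft-deleted rows (removed IS NOT NULL) are excluded on
# both sides so a revoked grant does not count as a grant.
AUDIT_SQL = """
SELECT t.id, t.name
FROM vm_template t
WHERE t.public = 1
  AND t.removed IS NULL
  AND NOT EXISTS (
      SELECT 1 FROM iam_policy_permission p
      WHERE p.scope = 'RESOURCE'
        AND p.resource_type = 'VirtualMachineTemplate'
        AND p.scope_id = t.id
        AND p.access_type = 'UseEntry'
        AND p.permission = 'Allow'
        AND p.removed IS NULL
        AND p.policy_id = ?
  )
ORDER BY t.id
"""


def load_sample_db():
    """Build the in-memory sample database from the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vm_template VALUES (?,?,?,?,?,?,?)", TEMPLATES)
    conn.executemany("INSERT INTO iam_policy_permission VALUES (?,?,?,?,?,?,?,?,?,?)", PERMISSIONS)
    return conn


def public_templates_without_use_grant(conn, policy_id):
    """Return (id, name) for every live public template lacking a UseEntry grant for policy_id."""
    return conn.execute(AUDIT_SQL, (policy_id,)).fetchall()


def policies_granting_use(conn, template_id):
    """Return the sorted policy ids holding an Allow/UseEntry RESOURCE grant on one template."""
    rows = conn.execute(
        "SELECT DISTINCT policy_id FROM iam_policy_permission "
        "WHERE scope = 'RESOURCE' AND resource_type = 'VirtualMachineTemplate' "
        "AND scope_id = ? AND access_type = 'UseEntry' AND permission = 'Allow' "
        "AND removed IS NULL ORDER BY policy_id",
        (template_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    # Assumption: policy id 2 stands in for the admin policy, which the report
    # does not identify; look it up in iam_policy on a real installation.
    admin_policy_id = 2
    print("policies with UseEntry on template 206:", policies_granting_use(db, 206))
    for tid, name in public_templates_without_use_grant(db, admin_policy_id):
        print(f"public template {tid} ({name}) has no UseEntry grant for policy {admin_policy_id}")
```

Run against the real database, the same NOT EXISTS query (with the MySQL connection in place of SQLite) shows whether the missing grant is specific to templates 206 and 111 or, as the report suggests for default templates, systematic.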




--
This message was sent by Atlassian JIRA
(v6.2#6252)
