[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986401#comment-13986401
 ] 

ASF subversion and git services commented on CLOUDSTACK-6517:
-------------------------------------------------------------

Commit c32b7ab7c8e73a3422ff31d754c28c8997a9a84c in cloudstack's branch 
refs/heads/4.4 from [~prachidamle]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=c32b7ab ]

CLOUDSTACK-6517: IAM - Admin is allowed to create PortForwarding rule for a 
regular user, when admin does not have "UseEntry" permission for IpAddress.

Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he 
got Use access as well. So even if IAM schema did not have 'UseEntry' 
permission for IpAddress, some other 'OperateEntry' permission on IpAddress was 
letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAM will perform strict 
accessType check only.
- This fix is needed so that admin does not get permission to USE resources 
from other account just because he has OPERATE access on those resources due to 
some other APIs.

- However due to this fix, we break backwards compatibility with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing 
in networkId of the user.
- Same was the case for domain admins within their domains.
- Why this worked was due to CS 4.3 simply returning true for root admin/domain 
admin.

- So to maintain backwards compatibility, we are adding the logic to return 
"true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM 
even for root admin/domain admin, since that's what CS 4.3 did. Just for these 3 
resource_types, it used to perform access checks even for root admin/domain 
admin.
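To make the access-type ordering problem in the commit message concrete, here is a small model of the check (an added illustration, not CloudStack's IAM code). It assumes a simplified permission row (scope collapsed to ALL/DOMAIN/ACCOUNT), a hypothetical OperateEntry grant on IpAddress of the kind the commit blames, and constructed resource-type names for the three types CS 4.3 always ran through IAM. `ordered=True` reproduces the pre-fix behaviour where OperateEntry implies UseEntry; `ordered=False` is the strict check, and `check_access_compat` adds the root/domain-admin rule described above.

```python
# Added illustration (not CloudStack code): a model of the IAM access check
# described in CLOUDSTACK-6517. Shows why ordered access types let an
# OperateEntry permission satisfy a UseEntry check, the strict check that
# replaced it, and the CS 4.3 root/domain-admin compatibility rule.
from dataclasses import dataclass

# Ranking the pre-fix IAM applied: a higher access type implied each lower one.
ACCESS_ORDER = {"ListEntry": 0, "UseEntry": 1, "OperateEntry": 2}

# Resource types CS 4.3 still ran through IAM for root/domain admins
# (type names are constructed for this model).
IAM_CHECKED_FOR_ADMINS = {"Network", "AffinityGroup", "Template"}


@dataclass(frozen=True)
class Permission:
    policy_id: int
    action: str
    resource_type: str
    scope: str          # ALL, DOMAIN or ACCOUNT (simplified from scope/scope_id)
    access_type: str
    permission: str     # Allow or Deny


@dataclass(frozen=True)
class Caller:
    account_id: int
    domain_id: int
    role: str           # ROOT_ADMIN, DOMAIN_ADMIN or USER
    policy_ids: frozenset


@dataclass(frozen=True)
class Resource:
    resource_type: str
    account_id: int
    domain_id: int


# Constructed rows modelled on the iam_policy_permission output in the issue,
# plus a hypothetical OperateEntry grant that some other API contributed.
POLICY_PERMISSIONS = [
    Permission(2, "listPublicIpAddresses", "IpAddress", "ALL", "ListEntry", "Allow"),
    Permission(2, "listPublicIpAddresses", "IpAddress", "ACCOUNT", "UseEntry", "Allow"),
    Permission(2, "hypotheticalOperateApi", "IpAddress", "ALL", "OperateEntry", "Allow"),
]


def _scope_matches(perm, caller, resource):
    if perm.scope == "ALL":
        return True
    if perm.scope == "DOMAIN":
        return caller.domain_id == resource.domain_id
    if perm.scope == "ACCOUNT":
        return caller.account_id == resource.account_id
    return False


def _access_satisfies(perm, wanted, ordered):
    # ordered=True is the buggy behaviour: OperateEntry >= UseEntry >= ListEntry.
    if ordered:
        return ACCESS_ORDER[perm.access_type] >= ACCESS_ORDER[wanted]
    return perm.access_type == wanted


def check_access(caller, resource, wanted, ordered=False, permissions=POLICY_PERMISSIONS):
    """True if an Allow row in one of the caller's policies grants `wanted` on
    `resource`. ordered=False is the strict access-type check the fix introduced."""
    return any(
        perm.permission == "Allow"
        and perm.policy_id in caller.policy_ids
        and perm.resource_type == resource.resource_type
        and _scope_matches(perm, caller, resource)
        and _access_satisfies(perm, wanted, ordered)
        for perm in permissions
    )


def check_access_compat(caller, resource, wanted, permissions=POLICY_PERMISSIONS):
    """Strict check plus the CS 4.3 rule: root admin passes, domain admin passes
    inside its own domain, except for the types CS 4.3 always sent to IAM."""
    if resource.resource_type not in IAM_CHECKED_FOR_ADMINS:
        if caller.role == "ROOT_ADMIN":
            return True
        if caller.role == "DOMAIN_ADMIN":
            return caller.domain_id == resource.domain_id
    return check_access(caller, resource, wanted, ordered=False, permissions=permissions)


# Constructed scenario from the issue: admin in account 1, user's IP in account 5.
ADMIN = Caller(account_id=1, domain_id=1, role="ROOT_ADMIN", policy_ids=frozenset({2}))
DOMAIN_ADMIN = Caller(account_id=2, domain_id=2, role="DOMAIN_ADMIN", policy_ids=frozenset({2}))
USER_IP = Resource("IpAddress", account_id=5, domain_id=1)
ADMIN_IP = Resource("IpAddress", account_id=1, domain_id=1)
USER_NETWORK = Resource("Network", account_id=5, domain_id=1)

if __name__ == "__main__":
    print("ordered (buggy), other user's IP:", check_access(ADMIN, USER_IP, "UseEntry", ordered=True))
    print("strict, other user's IP:         ", check_access(ADMIN, USER_IP, "UseEntry"))
    print("strict, own IP:                  ", check_access(ADMIN, ADMIN_IP, "UseEntry"))
    print("compat, root admin on user IP:   ", check_access_compat(ADMIN, USER_IP, "UseEntry"))
    print("compat, root admin on Network:   ", check_access_compat(ADMIN, USER_NETWORK, "UseEntry"))
```

Run stand-alone, the ordered check grants UseEntry on the other user's IP through the OperateEntry row, the strict check refuses it, and the compatibility wrapper lets the root admin through for IpAddress but still consults IAM for Network.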


> IAM - Admin is allowed to create PortForwarding rule for a regular user, when 
> admin does not have "UseEntry" permission for IpAddress. 
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6517
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when 
> admin does not have "UseEntry" permission for IpAddress.
> Steps to reproduce the problem:
> As a regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing 
> account and domainId.
> Creating PF rule succeeds. 
> Since Admin has only "ListEntry" permission for IpAddress owned by other 
> users, we expect this API call to fail. 
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> Admin should be allowed to do this only when the account and domainId 
> of the regular user are passed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
