[ https://issues.apache.org/jira/browse/CLOUDSTACK-6560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13987149#comment-13987149 ]

ASF subversion and git services commented on CLOUDSTACK-6560:
-------------------------------------------------------------

Commit 2e5b5291574417e31b4e81a6cc170e77a0cd7f65 in cloudstack's branch 
refs/heads/4.4-forward from [~prachidamle]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2e5b529 ]

CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule 
for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this 
network. Regular users and Domain Admin went through the strict check. Root 
admin got access always.
b) Specified "null" access and that meant admins can access this network for 
the calling API that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for 
domain admin and regular users when this access is specified. Root Admin is 
granted access.
b) If "null" access is specified, root and domain admin both are granted 
access. Regular users still go through IAM.


> IAM - Admin user is denied permission to create Egress rule for a user's 
> network
> --------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6560
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6560
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: IAM
>    Affects Versions: 4.4.0
>            Reporter: Prachi Damle
>            Assignee: Prachi Damle
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> Steps to reproduce:
> - Set up Advanced Zone
> - Create a regular user 
> - Login as the user and create an isolated network or deploy a VM that will 
> create a network 
> - Logout
> - Login as an Admin and list the user's network
> - Try to create Egress Firewall Rule on this network
> - Admin is denied permission



--
This message was sent by Atlassian JIRA
(v6.2#6252)
