Alena Prokharchyk created CLOUDSTACK-7296:
---------------------------------------------

             Summary: listUsers doesn't respect CS API convention for list commands - when listAll has to be passed in to list other accounts' resources
                 Key: CLOUDSTACK-7296
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7296
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: API
    Affects Versions: 4.5.0
            Reporter: Alena Prokharchyk
            Assignee: Alena Prokharchyk
            Priority: Critical
             Fix For: 4.5.0


All list* commands in CS are supposed to follow these rules:

1) When no parameters are passed in to the call, the caller sees only HIS 
resources (even when the caller is the admin). This is the main difference from 
how it used to work: previously the admin saw everyone else's resources by 
default.
2) When accountName/domainId are passed in, the caller sees the resources 
belonging to the account specified.

* If the call is executed by a regular user, he is authorized to specify only 
his own account/domainId.
* If the caller is a domain admin, we perform an authorization check to see if 
the caller can see the account/domainId resources.
3) When projectId is passed in, only resources belonging to that project are 
listed.
4) When domainId is passed in, we return only resources belonging to the domain 
specified. To see the resources of subdomains, the isRecursive=true parameter 
has to be specified. Again, a regular user can see only his own resources, the 
Root admin can list anything, and a domain admin is authorized to see only 
resources of his domain and its subdomains.
5) To see all resources the caller is authorized to see, except for Project 
resources, the listAll=true parameter has to be passed in.
6) To see all Project resources the caller is authorized to see, projectId=-1 
has to be passed in.
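To make the six rules concrete, here is a small Python model of the convention, added to this ticket as an illustration; it is not CloudStack code and its account, domain and resource types, the path-based domain representation and the sample data are constructed for the example. `list_resources` applies the rules in the order the ticket states them, and `legacy_list_users` reproduces the defect described below, where an admin with no parameters was served as if listAll=true had been passed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Caller roles in the model (constructed names, not CloudStack constants)
ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"


@dataclass(frozen=True)
class Account:
    name: str
    domain: str                       # domain path, e.g. "/ROOT/sales"
    role: str
    projects: FrozenSet[str] = frozenset()   # projects the account is a member of


@dataclass(frozen=True)
class Resource:
    id: str
    account: str                      # owning account
    domain: str                       # domain of the owning account
    project: Optional[str] = None     # set when the resource belongs to a project


def in_domain_tree(domain: str, root: str) -> bool:
    """True if `domain` is `root` itself or one of its subdomains."""
    return domain == root or domain.startswith(root.rstrip("/") + "/")


def authorized(caller: Account, res: Resource) -> bool:
    """Ceiling on what a caller may ever see, independent of parameters."""
    if caller.role == ROOT_ADMIN:
        return True
    if caller.role == DOMAIN_ADMIN:
        return in_domain_tree(res.domain, caller.domain)
    if res.project is not None:
        return res.project in caller.projects
    return res.account == caller.name and res.domain == caller.domain


def list_resources(caller: Account, resources: List[Resource], account_name=None,
                   domain_id=None, project_id=None, is_recursive=False,
                   list_all=False) -> List[Resource]:
    visible = [r for r in resources if authorized(caller, r)]

    # Rule 6: projectId=-1 lists every project resource the caller may see.
    if project_id == -1:
        return [r for r in visible if r.project is not None]
    # Rule 3: a concrete projectId restricts the listing to that project.
    if project_id is not None:
        return [r for r in visible if r.project == project_id]

    # Rules 1, 2, 4 and 5 concern non-project resources only.
    visible = [r for r in visible if r.project is None]

    # Rule 2: accountName/domainId select one account, subject to authorization.
    if account_name is not None:
        if domain_id is None:
            raise ValueError("accountName requires domainId")
        if caller.role == USER and (account_name, domain_id) != (caller.name, caller.domain):
            raise PermissionError("regular user may only specify his own account")
        if caller.role == DOMAIN_ADMIN and not in_domain_tree(domain_id, caller.domain):
            raise PermissionError("account lies outside the domain admin's tree")
        return [r for r in visible if r.account == account_name and r.domain == domain_id]

    # Rule 4: domainId alone selects a domain; isRecursive adds its subdomains.
    if domain_id is not None:
        if caller.role == USER and domain_id != caller.domain:
            raise PermissionError("regular user may only specify his own domain")
        if caller.role == DOMAIN_ADMIN and not in_domain_tree(domain_id, caller.domain):
            raise PermissionError("domain lies outside the domain admin's tree")
        if is_recursive:
            return [r for r in visible if in_domain_tree(r.domain, domain_id)]
        return [r for r in visible if r.domain == domain_id]

    # Rule 5: listAll=true returns everything the caller is authorized to see.
    if list_all:
        return visible

    # Rule 1: with no parameters the caller sees only his own resources.
    return [r for r in visible if r.account == caller.name and r.domain == caller.domain]


def legacy_list_users(caller: Account, resources: List[Resource], **params) -> List[Resource]:
    """The pre-fix listUsers behaviour from the ticket: an admin calling with no
    parameters was treated as if listAll=true, so rules 1 and 5 were bypassed."""
    if caller.role != USER and not params:
        return list_resources(caller, resources, list_all=True)
    return list_resources(caller, resources, **params)


def ids(resources: List[Resource]) -> List[str]:
    return [r.id for r in resources]


# Constructed sample data: one user record per account, plus one project resource.
SAMPLE = [
    Resource("u-root", "admin", "/ROOT"),
    Resource("u-sales-0", "sadmin", "/ROOT/sales"),
    Resource("u-sales-1", "alice", "/ROOT/sales"),
    Resource("u-sales-2", "bob", "/ROOT/sales"),
    Resource("u-eu-1", "carol", "/ROOT/sales/eu"),
    Resource("u-ops-1", "dave", "/ROOT/ops"),
    Resource("u-proj-1", "alice", "/ROOT/sales", project="p-42"),
]
ROOT = Account("admin", "/ROOT", ROOT_ADMIN)
SALES_ADMIN = Account("sadmin", "/ROOT/sales", DOMAIN_ADMIN)
ALICE = Account("alice", "/ROOT/sales", USER, frozenset({"p-42"}))

if __name__ == "__main__":
    print("root admin, no params   :", ids(list_resources(ROOT, SAMPLE)))
    print("root admin, listAll     :", ids(list_resources(ROOT, SAMPLE, list_all=True)))
    print("root admin, legacy bug  :", ids(legacy_list_users(ROOT, SAMPLE)))
    print("sales admin, recursive  :", ids(list_resources(SALES_ADMIN, SAMPLE,
                                               domain_id="/ROOT/sales", is_recursive=True)))
```

The contrast worth checking is the first and third lines of output: under the convention the root admin with no parameters gets only his own record, while the legacy path returns every record he is authorized to see, which is exactly the listUsers behaviour this ticket reports.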


In the case of the listUsers command, #1 and #5 weren't respected. Basically, 
the admin could see all the users from other accounts without passing 
listAll=true.

The CS UI doesn't need any fixes, because it already automatically appends 
listAll=true to the call.

--
This message was sent by Atlassian JIRA
(v6.2#6252)