[ https://issues.apache.org/jira/browse/CLOUDSTACK-7296?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alena Prokharchyk resolved CLOUDSTACK-7296.
-------------------------------------------

    Resolution: Fixed

Fixed with commit 6d1482b97bfa9876a076c2e7a9e1fd4236d9c738

> listUsers doesn't respect CS API convention for list commands - when listAll 
> has to be passed in to list other accounts' resources
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7296
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7296
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: API
>    Affects Versions: 4.5.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.5.0
>
>
> All list* commands in CS are supposed to follow these rules:
> 1) When no parameters are passed in to the call, the caller sees only HIS 
> resources (even when the caller is the admin). This is the main difference 
> from how it used to work before - before admin was seeing everyone else's 
> resources by default.
> 2) When accountName/domainId are passed in, the caller sees the resources 
> dedicated to the account specified.
>  
> * If the call is executed by the regular user, he is authorized to specify 
> only his own account/domainId.
> * If the caller is a domain admin, we perform authorization check to see if 
> the caller can see account/domainId resources.
> 3) When projectId is passed in, only resources belonging to that project are 
> being listed.
> 4) When domainId is passed in, we return only resources belonging to the 
> domain specified. To see the resources of subdomains, the isRecursive=true 
> parameter has to be specified. Again, a regular user can see only his own 
> resources, the Root admin can list anything, and a domain admin is authorized to 
> see only resources of his domain and subdomains.
> 5) To see all resources the caller is authorized to see, except for Project 
> resources, listAll=true parameter has to be passed in.
> 6) To see all Project resources the caller is authorized to see, projectId=-1 
> has to be passed in.
> In the case of the listUsers command, #1 and #5 weren't respected. Basically the admin 
> could see all the users from other accounts w/o passing listAll=true. 
> The CS UI doesn't need any fixes, because it is already automatically 
> appending listAll=true to the call. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)