Sangeetha Hariharan created CLOUDSTACK-7471:
-----------------------------------------------

             Summary: Regular user is allowed to deleteNetwork/RestartNetwork 
that does not belong to him.He is also able to deploy Vm for other users.
                 Key: CLOUDSTACK-7471
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7471
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Management Server
    Affects Versions: 4.5.0
         Environment: build from master
            Reporter: Sangeetha Hariharan
            Assignee: Min Chen


Scenario 1 :
Regular user is allowed to delete networks that belong to other users

Create a regular user - d1-a in Domain - d1.
Create another regular user - d1-b in Domain - d1.
As user d1-a , create a network.
As user d1-b , delete network that belongs to d1-a.
We expect this to not succeed.
But we are allowed to do this.

Snippet from apilog indicating AccountId- 92 is attempting the restart network.
2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8 
ctx-c081eb69) (userId=92 accountId=92 sessionId=DC
A599AA77169CA107BA0AADA19667F7) 10.215.3.6 – GET 
command=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessi
onkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { "deletenetworkresponse" :
{"jobid":"05daf212-1aa7-4885-b133-2645a6ceb7df"}

}

Snippet from DB indicating that the owner of network is account_id=89 .
mysql> select account_id,domain_id from networks where 
uuid="2f2cc737-ba0f-4806-a81b-92a5749cfe7b";
---------------------+
account_id      domain_id

---------------------+
89      37

---------------------+
1 row in set (0.00 sec)

Snippet from management server logs indicating success:

2014-08-29 06:59:57,911 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(catalina-exec-23:ctx-05f928b8 ctx-c081eb69) submit async job-995,
details: AsyncJobVO {id:995, userId: 92, accountId: 92, instanceType: None, 
instanceId: null, cmd: org.apache.cloudstack.api.comman
d.user.network.DeleteNetworkCmd, cmdInfo: 
{"response":"json","id":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","sessionkey":"NHvM0k5Rg/Qs
pJg2g0YnQP/hq34\u003d","ctxDetails":"
{\"com.cloud.network.Network\":\"2f2cc737-ba0f-4806-a81b-92a5749cfe7b\"}

","cmdEventType":"NETW
ORK.DELETE","ctxUserId":"92","httpmethod":"GET","uuid":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","ctxAccountId":"92","ctxStartEventId"
:"3020"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, 
result: null, initMsid: 82324189320212, completeMsid
: null, lastUpdated: null, lastPolled: null, created: null}
2014-08-29 06:59:57,912 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-05f928b8 
ctx-c081eb69) ===END=== 10.215.3.6 – GET command
=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D
2014-08-29 06:59:57,934 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network is al
ready shutdown: Ntwk[390|Guest|8]
2014-08-29 06:59:57,937 DEBUG [c.c.n.r.RulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 port f
orwarding rules for network id=390
2014-08-29 06:59:57,938 DEBUG [c.c.n.r.RulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 static
nat rules for network id=390
2014-08-29 06:59:57,939 DEBUG [c.c.n.r.RulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no port
forwarding rules to apply for network id=390
2014-08-29 06:59:57,940 DEBUG [c.c.n.r.RulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no stati
c nat rules to apply for network id=390
2014-08-29 06:59:57,941 DEBUG [c.c.n.r.RulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully relea
sed rules for network id=390 and # of rules now = 0
2014-08-29 06:59:57,941 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully
cleaned up portForwarding/staticNat rules for network id=390
2014-08-29 06:59:57,942 DEBUG [c.c.n.l.LoadBalancingRulesManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Found
0 lb rules to cleanup
2014-08-29 06:59:57,942 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully
cleaned up load balancing rules for network id=390
2014-08-29 06:59:57,949 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 firewall 
rules for network id=390
2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no firewall 
rules to apply
2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully released 
firewall rules for network id=390 and # of rules now = 0
2014-08-29 06:59:57,955 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up 
firewallRules rules for network id=390
2014-08-29 06:59:57,956 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up 
NetworkACLs for network id=390
2014-08-29 06:59:57,960 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Sending destroy to 
com.cloud.network.element.VirtualRouterElement@33e84a52
2014-08-29 06:59:57,961 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network id=390 is 
destroyed successfully, cleaning up corresponding resources now.
2014-08-29 06:59:57,963 DEBUG [o.a.c.e.o.NetworkOrchestrator] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Deleted ip range for 
private network id=390
2014-08-29 06:59:57,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Complete async job-995, 
jobStatus: SUCCEEDED, resultCode: 0, result: 
org.apache.cloudstack.api.response.SuccessResponse/null/
{"success":true}

2014-08-29 06:59:57,985 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(API-Job-Executor-40:ctx-71036d41 job-995) Done executing 
org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd for job-995
2014-08-29 06:59:57,989 INFO [o.a.c.f.j.i.AsyncJobMonitor] 
(API-Job-Executor-40:ctx-71036d41 job-995) Remove job-995 from job monitoring

Scenario 2:

Regular user is allowed to restart networks that belong to other users.
Create a regular user - d1-a in Domain - d1.
Create another regular user - d1-b in Domain - d1.
As user d1-a , Deploy a VM.
As user d1-b , restart network that belongs to d1-a.
We expect this to not succeed.
But we are allowed to do this.

Snippet from apilog indicating AccountId- 92 is attempting the restart network.
2014-08-28 13:42:15,541 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5cd552d7 
ctx-a6bba81d) (userId=92 accountId=92 
sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 – GET 
command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
 200 { "restartnetworkresponse" :
{"jobid":"8bafd675-c0db-4ccd-b8f8-cf4ae74aefe6"}

}

Snippet from DB indicating that the owner of network is account_id=89 .
mysql> select account_id,domain_id from networks where 
uuid="e3fc5e02-52dc-449a-8a06-a2fe66f6df69";
---------------------+
account_id      domain_id

---------------------+
89      37

---------------------+
1 row in set (0.00 sec)

Snippet from management server logs indicating success:

2014-08-28 13:42:15,495 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7) 
===START=== 10.215.3.6 – GET 
command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
2014-08-28 13:42:15,536 INFO [o.a.c.f.j.i.AsyncJobMonitor] 
(API-Job-Executor-32:ctx-68ebfe7f job-980) Add job-980 into job monitoring
2014-08-28 13:42:15,537 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(API-Job-Executor-32:ctx-68ebfe7f job-980) Executing AsyncJobVO {id:980, 
userId: 92, accountId: 92, instanceType: None, instanceId: null, cmd: 
org.apache.cloudstack.api.command.user.network.RestartNetworkCmd, cmdInfo: 
{"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"
{\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}

","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"},
 cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: 
null, initMsid: 82324189320212, completeMsid: null, lastUpdated: null, 
lastPolled: null, created: null}
2014-08-28 13:42:15,541 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] 
(catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d) submit async job-980, details: 
AsyncJobVO {id:980, userId: 92, accountId: 92, instanceType: None, instanceId: 
null, cmd: org.apache.cloudstack.api.command.user.network.RestartNetworkCmd, 
cmdInfo: 
{"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"
{\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}

","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"},
 cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: 
null, initMsid: 82324189320212, completeMsid: null, lastUpdated: null, 
lastPolled: null, created: null}
2014-08-28 13:42:15,541 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7 
ctx-a6bba81d) ===END=== 10.215.3.6 – GET 
command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=

Scenario 3:
Regular user is allowed to deploy a VM for another account in the same domain.

Scenario :
Create a regular user - d1-a in Domain - d1.
Create another regular user - d1-b in Domain - d1.
As user d1-a , Deploy a VM.
As user d1-b , deploy a VM for user d1-a in a network that belongs to d1-a.
We expect this to not succeed.
But we are allowed to do this.

Snippet from api-log indicating that the deployVirtualMachine command was sent 
by accountId=92

2014-08-28 13:42:02,068 INFO  [a.c.c.a.ApiServer] 
(catalina-exec-24:ctx-2a532bd3 ctx-169e8ae7) (userId=92 accountId=92 
sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET 
command=deployVirtualMachine&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=&zoneid=0ed30371-31bc-4f13-ad41-0c4f3af3390f&templateid=4d2af82a-2e01-11e4-94e5-4adf980f9414&hypervisor=Simulator&serviceofferingid=e9d8660a-b531-4651-baf5-5a5f5c7959b3&iptonetworklist%5B0%5D.networkid=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&displayname=test-cross1&name=test-cross1&_=1409271795491&account=d1-a&domainid=7a28c3f6-f2c8-4c45-a08a-d1bd1b57d0b8
 200 { "deployvirtualmachineresponse" : 
{"id":"0c1a4583-3691-48d3-9544-878cbf08eb79","jobid":"12cd6bc3-d9a5-4719-b3b9-05acc226fc23"}
 }


DB entry indicating that the VirtualMachine was successfully created for 
account_id - 89.

mysql> select  account_id,domain_id ,uuid,id from vm_instance where 
name="test-cross1";
+------------+-----------+--------------------------------------+-----+
| account_id | domain_id | uuid                                 | id  |
+------------+-----------+--------------------------------------+-----+
|         89 |        37 | 0c1a4583-3691-48d3-9544-878cbf08eb79 | 302 |
+------------+-----------+--------------------------------------+-----+
1 row in set (0.00 sec)




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to