[
https://issues.apache.org/jira/browse/CLOUDSTACK-7471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14119337#comment-14119337
]
Min Chen commented on CLOUDSTACK-7471:
--------------------------------------
This bug is caused by incorrect merge resolution in cherry-picking the commit
of disabling the IAM feature from 4.4 to the master branch.
Sangeetha has written Marvin automated test cases for these bugs; one can simply
verify the fix by running those automated tests.
> Regular user is allowed to deleteNetwork/RestartNetwork that does not belong
> to him. He is also able to deploy VMs for other users.
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-7471
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7471
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.5.0
> Environment: build from master
> Reporter: Sangeetha Hariharan
> Assignee: Min Chen
>
> Scenario 1 :
> Regular user is allowed to delete networks that belong to other users
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , create a network.
> As user d1-b , delete network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from apilog indicating AccountId 92 is attempting the restart
> network.
> 2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) (userId=92 accountId=92 sessionId=DCA599AA77169CA107BA0AADA19667F7) 10.215.3.6 -- GET command=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { "deletenetworkresponse" : {"jobid":"05daf212-1aa7-4885-b133-2645a6ceb7df"} }
> Snippet from DB indicating that the owner of the network is account_id=89.
> mysql> select account_id,domain_id from networks where
> uuid="2f2cc737-ba0f-4806-a81b-92a5749cfe7b";
> +------------+-----------+
> | account_id | domain_id |
> +------------+-----------+
> |         89 |        37 |
> +------------+-----------+
> 1 row in set (0.00 sec)
> Snippet from management server logs indicating success:
> 2014-08-29 06:59:57,911 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) submit async job-995, details: AsyncJobVO {id:995, userId: 92, accountId: 92, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd, cmdInfo: {"response":"json","id":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","sessionkey":"NHvM0k5Rg/QspJg2g0YnQP/hq34\u003d","ctxDetails":"{\"com.cloud.network.Network\":\"2f2cc737-ba0f-4806-a81b-92a5749cfe7b\"}","cmdEventType":"NETWORK.DELETE","ctxUserId":"92","httpmethod":"GET","uuid":"2f2cc737-ba0f-4806-a81b-92a5749cfe7b","ctxAccountId":"92","ctxStartEventId":"3020"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 82324189320212, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-29 06:59:57,912 DEBUG [c.c.a.ApiServlet] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) ===END=== 10.215.3.6 -- GET command=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D
> 2014-08-29 06:59:57,934 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network is already shutdown: Ntwk[390|Guest|8]
> 2014-08-29 06:59:57,937 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 port forwarding rules for network id=390
> 2014-08-29 06:59:57,938 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 static nat rules for network id=390
> 2014-08-29 06:59:57,939 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no port forwarding rules to apply for network id=390
> 2014-08-29 06:59:57,940 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no static nat rules to apply for network id=390
> 2014-08-29 06:59:57,941 DEBUG [c.c.n.r.RulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully released rules for network id=390 and # of rules now = 0
> 2014-08-29 06:59:57,941 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up portForwarding/staticNat rules for network id=390
> 2014-08-29 06:59:57,942 DEBUG [c.c.n.l.LoadBalancingRulesManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Found 0 lb rules to cleanup
> 2014-08-29 06:59:57,942 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up load balancing rules for network id=390
> 2014-08-29 06:59:57,949 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Releasing 0 firewall rules for network id=390
> 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) There are no firewall rules to apply
> 2014-08-29 06:59:57,950 DEBUG [c.c.n.f.FirewallManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully released firewall rules for network id=390 and # of rules now = 0
> 2014-08-29 06:59:57,955 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up firewallRules rules for network id=390
> 2014-08-29 06:59:57,956 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Successfully cleaned up NetworkACLs for network id=390
> 2014-08-29 06:59:57,960 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Sending destroy to com.cloud.network.element.VirtualRouterElement@33e84a52
> 2014-08-29 06:59:57,961 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Network id=390 is destroyed successfully, cleaning up corresponding resources now.
> 2014-08-29 06:59:57,963 DEBUG [o.a.c.e.o.NetworkOrchestrator] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Deleted ip range for private network id=390
> 2014-08-29 06:59:57,981 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995 ctx-502dafa1) Complete async job-995, jobStatus: SUCCEEDED, resultCode: 0, result: org.apache.cloudstack.api.response.SuccessResponse/null/{"success":true}
> 2014-08-29 06:59:57,985 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-40:ctx-71036d41 job-995) Done executing org.apache.cloudstack.api.command.user.network.DeleteNetworkCmd for job-995
> 2014-08-29 06:59:57,989 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-40:ctx-71036d41 job-995) Remove job-995 from job monitoring
> Scenario 2:
> Regular user is allowed to restart networks that belong to other users.
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , Deploy a VM.
> As user d1-b , restart network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from apilog indicating AccountId 92 is attempting the restart
> network.
> 2014-08-28 13:42:15,541 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d) (userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw= 200 { "restartnetworkresponse" : {"jobid":"8bafd675-c0db-4ccd-b8f8-cf4ae74aefe6"} }
> Snippet from DB indicating that the owner of the network is account_id=89.
> mysql> select account_id,domain_id from networks where
> uuid="e3fc5e02-52dc-449a-8a06-a2fe66f6df69";
> +------------+-----------+
> | account_id | domain_id |
> +------------+-----------+
> |         89 |        37 |
> +------------+-----------+
> 1 row in set (0.00 sec)
> Snippet from management server logs indicating success:
> 2014-08-28 13:42:15,495 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7) ===START=== 10.215.3.6 -- GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
> 2014-08-28 13:42:15,536 INFO [o.a.c.f.j.i.AsyncJobMonitor] (API-Job-Executor-32:ctx-68ebfe7f job-980) Add job-980 into job monitoring
> 2014-08-28 13:42:15,537 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-32:ctx-68ebfe7f job-980) Executing AsyncJobVO {id:980, userId: 92, accountId: 92, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.network.RestartNetworkCmd, cmdInfo: {"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"{\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 82324189320212, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-28 13:42:15,541 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d) submit async job-980, details: AsyncJobVO {id:980, userId: 92, accountId: 92, instanceType: None, instanceId: null, cmd: org.apache.cloudstack.api.command.user.network.RestartNetworkCmd, cmdInfo: {"response":"json","id":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","sessionkey":"R4PNr9jK8zTnYQac7sFxqXrg1bw\u003d","cleanup":"false","ctxDetails":"{\"com.cloud.network.Network\":\"e3fc5e02-52dc-449a-8a06-a2fe66f6df69\"}","cmdEventType":"NETWORK.RESTART","ctxUserId":"92","httpmethod":"GET","uuid":"e3fc5e02-52dc-449a-8a06-a2fe66f6df69","ctxAccountId":"92","ctxStartEventId":"2977"}, cmdVersion: 0, status: IN_PROGRESS, processStatus: 0, resultCode: 0, result: null, initMsid: 82324189320212, completeMsid: null, lastUpdated: null, lastPolled: null, created: null}
> 2014-08-28 13:42:15,541 DEBUG [c.c.a.ApiServlet] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d) ===END=== 10.215.3.6 -- GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=
> Scenario 3:
> Regular user is allowed to deploy a VM for another account in the same domain.
> Create a regular user - d1-a in Domain - d1.
> Create another regular user - d1-b in Domain - d1.
> As user d1-a , Deploy a VM.
> As user d1-b , deploy a VM for user d1-a in a network that belongs to d1-a.
> We expect this to not succeed.
> But we are allowed to do this.
> Snippet from api-log indicating that the deployVirtualMachine command was
> sent by accountId=92
> 2014-08-28 13:42:02,068 INFO [a.c.c.a.ApiServer] (catalina-exec-24:ctx-2a532bd3 ctx-169e8ae7) (userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET command=deployVirtualMachine&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=&zoneid=0ed30371-31bc-4f13-ad41-0c4f3af3390f&templateid=4d2af82a-2e01-11e4-94e5-4adf980f9414&hypervisor=Simulator&serviceofferingid=e9d8660a-b531-4651-baf5-5a5f5c7959b3&iptonetworklist%5B0%5D.networkid=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&displayname=test-cross1&name=test-cross1&_=1409271795491&account=d1-a&domainid=7a28c3f6-f2c8-4c45-a08a-d1bd1b57d0b8 200 { "deployvirtualmachineresponse" : {"id":"0c1a4583-3691-48d3-9544-878cbf08eb79","jobid":"12cd6bc3-d9a5-4719-b3b9-05acc226fc23"} }
> DB entry indicating that the VirtualMachine was successfully created for
> account_id - 89.
> mysql> select account_id,domain_id ,uuid,id from vm_instance where
> name="test-cross1";
> +------------+-----------+--------------------------------------+-----+
> | account_id | domain_id | uuid | id |
> +------------+-----------+--------------------------------------+-----+
> | 89 | 37 | 0c1a4583-3691-48d3-9544-878cbf08eb79 | 302 |
> +------------+-----------+--------------------------------------+-----+
> 1 row in set (0.00 sec)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
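The three scenarios above share one root cause: the API layer accepted a network id (or an account=/domainid= pair and a networkid) from a regular user without checking that the caller's account owns the resource. Once a fix ships, an operator still wants to know whether the hole was used while it was open. The script below is an added example, not code from the CloudStack project or from the report: it parses ApiServer INFO lines of the shape quoted above, resolves the owner of the resource each call names from the ownership data the report's DB snippets give, and flags every call whose caller accountId is not that owner. The name-to-id map (d1-a is account 89, d1-b is account 92), the empty admin allow-list and the fourth, legitimate log line are constructed assumptions for the sake of a runnable sample.

```python
"""Audit CloudStack API logs for calls that act on another account's resources.

Added example for CLOUDSTACK-7471; not code from the CloudStack project or
from the reporter. It parses ApiServer INFO lines of the shape quoted in the
report and flags a call when the caller's accountId is not the owner of the
resource named in the request, which is exactly what the bug let a regular
user do.
"""
import re
from urllib.parse import parse_qs

# The first three lines are the ApiServer entries quoted in the report (line
# wrapping undone, dash normalized to "--"); the fourth is a constructed line
# for a legitimate restart by the owning account, included as a control.
APILOG = """\
2014-08-29 06:59:57,912 INFO [a.c.c.a.ApiServer] (catalina-exec-23:ctx-05f928b8 ctx-c081eb69) (userId=92 accountId=92 sessionId=DCA599AA77169CA107BA0AADA19667F7) 10.215.3.6 -- GET command=deleteNetwork&id=2f2cc737-ba0f-4806-a81b-92a5749cfe7b&response=json&sessionkey=NHvM0k5Rg%2FQspJg2g0YnQP%2Fhq34%3D 200 { "deletenetworkresponse" : {"jobid":"05daf212-1aa7-4885-b133-2645a6ceb7df"} }
2014-08-28 13:42:15,541 INFO [a.c.c.a.ApiServer] (catalina-exec-6:ctx-5cd552d7 ctx-a6bba81d) (userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw= 200 { "restartnetworkresponse" : {"jobid":"8bafd675-c0db-4ccd-b8f8-cf4ae74aefe6"} }
2014-08-28 13:42:02,068 INFO [a.c.c.a.ApiServer] (catalina-exec-24:ctx-2a532bd3 ctx-169e8ae7) (userId=92 accountId=92 sessionId=DDD40F81978CB0849844A6BB2FBD6DDC) 10.215.3.6 -- GET command=deployVirtualMachine&response=json&sessionkey=R4PNr9jK8zTnYQac7sFxqXrg1bw=&zoneid=0ed30371-31bc-4f13-ad41-0c4f3af3390f&templateid=4d2af82a-2e01-11e4-94e5-4adf980f9414&hypervisor=Simulator&serviceofferingid=e9d8660a-b531-4651-baf5-5a5f5c7959b3&iptonetworklist%5B0%5D.networkid=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&displayname=test-cross1&name=test-cross1&_=1409271795491&account=d1-a&domainid=7a28c3f6-f2c8-4c45-a08a-d1bd1b57d0b8 200 { "deployvirtualmachineresponse" : {"id":"0c1a4583-3691-48d3-9544-878cbf08eb79","jobid":"12cd6bc3-d9a5-4719-b3b9-05acc226fc23"} }
2014-08-29 07:10:00,000 INFO [a.c.c.a.ApiServer] (catalina-exec-9:ctx-00000000 ctx-00000000) (userId=89 accountId=89 sessionId=00000000000000000000000000000000) 10.215.3.6 -- GET command=restartNetwork&id=e3fc5e02-52dc-449a-8a06-a2fe66f6df69&cleanup=false&response=json&sessionkey=constructed 200 { "restartnetworkresponse" : {"jobid":"00000000-0000-0000-0000-000000000000"} }
"""

# Ownership data taken from the DB snippets in the report: both networks belong
# to account_id 89. The name-to-id map is an assumption consistent with the
# report (deploying with account=d1-a produced a VM owned by account_id 89).
NETWORK_OWNER = {
    "2f2cc737-ba0f-4806-a81b-92a5749cfe7b": 89,
    "e3fc5e02-52dc-449a-8a06-a2fe66f6df69": 89,
}
ACCOUNT_ID_BY_NAME = {"d1-a": 89, "d1-b": 92}
# Accounts allowed to act on others' resources (root/domain admins); constructed, empty here.
ADMIN_ACCOUNTS = set()

NETWORK_COMMANDS = {"deleteNetwork", "restartNetwork", "updateNetwork"}

# One ApiServer access line: timestamp, caller identity, client ip, method, query string, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO\s+\[a\.c\.c\.a\.ApiServer\] .*?"
    r"\(userId=(?P<user>\d+) accountId=(?P<acct>\d+) sessionId=[0-9A-Fa-f]+\) "
    r"(?P<ip>\S+) (?:--|–) (?P<method>GET|POST) (?P<qs>\S+) (?P<status>\d{3})"
)


def parse_line(line):
    """Return the caller, command and decoded parameters of one ApiServer line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(m["qs"], keep_blank_values=True).items()}
    return {
        "ts": m["ts"],
        "caller": int(m["acct"]),
        "ip": m["ip"],
        "status": int(m["status"]),
        "command": params.get("command"),
        "params": params,
    }


def target_owners(event):
    """Account ids that own the resources this call touches (empty if unknown)."""
    cmd, p = event["command"], event["params"]
    owners = set()
    if cmd in NETWORK_COMMANDS and p.get("id") in NETWORK_OWNER:
        owners.add(NETWORK_OWNER[p["id"]])
    elif cmd == "deployVirtualMachine":
        # account=/domainid= ask to create the VM on behalf of another account ...
        if p.get("account") in ACCOUNT_ID_BY_NAME:
            owners.add(ACCOUNT_ID_BY_NAME[p["account"]])
        # ... and each iptonetworklist[N].networkid attaches it to a network someone owns.
        for key, value in p.items():
            if key.startswith("iptonetworklist[") and key.endswith("].networkid"):
                if value in NETWORK_OWNER:
                    owners.add(NETWORK_OWNER[value])
    return owners


def audit(log_text):
    """Flag (timestamp, caller, command, foreign owners, status) for cross-account calls."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["caller"] in ADMIN_ACCOUNTS:
            continue
        foreign = sorted(o for o in target_owners(ev) if o != ev["caller"])
        if foreign:
            findings.append((ev["ts"], ev["caller"], ev["command"], foreign, ev["status"]))
    return findings


if __name__ == "__main__":
    for ts, caller, cmd, owners, status in audit(APILOG):
        print(f"{ts} account {caller} ran {cmd} on resources of {owners} -> HTTP {status}")
```

Against the sample log this reports the three cross-account calls from the report (all by account 92 against resources of account 89, each answered with HTTP 200) and stays quiet on the control line where account 89 restarts its own network. In a real audit the two dictionaries would be loaded from the `networks` and `account` tables, and the HTTP status matters: a 200 on a flagged line means the operation went through, while a 401/531 means the access check did its job.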