[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Prachi Damle resolved CLOUDSTACK-6517.
--------------------------------------
Resolution: Fixed
Fixed in 4.4-forward branch
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when
> admin does not have "UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6517
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: IAM
> Affects Versions: 4.4.0
> Environment: Build from 4.4
> Reporter: Sangeetha Hariharan
> Assignee: Prachi Damle
> Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when
> admin does not have "UseEntry" permission for IpAddress.
> Steps to reproduce the problem:
> As regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing
> account and domainId.
> Creating PF rule succeeds.
> Since Admin has only "ListEntry" permission for IpAddress owned by other
> users, we expect this API call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> Admin should be allowed to do this only when account and domainId
> of the regular user are passed.
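
The access check the report expects, modelled over the two iam_policy_permission rows quoted above. This is an added example, not CloudStack's code: the function names, the account names, the scope semantics and the treatment of a passed account/domainId are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Permission:
    action: str
    resource_type: str
    scope: str        # "ALL" or "ACCOUNT"
    access_type: str  # "ListEntry" or "UseEntry"
    permission: str   # "Allow"


# The two rows from the report's query output (policy_id=2, the admin's policy).
ADMIN_POLICY = [
    Permission("listPublicIpAddresses", "IpAddress", "ALL", "ListEntry", "Allow"),
    Permission("listPublicIpAddresses", "IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]


def has_access(policy, caller_account, resource_type, owner_account, access_type):
    """True if an Allow row grants access_type on a resource owned by owner_account."""
    for p in policy:
        # The entity check is keyed on resource type and access type; the action
        # column is not consulted in this model (assumption).
        if (p.resource_type, p.access_type, p.permission) != (resource_type, access_type, "Allow"):
            continue
        # Assumption: scope ALL covers every owner, scope ACCOUNT only the
        # caller's own account.
        if p.scope == "ALL" or (p.scope == "ACCOUNT" and owner_account == caller_account):
            return True
    return False


def can_create_pf_rule(policy, caller_account, ip_owner, on_behalf_of: Optional[str] = None):
    """Expected check: creating a PF rule on an IP needs UseEntry on that IP."""
    # Assumption: passing account/domainId makes the call act as that account.
    acting_as = on_behalf_of or caller_account
    return has_access(policy, acting_as, "IpAddress", ip_owner, "UseEntry")


if __name__ == "__main__":
    # Constructed account names: "admin" is the caller, "user1" owns the IP.
    print(has_access(ADMIN_POLICY, "admin", "IpAddress", "user1", "ListEntry"))
    print(can_create_pf_rule(ADMIN_POLICY, "admin", "user1"))
    print(can_create_pf_rule(ADMIN_POLICY, "admin", "user1", on_behalf_of="user1"))
```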