[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Prachi Damle resolved CLOUDSTACK-6517.
--------------------------------------
    Resolution: Fixed

Fixed in 4.4-forward branch

> IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6517
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
>
> Steps to reproduce the problem:
>
> As regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing account and domainId.
> Creating PF rule succeeds.
>
> Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
>
> Admin should be allowed to do this only when he passes the account and domainId of the regular user.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
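The following is an added example, not CloudStack code and not part of the JIRA thread: a small Python model of the access check the reporter describes. It encodes the two iam_policy_permission rows from the dump above (ListEntry on IpAddress at scope ALL, UseEntry only at scope ACCOUNT), then contrasts a createPortForwardingRule that only checks visibility (the reported behaviour) with one that requires a UseEntry grant covering the IP (the expected behaviour). The sample IP addresses, account names and domain ids are constructed, and the rule that passing a matching account and domainId makes the call run on behalf of that account is an assumption modelled from the issue's last sentence, not taken from CloudStack's implementation.

```python
"""Model of the IAM access check described in CLOUDSTACK-6517.

Constructed example, not CloudStack code. The two policy rows mirror the
iam_policy_permission dump in the issue (policy_id=2): ListEntry on
IpAddress at scope ALL, UseEntry only at scope ACCOUNT.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str
    resource_type: str
    scope: str        # "ALL" or "ACCOUNT" (the scopes present in the dump)
    access_type: str  # "ListEntry" (may see it) or "UseEntry" (may act on it)
    permission: str   # "Allow" or "Deny"


@dataclass(frozen=True)
class IpAddress:
    id: int
    owner_account: str
    owner_domain: int
    resource_type: str = "IpAddress"


# Constructed rows mirroring ids 1840 and 1841 from the issue.
ADMIN_POLICY = [
    Permission("listPublicIpAddresses", "IpAddress", "ALL", "ListEntry", "Allow"),
    Permission("listPublicIpAddresses", "IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]

# Constructed sample resources: one IP owned by a regular user, one by admin.
USER_IP = IpAddress(id=10, owner_account="user1", owner_domain=2)
ADMIN_IP = IpAddress(id=11, owner_account="admin", owner_domain=1)


def is_granted(policy, caller_account, resource, access_type):
    """True if the policy grants `access_type` on `resource` to `caller_account`.

    A row matches when its resource_type and access_type fit and its scope
    covers the resource: ALL covers everything, ACCOUNT covers only resources
    owned by the caller. An explicit Deny row wins over any Allow row.
    """
    decisions = []
    for p in policy:
        if p.resource_type != resource.resource_type or p.access_type != access_type:
            continue
        if p.scope == "ALL" or (p.scope == "ACCOUNT" and resource.owner_account == caller_account):
            decisions.append(p.permission)
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


def create_pf_rule_before_fix(policy, caller_account, ip, account=None, domain_id=None):
    """Behaviour the issue reports: only visibility (ListEntry) is checked.

    Admin's ALL-scoped ListEntry row covers every IpAddress, so the rule is
    created on user1's IP even though no UseEntry row covers it. account and
    domain_id are accepted but not used in the check.
    """
    if not is_granted(policy, caller_account, ip, "ListEntry"):
        raise PermissionError(f"{caller_account} cannot see IpAddress {ip.id}")
    return {"ipaddressid": ip.id, "account": account or caller_account}


def create_pf_rule_after_fix(policy, caller_account, ip, account=None, domain_id=None):
    """Behaviour the issue expects: a UseEntry grant must cover the IP.

    Assumption (modelled from the issue's last sentence, not from CloudStack
    code): when the caller passes account and domainId that own the IP, the
    rule is created on that account's behalf, so the ACCOUNT-scoped UseEntry
    row is evaluated for that account rather than for the caller.
    """
    effective = caller_account
    if account is not None and domain_id is not None:
        if (account, domain_id) != (ip.owner_account, ip.owner_domain):
            raise PermissionError("account/domainId do not own this IpAddress")
        effective = account
    if not is_granted(policy, effective, ip, "UseEntry"):
        raise PermissionError(f"{caller_account} lacks UseEntry on IpAddress {ip.id}")
    return {"ipaddressid": ip.id, "account": effective, "domainid": ip.owner_domain}


def succeeds(fn, *args, **kwargs):
    """Run an API call and report whether the access check let it through."""
    try:
        fn(*args, **kwargs)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Reproduction from the issue: admin, user1's IP, no account/domainId passed.
    print("before fix:", succeeds(create_pf_rule_before_fix, ADMIN_POLICY, "admin", USER_IP))  # True (the bug)
    print("after fix: ", succeeds(create_pf_rule_after_fix, ADMIN_POLICY, "admin", USER_IP))   # False
    print("on behalf: ", succeeds(create_pf_rule_after_fix, ADMIN_POLICY, "admin", USER_IP,
                                  account="user1", domain_id=2))                                # True
```

The point the model makes is the one the reporter makes: ListEntry and UseEntry are separate access types, and an API that mutates a resource has to check the one that permits acting on it, not the one that merely permits listing it. A scope of ALL on ListEntry is what lets admin enumerate every IP; it says nothing about what admin may do with them.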