Posted to issues@cloudstack.apache.org by "Sangeetha Hariharan (JIRA)" <ji...@apache.org> on 2014/06/21 04:04:26 UTC

[jira] [Updated] (CLOUDSTACK-6973) IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sangeetha Hariharan updated CLOUDSTACK-6973:
--------------------------------------------

    Summary: IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.  (was: IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.      Edit      Comment      Assign     More      Resolve Issue     Close Issue      Export)

> IAM - listNetworks - When Domain Admin calls listNetwork with listall=false , isolated networks belonging to other users in the domain is also listed.
> ------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6973
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6973
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4-forward
>            Reporter: Sangeetha Hariharan
>
> IAM - listNetworks - When Domain Admin calls listNetwork with listall=false, isolated networks belonging to other users in the domain are also listed.
> Steps to reproduce the problem:
> Domain D1 -> has user d1 (domain admin), d1a and d1b regular users.
> Each user has an isolated network that he owns.
> Calling listNetworks() with no parameters (or listall=false) results in isolated networks owned by other regular users in the domain being listed.
> As domain admin d1, when I listed listNetworks() with no parameters (or listall=false), I see the isolated networks owned by d1a and d1b regular users listed:
> -----------------------------------------------------------------------------------------------------------------------------------------------------
> id 	account_name 	uuid 	type 	domain_id 	state 	removed 	cleanup_needed 	network_domain 	default_zone_id 	default
> -----------------------------------------------------------------------------------------------------------------------------------------------------
> 1 	system 	2c320fc2-d1eb-11e3-907f-4adf980f9414 	1 	1 	enabled 	NULL 	0 	NULL 	NULL 	1
> 2 	admin 	2c324dfc-d1eb-11e3-907f-4adf980f9414 	1 	1 	enabled 	NULL 	0 	NULL 	NULL 	1
> 3 	testD1-TestNetworkList-0SNBP5 	53144728-76db-427a-ab96-5a6901e31a5e 	2 	2 	enabled 	NULL 	0 	NULL 	NULL 	0
> 4 	testD1A-TestNetworkList-0Y3W33 	196cc54c-4f4f-4bff-91ee-e084395eb388 	0 	2 	enabled 	NULL 	0 	NULL 	NULL 	0
> 5 	testD1B-TestNetworkList-KOGK49 	52d34195-f6be-482d-b8cb-effaf9d3bcc4 	0 	2 	enabled 	NULL 	0 	NULL 	NULL 	0
> List call response:
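
A regression check for the behaviour reported above, written as an added example (it is not part of the original report or of CloudStack's code): given a listNetworks JSON response and the calling account, it returns the account-scoped isolated networks owned by someone else. The sample response, the account names d1/d1a/d1b and the network names are constructed, and treating only `type` "Isolated" with `acltype` "Account" as account-private is an assumption of this sketch.

```python
import json


def foreign_isolated_networks(response_json, caller_account, listall=False):
    """Return sorted (owner, network name) pairs for every account-scoped
    isolated network in a listNetworks response that the caller does not own.
    With listall=true a domain admin is expected to see them, so nothing is
    flagged in that case."""
    if listall:
        return []
    body = json.loads(response_json).get("listnetworksresponse", {})
    leaked = []
    for net in body.get("network", []):
        # Assumption: domain-wide (shared) networks are legitimately visible;
        # only per-account isolated networks are private to their owner.
        private = net.get("type") == "Isolated" and net.get("acltype") == "Account"
        owner = net.get("account", "<unknown>")
        if private and owner != caller_account:
            leaked.append((owner, net.get("name", "<unnamed>")))
    return sorted(leaked)


def _net(owner, net_type="Isolated", acltype="Account"):
    # Helper that builds one constructed network entry for the samples below.
    entry = {"name": owner + "-network", "type": net_type, "acltype": acltype}
    if acltype == "Account":
        entry["account"] = owner
    return entry


# Constructed response showing the reported behaviour: domain admin d1 calls
# listNetworks with listall=false and also receives d1a's and d1b's networks.
BUGGY_RESPONSE = json.dumps({"listnetworksresponse": {"count": 4, "network": [
    _net("d1b"), _net("d1a"), _net("d1"), _net("shared", "Shared", "Domain")]}})

# Constructed response with the expected scoping: own network plus shared one.
SCOPED_RESPONSE = json.dumps({"listnetworksresponse": {"count": 2, "network": [
    _net("d1"), _net("shared", "Shared", "Domain")]}})

if __name__ == "__main__":
    for owner, name in foreign_isolated_networks(BUGGY_RESPONSE, "d1"):
        print("listall=false returned network %s owned by %s" % (name, owner))
```
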


