Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/11/29 13:33:59 UTC
[GitHub] [cloudstack] weizhouapache opened a new pull request #5729: server: fix non-root users are able to list system networks by id
weizhouapache opened a new pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729
### Description
This PR fixes the issue that domain admins and normal users can list system networks by id.
For example, by cmk:
```
cmk list networks issystem=true id=200
cmk list networks issystem=true id=201
cmk list networks issystem=true id=202
cmk list networks issystem=true id=203
```
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
### Feature/Enhancement Scale or Bug Severity
#### Bug Severity
- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [x] Minor
- [ ] Trivial
### Screenshots (if appropriate):
### How Has This Been Tested?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sureshanaparti commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982369245
> should not
Yes, got it. @weizhouapache, can you update the cmk example in the description (with some dummy UUIDs, and indicating that the UUID belongs to 200, 201, etc.)? Makes sense?
[GitHub] [cloudstack] blueorangutan commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-984530131
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 1820
[GitHub] [cloudstack] weizhouapache commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982384579
> > should not
>
> Yes, got it. @weizhouapache, can you update the cmk example in the description (with some dummy UUIDs, and indicating that the UUID belongs to 200, 201, etc.)? Makes sense?
@sureshanaparti
Domain admins and normal users do not know the UUID of networks if `listnetworks` does not work.
In most CloudStack APIs, we can pass an integer value instead of the string-format UUID as the `id` parameter (the string-format UUID will be transformed to an integer value in CloudStack).
You can run the cmk commands as a domain admin or normal user in your testing environment. They work in 4.15/4.16.
[GitHub] [cloudstack] weizhouapache commented on pull request #5729: server: fix non-root users are able to list system networks by id
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982340555
> @weizhouapache 'by id' means it should be uuid, right?
@sureshanaparti
I removed "by id" in the title.
The points of this PR are:
(1) Domain admins and normal users should not be able to list system networks (by id=200, 201, ...). CloudStack networks start with id=200 in the DB; the first networks are system networks (Public/Management/Control).
(2) Domain admins should not be able to list system networks.
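As an added illustration of the two points above, and of the UUID-to-integer resolution described earlier in the thread (this is example code, not code from the PR or from CloudStack): a small Python model of a `listNetworks` lookup in which the `id` parameter may be either a UUID string or a bare DB integer, with the unfixed behaviour beside the hardened check. The table rows, UUIDs and role names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Caller account types, named after CloudStack's roles (constructed constants).
ROOT_ADMIN, DOMAIN_ADMIN, USER = "RootAdmin", "DomainAdmin", "User"


@dataclass(frozen=True)
class Network:
    db_id: int        # internal auto-increment id; CloudStack system networks start at 200
    uuid: str         # externally visible identifier
    name: str
    is_system: bool


# Constructed sample rows; the UUIDs are made up for this example.
PUBLIC_UUID = "3f2c1b8e-1111-4a6b-9c01-000000000200"
TENANT_UUID = "3f2c1b8e-2222-4a6b-9c01-000000000204"
NETWORKS = [
    Network(200, PUBLIC_UUID, "Public", True),
    Network(201, "3f2c1b8e-1111-4a6b-9c01-000000000201", "Management", True),
    Network(204, TENANT_UUID, "tenant-net", False),
]


def resolve_network(id_param: str) -> Optional[Network]:
    """Mimic the lookup the thread describes: the `id` parameter may be a UUID
    string or a bare integer, and both are resolved to the internal db id."""
    for n in NETWORKS:
        if id_param == n.uuid or (id_param.isdigit() and int(id_param) == n.db_id):
            return n
    return None


def list_networks_before_fix(caller: str, id_param: str, issystem: bool = False) -> List[Network]:
    """Behaviour the PR fixes: the issystem flag is honoured, but nothing checks
    who is asking, so any authenticated caller can fetch id=200, 201, ..."""
    n = resolve_network(id_param)
    return [n] if n is not None and n.is_system == issystem else []


def list_networks_after_fix(caller: str, id_param: str, issystem: bool = False) -> List[Network]:
    """Hardened variant: system networks are visible to root admins only, and the
    check runs after id resolution so it covers both the UUID and the integer form."""
    n = resolve_network(id_param)
    if n is None or n.is_system != issystem:
        return []
    if n.is_system and caller != ROOT_ADMIN:
        return []     # domain admins and normal users never see system networks
    return [n]
```

The check sits after the id has been resolved, so it does not matter whether the caller supplied the UUID or the integer: the authorization decision is made on the row, not on the form of the identifier.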
[GitHub] [cloudstack] weizhouapache merged pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
weizhouapache merged pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729
[GitHub] [cloudstack] sureshanaparti commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982449190
I've tested with a few other list APIs (listManagementServers, listVirtualMachines, etc.) which respond to the integer 'id' passed in the 'id' parameter. Accepting the integer 'id' can be a security concern: if anyone (with valid credentials, without knowing the resource 'uuid') tries random integers and a resource exists with that integer id, they can get to know the resource details. Is it OK to accept the integer 'id' from the API, or should this be blocked at the API level?
[GitHub] [cloudstack] sureshanaparti commented on pull request #5729: server: fix non-root users are able to list system networks by id
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982295498
@weizhouapache 'by id' means it should be uuid, right?
[GitHub] [cloudstack] weizhouapache commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-985367861
Merged based on 2 approvals and Trillian test results.
The Travis failures are not related to this PR.
```
+------------------------------+---------+-------+-----------+
| Test | Result | Time | Test file |
+==============================+=========+=======+===========+
| test_13_tag_case_insensitive | Failure | 0.293 | test_tags |
+------------------------------+---------+-------+-----------+
```
[GitHub] [cloudstack] sureshanaparti commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-982426454
> > > should not
> >
> >
> > Yes, got it. @weizhouapache, can you update the cmk example in the description (with some dummy UUIDs, and indicating that the UUID belongs to 200, 201, etc.)? Makes sense?
>
> @sureshanaparti Domain admins and normal users do not know the UUID of networks if `listnetworks` does not work. In most CloudStack APIs, we can pass an integer value instead of the string-format UUID as the `id` parameter (the string-format UUID will be transformed to an integer value in CloudStack). You can run the cmk commands as a domain admin or normal user in your testing environment. They work in 4.15/4.16.
@weizhouapache Yes, the string-format UUID will be transformed to an integer value in CloudStack; that's how it is done. Do domain admins and normal users know the integer 'id' values of a network?
[GitHub] [cloudstack] blueorangutan commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-984534401
@weizhouapache a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
[GitHub] [cloudstack] weizhouapache commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-985366286
> This code looks good. I agree with @sureshanaparti about calling with id as int, but am not sure if this is really a formality or a real security issue. In any way it is a backwards compatibility issue and beside the point in this PR.
I do not know if it (listing resources by DB id rather than UUID) is a real issue; it has existed for many years (from 4.0.0?), and no users complained about it in the past. @DaanHoogland @sureshanaparti
Anyway, it is another topic; we need to discuss it with the community before changing it.
[GitHub] [cloudstack] blueorangutan commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-984466255
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
[GitHub] [cloudstack] blueorangutan commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-985015376
**Trillian test result (tid-2605)**
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 35214 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr5729-t2605-kvm-centos7.zip
Smoke tests completed. 91 look OK, 0 have errors
Only failed test results are shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
[GitHub] [cloudstack] rhtyd commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-984464546
@blueorangutan package
[GitHub] [cloudstack] weizhouapache commented on pull request #5729: server: fix non-root users are able to list system networks
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5729:
URL: https://github.com/apache/cloudstack/pull/5729#issuecomment-984534214
@blueorangutan test