Posted to issues@cloudstack.apache.org by "Min Chen (JIRA)" <ji...@apache.org> on 2014/05/02 20:21:16 UTC

[jira] [Resolved] (CLOUDSTACK-6535) IAM:MS:API createVMSnapshot doesn't preserve access rights

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Min Chen resolved CLOUDSTACK-6535.
----------------------------------

    Resolution: Fixed

> IAM:MS:API createVMSnapshot doesn't preserve access rights
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-6535
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6535
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API, IAM
>    Affects Versions: 4.4.0
>         Environment: 4.4
>            Reporter: Parth Jagirdar
>            Assignee: Min Chen
>            Priority: Critical
>         Attachments: apilog.log.bz2, db_dump.sql.bz2, management-server.log.bz2
>
>
> As a domain admin or as a regular user, one can create a snapshot of a VM owned by other users. (Create Snapshot succeeds across domains as well.)
> Please refer to API and MS logs.
> DB Dump is attached.
> 2014-04-29 15:32:38,316 INFO  [a.c.c.a.ApiServer] (catalina-exec-19:ctx-baaf5fbe ctx-d89f1942) (userId=9 accountId=9 sessionId=13E9CF7AD4BB55EE9EDF2920D6E62915) 10.215.2.19 -- GET command=createVMSnapshot&virtualmachineid=219d649d-b6fc-475e-ab0f-8800a7f95235&response=json&sessionkey=p1pPn2KtylzYt92NSHuE2u4G68w%3D 200 { "createvmsnapshotresponse" : {"id":"8","jobid":"fa37d77f-28b0-485b-af81-834a07ed6e4e"} }
> 2014-04-29 15:32:40,306 INFO  [a.c.c.a.ApiServer] (catalina-exec-25:ctx-114bb10a ctx-d396131c) (userId=2
>  accountId=2 sessionId=5EC896B528FB6DB972CE5B02A277047B) 10.215.2.19 -- GET command=listVirtualMachines&
> response=json&sessionkey=e1WRj6SbsZEClPvlCdLP9f3MhYI%3D&listAll=true&page=1&pagesize=20&_=1398810759989
> 200 { "listvirtualmachinesresponse" : { "count":6 ,"virtualmachine" : [  {"id":"cea5fc51-6a31-4209-b26f-
> 9097c9d17011","name":"d2-vm","displayname":"d2-vm","account":"d2","domainid":"0af12b69-67f4-454a-9eb6-f2
> bef02aba0b","domain":"d2","created":"2014-04-28T10:21:08-0700","state":"Running","haenable":false,"zonei
> d":"6933ac3e-29fe-4170-8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15"
> ,"hostname":"10.223.58.68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.
> 3(64-bit) no GUI (vSphere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled
> ":false,"serviceofferingid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance
> ","cpunumber":1,"cpuspeed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"gues
> tosid":"54a23660-bf4b-11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[
> ],"nic":[{"id":"cae4f3d2-1598-4aa0-98b9-669a4c7de6ae","networkid":"f417c31a-e19f-45db-9180-87f17a195bf0"
> ,"networkname":"d2-net","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.151","isolati
> onuri":"vlan://2342","broadcasturi":"vlan://2342","traffictype":"Guest","type":"Isolated","isdefault":tr
> ue,"macaddress":"02:00:41:11:00:01"}],"hypervisor":"VMware","publicipid":"a6866b38-e8dd-4deb-965f-c09931
> d183fe","publicip":"10.223.138.11","instancename":"i-10-32-VM","tags":[],"affinitygroup":[],"displayvm":
> true,"isdynamicallyscalable":false,"ostypeid":12}, {"id":"e887d23a-fac0-4397-adb9-edfbf2169453","name":"
> d1-vm","displayname":"d1-vm","account":"d1","domainid":"90a8c572-3f92-420b-9176-5daafa9853da","domain":"
> d1","created":"2014-04-28T10:20:39-0700","state":"Running","haenable":false,"zoneid":"6933ac3e-29fe-4170
> -8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15","hostname":"10.223.58
> .68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.3(64-bit) no GUI (vSph
> ere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled":false,"serviceofferi
> ngid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance","cpunumber":1,"cpusp
> eed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"guestosid":"54a23660-bf4b-
> 11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[],"nic":[{"id":"5c410c
> a5-5151-48d8-8de7-4fc674bd597a","networkid":"2a7d1254-3120-42f5-b8b9-dd64485cfed4","networkname":"d1-net
> ","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.184","isolationuri":"vlan://2268","
> mysql> select * from iam_group_account_map where removed is NULL order by group_id;
> +----+----------+------------+---------+---------------------+
> | id | group_id | account_id | removed | created             |
> +----+----------+------------+---------+---------------------+
> | 43 |        1 |         23 | NULL    | 2014-04-14 23:18:40 |
> | 45 |        1 |         24 | NULL    | 2014-04-17 22:23:41 |
> | 41 |        1 |         22 | NULL    | 2014-04-14 23:18:24 |
> | 39 |        1 |         21 | NULL    | 2014-04-14 23:17:59 |
> | 37 |        1 |         20 | NULL    | 2014-04-14 23:17:40 |
> |  2 |        2 |          2 | NULL    | 2014-04-08 18:29:34 |
> |  1 |        2 |          1 | NULL    | 2014-04-08 18:29:34 |
> | 17 |        3 |         10 | NULL    | 2014-04-10 21:50:18 |
> | 15 |        3 |          9 | NULL    | 2014-04-10 21:49:18 |
> | 16 |        7 |          9 | NULL    | 2014-04-10 21:49:18 |
> | 46 |        7 |         24 | NULL    | 2014-04-17 22:23:41 |
> | 18 |        8 |         10 | NULL    | 2014-04-10 21:50:18 |
> | 38 |        9 |         20 | NULL    | 2014-04-14 23:17:40 |
> | 40 |       10 |         21 | NULL    | 2014-04-14 23:17:59 |
> | 42 |       11 |         22 | NULL    | 2014-04-14 23:18:24 |
> | 44 |       12 |         23 | NULL    | 2014-04-14 23:18:40 |
> | 47 |       13 |          1 | NULL    | 2014-04-23 18:56:28 |
> | 48 |       13 |          2 | NULL    | 2014-04-23 18:56:28 |
> +----+----------+------------+---------+---------------------+
> 18 rows in set (0.00 sec)
> mysql> select * from iam_group_policy_map;
> +----+----------+-----------+---------+---------------------+
> | id | group_id | policy_id | removed | created             |
> +----+----------+-----------+---------+---------------------+
> |  1 |        1 |         1 | NULL    | 2014-04-08 11:27:45 |
> |  2 |        2 |         2 | NULL    | 2014-04-08 11:27:45 |
> |  3 |        3 |         3 | NULL    | 2014-04-08 11:27:45 |
> |  4 |        4 |         4 | NULL    | 2014-04-08 11:27:45 |
> |  5 |        5 |         5 | NULL    | 2014-04-08 11:27:45 |
> +----+----------+-----------+---------+---------------------+
> 5 rows in set (0.00 sec)
> mysql> select * from iam_policy_permission where action = "createVMSnapshot";
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action           | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 4377 |         2 | createVMSnapshot | VMSnapshot    |       -1 | ALL     | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4378 |         4 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4379 |         3 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
> | 4380 |         1 | createVMSnapshot | VMSnapshot    |       -1 | ACCOUNT | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:13 |
> +------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> 4 rows in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
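
Added example (not part of the original report and not CloudStack's own code): a Python check that loads the three table dumps quoted above into SQLite, resolves the widest createVMSnapshot scope an account is granted through its groups, and applies that scope to a target VM's owner. Reading scope_id -1 as "the caller's own account or domain" and recursive 0 as "no sub-domains" are assumptions, as are the function names and the (account_id, domain_id) pairs the caller passes in.

```python
import sqlite3

# (group_id, account_id) rows from the iam_group_account_map dump in the report
GROUP_ACCOUNT = [(1, 23), (1, 24), (1, 22), (1, 21), (1, 20), (2, 2), (2, 1),
                 (3, 10), (3, 9), (7, 9), (7, 24), (8, 10), (9, 20), (10, 21),
                 (11, 22), (12, 23), (13, 1), (13, 2)]
# (group_id, policy_id) rows from the iam_group_policy_map dump
GROUP_POLICY = [(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]
# (policy_id, scope) for action createVMSnapshot, permission Allow, recursive 0
PERMISSION = [(2, "ALL"), (4, "DOMAIN"), (3, "DOMAIN"), (1, "ACCOUNT")]
RANK = {"ACCOUNT": 1, "DOMAIN": 2, "ALL": 3}


def effective_scope(account_id):
    """Widest createVMSnapshot scope via account -> group -> policy, or None."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE iam_group_account_map (group_id INT, account_id INT);
        CREATE TABLE iam_group_policy_map (group_id INT, policy_id INT);
        CREATE TABLE iam_policy_permission (policy_id INT, scope TEXT);
    """)
    db.executemany("INSERT INTO iam_group_account_map VALUES (?, ?)", GROUP_ACCOUNT)
    db.executemany("INSERT INTO iam_group_policy_map VALUES (?, ?)", GROUP_POLICY)
    db.executemany("INSERT INTO iam_policy_permission VALUES (?, ?)", PERMISSION)
    rows = db.execute("""
        SELECT DISTINCT p.scope
        FROM iam_group_account_map ga
        JOIN iam_group_policy_map gp ON gp.group_id = ga.group_id
        JOIN iam_policy_permission p ON p.policy_id = gp.policy_id
        WHERE ga.account_id = ?""", (account_id,)).fetchall()
    db.close()
    return max((r[0] for r in rows), key=RANK.get, default=None)


def may_snapshot(caller, vm_owner):
    """caller and vm_owner are (account_id, domain_id) pairs (assumed shape).

    Assumption: scope_id -1 means the caller's own account or domain.
    """
    scope = effective_scope(caller[0])
    if scope == "ALL":
        return True
    if scope == "DOMAIN":
        return caller[1] == vm_owner[1]  # recursive = 0: exact domain match
    if scope == "ACCOUNT":
        return caller[0] == vm_owner[0]
    return False  # no policy reachable from the account grants the action
```

With these rows, accountId=9 from the createVMSnapshot log line resolves to DOMAIN scope, so under the stated assumptions a snapshot request against a VM in a different domain would be expected to fail the check.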