You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Min Chen <mi...@citrix.com> on 2013/10/09 01:28:10 UTC
[DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Hi there,
In working with RBAC design, I am really puzzled by the two query parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
@Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, description = "If set to false, " +
"list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
private Boolean listAll;
@Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN, description = "defaults to false," +
" but if true, lists all resources from the parent specified by the domainId till leaves.")
private Boolean recursive;
IMHO, if a caller invokes a list API without passing any specific query parameter, he/she should see all resources that he/she is authorized to see. In CloudStack, we have implicit authorization rules as follows:
1. Root admin should be able to see all the resources under Root domain.
2. Domain admin should be able to see all the resources under its own domain tree.
3. Normal user should only see the resources owned by him.
4. Project account should be able to see resources assigned to that project.
Based on current AccountManager.buildACLSearchParameters implementation, we are not observing the passed "listAll" and "recursive" value at all, seems always treating "listAll=true" and "recursive=true". Thus, I am proposing that we change the default value of "listAll" and "recursive" to TRUE instead of current FALSE. Any objections?
Thanks
-min
Re: [DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Posted by Alena Prokharchyk <Al...@citrix.com>.
This is a bug.
=Alena.
On 10/8/13 6:12 PM, "Min Chen" <mi...@citrix.com> wrote:
>Just simple listVMsCmd with page information, passing listAll=true or not
>passing listAll returns the same set of data.
>
>
>Thanks
>-min
>
>On 10/8/13 5:55 PM, "Alena Prokharchyk" <Al...@citrix.com>
>wrote:
>
>>On 10/8/13 5:48 PM, "Min Chen" <mi...@citrix.com> wrote:
>>
>>>Thanks Alena for the clarification.
>>>
>>>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>>>should be the expected behavior?
>>
>>The same as if you don't pass anything. The domain admin will see his own
>>resources (the ones that belong to his account)
>>
>>
>>>Should he be able to see VMs under his domain but not owned by him? The
>>>current CloudStack behavior will
>>>show all VMs under his domain. This seems contradictory to the meaning
>>>of
>>>listAll.
>>
>>Do you pass anything else to the call besides listAll=false? Is the
>>result
>>the same when you don't pass listAll=false to the call? If so, what other
>>parameters do you pass in
>>
>>>
>>>Thanks
>>>-min
>>>
>>>
>>>
>>>>On 10/8/13 4:28 PM, "Min Chen" <mi...@citrix.com> wrote:
>>>>
>>>>>Hi there,
>>>>>
>>>>>In working with RBAC design, I am really puzzled by the two query
>>>>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>>>
>>>>>
>>>>> @Parameter(name = ApiConstants.LIST_ALL, type =
>>>>>CommandType.BOOLEAN,
>>>>>description = "If set to false, " +
>>>>>
>>>>> "list only resources belonging to the command's caller; if
>>>>>set to true - list resources that the caller is authorized to see.
>>>>>Default value is false")
>>>>>
>>>>> private Boolean listAll;
>>>>>
>>>>>
>>>>> @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>>>>CommandType.BOOLEAN, description = "defaults to false," +
>>>>>
>>>>> " but if true, lists all resources from the parent
>>>>>specified
>>>>>by the domainId till leaves.")
>>>>>
>>>>> private Boolean recursive;
>>>>>
>>>>>
>>>>>IMHO, if a caller invokes a list API without passing any specific
>>>>>query
>>>>>parameter, he/she should see all resources that he/she is authorized
>>>>>to
>>>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>>>1. Root admin should be able to see all the resources under Root
>>>>>domain.
>>>>>2. Domain admin should be able to see all the resources under its own
>>>>>domain tree.
>>>>>3. Normal user should only see the resources owned by him.
>>>>
>>>>listAll doesn't impact user calls.
>>>>
>>>>>4. Project account should be able to see resources assigned to that
>>>>>project.
>>>>
>>>>Project account can't make the calls. Any CS account assigned to the
>>>>project + admin can list project resources. When listAll is passed in,
>>>>all
>>>>resources except project resources, will be returned to the caller.
>>>>When
>>>>projectId=-1 is passed in, all resources of all projects in the system
>>>>that caller is authorized to see, will be returned to the caller.
>>>>
>>>>>Based on current AccountManager.buildACLSearchParameters
>>>>>implementation,
>>>>>we are not observing the passed "listAll" and "recursive" value at
>>>>>all,
>>>>>seems always treating "listAll=true" and "recursive=true".
>>>>
>>>>recursive=false is respected when passed along with the domainId. In
>>>>this
>>>>case, it will list all the resources under this domain only, without
>>>>subdomains. When recursive=true is passed with domainId, the resources
>>>>of
>>>>domains + subdomains will be returned.
>>>>
>>>>>Thus, I am proposing that we change the default value of "listAll" and
>>>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>>>
>>>>
>>>>The main objection - it will break all the partners/third party
>>>>apps/UIs
>>>>built on the current CS behavior.
>>>>
>>>>>
>>>>>Thanks
>>>>>-min
>>>>>
>>>>
>>>>Min,
>>>>
>>>
>>>
>>
>>
>
>
Re: [DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Posted by Min Chen <mi...@citrix.com>.
Just simple listVMsCmd with page information, passing listAll=true or not
passing listAll returns the same set of data.
Thanks
-min
On 10/8/13 5:55 PM, "Alena Prokharchyk" <Al...@citrix.com>
wrote:
>On 10/8/13 5:48 PM, "Min Chen" <mi...@citrix.com> wrote:
>
>>Thanks Alena for the clarification.
>>
>>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>>should be the expected behavior?
>
>The same as if you don't pass anything. The domain admin will see his own
>resources (the ones that belong to his account)
>
>
>>Should he be able to see VMs under his domain but not owned by him? The
>>current CloudStack behavior will
>>show all VMs under his domain. This seems contradictory to the meaning of
>>listAll.
>
>Do you pass anything else to the call besides listAll=false? Is the result
>the same when you don't pass listAll=false to the call? If so, what other
>parameters do you pass in
>
>>
>>Thanks
>>-min
>>
>>
>>
>>>On 10/8/13 4:28 PM, "Min Chen" <mi...@citrix.com> wrote:
>>>
>>>>Hi there,
>>>>
>>>>In working with RBAC design, I am really puzzled by the two query
>>>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>>
>>>>
>>>> @Parameter(name = ApiConstants.LIST_ALL, type =
>>>>CommandType.BOOLEAN,
>>>>description = "If set to false, " +
>>>>
>>>> "list only resources belonging to the command's caller; if
>>>>set to true - list resources that the caller is authorized to see.
>>>>Default value is false")
>>>>
>>>> private Boolean listAll;
>>>>
>>>>
>>>> @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>>>CommandType.BOOLEAN, description = "defaults to false," +
>>>>
>>>> " but if true, lists all resources from the parent
>>>>specified
>>>>by the domainId till leaves.")
>>>>
>>>> private Boolean recursive;
>>>>
>>>>
>>>>IMHO, if a caller invokes a list API without passing any specific query
>>>>parameter, he/she should see all resources that he/she is authorized to
>>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>>1. Root admin should be able to see all the resources under Root
>>>>domain.
>>>>2. Domain admin should be able to see all the resources under its own
>>>>domain tree.
>>>>3. Normal user should only see the resources owned by him.
>>>
>>>listAll doesn't impact user calls.
>>>
>>>>4. Project account should be able to see resources assigned to that
>>>>project.
>>>
>>>Project account can't make the calls. Any CS account assigned to the
>>>project + admin can list project resources. When listAll is passed in,
>>>all
>>>resources except project resources, will be returned to the caller. When
>>>projectId=-1 is passed in, all resources of all projects in the system
>>>that caller is authorized to see, will be returned to the caller.
>>>
>>>>Based on current AccountManager.buildACLSearchParameters
>>>>implementation,
>>>>we are not observing the passed "listAll" and "recursive" value at all,
>>>>seems always treating "listAll=true" and "recursive=true".
>>>
>>>recursive=false is respected when passed along with the domainId. In
>>>this
>>>case, it will list all the resources under this domain only, without
>>>subdomains. When recursive=true is passed with domainId, the resources
>>>of
>>>domains + subdomains will be returned.
>>>
>>>>Thus, I am proposing that we change the default value of "listAll" and
>>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>>
>>>
>>>The main objection - it will break all the partners/third party apps/UIs
>>>built on the current CS behavior.
>>>
>>>>
>>>>Thanks
>>>>-min
>>>>
>>>
>>>Min,
>>>
>>
>>
>
>
Re: [DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Posted by Alena Prokharchyk <Al...@citrix.com>.
On 10/8/13 5:48 PM, "Min Chen" <mi...@citrix.com> wrote:
>Thanks Alena for the clarification.
>
>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>should be the expected behavior?
The same as if you don't pass anything. The domain admin will see his own
resources (the ones that belong to his account)
>Should he be able to see VMs under his domain but not owned by him? The
>current CloudStack behavior will
>show all VMs under his domain. This seems contradictory to the meaning of
>listAll.
Do you pass anything else to the call besides listAll=false? Is the result
the same when you don't pass listAll=false to the call? If so, what other
parameters do you pass in
>
>Thanks
>-min
>
>
>
>>On 10/8/13 4:28 PM, "Min Chen" <mi...@citrix.com> wrote:
>>
>>>Hi there,
>>>
>>>In working with RBAC design, I am really puzzled by the two query
>>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>
>>>
>>> @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>>>description = "If set to false, " +
>>>
>>> "list only resources belonging to the command's caller; if
>>>set to true - list resources that the caller is authorized to see.
>>>Default value is false")
>>>
>>> private Boolean listAll;
>>>
>>>
>>> @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>>CommandType.BOOLEAN, description = "defaults to false," +
>>>
>>> " but if true, lists all resources from the parent specified
>>>by the domainId till leaves.")
>>>
>>> private Boolean recursive;
>>>
>>>
>>>IMHO, if a caller invokes a list API without passing any specific query
>>>parameter, he/she should see all resources that he/she is authorized to
>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>1. Root admin should be able to see all the resources under Root domain.
>>>2. Domain admin should be able to see all the resources under its own
>>>domain tree.
>>>3. Normal user should only see the resources owned by him.
>>
>>listAll doesn't impact user calls.
>>
>>>4. Project account should be able to see resources assigned to that
>>>project.
>>
>>Project account can't make the calls. Any CS account assigned to the
>>project + admin can list project resources. When listAll is passed in,
>>all
>>resources except project resources, will be returned to the caller. When
>>projectId=-1 is passed in, all resources of all projects in the system
>>that caller is authorized to see, will be returned to the caller.
>>
>>>Based on current AccountManager.buildACLSearchParameters implementation,
>>>we are not observing the passed "listAll" and "recursive" value at all,
>>>seems always treating "listAll=true" and "recursive=true".
>>
>>recursive=false is respected when passed along with the domainId. In this
>>case, it will list all the resources under this domain only, without
>>subdomains. When recursive=true is passed with domainId, the resources of
>>domains + subdomains will be returned.
>>
>>>Thus, I am proposing that we change the default value of "listAll" and
>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>
>>
>>The main objection - it will break all the partners/third party apps/UIs
>>built on the current CS behavior.
>>
>>>
>>>Thanks
>>>-min
>>>
>>
>>Min,
>>
>
>
Re: [DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Posted by Min Chen <mi...@citrix.com>.
Thanks Alena for the clarification.
If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
should be the expected behavior?
Should he be able to see VMs under his domain but not owned by him? The
current CloudStack behavior will
show all VMs under his domain. This seems contradictory to the meaning of
listAll.
Thanks
-min
>On 10/8/13 4:28 PM, "Min Chen" <mi...@citrix.com> wrote:
>
>>Hi there,
>>
>>In working with RBAC design, I am really puzzled by the two query
>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>
>>
>> @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>>description = "If set to false, " +
>>
>> "list only resources belonging to the command's caller; if
>>set to true - list resources that the caller is authorized to see.
>>Default value is false")
>>
>> private Boolean listAll;
>>
>>
>> @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>CommandType.BOOLEAN, description = "defaults to false," +
>>
>> " but if true, lists all resources from the parent specified
>>by the domainId till leaves.")
>>
>> private Boolean recursive;
>>
>>
>>IMHO, if a caller invokes a list API without passing any specific query
>>parameter, he/she should see all resources that he/she is authorized to
>>see. In CloudStack, we have implicit authorization rules as follows:
>>1. Root admin should be able to see all the resources under Root domain.
>>2. Domain admin should be able to see all the resources under its own
>>domain tree.
>>3. Normal user should only see the resources owned by him.
>
>listAll doesn't impact user calls.
>
>>4. Project account should be able to see resources assigned to that
>>project.
>
>Project account can't make the calls. Any CS account assigned to the
>project + admin can list project resources. When listAll is passed in, all
>resources except project resources, will be returned to the caller. When
>projectId=-1 is passed in, all resources of all projects in the system
>that caller is authorized to see, will be returned to the caller.
>
>>Based on current AccountManager.buildACLSearchParameters implementation,
>>we are not observing the passed "listAll" and "recursive" value at all,
>>seems always treating "listAll=true" and "recursive=true".
>
>recursive=false is respected when passed along with the domainId. In this
>case, it will list all the resources under this domain only, without
>subdomains. When recursive=true is passed with domainId, the resources of
>domains + subdomains will be returned.
>
>>Thus, I am proposing that we change the default value of "listAll" and
>>"recursive" to TRUE instead of current FALSE. Any objections?
>
>
>The main objection - it will break all the partners/third party apps/UIs
>built on the current CS behavior.
>
>>
>>Thanks
>>-min
>>
>
>Min,
>
Re: [DISCUSS] listAll and recursive parameters for
BaseListDomainResourceCmd should have default value as TRUE
Posted by Alena Prokharchyk <Al...@citrix.com>.
On 10/8/13 4:28 PM, "Min Chen" <mi...@citrix.com> wrote:
>Hi there,
>
>In working with RBAC design, I am really puzzled by the two query
>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>
>
> @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>description = "If set to false, " +
>
> "list only resources belonging to the command's caller; if
>set to true - list resources that the caller is authorized to see.
>Default value is false")
>
> private Boolean listAll;
>
>
> @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>CommandType.BOOLEAN, description = "defaults to false," +
>
> " but if true, lists all resources from the parent specified
>by the domainId till leaves.")
>
> private Boolean recursive;
>
>
>IMHO, if a caller invokes a list API without passing any specific query
>parameter, he/she should see all resources that he/she is authorized to
>see. In CloudStack, we have implicit authorization rules as follows:
>1. Root admin should be able to see all the resources under Root domain.
>2. Domain admin should be able to see all the resources under its own
>domain tree.
>3. Normal user should only see the resources owned by him.
listAll doesn't impact user calls.
>4. Project account should be able to see resources assigned to that
>project.
Project account can't make the calls. Any CS account assigned to the
project + admin can list project resources. When listAll is passed in, all
resources except project resources, will be returned to the caller. When
projectId=-1 is passed in, all resources of all projects in the system
that caller is authorized to see, will be returned to the caller.
>Based on current AccountManager.buildACLSearchParameters implementation,
>we are not observing the passed "listAll" and "recursive" value at all,
>seems always treating "listAll=true" and "recursive=true".
recursive=false is respected when passed along with the domainId. In this
case, it will list all the resources under this domain only, without
subdomains. When recursive=true is passed with domainId, the resources of
domains + subdomains will be returned.
>Thus, I am proposing that we change the default value of "listAll" and
>"recursive" to TRUE instead of current FALSE. Any objections?
The main objection - it will break all the partners/third party apps/UIs
built on the current CS behavior.
>
>Thanks
>-min
>
Min,