Posted to issues@cloudstack.apache.org by "Sangeetha Hariharan (JIRA)" <ji...@apache.org> on 2014/06/12 23:47:02 UTC
[jira] [Closed] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sangeetha Hariharan closed CLOUDSTACK-6517.
-------------------------------------------
Testing with latest build from 4.4-forward (after IAM revert):
Steps to reproduce the problem:
As a regular user, on a network he owns, acquire an IP address.
As admin, try to create a PF rule on this IP address without passing account and domainId.
http://10.223.49.6:8080/client/api?command=createPortForwardingRule&response=json&sessionkey=kFu73ky%2BPuW%2BBz9dkcSBIHyXwkM%3D&ipaddressid=0817bae5-c672-4ea7-a2cd-ce163d3a8727&privateport=22&privateendport=22&publicport=22&publicendport=22&protocol=tcp&virtualmachineid=308450de-d4be-4c91-9067-b3826e85e9b2&openfirewall=false&networkid=9fd8bcef-c140-4061-adc0-5c24c5f7dc69&_=1402609388398
This succeeds. This is the desired behavior.
Closing this issue.
> IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6517
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: IAM
> Affects Versions: 4.4.0
> Environment: Build from 4.4
> Reporter: Sangeetha Hariharan
> Assignee: Prachi Damle
> Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortFowarding rule for a regular user, when admin does not have " UseEntry" permission for IpAddress.
> Steps to reproduce the problem:
> As a regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing account and domainId.
> Creating PF rule succeeds.
> Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> | 1840 | 2         | listPublicIpAddresses | IpAddress     | -1       | ALL     | ListEntry    | Allow      | 0         | NULL    | 2014-04-22 18:31:03 |
> | 1841 | 2         | listPublicIpAddresses | IpAddress     | -1       | ACCOUNT | UseEntry     | Allow      | 0         | NULL    | 2014-04-22 18:31:03 |
> +------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
> Admin should be allowed to do this only when he passes the account and domainId of the regular user.
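The scoped check the reporter expects, as an added Python example that is not CloudStack's own code: it models the two iam_policy_permission rows quoted above and evaluates UseEntry against the IP owner's account, so that ListEntry at ALL scope lets the admin see the address but not consume it. Treating a passed account/domainId as "evaluate as that owner" is a modelling assumption, not CloudStack's documented behavior.

```python
# Added example, not CloudStack code: a model of scoped IAM policy evaluation
# using the two iam_policy_permission rows quoted in the issue.
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    resource_type: str
    scope: str        # ALL, DOMAIN or ACCOUNT, as in the iam_policy_permission table
    access_type: str  # ListEntry or UseEntry
    permission: str   # Allow or Deny

@dataclass(frozen=True)
class Owner:
    account_id: int
    domain_id: int

# Constructed from the two rows in the issue (policy_id=2, resource_type='IpAddress').
ADMIN_POLICY = [
    Permission("IpAddress", "ALL", "ListEntry", "Allow"),
    Permission("IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]

def scope_matches(perm, caller, resource_owner):
    if perm.scope == "ALL":
        return True
    if perm.scope == "DOMAIN":
        return caller.domain_id == resource_owner.domain_id
    return perm.scope == "ACCOUNT" and caller.account_id == resource_owner.account_id

def is_allowed(policy, caller, resource_type, resource_owner, access_type):
    """Allow only if an Allow permission of the requested access_type matches the
    resource type and scope, and no matching Deny permission exists."""
    allowed = False
    for perm in policy:
        if perm.resource_type != resource_type or perm.access_type != access_type:
            continue
        if not scope_matches(perm, caller, resource_owner):
            continue
        if perm.permission == "Deny":
            return False
        allowed = True
    return allowed

def can_create_pf_rule(policy, caller, ip_owner, on_behalf_of=None):
    """Creating a PF rule consumes the IP, so it needs UseEntry (not ListEntry).
    Modelling assumption: passing account/domainId makes the check run as that owner."""
    effective = on_behalf_of if on_behalf_of is not None else caller
    return is_allowed(policy, effective, "IpAddress", ip_owner, "UseEntry")
```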
--
This message was sent by Atlassian JIRA
(v6.2#6252)