Posted to issues@cloudstack.apache.org by "Nitin Mehta (JIRA)" <ji...@apache.org> on 2014/07/22 00:56:38 UTC
[jira] [Commented] (CLOUDSTACK-6698) listResourceDetals - normal user able to list details not belonging to it
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14069472#comment-14069472 ]
Nitin Mehta commented on CLOUDSTACK-6698:
-----------------------------------------
Here are the repro steps:
1. Create some metadata for the root admin, say for resourcetype=UserVm. E.g. vm_id=6 belongs to the root admin here:
mysql> select * from user_vm_details where vm_id=6;
+-----+-------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| id | vm_id | name | value | display |
+-----+-------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| 124 | 6 | platform | viridian:true;acpi:true;apic:true;pae:true;nx:false | 1 |
| 126 | 6 | Message.ReservedCapacityFreed.Flag | true | 1 |
| 127 | 6 | DR_RECOVERY_ZONE_ID | f6e99f08-c3d0-497d-b6be-c323f5641351 | 1 |
| 129 | 6 | DR_RECOVERY_OBJECT_ID | b0d4520f-605d-4506-96ac-46326326e0bb | 1 |
| 130 | 6 | hypervisortoolsversion | xenserver56 | 1 |
| 211 | 6 | DR_ORIGINAL_NTWK_IDS | 0d55db45-ae0c-462a-a492-216f31c7e275, | 0 |
| 215 | 6 | DR_RECOVERED_NTWK_IDS | 0d55db45-ae0c-462a-a492-216f31c7e275, | 0 |
| 219 | 6 | DR_ORIGINAL_NTWK_IDS | 0d55db45-ae0c-462a-a492-216f31c7e275, | 0 |
| 220 | 6 | DR_RECOVERED_NTWK_IDS | 0d55db45-ae0c-462a-a492-216f31c7e275, | 0 |
| 222 | 6 | DR_ALERT_AUTOSCALE_VMPROFILE | Failed to process event PrepareForFailOverRequested for vm id=001c78af-4991-459c-8377-aab5c874f1fe due to java.io.IOException: Global setting endpointe.url has to be set to the Management Server's API end point Error Code - 431 | 1 |
| 223 | 6 | DR_STATE | SET_FOR_FAILOVER | 1 |
+-----+-------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
11 rows in set (0.00 sec)
mysql> select * from vm_instance where id=6\G;
*************************** 1. row ***************************
id: 6
name: VM-001c78af-4991-459c-8377-aab5c874f1fe
uuid: 001c78af-4991-459c-8377-aab5c874f1fe
instance_name: i-2-6-VM
state: Stopped
vm_template_id: 5
guest_os_id: 142
private_mac_address: 02:00:59:a8:00:03
private_ip_address: 10.1.1.8
pod_id: 1
data_center_id: 1
host_id: NULL
last_host_id: 1
proxy_id: NULL
proxy_assign_time: NULL
vnc_password: e0f5357f6363dfe
ha_enabled: 0
limit_cpu_use: 0
update_count: 15
update_time: 2014-07-02 16:45:20
created: 2014-06-30 18:51:24
removed: NULL
type: User
vm_type: User
account_id: 2
domain_id: 1
service_offering_id: 12
reservation_id: ecb0d7ad-c57d-4756-bb9c-b029222b2346
hypervisor_type: XenServer
disk_offering_id: NULL
owner: 2
host_name: VM-001c78af-4991-459c-8377-aab5c874f1fe
display_name: NULL
desired_state: NULL
dynamically_scalable: 0
display_vm: 1
power_state: PowerOn
power_state_update_time: 2014-07-21 22:46:08
power_state_update_count: 0
power_host: 1
1 row in set (0.00 sec)
2. Create an account 'nitin', log in as that account and then fire the API; you get to see the metadata belonging to a resource owned by the root admin:
http://localhost:8080/client/api?command=listResourceDetails&resourcetype=UserVm&resourceid=6&key=DR_STATE&sessionkey=kBdzR3RGiANveBxBdT1GcLl9x4A%3D
<listresourcedetailsresponse cloud-stack-version="4.4.0-SNAPSHOT">
  <count>1</count>
  <resourcedetail>
    <resourceid>6</resourceid>
    <resourcetype>UserVm</resourcetype>
    <key>DR_STATE</key>
    <value>SET_FOR_FAILOVER</value>
    <fordisplay>true</fordisplay>
  </resourcedetail>
</listresourcedetailsresponse>
> listResourceDetals - normal user able to list details not belonging to it
> -------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6698
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6698
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.4.0
> Reporter: Nitin Mehta
> Assignee: Alena Prokharchyk
> Priority: Critical
> Fix For: 4.4.0
>
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
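The repro above boils down to a missing ownership check: listResourceDetails filters user_vm_details by resource id and key but never asks whether the caller may see that resource. The following is an added example written for this page, not CloudStack's code or the fix that shipped for this ticket. It models the vulnerable lookup next to a hardened one with a CloudStack-style ownership check in front of it. The account and VM records mirror the repro (VM 6 owned by account 2, the root admin); VM 7, the 'nitin' account id, the role constants, the check_access() rule set and the display-flag filtering are assumptions that stand in for the real access manager.

```python
"""Illustrative model of the authorization gap in CLOUDSTACK-6698.

Added example, not CloudStack code. Accounts, VMs and user_vm_details rows are
constructed to mirror the repro; the role constants, check_access() and the
fordisplay filtering are assumptions standing in for CloudStack's access checks.
"""
from dataclasses import dataclass

# Constructed role identifiers (not CloudStack's own account type values).
ROOT_ADMIN, DOMAIN_ADMIN, USER = "root-admin", "domain-admin", "user"


@dataclass(frozen=True)
class Account:
    id: int
    name: str
    domain_id: int
    role: str


@dataclass(frozen=True)
class UserVm:
    id: int
    account_id: int
    domain_id: int


# Constructed sample data: account 2 is the root admin that owns VM 6 in the
# repro; 'nitin' (account 3, a normal user) owns VM 7, which the page does not
# show and exists here only to exercise the owner path.
ACCOUNTS = {
    2: Account(2, "admin", domain_id=1, role=ROOT_ADMIN),
    3: Account(3, "nitin", domain_id=1, role=USER),
}
VMS = {
    6: UserVm(6, account_id=2, domain_id=1),
    7: UserVm(7, account_id=3, domain_id=1),
}
# (id, vm_id, name, value, display): a subset of the user_vm_details rows above,
# plus two constructed rows for VM 7.
USER_VM_DETAILS = [
    (124, 6, "platform", "viridian:true;acpi:true;apic:true;pae:true;nx:false", True),
    (211, 6, "DR_ORIGINAL_NTWK_IDS", "0d55db45-ae0c-462a-a492-216f31c7e275,", False),
    (223, 6, "DR_STATE", "SET_FOR_FAILOVER", True),
    (300, 7, "platform", "viridian:true;acpi:true", True),
    (301, 7, "DR_ORIGINAL_NTWK_IDS", "constructed-network-id,", False),
]


class PermissionDeniedException(Exception):
    """Raised when the caller may not read the requested resource."""


def _rows_for(resource_id, key=None):
    """Plain id/key filter over user_vm_details, shaped like the API response."""
    return [
        {"resourceid": vm_id, "resourcetype": "UserVm", "key": name,
         "value": value, "fordisplay": display}
        for (_id, vm_id, name, value, display) in USER_VM_DETAILS
        if vm_id == resource_id and (key is None or name == key)
    ]


def list_resource_details_vulnerable(caller, resource_id, key=None):
    """The behaviour the repro shows: filtered by resource id and key only, so
    any authenticated caller can read another account's details."""
    return _rows_for(resource_id, key)


def check_access(caller, vm):
    """Ownership rule (assumed): root admin sees everything, a domain admin sees
    its own domain, everyone else sees only what its own account owns."""
    if caller.role == ROOT_ADMIN:
        return
    if caller.role == DOMAIN_ADMIN and caller.domain_id == vm.domain_id:
        return
    if caller.id == vm.account_id:
        return
    raise PermissionDeniedException(
        f"account {caller.name} may not access UserVm {vm.id}")


def list_resource_details_fixed(caller, resource_id, key=None):
    """Same lookup, but the caller is checked against the resource first."""
    vm = VMS.get(resource_id)
    if vm is None:
        # Deny unknown ids the same way as foreign ones, so the error does not
        # become an oracle for enumerating valid resource ids.
        raise PermissionDeniedException(f"no accessible UserVm {resource_id}")
    check_access(caller, vm)
    rows = _rows_for(resource_id, key)
    if caller.role != ROOT_ADMIN:
        # Assumption: display=0 rows are operator-only and hidden from
        # non-root callers, mirroring the fordisplay field in the response.
        rows = [r for r in rows if r["fordisplay"]]
    return rows


def is_denied(caller, resource_id, key=None):
    """True when the hardened handler refuses the request."""
    try:
        list_resource_details_fixed(caller, resource_id, key)
    except PermissionDeniedException:
        return True
    return False


if __name__ == "__main__":
    nitin = ACCOUNTS[3]
    print(list_resource_details_vulnerable(nitin, 6, "DR_STATE"))
    print("fixed handler denies nitin on VM 6:", is_denied(nitin, 6, "DR_STATE"))
```

Two points a practitioner would check in the real fix: the check must run before the query result is built (a check on the returned rows would still leak resource existence), and an unknown id should fail the same way as a foreign one so the API cannot be used to enumerate valid resource ids.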