Posted to issues@cloudstack.apache.org by "Sangeetha Hariharan (JIRA)" <ji...@apache.org> on 2014/04/29 20:46:16 UTC
[jira] [Created] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
Sangeetha Hariharan created CLOUDSTACK-6533:
-----------------------------------------------
Summary: IAM - Templates - Public templates do not have permissions to be used by ROOT group.
Key: CLOUDSTACK-6533
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Priority: Critical
Fix For: 4.4.0
IAM - Templates - Public templates do not have permissions to be used by ROOT group.
As regular user create a public template.
In iam_policy_permission policy we do not have permission for Admin group.
mysql> select * from iam_policy_permission where scope_id = 206;
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| id | policy_id | action | resource_type | scope_id | scope | access_type | permission | recursive | removed | created |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-29 11:03:52 |
| 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-29 11:03:52 |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
mysql> select * from vm_template where id=206;
+-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
| id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size | state | update_count | updated | dynamically_scalable |
+-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
| 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD | 2014-04-29 11:03:52 | NULL | 318 | NULL | public and feature Template | 0 | 0 | 12 | 1 | 0 | 0 | 1 | Simulator | NULL | NULL | 0 | 5242880 | Active | 0 | NULL | 0 |
+-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
1 row in set (0.00 sec)
In spite of not having the required permissions to use the template, admin is able to use this template for VM deployment. The root cause of this bug is similar to bug CLOUDSTACK-6517.
The same behavior is also observed for default templates:
mysql> select * from iam_policy_permission where scope_id = 111;
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| id | policy_id | action | resource_type | scope_id | scope | access_type | permission | recursive | removed | created |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
| 3315 | 3 | listTemplates | VirtualMachineTemplate | 111 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-28 10:30:11 |
| 3316 | 1 | listTemplates | VirtualMachineTemplate | 111 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-28 10:30:11 |
+------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
2 rows in set (0.00 sec)
mysql> select * from vm_template where id=111;
+-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
| id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size | state | update_count | updated | dynamically_scalable |
+-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
| 111 | simulator-Centos | CentOS 5.3(64-bit) no GUI (Simulator) | 7200e25a-ca4b-11e3-907f-4adf980f9414 | 1 | 1 | BUILTIN | 0 | 64 | http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2 | VHD | 2014-04-22 14:25:13 | NULL | 1 | | CentOS 5.3(64-bit) no GUI (Simulator) | 0 | 0 | 11 | 1 | 0 | 1 | 0 | Simulator | NULL | NULL | 0 | 2147483648 | Active | NULL | NULL | 0 |
+-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
1 row in set (0.00 sec)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
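The check the report does by hand (query iam_policy_permission for a template id, see which policies hold a UseEntry grant) can be turned into an audit query that lists every public template lacking a UseEntry grant for a given policy. The block below is an added example, not code from the CloudStack project or from the reporter: it rebuilds the two tables from the ticket in an in-memory SQLite database with only the columns the audit needs, seeds them with the rows shown above (templates 206 and 111, grants for policies 1 and 3), and runs the join. The policy id used for the ROOT/Admin group (ADMIN_POLICY_ID) is an assumption, since the ticket does not say which policy_id that group maps to.

```python
"""Audit: which public templates lack a UseEntry grant for a given IAM policy?

Added example (not CloudStack code). Tables are reduced to the columns the
audit needs; the rows are copied from the bug report's mysql output.
"""
import sqlite3

# Assumption: the ticket never states the policy_id of the ROOT/Admin group.
ADMIN_POLICY_ID = 2

SCHEMA = """
CREATE TABLE vm_template (
    id INTEGER PRIMARY KEY, name TEXT, public INTEGER, featured INTEGER,
    type TEXT, account_id INTEGER, state TEXT, removed TEXT);
CREATE TABLE iam_policy_permission (
    id INTEGER PRIMARY KEY, policy_id INTEGER, action TEXT, resource_type TEXT,
    scope_id INTEGER, scope TEXT, access_type TEXT, permission TEXT,
    recursive INTEGER, removed TEXT);
"""

# Constructed from the rows in the ticket (subset of columns, same values).
VM_TEMPLATE_ROWS = [
    (206, "Public_featured_d2a-G3GJQW", 1, 1, "USER", 318, "Active", None),
    (111, "CentOS 5.3(64-bit) no GUI (Simulator)", 1, 1, "BUILTIN", 1, "Active", None),
]
IAM_POLICY_PERMISSION_ROWS = [
    (4949, 3, "listTemplates", "VirtualMachineTemplate", 206, "RESOURCE", "UseEntry", "Allow", 0, None),
    (4950, 1, "listTemplates", "VirtualMachineTemplate", 206, "RESOURCE", "UseEntry", "Allow", 0, None),
    (3315, 3, "listTemplates", "VirtualMachineTemplate", 111, "RESOURCE", "UseEntry", "Allow", 0, None),
    (3316, 1, "listTemplates", "VirtualMachineTemplate", 111, "RESOURCE", "UseEntry", "Allow", 0, None),
]

# Anti-join: public, live templates with no live Allow/UseEntry row for the policy.
AUDIT_SQL = """
SELECT t.id, t.name
FROM vm_template t
LEFT JOIN iam_policy_permission p
       ON p.scope_id = t.id
      AND p.scope = 'RESOURCE'
      AND p.resource_type = 'VirtualMachineTemplate'
      AND p.access_type = 'UseEntry'
      AND p.permission = 'Allow'
      AND p.removed IS NULL
      AND p.policy_id = ?
WHERE t.public = 1
  AND t.removed IS NULL
  AND p.id IS NULL
ORDER BY t.id
"""

POLICIES_SQL = """
SELECT DISTINCT policy_id FROM iam_policy_permission
WHERE scope_id = ? AND scope = 'RESOURCE'
  AND resource_type = 'VirtualMachineTemplate'
  AND access_type = 'UseEntry' AND permission = 'Allow' AND removed IS NULL
ORDER BY policy_id
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vm_template VALUES (?,?,?,?,?,?,?,?)", VM_TEMPLATE_ROWS)
    conn.executemany("INSERT INTO iam_policy_permission VALUES (?,?,?,?,?,?,?,?,?,?)",
                     IAM_POLICY_PERMISSION_ROWS)
    conn.commit()
    return conn


def public_templates_missing_use_entry(conn: sqlite3.Connection, policy_id: int):
    """Return [(template_id, name)] for public templates the policy cannot use."""
    return conn.execute(AUDIT_SQL, (policy_id,)).fetchall()


def policies_with_use_entry(conn: sqlite3.Connection, template_id: int):
    """Return the sorted policy ids holding a UseEntry grant on the template."""
    return [row[0] for row in conn.execute(POLICIES_SQL, (template_id,))]


if __name__ == "__main__":
    db = build_db()
    for tid, name in public_templates_missing_use_entry(db, ADMIN_POLICY_ID):
        print(f"template {tid} ({name}) has no UseEntry grant for policy {ADMIN_POLICY_ID}")
```

Run against a real CloudStack database, the same anti-join (with the SQLite schema swapped for the real tables) lists every public template whose grants were never written for the admin policy, which is the state the ticket describes: both templates show grants only for policies 1 and 3. Note that the query reports the permission table's view only; as the report says, the access-check path let admin deploy from the template regardless, so the audit shows what the data says, not what the checker enforced.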