Posted to issues@cloudstack.apache.org by "Min Chen (JIRA)" <ji...@apache.org> on 2014/05/01 18:46:17 UTC
[jira] [Resolved] (CLOUDSTACK-6533) IAM - Templates - Public templates do not have permissions to be used by ROOT group.
[ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Min Chen resolved CLOUDSTACK-6533.
----------------------------------
Resolution: Fixed
> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> ------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6533
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: IAM
> Affects Versions: 4.4.0
> Environment: Build from 4.4
> Reporter: Sangeetha Hariharan
> Assignee: Min Chen
> Priority: Critical
> Fix For: 4.4.0
>
>
> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> As a regular user, create a public template.
> In iam_policy_permission policy we do not have permission for Admin group.
> mysql> select * from iam_policy_permission where scope_id = 206;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id | policy_id | action | resource_type | scope_id | scope | access_type | permission | recursive | removed | created |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 4949 | 3 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-29 11:03:52 |
> | 4950 | 1 | listTemplates | VirtualMachineTemplate | 206 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-29 11:03:52 |
> mysql> select * from vm_template where id=206;
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size | state | update_count | updated | dynamically_scalable |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a | 1 | 1 | USER | 1 | 64 | http://10.223.110.232:/test.vhd | VHD | 2014-04-29 11:03:52 | NULL | 318 | NULL | public and feature Template | 0 | 0 | 12 | 1 | 0 | 0 | 1 | Simulator | NULL | NULL | 0 | 5242880 | Active | 0 | NULL | 0 |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)
> In spite of not having the required permissions to use the template, admin is able to use this template for vm deployment. Root cause for this bug is similar to bug - Bug CLOUDSTACK-6517
> The same behavior is also observed for default templates:
> mysql> select * from iam_policy_permission where scope_id = 111;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id | policy_id | action | resource_type | scope_id | scope | access_type | permission | recursive | removed | created |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 3315 | 3 | listTemplates | VirtualMachineTemplate | 111 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-28 10:30:11 |
> | 3316 | 1 | listTemplates | VirtualMachineTemplate | 111 | RESOURCE | UseEntry | Allow | 0 | NULL | 2014-04-28 10:30:11 |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> 2 rows in set (0.00 sec)
> mysql> select * from vm_template where id=111;
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | id | unique_name | name | uuid | public | featured | type | hvm | bits | url | format | created | removed | account_id | checksum | display_text | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size | state | update_count | updated | dynamically_scalable |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | 111 | simulator-Centos | CentOS 5.3(64-bit) no GUI (Simulator) | 7200e25a-ca4b-11e3-907f-4adf980f9414 | 1 | 1 | BUILTIN | 0 | 64 | http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2 | VHD | 2014-04-22 14:25:13 | NULL | 1 | | CentOS 5.3(64-bit) no GUI (Simulator) | 0 | 0 | 11 | 1 | 0 | 1 | 0 | Simulator | NULL | NULL | 0 | 2147483648 | Active | NULL | NULL | 0 |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
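The per-template check in the report can be run across every public template at once. The following is an added example, not code from the report or from CloudStack: it loads the rows quoted above (plus one constructed private template) into an in-memory SQLite database as a stand-in for MySQL and lists public templates that have no `listTemplates` Allow row for a given policy. Policy id 2 is an assumed placeholder for the admin group's policy, which the report does not state.

```python
import sqlite3

# Column subset of the two tables shown in the report.
SCHEMA = """
CREATE TABLE vm_template (id INTEGER PRIMARY KEY, name TEXT, public INTEGER,
                          type TEXT, account_id INTEGER, removed TEXT);
CREATE TABLE iam_policy_permission (id INTEGER PRIMARY KEY, policy_id INTEGER,
    action TEXT, resource_type TEXT, scope_id INTEGER, scope TEXT,
    access_type TEXT, permission TEXT, removed TEXT);
"""

# Anti-join: public, non-removed templates with no live Allow row for the policy.
AUDIT_SQL = """
SELECT t.id, t.name
FROM vm_template t
LEFT JOIN iam_policy_permission p
       ON p.scope_id = t.id
      AND p.scope = 'RESOURCE'
      AND p.resource_type = 'VirtualMachineTemplate'
      AND p.action = 'listTemplates'
      AND p.permission = 'Allow'
      AND p.removed IS NULL
      AND p.policy_id = ?
WHERE t.public = 1 AND t.removed IS NULL AND p.id IS NULL
ORDER BY t.id
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vm_template VALUES (?,?,?,?,?,?)", [
        (111, "CentOS 5.3(64-bit) no GUI (Simulator)", 1, "BUILTIN", 1, None),
        (206, "Public_featured_d2a-G3GJQW", 1, "USER", 318, None),
        (300, "constructed-private-template", 0, "USER", 318, None),  # constructed
    ])
    # (id, policy_id, scope_id) as quoted in the report.
    perms = [(4949, 3, 206), (4950, 1, 206), (3315, 3, 111), (3316, 1, 111)]
    conn.executemany(
        "INSERT INTO iam_policy_permission VALUES (?, ?, 'listTemplates', "
        "'VirtualMachineTemplate', ?, 'RESOURCE', 'UseEntry', 'Allow', NULL)",
        perms)
    return conn

def templates_missing_policy(conn, policy_id):
    """Return ids of public templates lacking a listTemplates grant for policy_id."""
    return [row[0] for row in conn.execute(AUDIT_SQL, (policy_id,))]

if __name__ == "__main__":
    ADMIN_POLICY_ID = 2  # assumption: placeholder, not stated in the report
    print(templates_missing_policy(build_sample_db(), ADMIN_POLICY_ID))
```
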