Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/11/21 11:17:27 UTC

[GitHub] [cloudstack] weizhouapache edited a comment on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

weizhouapache edited a comment on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-731563999


     
   
   > @weizhouapache ok, removing the label again. What I read in your reply is that it works as designed. So the question is: is it a bug, or a missing feature, or something that should be done differently from the users' perspective?
   > Going over quota by a workaround could be considered an operator responsibility.
   
   @DaanHoogland since we provide this feature to users, we should add some checks. Otherwise, it will bring trouble not only to users, but also to admins, if users pass some unexpected value.
   
   Similar to global settings: first, there should be a check for the type of the value (for example, Integer/Boolean/Float, etc.); second, a check for possible values (an invalid value should NOT be accepted). Then check some other restrictions, for example, cpuspeed should not be changed if the VM uses a constrained service offering, and cpunumber/speed/memory should not be accepted if the VM uses a fixed offering. Lastly, check the resource count/update the resource limit when updating CPU cores, memory.
   
   There might be more checks needed.
   
   As an admin, I would suggest not providing this feature to users before these checks are added. To be clear, I suggest adding some settings to user.vm.blacklisted.details or user.vm.readonly.ui.details.
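
The check order described in the comment above (type, accepted value, offering restrictions, resource count against the domain limit), as an added example that is not part of the original comment and is not CloudStack code. The detail keys are spelled as in the comment; the value ranges, the offering labels `fixed`/`constrained`/`custom`, and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical rules: detail key -> (lowest, highest) accepted integer value.
RULES = {"cpunumber": (1, 64), "cpuspeed": (500, 5000), "memory": (256, 262144)}
# Detail keys that count against a domain resource limit (assumed mapping).
COUNTED = {"cpunumber": "cpu", "memory": "memory"}

class DetailRejected(ValueError):
    """Raised when a user-supplied VM detail fails a check."""

@dataclass
class Domain:
    limit: dict  # e.g. {"cpu": 8, "memory": 16384}
    used: dict   # current resource count, same keys

def validate_update(details, current, offering_kind, domain):
    """Return (parsed details, new domain resource count) or raise."""
    parsed = {}
    for key, raw in details.items():
        if key not in RULES:
            continue  # non-compute details are out of scope in this model
        # 1. Type check: the value must parse as an integer.
        try:
            value = int(str(raw).strip())
        except ValueError:
            raise DetailRejected(f"{key}: {raw!r} is not an integer")
        # 2. Value check: anything outside the accepted range is refused.
        low, high = RULES[key]
        if not low <= value <= high:
            raise DetailRejected(f"{key}: {value} outside {low}..{high}")
        parsed[key] = value
    # 3. Offering restrictions named in the comment.
    if offering_kind == "fixed" and parsed:
        raise DetailRejected("fixed offering: compute details not accepted")
    if (offering_kind == "constrained" and "cpuspeed" in parsed
            and parsed["cpuspeed"] != current["cpuspeed"]):
        raise DetailRejected("constrained offering: cpuspeed cannot change")
    # 4. Resource count: apply the delta, then compare with the domain limit.
    new_used = dict(domain.used)
    for key, resource in COUNTED.items():
        if key in parsed:
            new_used[resource] += parsed[key] - current[key]
            if new_used[resource] > domain.limit[resource]:
                raise DetailRejected(f"{resource}: domain limit exceeded")
    return parsed, new_used
```

The function returns the new count instead of mutating the domain, so a caller can commit the detail change and the updated count together.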
   

