[GitHub] [cloudstack] StepBee opened a new issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee opened a new issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781


   <!--
   Verify first that your issue/request is not already reported on GitHub.
   Also test if the latest release and main branch are affected too.
   Always add information AFTER of these HTML comments, but no need to delete the comments.
   -->
   
   ##### ISSUE TYPE
   <!-- Pick one below and delete the rest -->
    * Bug Report
   
   
   ##### COMPONENT NAME
   <!--
   Categorize the issue, e.g. API, VR, VPN, UI, etc.
   -->
   ~~~
   API
   ~~~
   
   ##### CLOUDSTACK VERSION
   <!--
   New line separated list of affected versions, commit ID for issues on main branch.
   -->
   
   ~~~
   4.16.0
   ~~~
   
   ##### CONFIGURATION
   <!--
   Information about the configuration if relevant, e.g. basic network, advanced networking, etc.  N/A otherwise
   -->
   N/A
   
   ##### OS / ENVIRONMENT
   <!--
   Information about the environment if relevant, N/A otherwise
   -->
   N/A
   
   ##### SUMMARY
   <!-- Explain the problem/feature briefly -->
   A new role, for example "Domain Admin Restricted", is created by a Root Admin Account based on existing role "Domain Admin"
   Some functionality is restricted of the role "Domain Admin Restricted" with setting "Deny" for some APIs, for example createServiceOffering.
   A new Account/User, DAJonDoeRestricted, is created based on the role "Domain Admin Restricted".
   The user "DAJoenDoeRestricted" is not allowed to execute createServiceOffering.
   But the user DAJoenDoeRestricted is allowed to create a new Account based on the default role "Domain Admin".
   For this user, the deny rules of role Domain Admin Restricted are not inherited and do not apply.
   The newly created user has higher rights than the restricted user.
   
   ##### STEPS TO REPRODUCE
   <!--
   For bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.
   
   For new features, show how the feature would be used.
   -->
   Create Role "Domain Admin Restricted" based on "Domain Admin"
   Restrict functionality by choosing Deny for "createServiceOffering"
   Create an Account "DAJonDoeRestricted" based on "Domain Admin Restricted"
   Login as account "DAJonDoeRestricted"
   Create a new account "DAJaneDoeNotrestricted" based on Role "Domain Admin"
   Logout user "DAJonDoeRestricted"
   Login user "DAJaneDoeNotrestricted"
   
   User "DAJonDoeRestricted" is not allowed to issue createServiceOffering.
   User "DAJaneDoeNotrestricted" is allowed to issue createServiceOffering.
   
   <!-- Paste example playbooks or commands between quotes below -->
   
   
   <!-- You can also paste gist.github.com links for larger files -->
   
   ##### EXPECTED RESULTS
   <!-- What did you expect to happen when running the steps above? -->
   
   
   Accounts should not be able to create accounts with rights for more functionality than they are allowed themselves.
   Restrictions should be inherited or the ability to create accounts based on Roles with more functionality rights should not be given.
   
   
   ##### ACTUAL RESULTS
   <!-- What actually happened? -->
   
   <!-- Paste verbatim command output between quotes below -->
   
   Accounts based restricted roles, which were based on Domain Admin role, are able to create Accounts with original/unrestricted Domain Admin functionality rights.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] StepBee commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1017241714


   @rohityadavcloud i agree.
   In my case we have a multi-tenant cloud platform and customers with domain admin privilege for their customer-domain to be able to create users/accounts, but they should not be able to create for example Service Offerings, as our customers are not aware of the required host / storage tags.
   Thats why i tried to configure a domain admin for customers, with carefully restricted rights, where this fix will help a lot.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] sureshanaparti commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

sureshanaparti commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1034492704


   > I've tested the fix and it seems to restrict the 'restricted domain admin' to create a normal domain admin, @StepBee can you check if this solves it for you as well.
   
   ping @StepBee can you check / confirm the fix.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] sureshanaparti commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

sureshanaparti commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1034540242


   Fixed in #5879. @StepBee If you still notice this issue after the fix, please reopen (with the details). Thanks.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] StepBee commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1034530887


   unfortunately, i am currently in lack of a properly working test environment i could use for testing.
   To not cause any delay i would trust @borisstoyanov result


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] StepBee commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1016547003


   @DaanHoogland thanks for taking care of this issue and thinking about an easy solution.
   
   Indeed, refusing to create a user based on a role with more rights than the current user would be an easy and, from my perspective, satisfying solution.
   Maybe as a bonus there is a chance of not even displaying such roles on the webui when creating a new user?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] borisstoyanov commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

borisstoyanov commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1033661793


   I've tested the fix and it seems to restrict the 'restricted domain admin' to create a normal domain admin, @StepBee can you check if this solves it for you as well. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rohityadavcloud commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

rohityadavcloud commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1017223070


   Thanks for reporting this @StepBee - generally, when there's a domain admin account we assume the typical use-case is in an enterprise where the domain admin is privileged in some way. But we should prevent and ensure a role can't create account with roles more than their own role priviledge. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] StepBee commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1016566772


   @DaanHoogland sounds like overload for the display of a role list, indeed.
   From my perspective, sticking to the pure functionality of refuse on create is a valid approach to resolve the issue itself.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] DaanHoogland commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

DaanHoogland commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1016507176


   @StepBee, would this be a reasonable implementation for you:
   ```
   get the current user's role
   get the requested role
   if there is any right in requested role that the current user doesn't have; refuse
   ```
   I suspect there is other implementation possibilities, so let me know if you see some more bears on the road ;)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] StepBee commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

StepBee commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1034545710


   Many thanks for your work on this fix, much appreciated.
   Yep, will test in my test envrionment once functional again and reopen in case i see issues.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] DaanHoogland commented on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

DaanHoogland commented on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1016562743


   @StepBee , I think that the algorithm for checking such escalation happening is not trivial; There is deny and allow to check for each entry, but also wildcards are allowed. I think for listing roles this would/may be a bit much given we have 600+ API by now.
   we could just iterate over all API and do a check for the caller to se if they are allowed, but if the list is more than the default eight roles, ....
   I agree with the use-case though ;)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rohityadavcloud edited a comment on issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

rohityadavcloud edited a comment on issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781#issuecomment-1017223070


   Thanks for reporting this @StepBee - generally, when there's a domain admin account we assume the typical use-case is in an enterprise where the domain admin is privileged in some way. But we should prevent and ensure a role can't create an account with a role of more privilege than their own. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] sureshanaparti closed issue #5781: Dynamic Role Model partly allows users to create users with more rights

[GitBox <gi...@apache.org>]

sureshanaparti closed issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org