Posted to issues@cloudstack.apache.org by "Parth Jagirdar (JIRA)" <ji...@apache.org> on 2014/04/30 01:30:16 UTC

[jira] [Created] (CLOUDSTACK-6535) IAM:MS:API createVMSnapshot fails doesn't preserve access rights

Parth Jagirdar created CLOUDSTACK-6535:
------------------------------------------

             Summary: IAM:MS:API createVMSnapshot fails doesn't preserve access rights
                 Key: CLOUDSTACK-6535
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6535
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: API, IAM
    Affects Versions: 4.4.0
         Environment: 4.4
            Reporter: Parth Jagirdar
            Priority: Critical


As a domain admin or as a regular user, one can create a snapshot of a VM owned by other users. (Create Snapshot succeeds across domains as well.)

Please refer to API and MS logs.

DB Dump is attached.



2014-04-29 15:32:38,316 INFO  [a.c.c.a.ApiServer] (catalina-exec-19:ctx-baaf5fbe ctx-d89f1942) (userId=9 accountId=9 sessionId=13E9CF7AD4BB55EE9EDF2920D6E62915) 10.215.2.19 -- GET command=createVMSnapshot&virtualmachineid=219d649d-b6fc-475e-ab0f-8800a7f95235&response=json&sessionkey=p1pPn2KtylzYt92NSHuE2u4G68w%3D 200 { "createvmsnapshotresponse" : {"id":"8","jobid":"fa37d77f-28b0-485b-af81-834a07ed6e4e"} }
2014-04-29 15:32:40,306 INFO  [a.c.c.a.ApiServer] (catalina-exec-25:ctx-114bb10a ctx-d396131c) (userId=2
 accountId=2 sessionId=5EC896B528FB6DB972CE5B02A277047B) 10.215.2.19 -- GET command=listVirtualMachines&
response=json&sessionkey=e1WRj6SbsZEClPvlCdLP9f3MhYI%3D&listAll=true&page=1&pagesize=20&_=1398810759989
200 { "listvirtualmachinesresponse" : { "count":6 ,"virtualmachine" : [  {"id":"cea5fc51-6a31-4209-b26f-
9097c9d17011","name":"d2-vm","displayname":"d2-vm","account":"d2","domainid":"0af12b69-67f4-454a-9eb6-f2
bef02aba0b","domain":"d2","created":"2014-04-28T10:21:08-0700","state":"Running","haenable":false,"zonei
d":"6933ac3e-29fe-4170-8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15"
,"hostname":"10.223.58.68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.
3(64-bit) no GUI (vSphere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled
":false,"serviceofferingid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance
","cpunumber":1,"cpuspeed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"gues
tosid":"54a23660-bf4b-11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[
],"nic":[{"id":"cae4f3d2-1598-4aa0-98b9-669a4c7de6ae","networkid":"f417c31a-e19f-45db-9180-87f17a195bf0"
,"networkname":"d2-net","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.151","isolati
onuri":"vlan://2342","broadcasturi":"vlan://2342","traffictype":"Guest","type":"Isolated","isdefault":tr
ue,"macaddress":"02:00:41:11:00:01"}],"hypervisor":"VMware","publicipid":"a6866b38-e8dd-4deb-965f-c09931
d183fe","publicip":"10.223.138.11","instancename":"i-10-32-VM","tags":[],"affinitygroup":[],"displayvm":
true,"isdynamicallyscalable":false,"ostypeid":12}, {"id":"e887d23a-fac0-4397-adb9-edfbf2169453","name":"
d1-vm","displayname":"d1-vm","account":"d1","domainid":"90a8c572-3f92-420b-9176-5daafa9853da","domain":"
d1","created":"2014-04-28T10:20:39-0700","state":"Running","haenable":false,"zoneid":"6933ac3e-29fe-4170
-8411-b1827aa2f5cf","zonename":"z","hostid":"d8fb3cb9-782e-4cdc-b0c0-3adcf65a7a15","hostname":"10.223.58
.68","templateid":"549440c8-bf4b-11e3-a56d-ced18bec4952","templatename":"CentOS 5.3(64-bit) no GUI (vSph
ere)","templatedisplaytext":"CentOS 5.3(64-bit) no GUI (vSphere)","passwordenabled":false,"serviceofferi
ngid":"4c035b12-f32f-4c0c-b768-264ec02ac242","serviceofferingname":"Small Instance","cpunumber":1,"cpusp
eed":500,"memory":512,"cpuused":"45%","networkkbsread":0,"networkkbswrite":0,"guestosid":"54a23660-bf4b-
11e3-a56d-ced18bec4952","rootdeviceid":0,"rootdevicetype":"ROOT","securitygroup":[],"nic":[{"id":"5c410c
a5-5151-48d8-8de7-4fc674bd597a","networkid":"2a7d1254-3120-42f5-b8b9-dd64485cfed4","networkname":"d1-net
","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.184","isolationuri":"vlan://2268","










mysql> select * from iam_group_account_map where removed is NULL order by group_id;
+----+----------+------------+---------+---------------------+
| id | group_id | account_id | removed | created             |
+----+----------+------------+---------+---------------------+
| 43 |        1 |         23 | NULL    | 2014-04-14 23:18:40 |
| 45 |        1 |         24 | NULL    | 2014-04-17 22:23:41 |
| 41 |        1 |         22 | NULL    | 2014-04-14 23:18:24 |
| 39 |        1 |         21 | NULL    | 2014-04-14 23:17:59 |
| 37 |        1 |         20 | NULL    | 2014-04-14 23:17:40 |
|  2 |        2 |          2 | NULL    | 2014-04-08 18:29:34 |
|  1 |        2 |          1 | NULL    | 2014-04-08 18:29:34 |
| 17 |        3 |         10 | NULL    | 2014-04-10 21:50:18 |
| 15 |        3 |          9 | NULL    | 2014-04-10 21:49:18 |
| 16 |        7 |          9 | NULL    | 2014-04-10 21:49:18 |
| 46 |        7 |         24 | NULL    | 2014-04-17 22:23:41 |
| 18 |        8 |         10 | NULL    | 2014-04-10 21:50:18 |
| 38 |        9 |         20 | NULL    | 2014-04-14 23:17:40 |
| 40 |       10 |         21 | NULL    | 2014-04-14 23:17:59 |
| 42 |       11 |         22 | NULL    | 2014-04-14 23:18:24 |
| 44 |       12 |         23 | NULL    | 2014-04-14 23:18:40 |
| 47 |       13 |          1 | NULL    | 2014-04-23 18:56:28 |
| 48 |       13 |          2 | NULL    | 2014-04-23 18:56:28 |
+----+----------+------------+---------+---------------------+
18 rows in set (0.00 sec)

mysql> select * from iam_group_policy_map;
+----+----------+-----------+---------+---------------------+
| id | group_id | policy_id | removed | created             |
+----+----------+-----------+---------+---------------------+
|  1 |        1 |         1 | NULL    | 2014-04-08 11:27:45 |
|  2 |        2 |         2 | NULL    | 2014-04-08 11:27:45 |
|  3 |        3 |         3 | NULL    | 2014-04-08 11:27:45 |
|  4 |        4 |         4 | NULL    | 2014-04-08 11:27:45 |
|  5 |        5 |         5 | NULL    | 2014-04-08 11:27:45 |
+----+----------+-----------+---------+---------------------+
5 rows in set (0.00 sec)

mysql> select * from iam_policy_permission where action = "createVMSnapshot";
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| id   | policy_id | action           | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| 4377 |         2 | createVMSnapshot | VMSnapshot    |       -1 | ALL     | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4378 |         4 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4379 |         3 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4380 |         1 | createVMSnapshot | VMSnapshot    |       -1 | ACCOUNT | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:13 |
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
4 rows in set (0.00 sec)
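
Added example (not part of the original report and not CloudStack code): a triage check that joins the three dumped tables to find the scope at which an account is granted createVMSnapshot, then applies that scope to a caller/owner pair. The scope semantics in should_allow(), the domain labels and the owner account id are assumptions made for illustration; account 9 is the accountId from the createVMSnapshot log line above.

```python
import sqlite3

# Rows copied from the DB dump above, reduced to the columns the join needs.
GROUP_ACCOUNT = [  # (group_id, account_id), all with removed IS NULL
    (1, 23), (1, 24), (1, 22), (1, 21), (1, 20), (2, 2), (2, 1), (3, 10), (3, 9),
    (7, 9), (7, 24), (8, 10), (9, 20), (10, 21), (11, 22), (12, 23), (13, 1), (13, 2),
]
GROUP_POLICY = [(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]  # (group_id, policy_id)
PERMISSION = [  # (id, policy_id, action, scope, permission)
    (4377, 2, "createVMSnapshot", "ALL", "Allow"),
    (4378, 4, "createVMSnapshot", "DOMAIN", "Allow"),
    (4379, 3, "createVMSnapshot", "DOMAIN", "Allow"),
    (4380, 1, "createVMSnapshot", "ACCOUNT", "Allow"),
]

def load():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE iam_group_account_map (group_id INT, account_id INT);
        CREATE TABLE iam_group_policy_map (group_id INT, policy_id INT);
        CREATE TABLE iam_policy_permission
            (id INT, policy_id INT, action TEXT, scope TEXT, permission TEXT);
    """)
    db.executemany("INSERT INTO iam_group_account_map VALUES (?, ?)", GROUP_ACCOUNT)
    db.executemany("INSERT INTO iam_group_policy_map VALUES (?, ?)", GROUP_POLICY)
    db.executemany("INSERT INTO iam_policy_permission VALUES (?, ?, ?, ?, ?)", PERMISSION)
    return db

def granted_scopes(db, account_id, action):
    """Scopes at which the account's group policies allow the action."""
    rows = db.execute("""
        SELECT DISTINCT p.scope
        FROM iam_group_account_map ga
        JOIN iam_group_policy_map gp ON gp.group_id = ga.group_id
        JOIN iam_policy_permission p ON p.policy_id = gp.policy_id
        WHERE ga.account_id = ? AND p.action = ? AND p.permission = 'Allow'
        ORDER BY p.scope""", (account_id, action))
    return [r[0] for r in rows]

def should_allow(scopes, caller, owner):
    """Assumed semantics: ALL = any owner, DOMAIN = same domain, ACCOUNT = same account."""
    return ("ALL" in scopes
            or ("DOMAIN" in scopes and caller["domain"] == owner["domain"])
            or ("ACCOUNT" in scopes and caller["account"] == owner["account"]))

def check(account_id, caller_domain, owner_account, owner_domain):
    scopes = granted_scopes(load(), account_id, "createVMSnapshot")
    return scopes, should_allow(scopes, {"account": account_id, "domain": caller_domain},
                                {"account": owner_account, "domain": owner_domain})
```

With constructed domain labels, check(9, "dom-A", 99, "dom-B") yields DOMAIN scope and a deny under these assumed semantics, which is the outcome the report says the API did not enforce.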









