Posted to issues@cloudstack.apache.org by "Parth Jagirdar (JIRA)" <ji...@apache.org> on 2014/04/30 01:30:16 UTC
[jira] [Created] (CLOUDSTACK-6535) IAM:MS:API createVMSnapshot fails doesn't preserve access rights
Parth Jagirdar created CLOUDSTACK-6535:
------------------------------------------
Summary: IAM:MS:API createVMSnapshot fails doesn't preserve access rights
Key: CLOUDSTACK-6535
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6535
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: API, IAM
Affects Versions: 4.4.0
Environment: 4.4
Reporter: Parth Jagirdar
Priority: Critical
As a domain admin or as a regular user, one can create a snapshot of a VM owned by other users. (Create Snapshot succeeds across domains as well.)
Please refer to API and MS logs.
DB Dump is attached.
2014-04-29 15:32:38,316 INFO [a.c.c.a.ApiServer] (catalina-exec-19:ctx-baaf5fbe ctx-d89f1942) (userId=9 accountId=9 sessionId=13E9CF7AD4BB55EE9EDF2920D6E62915) 10.215.2.19 -- GET command=createVMSnapshot&virtualmachineid=219d649d-b6fc-475e-ab0f-8800a7f95235&response=json&sessionkey=p1pPn2KtylzYt92NSHuE2u4G68w%3D 200 { "createvmsnapshotresponse" : {"id":"8","jobid":"fa37d77f-28b0-485b-af81-834a07ed6e4e"} }
mysql> select * from iam_group_account_map where removed is NULL order by group_id;
+----+----------+------------+---------+---------------------+
| id | group_id | account_id | removed | created             |
+----+----------+------------+---------+---------------------+
| 43 |        1 |         23 | NULL    | 2014-04-14 23:18:40 |
| 45 |        1 |         24 | NULL    | 2014-04-17 22:23:41 |
| 41 |        1 |         22 | NULL    | 2014-04-14 23:18:24 |
| 39 |        1 |         21 | NULL    | 2014-04-14 23:17:59 |
| 37 |        1 |         20 | NULL    | 2014-04-14 23:17:40 |
|  2 |        2 |          2 | NULL    | 2014-04-08 18:29:34 |
|  1 |        2 |          1 | NULL    | 2014-04-08 18:29:34 |
| 17 |        3 |         10 | NULL    | 2014-04-10 21:50:18 |
| 15 |        3 |          9 | NULL    | 2014-04-10 21:49:18 |
| 16 |        7 |          9 | NULL    | 2014-04-10 21:49:18 |
| 46 |        7 |         24 | NULL    | 2014-04-17 22:23:41 |
| 18 |        8 |         10 | NULL    | 2014-04-10 21:50:18 |
| 38 |        9 |         20 | NULL    | 2014-04-14 23:17:40 |
| 40 |       10 |         21 | NULL    | 2014-04-14 23:17:59 |
| 42 |       11 |         22 | NULL    | 2014-04-14 23:18:24 |
| 44 |       12 |         23 | NULL    | 2014-04-14 23:18:40 |
| 47 |       13 |          1 | NULL    | 2014-04-23 18:56:28 |
| 48 |       13 |          2 | NULL    | 2014-04-23 18:56:28 |
+----+----------+------------+---------+---------------------+
18 rows in set (0.00 sec)
mysql> select * from iam_group_policy_map;
+----+----------+-----------+---------+---------------------+
| id | group_id | policy_id | removed | created             |
+----+----------+-----------+---------+---------------------+
|  1 |        1 |         1 | NULL    | 2014-04-08 11:27:45 |
|  2 |        2 |         2 | NULL    | 2014-04-08 11:27:45 |
|  3 |        3 |         3 | NULL    | 2014-04-08 11:27:45 |
|  4 |        4 |         4 | NULL    | 2014-04-08 11:27:45 |
|  5 |        5 |         5 | NULL    | 2014-04-08 11:27:45 |
+----+----------+-----------+---------+---------------------+
5 rows in set (0.00 sec)
mysql> select * from iam_policy_permission where action = "createVMSnapshot";
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| id   | policy_id | action           | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| 4377 |         2 | createVMSnapshot | VMSnapshot    |       -1 | ALL     | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4378 |         4 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4379 |         3 | createVMSnapshot | VMSnapshot    |       -1 | DOMAIN  | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:12 |
| 4380 |         1 | createVMSnapshot | VMSnapshot    |       -1 | ACCOUNT | OperateEntry | Allow      |         0 | NULL    | 2014-04-23 19:00:13 |
+------+-----------+------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
4 rows in set (0.00 sec)
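The three IAM tables in the report can be joined to see which createVMSnapshot scope the dumped policies grant a given account, such as accountId=9 from the log line. This is an added example, not code from CloudStack or from the reporter; the scope semantics (ACCOUNT = own VM, DOMAIN = same domain, ALL = any VM), the account-to-domain mapping and the VM owners are assumptions, because the report does not show them.

```python
import sqlite3

# Rows copied from the report's tables, reduced to the columns the check uses.
GROUP_ACCOUNT = [(1, 23), (1, 24), (1, 22), (1, 21), (1, 20), (2, 2), (2, 1),
                 (3, 10), (3, 9), (7, 9), (7, 24), (8, 10), (9, 20), (10, 21),
                 (11, 22), (12, 23), (13, 1), (13, 2)]       # (group_id, account_id)
GROUP_POLICY = [(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]      # (group_id, policy_id)
PERMISSION = [(2, "ALL"), (4, "DOMAIN"), (3, "DOMAIN"), (1, "ACCOUNT")]  # (policy_id, scope)

# Constructed for illustration: the report shows neither the account-to-domain
# mapping nor the owner of the snapshotted VM.
ACCOUNT_DOMAIN = {9: "dom-a", 10: "dom-a", 20: "dom-b"}

SCOPE_QUERY = """
    select distinct p.scope
      from iam_group_account_map ga
      join iam_group_policy_map gp on gp.group_id = ga.group_id
      join iam_policy_permission p on p.policy_id = gp.policy_id
     where ga.account_id = ? and ga.removed is null and gp.removed is null
       and p.removed is null and p.action = 'createVMSnapshot'
       and p.permission = 'Allow'
"""

def load_dump():
    """Load the report's rows into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("create table iam_group_account_map (group_id, account_id, removed)")
    db.execute("create table iam_group_policy_map (group_id, policy_id, removed)")
    db.execute("create table iam_policy_permission "
               "(policy_id, action, scope, permission, removed)")
    db.executemany("insert into iam_group_account_map values (?, ?, null)", GROUP_ACCOUNT)
    db.executemany("insert into iam_group_policy_map values (?, ?, null)", GROUP_POLICY)
    db.executemany("insert into iam_policy_permission values "
                   "(?, 'createVMSnapshot', ?, 'Allow', null)", PERMISSION)
    return db

def allowed_scopes(db, account_id):
    """Scopes the dumped policies grant this account for createVMSnapshot."""
    return {row[0] for row in db.execute(SCOPE_QUERY, (account_id,))}

def may_snapshot(db, caller, vm_owner):
    """Assumed semantics: ALL = any VM, DOMAIN = same domain, ACCOUNT = own VM."""
    scopes = allowed_scopes(db, caller)
    if "ALL" in scopes:
        return True
    if "DOMAIN" in scopes and ACCOUNT_DOMAIN[caller] == ACCOUNT_DOMAIN[vm_owner]:
        return True
    return "ACCOUNT" in scopes and caller == vm_owner
```

For the dumped rows the join gives account 9 only the DOMAIN scope, so under the assumed semantics a cross-domain createVMSnapshot from that account would be denied.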