Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/08/10 09:12:35 UTC

[GitHub] [cloudstack] vdombrovski opened a new issue, #6623: Can't delete any resource tags when multiple accounts have tagged a resource

vdombrovski opened a new issue, #6623:
URL: https://github.com/apache/cloudstack/issues/6623

   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   Core
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   4.17.0.0
   ~~~
   
   ##### CONFIGURATION
   
   N/A
   
   
   ##### OS / ENVIRONMENT
   
   N/A
   
   
   ##### SUMMARY
   
   This is somewhat related to my previously created issue https://github.com/apache/cloudstack/issues/6620
   
   Resource tags are always attached to an account. This means that an account can only delete its own tags. However, the permission check done inside the code is made on **all tags belonging to the resource**, regardless of whether the user asks for the tag to be deleted or not, which results in the deletion always failing.
   
   Related code lines:
   
   https://github.com/apache/cloudstack/blob/main/server/src/main/java/com/cloud/tags/TaggedResourceManagerImpl.java#L253
   
   ##### STEPS TO REPRODUCE
   Using cmk:
   
   ~~~
   # As account 1
   associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
   create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1 tags[0].value=somevalue1
   disassociate  ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
   
   # As account 2
   associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
   create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey2 tags[0].value=somevalue2
   disassociate  ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
   
   
   # As account 1: try to delete my own tag
   delete tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1
   ~~~
   
   
   ##### EXPECTED RESULTS
   
   The tag somekey1 gets deleted
   
   ##### ACTUAL RESULTS
   
   Account does not have permission
   
   ~~~
   jobid = 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62a
   accountid = ca1015a8-d479-4327-9366-db44220dcb12
   cmd = org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
   jobstatus = 2
   jobprocstatus = 0
   jobresultcode = 530
   jobresult = {"errorcode":530,"errortext":"Account account1 does not have permission to operate within domain id=XXXX"}
   userid = 4c238098-36b5-4cf8-8ddf-e930c72b6eb0
   jobresulttype = object
   created = 2022-08-10T11:08:36+0200
   completed = 2022-08-10T11:08:37+0200
   Error: async API failed for job 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62
   ~~~
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
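
The authorization pattern reported in the issue above, as an added example that is not CloudStack's code and not the fix from #6634. The `Tag` record, `checkAccess` and both delete methods are hypothetical names, and the two tags are constructed to mirror the reproduction steps; the model assumes an account may only operate on tags it owns. Requires Java 16 or later.

```java
import java.util.List;
import java.util.Set;

public class TagDeleteAuthz {
    // Constructed model: each tag on a resource is owned by the account that created it.
    record Tag(String key, String ownerAccount) {}

    static class PermissionDenied extends RuntimeException {
        PermissionDenied(String msg) { super(msg); }
    }

    // Stand-in for the access check (assumption): an account may only operate on its own tags.
    static void checkAccess(String caller, Tag tag) {
        if (!tag.ownerAccount().equals(caller)) {
            throw new PermissionDenied("Account " + caller + " may not operate on tag " + tag.key());
        }
    }

    // Behaviour reported in the issue: every tag on the resource is access-checked,
    // so a single tag owned by another account makes the whole request fail.
    static List<Tag> deleteCheckingAllTags(String caller, List<Tag> resourceTags, Set<String> keys) {
        for (Tag t : resourceTags) checkAccess(caller, t);
        return resourceTags.stream().filter(t -> !keys.contains(t.key())).toList();
    }

    // Scoped check: select the tags named in the request first, then authorize only those.
    static List<Tag> deleteCheckingRequestedTags(String caller, List<Tag> resourceTags, Set<String> keys) {
        List<Tag> targets = resourceTags.stream().filter(t -> keys.contains(t.key())).toList();
        for (Tag t : targets) checkAccess(caller, t);
        return resourceTags.stream().filter(t -> !targets.contains(t)).toList();
    }

    public static void main(String[] args) {
        // Constructed sample: the same resource tagged by two accounts in turn.
        List<Tag> tags = List.of(new Tag("somekey1", "account1"), new Tag("somekey2", "account2"));
        try {
            deleteCheckingAllTags("account1", tags, Set.of("somekey1"));
        } catch (PermissionDenied e) {
            System.out.println("all-tags check denies own tag: " + e.getMessage());
        }
        System.out.println("scoped check, remaining tags: "
                + deleteCheckingRequestedTags("account1", tags, Set.of("somekey1")));
        try {
            deleteCheckingRequestedTags("account1", tags, Set.of("somekey2"));
        } catch (PermissionDenied e) {
            System.out.println("scoped check still denies foreign tag: " + e.getMessage());
        }
    }
}
```

The last call shows that narrowing the check to the requested tags does not loosen it: a request naming another account's tag is still refused.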


[GitHub] [cloudstack] shwstppr commented on issue #6623: Can't delete any resource tags when multiple accounts have tagged a resource

Posted by GitBox <gi...@apache.org>.
shwstppr commented on issue #6623:
URL: https://github.com/apache/cloudstack/issues/6623#issuecomment-1217516200

   Fixed with #6634 




[GitHub] [cloudstack] shwstppr closed issue #6623: Can't delete any resource tags when multiple accounts have tagged a resource

Posted by GitBox <gi...@apache.org>.
shwstppr closed issue #6623: Can't delete any resource tags when multiple accounts have tagged a resource
URL: https://github.com/apache/cloudstack/issues/6623

