Posted to issues@cloudstack.apache.org by "Sangeetha Hariharan (JIRA)" <ji...@apache.org> on 2014/04/25 23:53:14 UTC

[jira] [Created] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.

Sangeetha Hariharan created CLOUDSTACK-6517:
-----------------------------------------------

             Summary: IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
                 Key: CLOUDSTACK-6517
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: IAM
    Affects Versions: 4.4.0
         Environment: Build from 4.4
            Reporter: Sangeetha Hariharan
             Fix For: 4.4.0


IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.

Steps to reproduce the problem:

As a regular user, on a network he owns, acquire an IP address.
As admin, try to create a PF rule on this IP address without passing account and domainId.

Creating the PF rule succeeds.

Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.

mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
+------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
+------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
| 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |

Admin should be allowed to do this only when the account and domainId of the regular user are passed.



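The check the report expects, written out as a small policy evaluator. This is an added illustration, not CloudStack's IAM code: the two permission rows (IpAddress / ALL / ListEntry and IpAddress / ACCOUNT / UseEntry) are taken from the table in the report, while the data classes, the function names, the mapping of createPortForwardingRule to UseEntry and listPublicIpAddresses to ListEntry, and the modelling of "admin passes account and domainId" as evaluating the ACCOUNT scope for that account are assumptions made here for illustration.

```python
"""Toy model of an IAM policy check for IpAddress (added example, not CloudStack code).

Policy rows mirror the report's iam_policy_permission output for policy_id=2:
  IpAddress / scope ALL     / ListEntry / Allow
  IpAddress / scope ACCOUNT / UseEntry  / Allow
Everything else below (names, the API -> access_type mapping, the on_behalf_of
handling) is an assumption for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    resource_type: str   # e.g. "IpAddress"
    scope: str           # "ALL" or "ACCOUNT", as in the report's table
    access_type: str     # "ListEntry" or "UseEntry"
    permission: str      # "Allow" (only Allow rows appear in the report)


@dataclass(frozen=True)
class Resource:
    resource_type: str
    owner_account: str
    owner_domain: str


# Constructed from the two rows shown in the report (admin policy, policy_id=2).
ADMIN_POLICY: List[Permission] = [
    Permission("IpAddress", "ALL", "ListEntry", "Allow"),
    Permission("IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]

# Assumption: listing an IP needs ListEntry; creating a PF rule on it needs UseEntry.
REQUIRED_ACCESS = {
    "listPublicIpAddresses": "ListEntry",
    "createPortForwardingRule": "UseEntry",
}

Principal = Tuple[str, str]  # (account, domain)


def scope_matches(scope: str, effective: Principal, resource: Resource) -> bool:
    """ALL matches any owner; ACCOUNT matches only the resource's own account/domain."""
    if scope == "ALL":
        return True
    if scope == "ACCOUNT":
        return effective == (resource.owner_account, resource.owner_domain)
    return False


def is_allowed(policy: List[Permission], api: str, caller: Principal,
               resource: Resource, on_behalf_of: Optional[Principal] = None) -> bool:
    """Return True if `api` may be invoked by `caller` on `resource`.

    `on_behalf_of` models the admin passing account and domainId of the regular
    user: the ACCOUNT-scoped rows are then evaluated for that principal instead
    of the caller (an assumption of this model, not CloudStack's actual logic).
    """
    needed = REQUIRED_ACCESS[api]
    effective = on_behalf_of if on_behalf_of is not None else caller
    for p in policy:
        if p.resource_type != resource.resource_type or p.permission != "Allow":
            continue
        if p.access_type != needed:
            continue  # a ListEntry row never satisfies a UseEntry requirement
        if scope_matches(p.scope, effective, resource):
            return True
    return False


def reproduce() -> dict:
    """Walk the report's scenario: user1 owns the IP, admin acts without and with account/domainId."""
    ip = Resource("IpAddress", "user1", "ROOT")  # constructed sample
    admin: Principal = ("admin", "ROOT")
    return {
        "admin_can_list": is_allowed(ADMIN_POLICY, "listPublicIpAddresses", admin, ip),
        "admin_pf_no_account": is_allowed(ADMIN_POLICY, "createPortForwardingRule", admin, ip),
        "admin_pf_with_account": is_allowed(ADMIN_POLICY, "createPortForwardingRule", admin, ip,
                                            on_behalf_of=("user1", "ROOT")),
        "admin_pf_wrong_account": is_allowed(ADMIN_POLICY, "createPortForwardingRule", admin, ip,
                                             on_behalf_of=("user2", "ROOT")),
    }


if __name__ == "__main__":
    for k, v in reproduce().items():
        print(f"{k}: {v}")
```

With these rows, the ALL-scoped ListEntry row lets admin list the IP but never satisfies the UseEntry requirement, so the PF call without account/domainId is denied, which is the outcome the report says is expected; supplying the owner's account and domainId makes the ACCOUNT-scoped UseEntry row match.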