Posted to issues@cloudstack.apache.org by "Sangeetha Hariharan (JIRA)" <ji...@apache.org> on 2014/04/25 23:53:14 UTC
[jira] [Created] (CLOUDSTACK-6517) IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
Sangeetha Hariharan created CLOUDSTACK-6517:
-----------------------------------------------
Summary: IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
Key: CLOUDSTACK-6517
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Fix For: 4.4.0
IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
Steps to reproduce the problem:
As a regular user, on a network he owns, acquire an IP address.
As admin, try to create a PF rule on this IP address without passing account and domainId.
Creating the PF rule succeeds.
Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.
mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
+------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| id   | policy_id | action                | resource_type | scope_id | scope   | access_type  | permission | recursive | removed | created             |
+------+-----------+-----------------------+---------------+----------+---------+--------------+------------+-----------+---------+---------------------+
| 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
| 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry     | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
Admin should be allowed to do this only when the account and domainId of the regular user are passed.
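The access decision the report expects, as an added example that is not part of the original message and is not CloudStack's own code: a small default-deny evaluator run over the two iam_policy_permission rows shown above. The scope semantics (ALL covers any owner, ACCOUNT covers only resources owned by the caller's account), the matching on resource_type and access_type rather than action, the account names, and the function names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PolicyPermission:
    """Subset of the iam_policy_permission columns used by the check."""
    resource_type: str
    scope: str
    access_type: str
    permission: str
    removed: Optional[str] = None  # non-NULL means the row is soft-deleted


# The two rows from the report (policy_id=2, the admin's policy).
ADMIN_POLICY = [
    PolicyPermission("IpAddress", "ALL", "ListEntry", "Allow"),
    PolicyPermission("IpAddress", "ACCOUNT", "UseEntry", "Allow"),
]


def scope_covers(scope: str, caller_account: str, owner_account: str) -> bool:
    """Assumed semantics: ALL = any owner, ACCOUNT = caller's own resources."""
    if scope == "ALL":
        return True
    if scope == "ACCOUNT":
        return caller_account == owner_account
    return False  # unknown scopes never grant access


def is_allowed(policy: List[PolicyPermission], caller_account: str,
               resource_type: str, owner_account: str, access_type: str) -> bool:
    """Default deny: some live Allow row must match type, access and scope."""
    for row in policy:
        if row.removed is not None or row.permission != "Allow":
            continue
        if (row.resource_type == resource_type
                and row.access_type == access_type
                and scope_covers(row.scope, caller_account, owner_account)):
            return True
    return False


def can_create_pf_rule(policy: List[PolicyPermission], caller_account: str,
                       ip_owner_account: str) -> bool:
    """A PF rule consumes the IP, so the caller needs UseEntry on it."""
    return is_allowed(policy, caller_account, "IpAddress",
                      ip_owner_account, "UseEntry")
```

With these rows the admin can list the regular user's IP address but is refused a PF rule on it, which is the outcome the report expects when account and domainId are not passed.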