vdombrovski opened a new issue, #6623:
URL: https://github.com/apache/cloudstack/issues/6623
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
Core
~~~
##### CLOUDSTACK VERSION
~~~
4.17.0.0
~~~
##### CONFIGURATION
N/A
##### OS / ENVIRONMENT
N/A
##### SUMMARY
This is somewhat related to my previously created issue
https://github.com/apache/cloudstack/issues/6620

Resource tags are always attached to an account. This means that an account
can only delete its own tags. However, the permission check done inside the
code is made on **all tags belonging to the resource**, regardless of whether
the user asks for the tag to be deleted or not, which results in the deletion
always failing.

Related code lines:
https://github.com/apache/cloudstack/blob/main/server/src/main/java/com/cloud/tags/TaggedResourceManagerImpl.java#L253
##### STEPS TO REPRODUCE
Using cmk:
~~~
# As account 1
associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1 tags[0].value=somevalue1
disassociate ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
# As account 2
associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey2 tags[0].value=somevalue2
disassociate ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
# As account 1: try to delete my own tag
delete tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1
~~~
##### EXPECTED RESULTS
The tag somekey1 gets deleted
##### ACTUAL RESULTS
Account does not have permission
~~~
jobid = 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62a
accountid = ca1015a8-d479-4327-9366-db44220dcb12
cmd = org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
jobstatus = 2
jobprocstatus = 0
jobresultcode = 530
jobresult = {"errorcode":530,"errortext":"Account account1 does not have permission to operate within domain id=XXXX"}
userid = 4c238098-36b5-4cf8-8ddf-e930c72b6eb0
jobresulttype = object
created = 2022-08-10T11:08:36+0200
completed = 2022-08-10T11:08:37+0200
Error: async API failed for job 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62
~~~
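The scoping problem described in the summary, as an added example that is not part of the original report and is not CloudStack's code: a minimal model (Java 16+) in which the ownership check either runs over every tag on the resource or only over the tags selected for deletion. The `Tag` record, `checkAccess` and both `select...` methods are hypothetical names; the tag keys, account names and IP address id are the ones from the reproduction steps.

```java
import java.util.*;

public class TagDeleteScope {
    // Hypothetical model of a resource tag: each tag records the account that created it.
    record Tag(String resourceId, String key, String ownerAccount) {}

    // Stand-in for an ownership check: an account may only operate on its own tags.
    static void checkAccess(String caller, Tag tag) {
        if (!caller.equals(tag.ownerAccount())) {
            throw new SecurityException("Account " + caller + " does not have permission on tag " + tag.key());
        }
    }

    // Behaviour described in the report: every tag on the resource is checked,
    // including tags the caller never asked to delete.
    static List<Tag> selectCheckAll(String caller, List<Tag> tagsOnResource, Set<String> keys) {
        List<Tag> toDelete = new ArrayList<>();
        for (Tag t : tagsOnResource) {
            checkAccess(caller, t);
            if (keys.contains(t.key())) toDelete.add(t);
        }
        return toDelete;
    }

    // Narrowed scope (assumed ordering): filter by requested key first,
    // then check only the tags that would actually be deleted.
    static List<Tag> selectCheckRequested(String caller, List<Tag> tagsOnResource, Set<String> keys) {
        List<Tag> toDelete = new ArrayList<>();
        for (Tag t : tagsOnResource) {
            if (!keys.contains(t.key())) continue;
            checkAccess(caller, t);
            toDelete.add(t);
        }
        return toDelete;
    }

    public static void main(String[] args) {
        String ip = "86b1b359-1879-488b-ba9c-772cceeb6908";
        List<Tag> tags = List.of(new Tag(ip, "somekey1", "account1"), new Tag(ip, "somekey2", "account2"));
        try {
            selectCheckAll("account1", tags, Set.of("somekey1"));
        } catch (SecurityException e) { System.out.println("check-all: " + e.getMessage()); }
        System.out.println("check-requested: " + selectCheckRequested("account1", tags, Set.of("somekey1")));
        try { // a request for another account's tag must still be refused
            selectCheckRequested("account1", tags, Set.of("somekey2"));
        } catch (SecurityException e) { System.out.println("foreign tag refused: " + e.getMessage()); }
    }
}
```

The last call matters for any fix along these lines: narrowing the check to the requested tags removes the false denial while still refusing deletion of a tag owned by another account.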