gpordeus opened a new pull request, #8689: URL: https://github.com/apache/cloudstack/pull/8689
### Description

This PR adds a role access check to the `expungeVirtualMachine` command when calling `destroyVirtualMachine` with the expunge parameter. Currently, if you are an admin (even if not Root), it bypasses the `allow.user.expunge.recover.vm` verification and you are always allowed to expunge when calling `destroyVirtualMachine`.

The use case that called for this change was a need for a role of type domain admin to be unable to expunge VMs. It was then found that even with the DENY rule, the user could still expunge through `destroyVirtualMachine` (even on already destroyed VMs, with an API call) and the setting `allow.user.expunge.recover.vm` did nothing.

### Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
- [ ] build/CI

### Feature/Enhancement Scale or Bug Severity

#### Bug Severity

- [ ] BLOCKER
- [ ] Critical
- [X] Major
- [ ] Minor
- [ ] Trivial

### Screenshots (if appropriate):

### How Has This Been Tested?

I created a role, based on the default Domain Admin, and changed the `expungeVirtualMachine` rule to `DENY`. I then created an account with said role. I created two VMs and destroyed one of them, verifying that the expunge option did not show up on the GUI. I then ran `destroy virtualmachine` on cloudmonkey with `expunge = true` on both VMs and both returned the error `Account does not have permission for expunging`. Calling the same command without the parameter destroyed the running VM successfully.

I repeated the tests with a role based on the default User: With `allow.user.expunge.recover.vm = true`, it behaved the same as the DomainAdmin-based one. With `allow.user.expunge.recover.vm = false`, it did not allow the expunge action, no matter the role rules. Without the expunge parameter, the destroy action worked as expected.
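As an added illustration, not CloudStack's own code, the following Python model captures the expunge authorisation decision this PR describes, with the pre-fix behaviour (any admin bypasses the check) beside the fixed one, and replays the scenarios from the test log. The `RoleType` enum, the `ALLOW`/`DENY` rule dictionary and the assumption that a Root Admin still bypasses the check are constructed for the model.

```python
from dataclasses import dataclass, field
from enum import Enum


class RoleType(Enum):
    """Caller categories named in the PR text (simplified model, not CloudStack's types)."""
    ROOT_ADMIN = "Admin"
    DOMAIN_ADMIN = "DomainAdmin"
    USER = "User"


@dataclass
class Caller:
    role_type: RoleType
    # Per-API role rules, e.g. {"expungeVirtualMachine": "DENY"} (constructed layout).
    role_rules: dict = field(default_factory=dict)


def rule_allows_expunge(caller: Caller) -> bool:
    """True only when the caller's role carries an explicit ALLOW for expungeVirtualMachine."""
    return caller.role_rules.get("expungeVirtualMachine") == "ALLOW"


def may_expunge_before_fix(caller: Caller, allow_user_expunge_recover_vm: bool) -> bool:
    """The bug the PR describes: every admin type skips both the setting and the role rule."""
    if caller.role_type in (RoleType.ROOT_ADMIN, RoleType.DOMAIN_ADMIN):
        return True
    return allow_user_expunge_recover_vm and rule_allows_expunge(caller)


def may_expunge_after_fix(caller: Caller, allow_user_expunge_recover_vm: bool) -> bool:
    """Decision implied by the PR's test log: only Root bypasses (assumption);
    a User-type role also needs allow.user.expunge.recover.vm = true;
    everyone else is gated by the role rule for expungeVirtualMachine."""
    if caller.role_type is RoleType.ROOT_ADMIN:
        return True
    if caller.role_type is RoleType.USER and not allow_user_expunge_recover_vm:
        return False
    return rule_allows_expunge(caller)


def destroy_vm(caller: Caller, expunge: bool, allow_user_expunge_recover_vm: bool,
               fixed: bool = True) -> str:
    """Model of destroyVirtualMachine: the expunge gate runs before any state change,
    so a denied caller can still destroy without expunge, as the test log reports."""
    check = may_expunge_after_fix if fixed else may_expunge_before_fix
    if expunge and not check(caller, allow_user_expunge_recover_vm):
        raise PermissionError("Account does not have permission for expunging")
    return "Expunged" if expunge else "Destroyed"
```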