Hi there,
In working with RBAC design, I am really puzzled by the two query parameter
"listAll" and "recursive" for all BaseListDomainResourceCmd.
@Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
description = "If set to false, " +
"list only resources belonging to the command's caller; if set to
true - list resources that the caller is authorized to see. Default value is
false")
private Boolean listAll;
@Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN,
description = "defaults to false," +
" but if true, lists all resources from the parent specified by the
domainId till leaves.")
private Boolean recursive;
IMHO, if a caller invokes a list API without passing any specific query
parameter, he/she should see all resources that he/she is authorized to see.
In CloudStack, we have implicit authorization rules as follows:
1. Root admin should be able to see all the resources under Root domain.
2. Domain admin should be able to see all the resources under its own domain
tree.
3. Normal user should only see the resources owned by him.
4. Project account should be able to see resources assigned to that project.
Based on current AccountManager.buildACLSearchParameters implementation, we are
not observing the passed "listAll" and "recursive" value at all, seems always
treating "listAll=true" and "recursive=true". Thus, I am proposing that we
change the default value of "listAll" and "recursive" to TRUE instead of
current FALSE. Any objections?
Thanks
-min
