On 10/8/13 4:28 PM, "Min Chen" <min.c...@citrix.com> wrote:
>Hi there,
>
>In working with RBAC design, I am really puzzled by the two query
>parameters "listAll" and "recursive" for all BaseListDomainResourceCmd.
>
>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>        description = "If set to false, " +
>            "list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
>    private Boolean listAll;
>
>    @Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN,
>        description = "defaults to false," +
>            " but if true, lists all resources from the parent specified by the domainId till leaves.")
>    private Boolean recursive;
>
>IMHO, if a caller invokes a list API without passing any specific query
>parameter, he/she should see all resources that he/she is authorized to
>see. In CloudStack, we have implicit authorization rules as follows:
>1. Root admin should be able to see all the resources under Root domain.
>2. Domain admin should be able to see all the resources under its own
>domain tree.
>3. Normal user should only see the resources owned by him.

listAll doesn't impact user calls.

>4. Project account should be able to see resources assigned to that
>project.

Project account can't make the calls. Any CS account assigned to the project + admin can list project resources. When listAll is passed in, all resources except project resources will be returned to the caller. When projectId=-1 is passed in, all resources of all projects in the system that the caller is authorized to see will be returned to the caller.

>Based on current AccountManager.buildACLSearchParameters implementation,
>we are not observing the passed "listAll" and "recursive" value at all,
>seems always treating "listAll=true" and "recursive=true".

recursive=false is respected when passed along with the domainId. In this case, it will list all the resources under this domain only, without subdomains.
When recursive=true is passed with domainId, the resources of domains + subdomains will be returned.

>Thus, I am proposing that we change the default value of "listAll" and
>"recursive" to TRUE instead of current FALSE. Any objections?

The main objection - it will break all the partners/third party apps/UIs built on the current CS behavior.

>
>Thanks
>-min
>

Min,