Sangeetha Hariharan created CLOUDSTACK-6517:
-----------------------------------------------

Summary: IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
Key: CLOUDSTACK-6517
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: IAM
Affects Versions: 4.4.0
Environment: Build from 4.4
Reporter: Sangeetha Hariharan
Fix For: 4.4.0

IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.

Steps to reproduce the problem:

1. As a regular user, on a network he owns, acquire an IP address.
2. As admin, try to create a PF rule on this IP address without passing account and domainId.

Creating the PF rule succeeds.

Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this API call to fail.

mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
+------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+
| id   | policy_id | action                | resource_type | scope_id | scope   | access_type | permission | recursive | removed | created             |
+------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+
| 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry   | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
| 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
+------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+

Admin should be allowed to do this only when the account and domainId of the regular user are passed.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
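The following is an added illustration of the entitlement check the report expects, written for this page and not taken from CloudStack's IAM code. It models the two iam_policy_permission rows from the query above and the decision the report wants: an admin whose policy grants UseEntry on IpAddress only at ACCOUNT scope must not be able to create a port-forwarding rule on another account's IP unless the owner's account and domainId are passed explicitly. The scope semantics (ALL matches everything, ACCOUNT matches when the resource owner is the effective caller), the rule that createPortForwardingRule requires UseEntry, the treatment of an explicit account/domainId as "act as that owner", and the policy_id=2 being the admin's policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Hypothetical model of the IAM entity check discussed in the report.
# Added illustration; not CloudStack's own IAM implementation.


@dataclass(frozen=True)
class Permission:
    """One row of iam_policy_permission, columns named as in the report's query."""
    policy_id: int
    action: str
    resource_type: str
    scope: str        # ALL, DOMAIN, ACCOUNT or RESOURCE
    scope_id: int     # -1 taken to mean "relative to the effective caller" (assumption)
    access_type: str  # ListEntry, UseEntry, ...
    permission: str   # Allow or Deny


@dataclass(frozen=True)
class Resource:
    """The entity being acted on, e.g. an acquired public IP address."""
    resource_type: str
    resource_id: int
    owner_account_id: int
    owner_domain_id: int


# The two rows returned by the report's query for policy_id=2 (assumed: the admin's policy).
ADMIN_POLICY = (
    Permission(2, "listPublicIpAddresses", "IpAddress", "ALL", -1, "ListEntry", "Allow"),
    Permission(2, "listPublicIpAddresses", "IpAddress", "ACCOUNT", -1, "UseEntry", "Allow"),
)

# Assumed access level each API needs on the IpAddress it touches. Creating a
# port-forwarding rule changes the IP's configuration, so it needs UseEntry, not ListEntry.
REQUIRED_ACCESS = {
    "listPublicIpAddresses": "ListEntry",
    "createPortForwardingRule": "UseEntry",
}


def scope_matches(perm: Permission, res: Resource, account_id: int, domain_id: int) -> bool:
    """Does the permission's scope cover `res` for the given effective caller?"""
    if perm.scope == "ALL":
        return True
    if perm.scope == "ACCOUNT":
        return res.owner_account_id == account_id
    if perm.scope == "DOMAIN":
        return res.owner_domain_id == domain_id
    if perm.scope == "RESOURCE":
        return res.resource_id == perm.scope_id
    return False


def is_authorized(policy: Iterable[Permission], api: str, res: Resource,
                  caller_account_id: int, caller_domain_id: int,
                  on_behalf_of: Optional[Tuple[int, int]] = None) -> bool:
    """Decide whether `api` may act on `res`.

    `on_behalf_of` is the (account, domainId) pair an admin passes explicitly. When it is
    given, it must be the resource's real owner and the check is evaluated as that
    account. A matching Deny row wins over any Allow row.
    """
    required = REQUIRED_ACCESS[api]
    if on_behalf_of is not None:
        if on_behalf_of != (res.owner_account_id, res.owner_domain_id):
            return False  # claimed owner does not actually own this IP
        caller_account_id, caller_domain_id = on_behalf_of

    allowed = False
    for perm in policy:
        if perm.resource_type != res.resource_type or perm.access_type != required:
            continue
        if not scope_matches(perm, res, caller_account_id, caller_domain_id):
            continue
        if perm.permission == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample: admin is account 1 in domain 1; the IP belongs to account 5 in domain 2.
    user_ip = Resource("IpAddress", 10, owner_account_id=5, owner_domain_id=2)
    print("list other user's IP:", is_authorized(ADMIN_POLICY, "listPublicIpAddresses", user_ip, 1, 1))
    print("PF rule, no account/domainId:", is_authorized(ADMIN_POLICY, "createPortForwardingRule", user_ip, 1, 1))
    print("PF rule, owner passed:", is_authorized(ADMIN_POLICY, "createPortForwardingRule", user_ip, 1, 1, on_behalf_of=(5, 2)))
```

With the policy rows from the report, the admin can list the regular user's IP (ListEntry at ALL scope) but the port-forwarding call is refused unless the owner's account and domainId are supplied, which is the behaviour the report asks for. The check is keyed on access_type rather than on the action column, since both rows carry the same action name but differ in access level.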