[ https://issues.apache.org/jira/browse/CLOUDSTACK-6517?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sangeetha Hariharan closed CLOUDSTACK-6517.
-------------------------------------------

Testing with latest build from 4.4-forward (after IAM revert):

Steps to reproduce the problem:
As regular user, on a network he owns, acquire an IP address.
As admin, try to create a PF rule on this IP address without passing account and domainId.

http://10.223.49.6:8080/client/api?command=createPortForwardingRule&response=json&sessionkey=kFu73ky%2BPuW%2BBz9dkcSBIHyXwkM%3D&ipaddressid=0817bae5-c672-4ea7-a2cd-ce163d3a8727&privateport=22&privateendport=22&publicport=22&publicendport=22&protocol=tcp&virtualmachineid=308450de-d4be-4c91-9067-b3826e85e9b2&openfirewall=false&networkid=9fd8bcef-c140-4061-adc0-5c24c5f7dc69&_=1402609388398

This succeeds. This is the desired behavior. Closing this issue.

> IAM - Admin is allowed to create PortForwarding rule for a regular user, when
> admin does not have "UseEntry" permission for IpAddress.
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6517
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6517
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> IAM - Admin is allowed to create PortForwarding rule for a regular user, when
> admin does not have "UseEntry" permission for IpAddress.
>
> Steps to reproduce the problem:
> As regular user, on a network he owns, acquire an IP address.
> As admin, try to create a PF rule on this IP address without passing account and domainId.
> Creating PF rule succeeds.
>
> Since Admin has only "ListEntry" permission for IpAddress owned by other users, we expect this api call to fail.
> mysql> select * from iam_policy_permission where resource_type = 'IpAddress' and policy_id=2;
> +------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action                | resource_type | scope_id | scope   | access_type | permission | recursive | removed | created             |
> +------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+
> | 1840 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ALL     | ListEntry   | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> | 1841 |         2 | listPublicIpAddresses | IpAddress     |       -1 | ACCOUNT | UseEntry    | Allow      |         0 | NULL    | 2014-04-22 18:31:03 |
> +------+-----------+-----------------------+---------------+----------+---------+-------------+------------+-----------+---------+---------------------+
>
> Admin should be allowed to do this only when he passes account and domainId of the regular user.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
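The permission check the report expects, as an added model that is not CloudStack's IAM implementation: the two policy rows are a constructed copy of the quoted iam_policy_permission rows for policy_id=2, while the scope-evaluation rules, the on-behalf-of handling of the account/domainId parameters, and the names `is_permitted` and `create_port_forwarding_rule` are assumptions made for this illustration.

```python
# Added model of the IAM check described in CLOUDSTACK-6517; not CloudStack
# code. Rows mirror the quoted policy_id=2 entries: ListEntry at scope ALL
# (admin may list anyone's IPs) and UseEntry only at scope ACCOUNT (admin may
# act on an IP only as its owning account). Evaluation rules are assumptions.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Principal = Tuple[str, int]  # (account, domainId)


@dataclass(frozen=True)
class Permission:
    resource_type: str
    scope: str        # "ALL" or "ACCOUNT"
    access_type: str  # "ListEntry" or "UseEntry"
    permission: str   # "Allow" or "Deny"


@dataclass(frozen=True)
class IpAddress:
    id: str
    account: str
    domain_id: int
    resource_type: str = "IpAddress"


# Constructed copy of the two iam_policy_permission rows for policy_id=2.
ADMIN_POLICY: Sequence[Permission] = (
    Permission("IpAddress", "ALL", "ListEntry", "Allow"),
    Permission("IpAddress", "ACCOUNT", "UseEntry", "Allow"),
)


def is_permitted(policy: Sequence[Permission], caller: Principal, ip: IpAddress,
                 access_type: str, on_behalf_of: Optional[Principal] = None) -> bool:
    """True if `caller` may exercise `access_type` on `ip`. `on_behalf_of` is the
    (account, domainId) pair passed with the API call; the check then runs as
    that account, which is how the report expects an admin to reach UseEntry."""
    effective = on_behalf_of or caller
    allowed = False
    for perm in policy:
        if perm.resource_type != ip.resource_type or perm.access_type != access_type:
            continue
        # ACCOUNT scope matches only resources owned by the effective account.
        if perm.scope == "ACCOUNT" and effective != (ip.account, ip.domain_id):
            continue
        if perm.permission == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def create_port_forwarding_rule(policy, caller, ip, on_behalf_of=None) -> bool:
    """createPortForwardingRule needs UseEntry on the IP; ListEntry is not enough."""
    return is_permitted(policy, caller, ip, "UseEntry", on_behalf_of)
```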