[ https://issues.apache.org/jira/browse/CLOUDSTACK-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sangeetha Hariharan closed CLOUDSTACK-6533.
-------------------------------------------

Tested with latest build from 4.4-forward (after IAM revert).
ROOT admin is able to see and use templates (for VM deployment) that are owned by regular users and are marked as "Public".

> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6533
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6533
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: IAM
>    Affects Versions: 4.4.0
>         Environment: Build from 4.4
>            Reporter: Sangeetha Hariharan
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.4.0
>
>
> IAM - Templates - Public templates do not have permissions to be used by ROOT group.
> As regular user create a public template.
> In iam_policy_permission policy we do not have permission for Admin group.
>
> mysql> select * from iam_policy_permission where scope_id = 206;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 4949 |         3 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> | 4950 |         1 | listTemplates | VirtualMachineTemplate |      206 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-29 11:03:52 |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
>
> mysql> select * from vm_template where id=206;
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | id  | unique_name                                  | name                       | uuid                                 | public | featured | type | hvm | bits | url                             | format | created             | removed | account_id | checksum | display_text                | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size    | state  | update_count | updated | dynamically_scalable |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> | 206 | 206-318-179129bc-531f-31fe-a21d-23a8aa7b666f | Public_featured_d2a-G3GJQW | 265192c9-88d3-41d4-b435-6d3c3e5d256a |      1 |        1 | USER |   1 |   64 | http://10.223.110.232:/test.vhd | VHD    | 2014-04-29 11:03:52 | NULL    |        318 | NULL     | public and feature Template |               0 |             0 |          12 |        1 |           0 |           0 |           1 | Simulator       |               NULL | NULL         |        0 | 5242880 | Active |            0 | NULL    |                    0 |
> +-----+----------------------------------------------+----------------------------+--------------------------------------+--------+----------+------+-----+------+---------------------------------+--------+---------------------+---------+------------+----------+-----------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+---------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)
>
> In spite of not having the required permissions to use the template, admin is able to use this template for VM deployment.
>
> Root cause for this bug is similar to bug CLOUDSTACK-6517.
>
> The same behavior is also observed for default templates:
>
> mysql> select * from iam_policy_permission where scope_id = 111;
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | id   | policy_id | action        | resource_type          | scope_id | scope    | access_type | permission | recursive | removed | created             |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> | 3315 |         3 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> | 3316 |         1 | listTemplates | VirtualMachineTemplate |      111 | RESOURCE | UseEntry    | Allow      |         0 | NULL    | 2014-04-28 10:30:11 |
> +------+-----------+---------------+------------------------+----------+----------+-------------+------------+-----------+---------+---------------------+
> 2 rows in set (0.00 sec)
>
> mysql> select * from vm_template where id=111;
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | id  | unique_name      | name                                  | uuid                                 | public | featured | type    | hvm | bits | url                                                                                                     | format | created             | removed | account_id | checksum | display_text                          | enable_password | enable_sshkey | guest_os_id | bootable | prepopulate | cross_zones | extractable | hypervisor_type | source_template_id | template_tag | sort_key | size       | state  | update_count | updated | dynamically_scalable |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> | 111 | simulator-Centos | CentOS 5.3(64-bit) no GUI (Simulator) | 7200e25a-ca4b-11e3-907f-4adf980f9414 |      1 |        1 | BUILTIN |   0 |   64 | http://nfs1.lab.vmops.com/templates/centos53-x86_64/latest/f59f18fb-ae94-4f97-afd2-f84755767aca.vhd.bz2 | VHD    | 2014-04-22 14:25:13 | NULL    |          1 |          | CentOS 5.3(64-bit) no GUI (Simulator) |               0 |             0 |          11 |        1 |           0 |           1 |           0 | Simulator       |               NULL | NULL         |        0 | 2147483648 | Active |         NULL | NULL    |                    0 |
> +-----+------------------+---------------------------------------+--------------------------------------+--------+----------+---------+-----+------+---------------------------------------------------------------------------------------------------------+--------+---------------------+---------+------------+----------+---------------------------------------+-----------------+---------------+-------------+----------+-------------+-------------+-------------+-----------------+--------------------+--------------+----------+------------+--------+--------------+---------+----------------------+
> 1 row in set (0.00 sec)

--
This message was sent by Atlassian JIRA
(v6.2#6252)
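The issue inspects the permission rows for templates 206 and 111 one at a time. As an added example, not part of the issue and not CloudStack's own code, the query below turns that check into a single audit over all active public templates, using only the column names and values (`RESOURCE`, `UseEntry`, `Allow`) that appear in the output above: it lists every public, non-removed template for which a given IAM policy has no UseEntry/Allow row in `iam_policy_permission`, which is the gap the reporter found by hand. The policy id is a placeholder; the issue does not say which of policy ids 1 and 3, if either, is attached to the Admin group, so it has to be filled in from the deployment's own group-to-policy mapping.

```sql
-- Added audit query (not from the JIRA issue or the CloudStack code base).
-- Column names come from the SELECT * output quoted in the issue:
--   vm_template(id, name, account_id, type, public, featured, removed, ...)
--   iam_policy_permission(policy_id, resource_type, scope_id, scope,
--                         access_type, permission, removed, ...)
--
-- Assumption: @policy_id is the policy attached to the Admin group.
-- 0 is a placeholder; replace it with the real policy id before running.
SET @policy_id = 0;

-- Public, still-present templates that the chosen policy cannot "use"
-- according to iam_policy_permission. An empty result means every public
-- template carries an explicit UseEntry/Allow entry for that policy; any
-- row returned is a template whose use by the policy's group relies on
-- something other than the IAM permission table (the situation the issue
-- describes for templates 111 and 206).
SELECT t.id,
       t.name,
       t.account_id,
       t.type,
       t.public,
       t.featured
FROM   vm_template t
WHERE  t.public = 1
  AND  t.removed IS NULL
  AND  NOT EXISTS (
         SELECT 1
         FROM   iam_policy_permission p
         WHERE  p.policy_id     = @policy_id
           AND  p.resource_type = 'VirtualMachineTemplate'
           AND  p.scope         = 'RESOURCE'
           AND  p.scope_id      = t.id
           AND  p.access_type   = 'UseEntry'
           AND  p.permission    = 'Allow'
           AND  p.removed IS NULL
       )
ORDER BY t.id;
```

Run against the same database as the queries in the issue, this reports the full set of affected templates rather than the two that were spot-checked, and rerunning it after a fix is a direct way to confirm that the permission rows, not only the observed behaviour, are in place.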