Description
problem
When creating a ResourceAdmin account with special listing permissions on a domain with a dedicated zone, CloudStack is listing all the zones on the environment, instead of filtering them by domain and listing only the zone dedicated to this domain.
This behaviour only affects zone listing. Filtering is applied for pods and clusters: CloudStack filters them by the domain, excluding the non-dedicated pods or clusters for that domain.
versions
ACS 4.18 onwards
The steps to reproduce the bug
- Create a new zone and a new domain, dedicate the zone to the domain
- Create a new role based on the role = ResourceAdmin, and give it Allow permissions for these APIs: addCluster, listDedicatedZones, listDedicatedPods, listDedicatedClusters, listDedicatedHosts, listDedicatedGuestVlanRanges, listInfrastructure, listZonesMetrics, listClustersMetrics, listHostsMetrics, dedicateCluster
  (The listInfrastructure API is needed for the user to see the Infrastructure tab in the UI; similarly, listZonesMetrics, listClustersMetrics and listHostsMetrics are needed to see zones, clusters and hosts within Infrastructure.)
- Create an account on the domain using the new role and log in
Limitations:
- I was able to list zones; however, CloudStack is not filtering the zones and is also displaying the non-dedicated zones to the user, which should not be visible.
- I was able to add a cluster on the dedicated zone by choosing the correct zone in the add cluster wizard. Ideally CloudStack should have only listed the dedicated zone (same for hosts).
What to do about it?
No response
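
A regression check for the behaviour reported above, added here as an example (it is not part of the original report and is not CloudStack code): it compares the zones a domain-scoped account can list against the zone dedications and reports every zone that falls outside the account's domain. The JSON keys, the helper names and all ids are assumptions or constructed sample data.

```python
import json

# Constructed sample responses; the JSON keys are assumptions about the
# CloudStack API response shape, not output captured from a deployment.
ZONES = json.loads("""{"listzonesresponse": {"count": 3, "zone": [
  {"id": "z-ded", "name": "zone-dedicated"},
  {"id": "z-pub", "name": "zone-public"},
  {"id": "z-oth", "name": "zone-other-domain"}]}}""")
DEDICATED = json.loads("""{"listdedicatedzonesresponse": {"count": 2, "dedicatedzone": [
  {"zoneid": "z-ded", "domainid": "dom-a"},
  {"zoneid": "z-oth", "domainid": "dom-b"}]}}""")


def items(response, wrapper, key):
    """Unwrap a list response; an empty result may carry no list key at all."""
    return response.get(wrapper, {}).get(key, [])


def unexpected_zones(zones_resp, dedicated_resp, domain_id):
    """Return (zone name, reason) for zones not dedicated to domain_id.

    zones_resp is what the restricted account sees; dedicated_resp should be
    fetched with an admin account so dedications to other domains are included.
    """
    owner = {d["zoneid"]: d.get("domainid")
             for d in items(dedicated_resp, "listdedicatedzonesresponse",
                            "dedicatedzone")}
    findings = []
    for zone in items(zones_resp, "listzonesresponse", "zone"):
        dom = owner.get(zone["id"])
        if dom == domain_id:
            continue  # expected: dedicated to the account's own domain
        reason = "not dedicated" if dom is None else f"dedicated to {dom}"
        findings.append((zone["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in unexpected_zones(ZONES, DEDICATED, "dom-a"):
        print(f"unexpected zone visible: {name} ({reason})")
```

An empty result means the account sees only zones dedicated to its own domain, which is the filtering the report expects.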