cloudstack/server
Prachi Damle e14c2ec724 CLOUDSTACK-6517: IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress.
Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he got Use access as well. So even if IAM schema did not have 'UseEntry' permission for IpAddress, some other 'OperateEntry' permission on IpAddress was letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAM will perform strict accessType check only.
- This fix is needed so that admin does not get permission to USE resources from other account just because he has OPERATE access on those resources due to some other APIs.

- However, due to this fix, we break backwards compatibility with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing in networkId of the user.
- Same was the case for domain admins within their domains
- Why this worked was due to CS 4.3 simply returning true for root admin/domain admin

- So to maintain backwards compatibility, we are adding the logic to return "true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM even for root admin/domain admin, since that's what CS 4.3 did. Just for these 3 resource_types, it used to perform access checks even for root admin/domain admin.
2014-04-30 11:58:21 -07:00
..
conf Summary: Updated sudoers approved commands for cloud user 2013-10-23 13:42:16 -07:00
resources Adding SecurityChecker list for the ParamProcessWorker 2014-04-01 12:06:16 -07:00
scripts License header updates for the server folder. 2012-08-03 09:41:27 -04:00
src CLOUDSTACK-6517: IAM - Admin is allowed to create PortForwarding rule for a regular user, when admin does not have "UseEntry" permission for IpAddress. 2014-04-30 11:58:21 -07:00
test CLOUDSTACK-6513: Optimize code by removing deprecated utility to 2014-04-29 18:33:10 -07:00
pom.xml Removed all remnants of the IdentityService. Created the KeysManager to move the management 2014-01-14 13:11:35 -08:00