CloudStack / CLOUDSTACK-5145

ListNetworkACL API should list ACLs owned by the user only


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Versions: 4.2.1, 4.3.0
    • Security Level: Public

    Description

      The ListNetworkACL API should filter ACLs by the caller and list only the ACLs the user is allowed to access.

      If the API is called without a networkid or any other filter, every ACL in the system is dumped, which is both a performance issue and a security issue. If a networkid is provided but the network has no ACL list or no ACL items attached, the same thing happens.

      Likewise, listNetworkACLLists lets a user see lists they do not own, which in turn reveals the VPC ids of non-owned resources.

      Example:

      1. Set up a zone
      2. Create a VPC or network as admin
      3. Create an ACL list for the network
      4. Create a new domain and unprivileged user
      5. Generate API keys for user
      6. Issue a 'listNetworkACLs' API call. You should see the ACL list items from the admin-owned list.
      7. Issue a 'listNetworkACLLists' API call referencing the aclid from a non-owned ACL item. You should see the ACL list info and which VPC it belongs to.
      8. Listing the VPC attached to the ACL list correctly stops with an 'unauthorized' response, which is what step 7 should also do.
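      The following is an added example, not CloudStack code, that models the flaw above and the expected fix in a few in-memory classes (Account, Vpc, AclList, AclItem, Network and the Inventory methods are all constructed for the illustration). The unscoped method reproduces the reported behaviour: with no filter, or with a network that has no ACL attached, it falls through to the whole table. The hardened methods start from the set the caller owns, treat a network filter as something that can only narrow that set, and refuse to return an ACL list by id unless the caller owns its VPC, so the vpc id of someone else's list is never exposed.

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed, simplified model of the objects involved; example code,
# not CloudStack's own classes or API implementation.
@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class Vpc:
    id: int
    owner: str             # account that owns the VPC


@dataclass(frozen=True)
class AclList:
    id: int
    vpc_id: int            # ownership of a list is derived from its VPC


@dataclass(frozen=True)
class AclItem:
    id: int
    acl_id: int
    rule: str


@dataclass(frozen=True)
class Network:
    id: int
    owner: str
    acl_id: Optional[int]  # None means no ACL list is attached


class UnauthorizedError(Exception):
    """Raised when the caller may not see the requested resource."""


class Inventory:
    def __init__(self, vpcs, acl_lists, acl_items, networks):
        self.vpcs = {v.id: v for v in vpcs}
        self.acl_lists = {a.id: a for a in acl_lists}
        self.acl_items = list(acl_items)
        self.networks = {n.id: n for n in networks}

    def _owns_acl(self, caller: Account, acl_id: int) -> bool:
        vpc = self.vpcs[self.acl_lists[acl_id].vpc_id]
        return caller.is_admin or vpc.owner == caller.name

    # Behaviour the report describes: the caller is never consulted, so no
    # filter (or a network without an ACL) falls through to every item.
    def list_network_acls_unscoped(self, caller: Account,
                                   network_id: Optional[int] = None) -> List[AclItem]:
        if network_id is not None:
            acl_id = self.networks[network_id].acl_id
            if acl_id is not None:
                return [i for i in self.acl_items if i.acl_id == acl_id]
        return list(self.acl_items)

    # Hardened: every path starts from what the caller owns, and a network
    # filter can only narrow that set, never widen it.
    def list_network_acls(self, caller: Account,
                          network_id: Optional[int] = None) -> List[AclItem]:
        visible = [i for i in self.acl_items if self._owns_acl(caller, i.acl_id)]
        if network_id is None:
            return visible
        net = self.networks.get(network_id)
        # Unknown and non-owned networks get the same answer so the id space
        # cannot be probed through differing errors.
        if net is None or not (caller.is_admin or net.owner == caller.name):
            raise UnauthorizedError("network %r is not accessible to %s"
                                    % (network_id, caller.name))
        if net.acl_id is None:
            return []          # no ACL attached: empty, never the whole table
        return [i for i in visible if i.acl_id == net.acl_id]

    # listNetworkACLLists: a list referenced by id is returned only when the
    # caller owns the VPC it belongs to, so other tenants' vpc ids stay hidden.
    def list_network_acl_lists(self, caller: Account,
                               acl_id: Optional[int] = None) -> List[AclList]:
        if acl_id is None:
            return [a for a in self.acl_lists.values() if self._owns_acl(caller, a.id)]
        if acl_id not in self.acl_lists or not self._owns_acl(caller, acl_id):
            raise UnauthorizedError("ACL list %r is not accessible to %s"
                                    % (acl_id, caller.name))
        return [self.acl_lists[acl_id]]


def build_sample_inventory() -> Inventory:
    """Constructed data mirroring the steps above: an admin-owned VPC with an
    ACL list, and an unprivileged account with its own VPC plus a network
    that has no ACL attached."""
    return Inventory(
        vpcs=[Vpc(1, "admin"), Vpc(2, "bob")],
        acl_lists=[AclList(10, vpc_id=1), AclList(20, vpc_id=2)],
        acl_items=[AclItem(100, 10, "allow tcp/22"), AclItem(101, 10, "deny all"),
                   AclItem(200, 20, "allow tcp/443")],
        networks=[Network(1, "admin", acl_id=10), Network(2, "bob", acl_id=20),
                  Network(3, "bob", acl_id=None)],
    )


ADMIN = Account("admin", is_admin=True)
BOB = Account("bob")

if __name__ == "__main__":
    inv = build_sample_inventory()
    print("unscoped, bob, no filter:", [i.id for i in inv.list_network_acls_unscoped(BOB)])
    print("scoped,   bob, no filter:", [i.id for i in inv.list_network_acls(BOB)])
    print("scoped,   bob, network 3:", inv.list_network_acls(BOB, network_id=3))
```

      Run stand-alone, the unscoped call returns all three items to the unprivileged account, while the scoped call returns only item 200, returns an empty list for the network without an ACL, and raises for the admin-owned network and ACL list. The design point is that ownership scoping is applied before any optional filter, so there is no code path on which a missing or empty filter means "everything".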

      People: Kishan