Bug #3860

Virtual Nets visible to all users

Added by Tao Zhang over 4 years ago. Updated over 4 years ago.

Status: Closed
Start date: 07/01/2015
Priority: Normal
Due date:
Assignee: Carlos Martín
% Done: 0%
Category: Core & System
Target version: Release 4.14
Resolution: invalid
Pull request:
Affected Versions: Development

Description

Virtual Nets visible to all users, which violates permission control policy.
The attached patch provides a temporary fix for this issue, which corrects the where_filter usage in VirtualNetworkPoolInfo::request_execute().

0001-Fix-Virtual-Nets-visibility-issue.patch - Fix patch (1.08 KB) Tao Zhang, 07/01/2015 09:16 PM

History

#1 Updated by Ruben S. Montero over 4 years ago

  • Category set to Core & System
  • Target version set to Release 4.14

Thanks, we'll look into it

#2 Updated by Ruben S. Montero over 4 years ago

  • Assignee set to Carlos Martín

#3 Updated by Carlos Martín over 4 years ago

  • Status changed from Pending to Closed
  • Resolution set to invalid

Hi,

The permission control is working fine for me.
To test it, I've created 2 users, and 2 vnets owned by each one of them. The onevnet output contains only their own vnet.

Please note that by default, the VDC 0 contains the CLUSTER ALL for zone 0. This internally creates the acl '@1 NET+DATASTORE/* USE #0'. If you don't want this behaviour, update the VDC and the ACL rules will be adjusted internally.

As far as I can tell, the patch you provide prevents the 'all' and 'cluster' ACL rules from working properly.
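
What the ACL rule quoted in comment #3 matches, as an added sketch that is not part of the ticket or OpenNebula's own code: it parses the rule string and checks which vnets a user can USE with and without it. The user and vnet records, the cluster ID, the requirement that the zone field be explicit, and the assumption that an owner can always USE their own vnet are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Simplified grammar: <user> <TYPE+TYPE>/<resource> <RIGHT+RIGHT> <zone>
RULE_RE = re.compile(
    r"^(\*|[#@]\d+)\s+([A-Z+]+)/(\*|[#@%]\d+)\s+([A-Z+]+)\s+(\*|#\d+)$")

@dataclass(frozen=True)
class Rule:
    user: str          # '#<uid>', '@<gid>' or '*'
    types: frozenset   # e.g. {'NET', 'DATASTORE'}
    resource: str      # '#<id>', '@<gid>', '%<cluster>' or '*'
    rights: frozenset  # e.g. {'USE'}
    zone: str          # '#<zone id>' or '*'

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an ACL rule this sketch understands: {text!r}")
    user, types, resource, rights, zone = m.groups()
    return Rule(user, frozenset(types.split("+")), resource,
                frozenset(rights.split("+")), zone)

def rule_grants(rule, user, obj, right, zone_id=0):
    """True if `rule` alone gives `user` the `right` on `obj`."""
    who = rule.user in ("*", f"#{user['uid']}", f"@{user['gid']}")
    what = obj["type"] in rule.types and rule.resource in (
        "*", f"#{obj['id']}", f"@{obj['gid']}", f"%{obj['cluster']}")
    where = rule.zone in ("*", f"#{zone_id}")
    return who and what and where and right in rule.rights

def visible_vnets(rules, user, vnets):
    """IDs the user can USE: own vnets (assumed) plus any ACL match."""
    return sorted(v["id"] for v in vnets
                  if v["uid"] == user["uid"]
                  or any(rule_grants(r, user, v, "USE") for r in rules))

# Constructed sample data: two users in group 1, one vnet each.
ALICE = {"uid": 2, "gid": 1}
BOB = {"uid": 3, "gid": 1}
VNETS = [
    {"type": "NET", "id": 0, "uid": 2, "gid": 1, "cluster": 100},
    {"type": "NET", "id": 1, "uid": 3, "gid": 1, "cluster": 100},
]
VDC_DEFAULT = [parse_rule("@1 NET+DATASTORE/* USE #0")]

if __name__ == "__main__":
    print("with VDC rule:   ", visible_vnets(VDC_DEFAULT, BOB, VNETS))
    print("without VDC rule:", visible_vnets([], BOB, VNETS))
```

The sketch models rule matching only; it does not reproduce the where_filter that the attached patch changes.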
