bernardodemarco commented on PR #9188: URL: https://github.com/apache/cloudstack/pull/9188#issuecomment-2244984069
> ok @bernardodemarco , this means that listing will show the dedicated resources, even if the caller has no access to them, right? (that was what I was asking) Actually, in the provided test cases on https://github.com/apache/cloudstack/pull/9188#issuecomment-2241304416, the `dedicatedresources` field appeared because both users, admin and admin2, are root admins. The code validates whether the API caller is a root admin. Therefore, the `dedicatedresources` field will only be populated if the caller is a root admin. https://github.com/apache/cloudstack/blob/10d97dd3ee36965117a7de0baf55ad726431443d/server/src/main/java/com/cloud/api/query/dao/AffinityGroupJoinDaoImpl.java#L92-L98 --- Here are some test cases, in the same environment as the previous tests, calling the `listAffinityGroups` API with a root admin and a normal user. I created a user with the User role, called `u1`. Later, I dedicated `host-01` to the `admin` account and `host-02` to `u1`. <details> <summary><code>listAffinityGroups listall=true</code> for admin</summary> ```bash list affinitygroups listall=true { "affinitygroup": [ { "account": "admin", "dedicatedresources": [ { "resourceid": "8928748b-cf9c-46df-b4c8-b39f476ebad3", "resourcename": "host-01", "resourcetype": "Host" } ], "description": "Dedicated host group", "domain": "ROOT", "domainid": "ba820fc7-12ea-11ef-9500-d283eea8b15e", "id": "24b6aa85-b767-4f6e-841b-baf43460b7df", "name": "DedicatedHostGrp-admin", "type": "ExplicitDedication" }, { "account": "u1", "dedicatedresources": [ { "resourceid": "8a783642-c6a0-4948-8128-61aa73aef8a9", "resourcename": "host-02", "resourcetype": "Host" } ], "description": "Dedicated host group", "domain": "ROOT", "domainid": "ba820fc7-12ea-11ef-9500-d283eea8b15e", "id": "780e66b8-71c1-4177-873e-2012763a1d9d", "name": "DedicatedHostGrp-u1", "type": "ExplicitDedication" } ], "count": 2 } ``` </details> <details> <summary><code>listAffinityGroups listall=true</code> for u1</summary> ```bash list affinitygroups listall=true { "affinitygroup": [ { "account": "u1", "description": "Dedicated host group", "domain": "ROOT", "domainid": "ba820fc7-12ea-11ef-9500-d283eea8b15e", "id": "780e66b8-71c1-4177-873e-2012763a1d9d", "name": "DedicatedHostGrp-u1", "type": "ExplicitDedication" } ], "count": 1 } ``` </details> As can be noticed, the `dedicatedresources` field is not returned for the `u1` call, since it is an account with the User role and does not have access to infrastructure resources. Additionally, here is the affinity groups UI for the user.  -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
