Thanks Alena for the clarification. If you try ListVMsCmd as a domain admin, if I pass listAll=false, what should be the expected behavior? Should he be able to see VMs under his domain but not owned by him? The current CloudStack behavior will show all VMs under his domain. This seems contradictory to the meaning of listAll.

Thanks
-min

>On 10/8/13 4:28 PM, "Min Chen" <min.c...@citrix.com> wrote:
>
>>Hi there,
>>
>>In working with RBAC design, I am really puzzled by the two query
>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>
>>
>>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN,
>>description = "If set to false, " +
>>
>>        "list only resources belonging to the command's caller; if
>>set to true - list resources that the caller is authorized to see.
>>Default value is false")
>>
>>    private Boolean listAll;
>>
>>
>>    @Parameter(name = ApiConstants.IS_RECURSIVE, type =
>>CommandType.BOOLEAN, description = "defaults to false," +
>>
>>        " but if true, lists all resources from the parent specified
>>by the domainId till leaves.")
>>
>>    private Boolean recursive;
>>
>>
>>IMHO, if a caller invokes a list API without passing any specific query
>>parameter, he/she should see all resources that he/she is authorized to
>>see. In CloudStack, we have implicit authorization rules as follows:
>>1. Root admin should be able to see all the resources under Root domain.
>>2. Domain admin should be able to see all the resources under its own
>>domain tree.
>>3. Normal user should only see the resources owned by him.
>
>listAll doesn't impact user calls.
>
>>4. Project account should be able to see resources assigned to that
>>project.
>
>Project account can't make the calls. Any CS account assigned to the
>project + admin can list project resources. When listAll is passed in, all
>resources except project resources, will be returned to the caller. When
>projectId=-1 is passed in, all resources of all projects in the system
>that caller is authorized to see, will be returned to the caller.
>
>>Based on current AccountManager.buildACLSearchParameters implementation,
>>we are not observing the passed "listAll" and "recursive" value at all,
>>seems always treating "listAll=true" and "recursive=true".
>
>recursive=false is respected when passed along with the domainId. In this
>case, it will list all the resources under this domain only, without
>subdomains. When recursive=true is passed with domainId, the resources of
>domains + subdomains will be returned.
>
>>Thus, I am proposing that we change the default value of "listAll" and
>>"recursive" to TRUE instead of current FALSE. Any objections?
>
>
>The main objection - it will break all the partners/third party apps/UIs
>built on the current CS behavior.
>
>>
>>Thanks
>>-min
>>
>
>Min,
>
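
The flag semantics discussed in this thread, as an added example that is not part of any message here and is not CloudStack's AccountManager.buildACLSearchParameters code: a small Python model that applies listAll, domainId and recursive as their parameter descriptions and the quoted reply read, so a domain admin with listAll=false gets only the resources it owns, unlike the behaviour reported at the top of the thread. The domain tree, the account and VM names, and the choice to ignore domainId for normal users are assumptions made for the example; project resources are left out.

```python
from collections import namedtuple

Account = namedtuple("Account", "name domain role")  # role: root_admin | domain_admin | user
VM = namedtuple("VM", "name owner domain")           # owner is an account name

# Constructed sample data (not from the thread): domain tree as child -> parent.
PARENT = {"ROOT": None, "d1": "ROOT", "d1a": "d1", "d2": "ROOT"}
ROOT_ADMIN = Account("root", "ROOT", "root_admin")
ADM = Account("adm", "d1", "domain_admin")
BOB = Account("bob", "d1a", "user")
VMS = [VM("vm-root", "root", "ROOT"), VM("vm-adm", "adm", "d1"),
       VM("vm-bob", "bob", "d1a"), VM("vm-eve", "eve", "d2")]

def in_subtree(domain, top):
    """True if `domain` is `top` or one of its descendants."""
    while domain is not None:
        if domain == top:
            return True
        domain = PARENT[domain]
    return False

def authorized(caller, vm):
    """Implicit rules 1-3 quoted in the thread: the widest set a caller may see."""
    if caller.role == "root_admin":
        return True
    if caller.role == "domain_admin":
        return in_subtree(vm.domain, caller.domain)
    return vm.owner == caller.name

def list_vms(caller, vms, list_all=False, domain_id=None, recursive=False):
    """VM names returned when the flags are applied as their descriptions read."""
    names = []
    for vm in vms:
        if not authorized(caller, vm):
            continue  # flags never widen the result past authorization
        if domain_id is not None and caller.role != "user":
            # domainId narrows to that domain; recursive=true adds its subdomains
            hit = in_subtree(vm.domain, domain_id) if recursive else vm.domain == domain_id
        elif list_all:
            hit = True  # everything the caller is authorized to see
        else:
            hit = vm.owner == caller.name  # default: the caller's own resources
        if hit:
            names.append(vm.name)
    return sorted(names)
```

Comparing `list_vms(ADM, VMS)` with the output of a real deployment for the same domain admin is a quick way to check whether listAll=false is being honoured.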