On 10/8/13 5:48 PM, "Min Chen" <min.c...@citrix.com> wrote:
>Thanks Alena for the clarification.
>
>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>should be the expected behavior?

The same as if you don't pass anything. The domain admin will see his own resources (the ones that belong to his account).

>Should he be able to see VMs under his domain but not owned by him? The
>current CloudStack behavior will
>show all VMs under his domain. This seems contradictory to the meaning of
>listAll.

Do you pass anything else to the call besides listAll=false? Is the result the same when you don't pass listAll=false to the call? If so, what other parameters do you pass in?

>
>Thanks
>-min
>
>
>
>>On 10/8/13 4:28 PM, "Min Chen" <min.c...@citrix.com> wrote:
>>
>>>Hi there,
>>>
>>>In working with RBAC design, I am really puzzled by the two query
>>>parameters "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>
>>>
>>>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, description = "If set to false, " +
>>>        "list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
>>>    private Boolean listAll;
>>>
>>>
>>>    @Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN, description = "defaults to false," +
>>>        " but if true, lists all resources from the parent specified by the domainId till leaves.")
>>>    private Boolean recursive;
>>>
>>>
>>>IMHO, if a caller invokes a list API without passing any specific query
>>>parameter, he/she should see all resources that he/she is authorized to
>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>1. Root admin should be able to see all the resources under Root domain.
>>>2. Domain admin should be able to see all the resources under its own
>>>domain tree.
>>>3. Normal user should only see the resources owned by him.
>>
>>listAll doesn't impact user calls.
>>
>>>4. Project account should be able to see resources assigned to that
>>>project.
>>
>>Project account can't make the calls. Any CS account assigned to the
>>project + admin can list project resources. When listAll is passed in,
>>all resources except project resources, will be returned to the caller. When
>>projectId=-1 is passed in, all resources of all projects in the system
>>that caller is authorized to see, will be returned to the caller.
>>
>>>Based on current AccountManager.buildACLSearchParameters implementation,
>>>we are not observing the passed "listAll" and "recursive" value at all,
>>>seems always treating "listAll=true" and "recursive=true".
>>
>>recursive=false is respected when passed along with the domainId. In this
>>case, it will list all the resources under this domain only, without
>>subdomains. When recursive=true is passed with domainId, the resources of
>>domains + subdomains will be returned.
>>
>>>Thus, I am proposing that we change the default value of "listAll" and
>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>
>>
>>The main objection - it will break all the partners/third party apps/UIs
>>built on the current CS behavior.
>>
>>>
>>>Thanks
>>>-min
>>>
>>
>>Min,
>>
>
>
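
Added example, not part of the original thread and not CloudStack code: a small Python model of the listAll / recursive scoping as the parameter descriptions and replies above state it, including what a default of listAll=true would newly return to each caller. The domain tree, accounts and VMs are constructed; refusing a domainId outside the caller's tree and leaving project resources out are assumptions of this model.

```python
# Added model, not CloudStack code. Domain tree, accounts and VMs are constructed.
from dataclasses import dataclass

PARENT = {"ROOT": None, "d1": "ROOT", "d1/sub": "d1", "d2": "ROOT"}  # domain -> parent
VMS = {  # vm -> (owner account, owner domain)
    "vm-admin1": ("admin1", "d1"),
    "vm-user1": ("user1", "d1"),
    "vm-user2": ("user2", "d1/sub"),
    "vm-user3": ("user3", "d2"),
}

@dataclass(frozen=True)
class Caller:
    account: str
    domain: str
    role: str  # "root_admin", "domain_admin" or "user"

def in_subtree(domain, root):
    """True if `domain` is `root` or one of its descendants."""
    while domain is not None:
        if domain == root:
            return True
        domain = PARENT[domain]
    return False

def visible_vms(caller, list_all=False, recursive=False, domain_id=None):
    own = sorted(vm for vm, (acct, dom) in VMS.items()
                 if (acct, dom) == (caller.account, caller.domain))
    if caller.role == "user":
        return own  # "listAll doesn't impact user calls"
    # Widest scope the caller is authorized for: ROOT, or the admin's own domain tree.
    auth_root = "ROOT" if caller.role == "root_admin" else caller.domain
    if domain_id is not None:
        if not in_subtree(domain_id, auth_root):
            # Assumption: a domainId outside the caller's tree is refused.
            raise PermissionError(f"{caller.account} may not list domain {domain_id}")
        if recursive:  # the domain plus its subdomains
            return sorted(vm for vm, (_, dom) in VMS.items() if in_subtree(dom, domain_id))
        return sorted(vm for vm, (_, dom) in VMS.items() if dom == domain_id)
    if list_all:  # everything the caller is authorized to see
        return sorted(vm for vm, (_, dom) in VMS.items() if in_subtree(dom, auth_root))
    return own  # default: only the caller's own resources

def widened_by_default_flip(caller):
    """VMs a caller would newly receive if listAll defaulted to true."""
    return sorted(set(visible_vms(caller, list_all=True)) - set(visible_vms(caller)))
```
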