Just simple listVMsCmd with page information, passing listAll=true or not passing listAll returns the same set of data.

Thanks
-min

On 10/8/13 5:55 PM, "Alena Prokharchyk" <alena.prokharc...@citrix.com> wrote:

>On 10/8/13 5:48 PM, "Min Chen" <min.c...@citrix.com> wrote:
>
>>Thanks Alena for the clarification.
>>
>>If you try ListVMsCmd as a domain admin, if I pass listAll=false, what
>>should be the expected behavior?
>
>The same as if you don't pass anything. The domain admin will see his own
>resources (the ones that belong to his account)
>
>
>>Should he be able to see VMs under his domain but not owned by him? The
>>current CloudStack behavior will
>>show all VMs under his domain. This seems contradictory to the meaning of
>>listAll.
>
>Do you pass anything else to the call besides listAll=false? Is the result
>the same when you don't pass listAll=false to the call? If so, what other
>parameters do you pass in
>
>>
>>Thanks
>>-min
>>
>>
>>
>>>On 10/8/13 4:28 PM, "Min Chen" <min.c...@citrix.com> wrote:
>>>
>>>>Hi there,
>>>>
>>>>In working with RBAC design, I am really puzzled by the two query
>>>>parameter "listAll" and "recursive" for all BaseListDomainResourceCmd.
>>>>
>>>>
>>>>    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, description = "If set to false, " +
>>>>        "list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
>>>>    private Boolean listAll;
>>>>
>>>>
>>>>    @Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN, description = "defaults to false," +
>>>>        " but if true, lists all resources from the parent specified by the domainId till leaves.")
>>>>    private Boolean recursive;
>>>>
>>>>
>>>>IMHO, if a caller invokes a list API without passing any specific query
>>>>parameter, he/she should see all resources that he/she is authorized to
>>>>see. In CloudStack, we have implicit authorization rules as follows:
>>>>1. Root admin should be able to see all the resources under Root
>>>>domain.
>>>>2. Domain admin should be able to see all the resources under its own
>>>>domain tree.
>>>>3. Normal user should only see the resources owned by him.
>>>
>>>listAll doesn't impact user calls.
>>>
>>>>4. Project account should be able to see resources assigned to that
>>>>project.
>>>
>>>Project account can't make the calls. Any CS account assigned to the
>>>project + admin can list project resources. When listAll is passed in,
>>>all
>>>resources except project resources, will be returned to the caller. When
>>>projectId=-1 is passed in, all resources of all projects in the system
>>>that caller is authorized to see, will be returned to the caller.
>>>
>>>>Based on current AccountManager.buildACLSearchParameters
>>>>implementation,
>>>>we are not observing the passed "listAll" and "recursive" value at all,
>>>>seems always treating "listAll=true" and "recursive=true".
>>>
>>>recursive=false is respected when passed along with the domainId. In
>>>this
>>>case, it will list all the resources under this domain only, without
>>>subdomains. When recursive=true is passed with domainId, the resources
>>>of
>>>domains + subdomains will be returned.
>>>
>>>>Thus, I am proposing that we change the default value of "listAll" and
>>>>"recursive" to TRUE instead of current FALSE. Any objections?
>>>
>>>
>>>The main objection - it will break all the partners/third party apps/UIs
>>>built on the current CS behavior.
>>>
>>>>
>>>>Thanks
>>>>-min
>>>>
>>>
>>>Min,
>>>
>>
>>
>
>
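
A small model of the listAll/recursive semantics as the parameter descriptions and replies in this thread state them, usable as an oracle when checking what a list call returns for each role. It is an added example, not CloudStack code and not posted by anyone in the thread; the domain tree, accounts, VM names and the functions `list_vms`, `authorized` and `in_subtree` are constructed, and returning nothing for a domainId outside the caller's domain tree is an assumption. Project resources are not modelled.

```python
from dataclasses import dataclass

# Constructed domain tree (child -> parent); ROOT has no parent.
PARENT = {"ROOT": None, "d1": "ROOT", "d1a": "d1", "d2": "ROOT"}

# Constructed VMs: name -> (owner account, owner's domain).
VMS = {
    "vm-root":  ("admin", "ROOT"),
    "vm-dadm":  ("dadmin", "d1"),
    "vm-alice": ("alice", "d1"),
    "vm-bob":   ("bob", "d1a"),
    "vm-carol": ("carol", "d2"),
}

@dataclass(frozen=True)
class Caller:
    account: str
    domain: str
    role: str  # "root_admin", "domain_admin" or "user"

def in_subtree(domain, top):
    """True if `domain` is `top` or one of its descendants."""
    while domain is not None:
        if domain == top:
            return True
        domain = PARENT[domain]
    return False

def authorized(caller, owner, domain):
    """Implicit rules from the thread: admins see their domain tree, users their own."""
    if caller.role == "user":
        return owner == caller.account
    return in_subtree(domain, caller.domain)  # a root admin's domain is ROOT

def list_vms(caller, list_all=False, recursive=False, domain_id=None):
    """Model of the documented listAll/recursive semantics (both default to false)."""
    result = set()
    for name, (owner, domain) in VMS.items():
        if not authorized(caller, owner, domain):
            continue  # never return anything outside the caller's authorization
        if domain_id is not None:
            # domainId narrows the scope; recursive=true adds its subdomains.
            in_scope = in_subtree(domain, domain_id) if recursive else domain == domain_id
        else:
            in_scope = list_all or owner == caller.account
        if in_scope:
            result.add(name)
    return result
```

Comparing this model's output with a real response for the same caller and parameters shows directly whether listAll=false is being honoured or treated as true.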