
Created tags are not deleted whenever a public IP is disassociated

Open vdombrovski opened this issue 2 years ago • 2 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Core
CLOUDSTACK VERSION
4.17.0.0
CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY

Created tags are not deleted when the user releases a public IP address. If the public IP is then assigned to another user, it will still contain all the previous tags. This interferes with automation tools that expect a clean resource, and could allow other accounts to access potentially sensitive metadata.

I understand that in some cases this would be considered a feature, however this makes it unusable to provide shared IP pools that could be used by several accounts. (at least while the permission to edit tags is granted)

STEPS TO REPRODUCE
# using cmk
associate ipaddress domainid=[...] networkid=[...] vpcid=[...]
[...]

list tags resourcetype=publicipaddress resourceid=86b1b359-1879-488b-ba9c-772cceeb6908  listall=true

create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey tags[0].value=somevalue
success = true

list tags resourcetype=publicipaddress resourceid=86b1b359-1879-488b-ba9c-772cceeb6908  listall=true
count = 1
tag:
domain = XXX
key = somekey
value = somevalue
resourcetype = PublicIpAddress
resourceid = 86b1b359-1879-488b-ba9c-772cceeb6908
account = XXX
domainid =XXX

disassociate  ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
success = true

list tags resourcetype=publicipaddress resourceid=86b1b359-1879-488b-ba9c-772cceeb6908  listall=true
count = 1
tag:
domain = XXX
key = somekey
value = somevalue
resourcetype = PublicIpAddress
resourceid = 86b1b359-1879-488b-ba9c-772cceeb6908
account = XXX
domainid =XXX

EXPECTED RESULTS

Expected the tags to be removed when the IP is disassociated (freed)

ACTUAL RESULTS

Tags are still present, and will continue to exist until they are deleted manually via "deleteTags"

vdombrovski avatar Aug 09 '22 13:08 vdombrovski

@rohityadavcloud @DaanHoogland @nvazquez @borisstoyanov should we delete tags while disassociating a public IP address?

shwstppr avatar Aug 12 '22 05:08 shwstppr

To add to the discussion, public IPs are currently the only shared resource that can be tagged. The issue does not arise for other resource types because those will never change ownership, as in you can't really "release" a VM or a volume for some other account to use it.

As such, the disassociate and/or release calls should logically perform the proper cleanup so that other accounts may use it.

vdombrovski avatar Aug 12 '22 06:08 vdombrovski

Fixed with #6642 @vdombrovski you may test new nightly https://download.cloudstack.org/testing/nightly/ (tomorrow's build should have the fix) and re-open if needed

shwstppr avatar Aug 19 '22 13:08 shwstppr
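
For deployments that ran an affected version, an audit for leftover tags on shared public IPs, added here as an example and not part of the thread or of CloudStack's code. It works on JSON listings of public IPs (including free ones) and of tags; the IP field names `id`, `state`, `account` and `domainid`, the assumption that a tag keeps its creator's account after the IP changes hands, and all sample values are assumptions or constructed data.

```python
# Constructed sample data shaped like `cmk` JSON output; all ids and names are made up.
# Public IP fields (id, state, account, domainid) are assumed from listPublicIpAddresses;
# tag fields follow the listing shown in the report.
SAMPLE_IPS = {"count": 3, "publicipaddress": [
    {"id": "ip-0001", "state": "Free"},
    {"id": "ip-0002", "state": "Allocated", "account": "tenant-b", "domainid": "dom-2"},
    {"id": "ip-0003", "state": "Allocated", "account": "tenant-a", "domainid": "dom-1"},
]}
SAMPLE_TAGS = {"count": 4, "tag": [
    {"resourcetype": "PublicIpAddress", "resourceid": "ip-0001", "key": "somekey",
     "value": "somevalue", "account": "tenant-a", "domainid": "dom-1"},
    {"resourcetype": "PublicIpAddress", "resourceid": "ip-0002", "key": "somekey",
     "value": "somevalue", "account": "tenant-a", "domainid": "dom-1"},
    {"resourcetype": "PublicIpAddress", "resourceid": "ip-0003", "key": "env",
     "value": "prod", "account": "tenant-a", "domainid": "dom-1"},
    {"resourcetype": "UserVm", "resourceid": "vm-0001", "key": "env",
     "value": "prod", "account": "tenant-a", "domainid": "dom-1"},
]}


def find_stale_ip_tags(ips, tags):
    """Return tags left on public IPs that are free or now owned by another account."""
    by_id = {ip["id"]: ip for ip in ips.get("publicipaddress", [])}
    findings = []
    for tag in tags.get("tag", []):
        if tag.get("resourcetype", "").lower() != "publicipaddress":
            continue  # only public IPs change owners, per the thread
        ip = by_id.get(tag.get("resourceid"))
        if ip is None:
            continue  # IP missing from this listing: nothing to compare against
        if ip.get("state") != "Allocated":
            reason = "ip-not-allocated"
        elif (ip.get("account"), ip.get("domainid")) != (tag.get("account"), tag.get("domainid")):
            reason = "owner-mismatch"
        else:
            continue  # tag belongs to the current owner
        findings.append({"resourceid": tag["resourceid"], "key": tag["key"], "reason": reason})
    return findings


def cleanup_commands(findings):
    """Build one cmk 'delete tags' line per stale tag, for review before running."""
    return [f"delete tags resourcetype=publicipaddress resourceids={f['resourceid']} "
            f"tags[0].key={f['key']}" for f in findings]


if __name__ == "__main__":
    for line in cleanup_commands(find_stale_ip_tags(SAMPLE_IPS, SAMPLE_TAGS)):
        print(line)
```

An `owner-mismatch` finding can also be a tag an administrator set on purpose, so the generated commands are meant to be reviewed rather than piped straight into `cmk`.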