cloudstack
cloudstack copied to clipboard
Published
20 hours ago •
apache
apache
Global setting to disallow domain admin to change domain and account settings
ISSUE TYPE
- Bug Report
COMPONENT NAME
UI, Permissions, Access Controll
CLOUDSTACK VERSION
4.17 onwards
SUMMARY
The https://github.com/apache/cloudstack/pull/4339 pull request allows CloudStack's domain admins to change their domains configurations. This option gives domain admins power to abuse CloudStack system IPs, create public templates, share their templates with other domains, and many more unwanted effects to the environments even though the root admin disallow these actions in the first place.
| Domain level settings |
|---|
| account.allow.expose.host.hostname |
| allow.public.user.templates |
| preferred.storage.pool |
| share.public.templates.with.other.domains |
| use.system.public.ips |
As of now there isn't a global setting to revert this changes. I have the following suggestions let me know what do you think.
- Add a global setting to override this behaviour.
- Move these setting to global level so domain admins can't change them.
- Give priority to the global level settings, so if domain admins override a setting.
STEPS TO REPRODUCE
1. Login as a root admin
2. Configure the domain
3. Log out
4. Login as a domain admin
5. Configure the domain
EXPECTED RESULTS
Root admin configurations are **NOT** overridden.
ACTUAL RESULTS
Root admin configurations are overridden.
