cloudstack
Templates owned by Project Account not allowed to share templates
ISSUE TYPE
- Bug Report
COMPONENT NAME
API
CLOUDSTACK VERSION
4.17.1.0
4.17.2.0
public boolean updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissionsCmd cmd) {
    <...>
    if (owner.getType() == Account.Type.PROJECT) {
        // Currently project owned templates cannot be shared outside project but is available to all users within project by default.
        throw new InvalidParameterValueException("Update template permissions is an invalid operation on template " + template.getName() +
                ". Project owned templates cannot be shared outside template.");
    }
    <...>
SUMMARY
Templates owned by a project account are not allowed to execute the updateTemplatePermissions API. This prevents projects from sharing templates between themselves that are in the same Domain as stated by the API docs. It seems to indicate that only templates created by users in the "admin" or other non-project group are allowed to mark templates shared outside of the project structure.
EXPECTED RESULTS
Allowing users in the same domain to share templates would seem to be an expected behavior.
Hi @damonb123
Could you please let me know what the role type of the account is?
- The account type you created (domain-admin, user, etc.)

- What is the project role type you selected when adding the account to the project?

@weizhouapache @rohityadavcloud @harikrishna-patnala does it make sense to allow ROOT admin to change the owner of the templates using updateTemplate API? Or should we allow project-owned templates to be shared outside the project?
This is by design; templates registered in a project are owned by it, so they are not accessible to others. However, like any account they should be allowed to be shared to others.
I added a simple change in #9196. A domain admin can share with the PR at least. Normal users never own their own template in a project as it belongs to the project account. I am not sure if this is as intended, but it seems some extra work is needed.
@kiranchavala @rohityadavcloud @damonb123, my take on this is that if the user has access to the template they can adjust the sharing rights as well. It is not yet clear to me whether there should be some restrictions on what they can do, beyond what is programmatically possible at this moment. I.e., are restrictions and extra checks needed?
@damonb123 #9196 implements your request. As @vishesh92 shows in https://github.com/apache/cloudstack/pull/9196#issuecomment-2178872690, this is not much help yet for UI users but may help you if you want to share for use in the API. I will look at a further UI fix.
fixed in #9196
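
One possible narrowing of the blanket rejection quoted in the report, written as an added example; it is not CloudStack code and not the change made in #9196. The `Account` and `Type` classes, the `denyReasonForProjectTemplate` helper, and both rules (an admin caller only, targets in the owner's domain only, with no sub-domain handling) are assumptions made for illustration.

```java
import java.util.List;

// Simplified stand-ins for the account model (hypothetical, not CloudStack's classes).
public class TemplateSharePolicy {
    enum Type { ROOT_ADMIN, DOMAIN_ADMIN, USER, PROJECT }

    static final class Account {
        final String name; final Type type; final long domainId;
        Account(String name, Type type, long domainId) {
            this.name = name; this.type = type; this.domainId = domainId;
        }
    }

    // Returns null when sharing a project-owned template is allowed,
    // otherwise the reason the request is refused.
    static String denyReasonForProjectTemplate(Account caller, Account owner, List<Account> targets) {
        // Assumed rule 1: a project member never owns the template, so only
        // a root admin or an admin of the owner's domain may change sharing.
        boolean rootAdmin = caller.type == Type.ROOT_ADMIN;
        boolean domainAdmin = caller.type == Type.DOMAIN_ADMIN && caller.domainId == owner.domainId;
        if (!rootAdmin && !domainAdmin) {
            return "caller " + caller.name + " may not share project-owned templates";
        }
        // Assumed rule 2: sharing never crosses a domain boundary.
        // Every target is checked before anything is granted.
        for (Account target : targets) {
            if (target.domainId != owner.domainId) {
                return "target " + target.name + " is outside the owner's domain";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample accounts: two projects in domain 2, one in domain 3.
        Account projA = new Account("project-a", Type.PROJECT, 2);
        Account projB = new Account("project-b", Type.PROJECT, 2);
        Account projC = new Account("project-c", Type.PROJECT, 3);
        Account admin = new Account("dom2-admin", Type.DOMAIN_ADMIN, 2);
        Account user = new Account("alice", Type.USER, 2);

        System.out.println(denyReasonForProjectTemplate(admin, projA, List.of(projB))); // domain admin, same domain
        System.out.println(denyReasonForProjectTemplate(user, projA, List.of(projB)));  // regular project member
        System.out.println(denyReasonForProjectTemplate(admin, projA, List.of(projC))); // cross-domain target
    }
}
```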