cloudstack icon indicating copy to clipboard operation
cloudstack copied to clipboard

Published 20 hours ago verified publisher icon apache

Allow Domain Admins to deploy VMs in subdomain networks

Open rajujith opened this issue 2 years ago • 8 comments

ISSUE TYPE
  • Improvement Request
COMPONENT NAME
Component: API
CLOUDSTACK VERSION
4.17.2.0
SUMMARY

Currently, a parent domain admin can perform most of the operations in a subdomain such as Add/delete FW,PF rules, stop, start & destroy virtual machines but deploying a virtual machine is not allowed. This design is inconsistent and needs to be improved to allow VM deployment to subdomain networks.

STEPS TO REPRODUCE

Deploy Virtual Machine using API as a parent domain admin to a subdomain guest network. Deployment fails with 'permission denied'

Try destroying a VM in a subdomain as a parent domain admin, this works. These two are contradicting designs.

rajujith avatar Apr 03 '23 07:04 rajujith

Thanks for opening your first issue here! Be sure to follow the issue template!

boring-cyborg[bot] avatar Apr 03 '23 07:04 boring-cyborg[bot]

When picking up, this should keep the backward compatibility and make this feature configurable in the global settings (or so).

andrijapanicsb avatar Apr 03 '23 07:04 andrijapanicsb

I think historically we never want the domain admin to be able to do it. We need to check if this is a UI limitation (perhaps allowed in API?), I see https://cloudstack.apache.org/api/apidocs-4.18/apis/assignVirtualMachine.html allows domain admin to transfer VMs in the domain to accounts.

rohityadavcloud avatar Apr 03 '23 08:04 rohityadavcloud

@rajujith domain admin has the operate permission on the resources of users in the domain or sub-domains. But they cannot use the isolated network of account-scope shared network of users. this is expected behavior.

(root admin is exceptional)

weizhouapache avatar Apr 03 '23 10:04 weizhouapache

My 2 cents, there is a workaround for the design limitation by manually adding a record on the network_permissions table, mapping the domain admin account ID to the subdomain network ID. In case the domain admin should not be able to deploy on the subdomains networks in any case, I think the rest of the operations should be consistent and he shouldn't be allowed to stop/start/destroy VMs

nvazquez avatar Apr 03 '23 13:04 nvazquez

To make sure we clear (what seems to me as) the misunderstanding - it's not about domain admin being able to deploy a VM in another-users network alone - but to be able to deploy a VM for another user (in his/user's network). Any other use case (admin-owned VM deployed in another user's network must stay impossible like currently)

andrijapanicsb avatar Apr 03 '23 16:04 andrijapanicsb

@rajujith can you please mention your reproduction steps in detail (step-by-step)? In my testing I found the following scenarios (in a main branch env):

  • Both ROOT admin and domain admin can deploy a VM in a network owned by a user in a subdomain when user and domainid params are passed for that user
  • Both ROOT admin and domain admin can not deploy a VM in a network owned by a user in a subdomain when user and domainid params are not passed

My steps:

  • Create domain d1 and create a domain-admin account dadmin in this domain
  • Create subdomain d11 in domain d1 and create a normal user account user1 in it
  • Using user1 deploy an isolated network n2
  • Using ROOT admin admin and domain-admin dadmin try deploying VMs in network n2

cc @andrijapanicsb @weizhouapache

shwstppr avatar Apr 06 '23 06:04 shwstppr

@rajujith can you please mention your reproduction steps in detail (step-by-step)? In my testing I found the following scenarios (in a main branch env):

  • Both ROOT admin and domain admin can deploy a VM in a network owned by a user in a subdomain when user and domainid params are passed for that user
  • Both ROOT admin and domain admin can not deploy a VM in a network owned by a user in a subdomain when user and domainid params are not passed

My steps:

  • Create domain d1 and create a domain-admin account dadmin in this domain
  • Create subdomain d11 in domain d1 and create a normal user account user1 in it
  • Using user1 deploy an isolated network n2
  • Using ROOT admin admin and domain-admin dadmin try deploying VMs in network n2

cc @andrijapanicsb @weizhouapache

thanks @shwstppr the testing results are expected I think.

weizhouapache avatar Apr 06 '23 06:04 weizhouapache

@rajujith can you please mention your reproduction steps in detail (step-by-step)? In my testing I found the following scenarios (in a main branch env):

  • Both ROOT admin and domain admin can deploy a VM in a network owned by a user in a subdomain when user and domainid params are passed for that user
  • Both ROOT admin and domain admin can not deploy a VM in a network owned by a user in a subdomain when user and domainid params are not passed

My steps:

  • Create domain d1 and create a domain-admin account dadmin in this domain
  • Create subdomain d11 in domain d1 and create a normal user account user1 in it
  • Using user1 deploy an isolated network n2
  • Using ROOT admin admin and domain-admin dadmin try deploying VMs in network n2

cc @andrijapanicsb @weizhouapache

thanks @shwstppr the testing results are expected I think.

I could verify the same scenario and it is working fine. Following are the cases that I've tested 1. Domain admin can create a VM for a user in a subdomain of it (using the network created by the user) by passing "account" and "domainid" parameters. This VM will be owned by that user in that subdomain 2. Domain admin can create a VM in the network created by the user after setting the corresponding network permission to that domain admin. This VM will be owned by the domain admin.

@rajujith if you agree for this we can close this issue.

harikrishna-patnala avatar Jun 12 '24 05:06 harikrishna-patnala

thanks @harikrishna-patnala we can close this now.

rajujith avatar Jun 12 '24 10:06 rajujith