
Project role Allow rules doesn't have any effect

Open rajujith opened this issue 9 months ago • 1 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
UI, API
CLOUDSTACK VERSION
4.19.0.0
SUMMARY

Project roles by design can only further restrict the access of users based on RBAC. However, in the UI there is an option to 'Allow' more APIs, which doesn't take effect. This needs to be reviewed to either allow more access in project roles (there are some use cases for it) or otherwise remove the 'Allow' option, which does not work.

STEPS TO REPRODUCE
1. Create an account and user with 'user role'.
2. Create a new project and create a project role.
3. In the project role add a rule that allows an API that is restricted for the user role.
4. Add the above user to the project assigning the above project role.
5. Verify whether the user has any elevated privileges to run the Allowed API.

https://www.shapeblue.com/cloudstack-feature-deep-dive-role-based-users-in-projects/

[Screenshot 2024-05-10 at 11:00:08 AM]

rajujith avatar May 10 '24 05:05 rajujith

Agree Jithin, worst case we can update the docs to say "allow" is there, but not really usable/doesn't work, or similar.

andrijapanicsb avatar May 10 '24 11:05 andrijapanicsb

As far as I understand, Project roles are meant to be restrictive in nature, i.e., a user added to a project should not be allowed to perform any operation that the user role doesn't allow it to perform. Say you create a user account and log in as the user. Then, as the user, create a project. In this context, when adding project role rules, one would only be able to list the APIs the userRole allows. I think we should document this behaviour clearly, as @andrijapanicsb mentioned, rather than allowing a user's permissions to be elevated to perform certain operations in a project.

Pearl1594 avatar May 22 '24 07:05 Pearl1594
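The reproduction steps in the issue and the explanation above both describe the same rule: an account role decides what a user may call, and a project role can only take APIs away, never add them. The following is an added example, not CloudStack's own code, that models this as a check a practitioner can run against step 5 of the reproduction. It assumes CloudStack's rule form (an API name or a glob such as `list*`, evaluated in order, first match wins), assumes that an account role with no matching rule denies the API, and encodes the behaviour stated in this thread: a project-role Allow has no effect, a project-role Deny restricts further. The rule sets and API names below are constructed for illustration.

```python
"""Model of how a CloudStack project role combines with the account role.

Added example (assumptions, not CloudStack's implementation):
  - a rule is (pattern, permission); pattern is an API name or a glob
    such as "list*"; rules are evaluated in order and the first match wins;
  - an account role with no matching rule denies the API;
  - a project role can only DENY APIs the account role allows; its ALLOW
    rules never add APIs, which is the behaviour reported in this issue.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Tuple

Rule = Tuple[str, str]  # (pattern, "allow" | "deny")


def first_match(api: str, rules: Iterable[Rule]) -> Optional[str]:
    """Return the permission of the first rule whose pattern matches api, else None."""
    for pattern, permission in rules:
        if fnmatchcase(api, pattern):
            return permission
    return None


def account_role_allows(api: str, role_rules: Iterable[Rule]) -> bool:
    """Account-level decision: only an explicit matching 'allow' grants the API."""
    return first_match(api, role_rules) == "allow"


def effective_allowed(api: str, role_rules: Iterable[Rule],
                      project_role_rules: Iterable[Rule]) -> bool:
    """Decision inside a project: account role first, then project-role denies.

    A project-role 'allow' is deliberately ignored: it cannot elevate the
    user beyond the account role, as this thread documents.
    """
    if not account_role_allows(api, role_rules):
        return False
    return first_match(api, project_role_rules) != "deny"


def report(apis: Iterable[str], role_rules: List[Rule],
           project_role_rules: List[Rule]) -> Dict[str, Tuple[bool, Optional[str], bool]]:
    """For each API: (account role allows, project-role rule hit, effective)."""
    return {
        api: (account_role_allows(api, role_rules),
              first_match(api, project_role_rules),
              effective_allowed(api, role_rules, project_role_rules))
        for api in apis
    }


# Constructed rule sets standing in for a 'User'-type account role (step 1)
# and the project role from step 3. They are not CloudStack's defaults.
USER_ROLE_RULES: List[Rule] = [
    ("listVirtualMachines", "allow"),
    ("deployVirtualMachine", "allow"),
    ("destroyVirtualMachine", "allow"),
    ("listVolumes", "allow"),
    ("*", "deny"),  # everything else, e.g. createDomain, listHosts
]

PROJECT_ROLE_RULES: List[Rule] = [
    ("createDomain", "allow"),          # the 'Allow' rule from step 3: no effect
    ("destroyVirtualMachine", "deny"),  # a 'Deny' rule: restricts further
]

if __name__ == "__main__":
    checks = ["createDomain", "deployVirtualMachine",
              "destroyVirtualMachine", "listVolumes", "listHosts"]
    for api, (acct, prj, eff) in report(checks, USER_ROLE_RULES, PROJECT_ROLE_RULES).items():
        print(f"{api:24} account={acct!s:5} project_rule={prj!s:5} effective={eff}")
```

Running it shows `createDomain` stays denied even though the project role says Allow, while `destroyVirtualMachine` flips from allowed to denied because of the project-role Deny; that is the outcome step 5 should observe on 4.19.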

I agree with @Pearl1594 , project roles cannot elevate rights of a user beyond what they are assigned in the first place. I say this is not a bug but a feature ;)

DaanHoogland avatar Jun 03 '24 07:06 DaanHoogland

Based on the discussion with @Pearl1594 @rohityadavcloud @rajujith, I've closed the original PR that allowed elevating an account with project roles. I've created a doc PR to document the behaviour: https://github.com/apache/cloudstack-documentation/pull/403. Also created a PR to change the UI to not show the allow option for project role permissions: https://github.com/apache/cloudstack/pull/9185

shwstppr avatar Jun 06 '24 12:06 shwstppr

Closing since documentation PR (https://github.com/apache/cloudstack-documentation/pull/403) is merged and documents the behavior of project roles.

vishesh92 avatar Jun 11 '24 12:06 vishesh92