
Organization filter on Create cluster API

Open uvinc opened this issue 4 years ago • 4 comments

Hello, I don't know if it's an issue, but our security team found a strange behavior where the API accepts the cluster creation request if you set the org_name and ovdc_name of another customer. The request is accepted (202) and a task appears in the user's organisation (and stays indefinitely), but nothing is created in the other customer's organisation, so it's not a big issue. They are asking me if it's possible to have a generic error or a deny if the "org_name" in the cluster create JSON is not the same as the login organisation?

Regards, ugo

uvinc avatar Jan 28 '20 16:01 uvinc

Can you please share the details of the command you run for cluster creation, as:

  1. vcd cse cluster create .....
  2. As what persona (sys admin, org admin or tenant user: vcd pwd can give this info)
  3. cse version

Also, as you probably know, the system administrator can create clusters in any org regardless of who the owner or user is.

sakthisunda avatar Jan 31 '20 22:01 sakthisunda

I think what is happening in this case is as follows:

  1. CSE server accepts the request and starts processing it.
  2. The validation phase doesn't check whether the org and ovdc are indeed related or not. As a result, a 202 is returned.
  3. CSE creates a vCD task to track the progress of the cluster deployment and updates it periodically.
  4. When CSE tries to create the cluster vApp on the wrong org VDC, vCD returns an error, and CSE terminates the job, updates the task status to Error, rolls back the operation, and logs the error in the CSE logs. But the failed task itself is not purged immediately. The task will expire and be purged naturally in about 1 week (the default vCD task expiration duration).

Ideally, the process that initiated the cluster create call should monitor the task and update the caller about the failure. (FYI, vcd-cli does monitor the task.)

CSE can do the validation you are asking for. The only issue is that to validate that the user's org and the org sent as part of the request are one and the same, CSE needs to make calls to vCD, which will in turn increase the turnaround time for the CSE request. We will evaluate and see if we can add the validation or not.

Regards Aritra Sen

rocknes avatar Feb 01 '20 00:02 rocknes
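An added example (not CSE's own code) of the pre-flight check discussed above: the request's org_name is compared with the caller's login org, and the ovdc is checked to belong to that org, before any task is created. The org/ovdc inventory, the Session class, the sysadmin exemption and the 400 status are assumptions for illustration; in a real deployment the ovdc lookup would be the vCD call mentioned in the reply.

```python
from dataclasses import dataclass

# Constructed inventory standing in for a vCD lookup: org -> its org VDC names.
ORG_VDCS = {
    "acme": {"acme-vdc1", "acme-vdc2"},
    "globex": {"globex-vdc1"},
}


@dataclass(frozen=True)
class Session:
    """Caller identity as established at login (hypothetical shape)."""
    user: str
    org_name: str          # organization the caller logged in to
    is_sysadmin: bool = False


class ValidationError(Exception):
    """Raised before any vCD task is created; message is deliberately generic."""


def validate_cluster_create(session: Session, payload: dict) -> dict:
    org = payload.get("org_name") or session.org_name
    ovdc = payload.get("ovdc_name")
    if not ovdc:
        raise ValidationError("ovdc_name is required")
    # Tenant callers may only target their own org; a system administrator
    # may create clusters in any org (as noted earlier in the thread).
    if not session.is_sysadmin and org != session.org_name:
        raise ValidationError("invalid org_name or ovdc_name")
    # The ovdc must belong to the target org. The same generic message is used
    # so the response does not reveal whether another tenant's vdc name exists.
    if ovdc not in ORG_VDCS.get(org, set()):
        raise ValidationError("invalid org_name or ovdc_name")
    return {"org_name": org, "ovdc_name": ovdc}


def handle_cluster_create(session: Session, payload: dict) -> tuple:
    """Return (status, body): a 400 on validation failure instead of a 202
    followed by a task that lingers in Error state."""
    try:
        target = validate_cluster_create(session, payload)
    except ValidationError as exc:
        return 400, {"message": str(exc)}
    task = f"create cluster in {target['org_name']}/{target['ovdc_name']}"
    return 202, {"task": task}
```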

@sakthisunda We are using version 2.5.1 and mainly the API to consume CSE, for the VCD extensibility UI or end-user automation tools. We have a validator on our extensibility UI to avoid this issue, but from the direct API, the security team prefers to avoid the possibility of a customer obtaining information (vdc name) of another customer's organisation.

@rocknes Yes, it's exactly that. Thanks for the clarification. I will wait for your result.

Regards Ugo

uvinc avatar Feb 03 '20 16:02 uvinc

Hi Ugo

Would you mind sharing with us the Cloud Provider you represent who is building an extensible UI?

Thanks Aashima

goelaashima avatar Feb 03 '20 18:02 goelaashima