listSystemVmsUsageHistory is available to Domain Admin by Default

[scottsignal]

ISSUE TYPE

• Bug Report

COMPONENT NAME

API/UI

CLOUDSTACK VERSION

4.19.1.3

CONFIGURATION

N/A

OS / ENVIRONMENT

Ubuntu 22.04
KVM

SUMMARY

We found that out of the box listSystemVmsUsageHistory is available to the Domain Admin Role with Type set to DomainAdmin by default. This feels like a bug since no other SystemVM API's are available. We worked around this issue by denying the API, however, I wanted to report it.

STEPS TO REPRODUCE

Create an account/user with the Domain Admin Role and set the Type to DomainAdmin.  Run listSystemVmsUsageHistory

EXPECTED RESULTS

listSystemVmsUsageHistory should not be available 

ACTUAL RESULTS

listSystemVmsUsageHistory returns results 

[DaanHoogland]

Do you really feel this is hurtful @scottsignal ?

[scottsignal]

Do you really feel this is hurtful @scottsignal ?

It's not hurtful, but it took us some time to figure out what the problem was. We created a Root Admin role that denied access to *SystemVM* (We needed them to be able to create Domain Admin Accounts & Networks w/VLANS). After doing some comparing of ListAPI this was the one that stood out.

Is there a valid reason a Doman Admin should be able to use listSystemVmsUsageHistory? It seems odd since a Domain Admin can't even run ListSystemVMs

[DaanHoogland]

Do you really feel this is hurtful @scottsignal ?

It's not hurtful, but it took us some time to figure out what the problem was. We created a Root Admin role that denied access to *SystemVM* (We needed them to be able to create Domain Admin Accounts & Networks w/VLANS). After doing some comparing of ListAPI this was the one that stood out.

Is there a valid reason a Doman Admin should be able to use listSystemVmsUsageHistory? It seems odd since a Domain Admin can't even run ListSystemVMs

I do not know of a reason. It might have been a slip of the keyboard, or someone wanted domain admins to be able to see the costs burned in their domain. I can imagine usage being of interest to a domain admin. So, yes, there might be a valid reason. I agree that it seems counter intuitive somewhat but not a bug. By the looks you found a valid way to deal with it.

I was asking because I wonder if we want this solved in code or "solved" in documentation.

[DaanHoogland]

@scottsignal , @shwstppr made a fix in #10032 . Can you test this?

[DaanHoogland]

fixed in #10032