From 95c001079b8af368c7ac7922f4724b6b3f23ddab Mon Sep 17 00:00:00 2001 From: Daan Hoogland Date: Wed, 26 Jan 2022 16:07:38 +0100 Subject: [PATCH 1/4] note on dynamic roles caveat --- source/adminguide/accounts.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index a7e699a97d..10d0a9c9b9 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst @@ -135,6 +135,17 @@ allows CloudStack root admins to create new roles with customized permissions. The allow/deny rules can be configured dynamically during runtime without restarting the management server(s). +.. Note:: Any user given the custom roles that include permission to + create and/or update accounts will have the ability to + assign new custom roles to themsevles or other users, + irrspective of the privialges given in those roles. This + could allow such a user to escalate their own privalges to + include any API they might not have had before. Thereofre, + the dynamic roles should be carefully designed and the + `createAccount` and `updateAccount` priviledges should only + be given to users who you are content to have this level of + privilage + For backward compatiblity, all roles resolve to one of the four role types: admin, resource admin, domain admin and user. A new role can be created using the roles tab in the UI and specifying a name, either a role type or ID of existing From da248260f0a4fc2ef16cee7c6d71cca3c99f880b Mon Sep 17 00:00:00 2001 From: dahn Date: Thu, 27 Jan 2022 06:35:10 +0100 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: sureshanaparti <12028987+sureshanaparti@users.noreply.github.com> --- source/adminguide/accounts.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index 10d0a9c9b9..78c7dd87c8 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst 
@@ -138,11 +138,11 @@ restarting the management server(s). .. Note:: Any user given the custom roles that include permission to create and/or update accounts will have the ability to assign new custom roles to themsevles or other users, - irrspective of the privialges given in those roles. This - could allow such a user to escalate their own privalges to - include any API they might not have had before. Thereofre, + irrespective of the privileges given in those roles. This + could allow such a user to escalate their own privileges to + include any API they might not have had before. Therefore, the dynamic roles should be carefully designed and the - `createAccount` and `updateAccount` priviledges should only + `createAccount` and `updateAccount` privileges should only be given to users who you are content to have this level of privilage From de4d537e53612dad7a06d97f33d9b68a0006f4ca Mon Sep 17 00:00:00 2001 From: dahn Date: Thu, 27 Jan 2022 08:47:40 +0100 Subject: [PATCH 3/4] Update source/adminguide/accounts.rst Co-authored-by: sureshanaparti <12028987+sureshanaparti@users.noreply.github.com> --- source/adminguide/accounts.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index 78c7dd87c8..0a92c691aa 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst @@ -144,7 +144,7 @@ restarting the management server(s). the dynamic roles should be carefully designed and the `createAccount` and `updateAccount` privileges should only be given to users who you are content to have this level of - privilage + privilege For backward compatiblity, all roles resolve to one of the four role types: admin, resource admin, domain admin and user. A new role can be created using From 43671bb76c85074f2c78a0e6a5de235a6bd58470 Mon Sep 17 00:00:00 2001 
From: Daan Hoogland Date: Mon, 31 Jan 2022 14:16:08 +0100 Subject: [PATCH 4/4] saveguard implementation note added --- source/adminguide/accounts.rst | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst index 0a92c691aa..093332deef 100644 --- a/source/adminguide/accounts.rst +++ b/source/adminguide/accounts.rst 
@@ -135,16 +135,21 @@ allows CloudStack root admins to create new roles with customized permissions. The allow/deny rules can be configured dynamically during runtime without restarting the management server(s). -.. Note:: Any user given the custom roles that include permission to - create and/or update accounts will have the ability to - assign new custom roles to themsevles or other users, - irrespective of the privileges given in those roles. This - could allow such a user to escalate their own privileges to - include any API they might not have had before. Therefore, - the dynamic roles should be carefully designed and the - `createAccount` and `updateAccount` privileges should only - be given to users who you are content to have this level of - privilege +.. Note:: in versions before 4.16.1, any user given the custom roles + that include permission to create and/or update accounts + will have the ability to assign new custom roles to + themsevles or other users, irrespective of the privileges + given in those roles. This could allow such a user to + escalate their own privileges to include any API they might + not have had before. Therefore, the dynamic roles should be + carefully designed and the `createAccount` and + `updateAccount` privileges should only be given to users who + you are content to have this level of privilege. + + Since 4.16.1 a user will be prevented to create an account + with a role that has any permissions that they do not have + themselves. This check will also be performed, since that + version, on updating an account-role. For backward compatiblity, all roles resolve to one of the four role types: admin, resource admin, domain admin and user. A new role can be created using
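Review bot: In PATCH 1/4, the added line naming `createAccount` and `updateAccount` wraps them in single backticks, which reStructuredText treats as interpreted text with the default role rather than as an inline literal, so the API names will not render as code. Use double backticks (``createAccount`` and ``updateAccount``). The same markup is carried unchanged into the rewritten note in PATCH 4/4, so it needs fixing there as well.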
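Review bot: In PATCH 2/4, the spelling pass skips "themsevles" in the unchanged context line just above the first corrected line, and "privilage" on the last line of the note. "privilage" is picked up in PATCH 3/4, but "themsevles" is never corrected and is re-added in the + lines of PATCH 4/4; change it to "themselves".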
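Review bot: In PATCH 4/4, the new second paragraph says "a user will be prevented to create an account", which should read "will be prevented from creating an account", and "on updating an account-role" does not say which call is checked; the first paragraph names createAccount and updateAccount, so name updateAccount here too. The note also now opens with a lowercase "in". Finally, with the "in versions before 4.16.1" prefix, the advice starting "Therefore, the dynamic roles should be carefully designed" reads as applying only to older versions; if limiting who receives these two permissions is still recommended from 4.16.1 on, state that in the second paragraph.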