Allow Domain Admins to deploy VMs in subdomain networks

[rajujith]

ISSUE TYPE

• Improvement Request

COMPONENT NAME

Component: API 

CLOUDSTACK VERSION

4.17.2.0

SUMMARY

Currently, a parent domain admin can perform most of the operations in a subdomain such as Add/delete FW,PF rules, stop, start & destroy virtual machines but deploying a virtual machine is not allowed. This design is inconsistent and needs to be improved to allow VM deployment to subdomain networks.

STEPS TO REPRODUCE

Deploy Virtual Machine using API as a parent domain admin to a subdomain guest network.
Deployment fails with 'permission denied'

Try destroying a VM in a subdomain as a parent domain admin, this works. These two are contradicting designs.

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[andrijapanicsb]

When picking up, this should keep the backward compatibility and make this feature configurable in the global settings (or so).

[yadvr]

I think historically we never want the domain admin to be able to do it. We need to check if this is a UI limitation (perhaps allowed in API?), I see https://cloudstack.apache.org/api/apidocs-4.18/apis/assignVirtualMachine.html allows domain admin to transfer VMs in the domain to accounts.

[weizhouapache]

@rajujith
domain admin has the operate permission on the resources of users in the domain or sub-domains.
But they cannot use the isolated network of account-scope shared network of users.
this is expected behavior.

(root admin is exceptional)

[nvazquez]

My 2 cents, there is a workaround for the design limitation by manually adding a record on the network_permissions table, mapping the domain admin account ID to the subdomain network ID. In case the domain admin should not be able to deploy on the subdomains networks in any case, I think the rest of the operations should be consistent and he shouldn't be allowed to stop/start/destroy VMs

[andrijapanicsb]

To make sure we clear (what seems to me as) the misunderstanding - it's not about domain admin being able to deploy a VM in another-users network alone - but to be able to deploy a VM for another user (in his/user's network). Any other use case (admin-owned VM deployed in another user's network must stay impossible like currently)

[shwstppr]

@rajujith can you please mention your reproduction steps in detail (step-by-step)?
In my testing I found the following scenarios (in a main branch env):

• Both ROOT admin and domain admin can deploy a VM in a network owned by a user in a subdomain when user and domainid params are passed for that user
• Both ROOT admin and domain admin can not deploy a VM in a network owned by a user in a subdomain when user and domainid params are not passed

My steps:

• Create domain d1 and create a domain-admin account dadmin in this domain
• Create subdomain d11 in domain d1 and create a normal user account user1 in it
• Using user1 deploy an isolated network n2
• Using ROOT admin admin and domain-admin dadmin try deploying VMs in network n2

cc @andrijapanicsb @weizhouapache

[weizhouapache]

@rajujith can you please mention your reproduction steps in detail (step-by-step)? In my testing I found the following scenarios (in a main branch env):

• Both ROOT admin and domain admin can deploy a VM in a network owned by a user in a subdomain when user and domainid params are passed for that user
• Both ROOT admin and domain admin can not deploy a VM in a network owned by a user in a subdomain when user and domainid params are not passed

My steps:

• Create domain d1 and create a domain-admin account dadmin in this domain
• Create subdomain d11 in domain d1 and create a normal user account user1 in it
• Using user1 deploy an isolated network n2
• Using ROOT admin admin and domain-admin dadmin try deploying VMs in network n2

cc @andrijapanicsb @weizhouapache

thanks @shwstppr
the testing results are expected I think.