/!\ To report a security issue please follow this procedure:
[https://github.com/OpenNebula/one/wiki/Vulnerability-Management-Process]
Description
When we try to instantiate a template using a user who does not have "CREATE" permissions on the Template VMs, we receive the following error:
"ERROR: "[one.template.instantiate] User [5] : Not authorized to perform CREATE TEMPLATE.""
NOTE: This only affects Sunstone; it is possible to instantiate a VM via the CLI using the template.
The user's ACL set is as follows (group @100):
oneadmin@opennebula:~$ oneacl list
  ID  USER RES_VHNIUTGDCOZSvRMAPtB RID OPE_UMAC ZONE
   0    @1     V--I-T---O-S----P-B   *     ---c    *
   3    @1     -H-----------------   *     -m--   #0
   4    @1     --N----------------   *     u---   #0
   5    @1     -------D-----------   *     u---   #0
  36  @100     -HN----D-----------   *     um--   #0
  37  @100     -----T-------------   *     u---   #0
  38  @100     V------------------   *     umac   #0
   1     *     ----------Z--------   *     u---    *
   2     *     --------------MA---   *     u---    *
  13     *     -HNI---D-----------   *     um--   #0
Since the group has "USE" permissions on VM Templates, it should be able to instantiate them through Sunstone.
To Reproduce
- Create new group:
  onegroup create test
- Create new user:
  oneuser create testuser opennebula --group test
- Delete default ACLs (required because by default the user is given CREATE permissions on the VM Templates):
  oneacl delete <newgroup_acls_range>
- Create Group ACLs:
  oneacl create "@<group_id> HOST+NET+DATASTORE/* USE+MANAGE #0"
  oneacl create "@<group_id> TEMPLATE/* USE #0"
  oneacl create "@<group_id> VM/* USE+MANAGE+ADMIN+CREATE #0"
- Try to instantiate VM from a template via Sunstone:
  ERROR: "[one.template.instantiate] User [5] : Not authorized to perform CREATE TEMPLATE."
- Try to instantiate VM from a template via CLI:
  oneadmin@opennebula:~$ onetemplate instantiate 20 --user testuser
  Password:
  VM ID: 103
Expected behavior
Just like with the CLI, the template should be able to be instantiated only with "USE" permissions and should not require "CREATE" permissions.
Details
- Affected Component: Sunstone
- Hypervisor: NA
- Version: 6.10.3
Progress Status
- Code committed
- Testing - QA
- Documentation (Release notes - resolved issues, compatibility, known issues)
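The ACL reasoning in the report can be checked mechanically. The Python sketch below is an added example, not part of the original report or of OpenNebula's code: it parses the `oneacl list` rows quoted above and lists which rules grant a given right. It assumes testuser is user 5 (from the error text) and a member of group 100 only, and it evaluates ACL rules alone, not per-object permission bits.

```python
# Added example: evaluate the `oneacl list` rows from the issue (ACL rules only).
ACL_LISTING = """\
ID USER RES_VHNIUTGDCOZSvRMAPtB RID OPE_UMAC ZONE
0 @1 V--I-T---O-S----P-B * ---c *
3 @1 -H----------------- * -m-- #0
4 @1 --N---------------- * u--- #0
5 @1 -------D----------- * u--- #0
36 @100 -HN----D----------- * um-- #0
37 @100 -----T------------- * u--- #0
38 @100 V------------------ * umac #0
1 * ----------Z-------- * u--- *
2 * --------------MA--- * u--- *
13 * -HNI---D----------- * um-- #0
"""

def parse_acls(listing):
    """Turn the listing into rule dicts; flags are the non-dash letters."""
    lines = listing.strip().splitlines()
    header = lines[0].split()
    known_res = set(header[2].split("_", 1)[1])  # letters after "RES_"
    rules = []
    for line in lines[1:]:
        acl_id, user, res, rid, ops, zone = line.split()
        flags = set(res) - {"-"}
        if not flags <= known_res:
            raise ValueError(f"ACL {acl_id}: resource letter not in header")
        rules.append({"id": int(acl_id), "user": user, "rid": rid,
                      "zone": zone, "res": flags, "ops": set(ops) - {"-"}})
    return rules

def granting_rules(rules, subjects, resource, right, zone="#0"):
    """IDs of rules giving `right` (u/m/a/c) on all objects of `resource`."""
    return [r["id"] for r in rules
            if r["user"] in subjects and r["rid"] == "*"
            and r["zone"] in ("*", zone)
            and resource in r["res"] and right in r["ops"]]

# Assumption: testuser is user 5 and belongs only to group 100.
TESTUSER = {"#5", "@100", "*"}

if __name__ == "__main__":
    rules = parse_acls(ACL_LISTING)
    for label, res, right in [("USE TEMPLATE", "T", "u"),
                              ("CREATE TEMPLATE", "T", "c"),
                              ("CREATE VM", "V", "c")]:
        ids = granting_rules(rules, TESTUSER, res, right)
        print(f"{label:16} -> {'ACL ' + str(ids) if ids else 'not granted'}")
```

On the quoted listing this reports USE TEMPLATE and CREATE VM as granted to testuser and CREATE TEMPLATE as not granted, the right named in the Sunstone error.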