
Sunstone VM instantiation requires VM Template CREATE ACL #7020

@OpenNebulaSupport

/!\ To report a security issue please follow this procedure:
[https://github.com/OpenNebula/one/wiki/Vulnerability-Management-Process]

Description

When we try to instantiate a template using a user who does not have "CREATE" permissions on the Template VMs, we receive the following error:
ERROR: "[one.template.instantiate] User [5] : Not authorized to perform CREATE TEMPLATE."

NOTE: This only affects Sunstone; it is possible to instantiate a VM via the CLI using the template.

The user's ACL set is as follows (group @100):

oneadmin@opennebula:~$ oneacl list

  ID     USER RES_VHNIUTGDCOZSvRMAPtB   RID OPE_UMAC  ZONE
   0       @1     V--I-T---O-S----P-B     *     ---c     *
   3       @1     -H-----------------     *     -m--    #0
   4       @1     --N----------------     *     u---    #0
   5       @1     -------D-----------     *     u---    #0
  36     @100     -HN----D-----------     *     um--    #0
  37     @100     -----T-------------     *     u---    #0
  38     @100     V------------------     *     umac    #0
   1        *     ----------Z--------     *     u---     *
   2        *     --------------MA---     *     u---     *
  13        *     -HNI---D-----------     *     um--    #0

Since the group has "USE" permissions on VM Templates, it should be able to instantiate them through Sunstone.

To Reproduce

  1. Create new group:
    onegroup create test

  2. Create new user:
    oneuser create testuser opennebula --group test

  3. Delete default ACLs (required because by default the user is given CREATE permissions on the VM Templates):
    oneacl delete <newgroup_acls_range>

  4. Create Group ACLs:
    oneacl create "@<group_id> HOST+NET+DATASTORE/* USE+MANAGE #0"
    oneacl create "@<group_id> TEMPLATE/* USE #0"
    oneacl create "@<group_id> VM/* USE+MANAGE+ADMIN+CREATE #0"

  5. Try to instantiate a VM from a template via Sunstone:

ERROR: "[one.template.instantiate] User [5] : Not authorized to perform CREATE TEMPLATE."

  6. Try to instantiate a VM from a template via the CLI:
    oneadmin@opennebula:~$ onetemplate instantiate 20 --user testuser
    Password: 
    VM ID: 103

Expected behavior

Just like with the CLI, the template should be able to be instantiated only with "USE" permissions and should not require "CREATE" permissions.

Details

  • Affected Component: Sunstone
  • Hypervisor: NA
  • Version: 6.10.3


Progress Status

  • Code committed
  • Testing - QA
  • Documentation (Release notes - resolved issues, compatibility, known issues)
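
To audit a rule set like the one quoted in this issue, the following added example (not part of the original report and not OpenNebula code) parses `oneacl list` output and reports which operations a set of subjects holds on a resource type. It assumes a user whose only group is 100 is matched by the `@100` and `*` rules, ignores the RID and ZONE columns, and takes resource and operation names from the `oneacl create` commands in the report.

```python
# Constructed sample: the `oneacl list` output quoted in the issue.
ACL_LIST = """\
  ID     USER RES_VHNIUTGDCOZSvRMAPtB   RID OPE_UMAC  ZONE
   0       @1     V--I-T---O-S----P-B     *     ---c     *
   3       @1     -H-----------------     *     -m--    #0
   4       @1     --N----------------     *     u---    #0
   5       @1     -------D-----------     *     u---    #0
  36     @100     -HN----D-----------     *     um--    #0
  37     @100     -----T-------------     *     u---    #0
  38     @100     V------------------     *     umac    #0
   1        *     ----------Z--------     *     u---     *
   2        *     --------------MA---     *     u---     *
  13        *     -HNI---D-----------     *     um--    #0
"""

# Names as used in the issue's `oneacl create` rules; other letters are kept as-is.
RES_NAMES = {"V": "VM", "H": "HOST", "N": "NET", "T": "TEMPLATE", "D": "DATASTORE"}
OP_NAMES = {"U": "USE", "M": "MANAGE", "A": "ADMIN", "C": "CREATE"}

def parse_acl_list(text):
    """Decode each row's resource and operation masks using the header letters."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    res_letters = header[2].split("_", 1)[1]   # "VHNIUTGDCOZSvRMAPtB"
    op_letters = header[4].split("_", 1)[1]    # "UMAC"
    rules = []
    for line in lines[1:]:
        rule_id, user, res_mask, rid, op_mask, zone = line.split()
        if len(res_mask) != len(res_letters) or len(op_mask) != len(op_letters):
            raise ValueError(f"mask width mismatch in rule {rule_id}")
        rules.append({
            "id": int(rule_id), "user": user, "rid": rid, "zone": zone,
            # Position decides the letter, so 'v' and 't' stay distinct from 'V' and 'T'.
            "resources": {h for h, c in zip(res_letters, res_mask) if c != "-"},
            "ops": {OP_NAMES.get(h, h) for h, c in zip(op_letters, op_mask) if c != "-"},
        })
    return rules

def granted_ops(rules, subjects, res_letter):
    """Union of operations that rules for `subjects` grant on one resource letter."""
    ops = set()
    for rule in rules:
        if rule["user"] in subjects and res_letter in rule["resources"]:
            ops |= rule["ops"]
    return ops

if __name__ == "__main__":
    for letter in "TV":
        found = granted_ops(parse_acl_list(ACL_LIST), {"@100", "*"}, letter)
        print(RES_NAMES[letter], sorted(found))
```

For the listing in the report, the `@100` and `*` rules yield only USE on TEMPLATE and all four operations on VM.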
