apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

use.system.public.ips does nothing when domain doesn't have a range #7608

Open soreana opened 1 year ago

soreana commented 1 year ago
ISSUE TYPE
COMPONENT NAME
IP assignment
CLOUDSTACK VERSION
4.17,
4.18,
main (*)

(*): Although I didn't test that on the main branch, the code part didn't change, so it should be there as well.

SUMMARY

By default, when users have used all of their assigned public IPs, they can use system public IPs. Although admins can prevent that by using the use.system.public.ips setting, the setting doesn't have any effect when the user doesn't have any reserved range.

STEPS TO REPRODUCE
  1. Login as a root admin
  2. Create a domain and a domain admin account for the domain.
  3. Set use.system.public.ips to false in the account, the domain or globally.
  4. Assign an IP range to the domain or the account. [Range 1]
  5. Login as a domain admin and create an isolated network in domain.
  6. Go to the isolated network page and click on the Public IP addresses then click on Acquire new IP.
  7. The list shows only the IPs in the assigned IP range [Range 1]
  8. Logout and login as a root admin again
  9. Remove the [Range 1] IP range assignment.
  10. Repeat steps 5, 6, and 7. The output list now includes the system IPs.
EXPECTED RESULTS
User can NOT see the system's public IP addresses.
ACTUAL RESULTS
User can see the system's public IP addresses.
kiranchavala commented 1 year ago

@DaanHoogland able to reproduce the issue

DaanHoogland commented 1 year ago

@soreana are you creating a PR for this?

soreana commented 1 year ago

Hey @DaanHoogland Yes, I'm going to create a PR for this issue. Any suggestion appreciated :)

weizhouapache commented 1 year ago

This seems to be expected behaviour (at least it has behaved like this for many years).

I suggest not changing it; otherwise it will cause backwards compatibility issues and impact some existing environments.

soreana commented 1 year ago

@weizhouapache Honestly, before double-checking the global setting definition I didn't agree with you. But now it makes sense not to touch the global setting's behaviour.

Shall I add a new setting called restric.system.public.ips.access which restricts public IP access even if the user doesn't have a dedicated range?

Definition of "use.system.public.ips"
If true, when account has dedicated public ip range(s), once the ips dedicated to the account have been consumed ips will be acquired from the system pool
weizhouapache commented 1 year ago

@soreana Good idea. Go for it.

Can we close this ticket, as it is not a real issue?

soreana commented 1 year ago

I would create a PR for that.

Btw, I think it is better to keep it open. I would change it in a way that it reflects our discussion.
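
Added example, not part of the thread and not CloudStack code: a small audit model of the behaviour discussed above, flagging accounts where use.system.public.ips is false but no dedicated range exists, so system IPs are still offered. The inventory, the field names and the account > domain > global precedence are assumptions made for the illustration.

```python
# Added illustration: models the behaviour described in this issue; not CloudStack code.
# All field names and the inventory below are constructed for the example.

KEY = "use.system.public.ips"
GLOBAL = {KEY: True}                      # constructed global value

DOMAINS = {                               # constructed sample inventory
    "d1": {"settings": {KEY: False}, "ranges": ["Range 1"]},
    "d2": {"settings": {KEY: False}, "ranges": []},
    "d3": {"settings": {}, "ranges": []},
}
ACCOUNTS = [
    {"name": "acct-a", "domain": "d1", "settings": {}, "ranges": []},
    {"name": "acct-b", "domain": "d2", "settings": {}, "ranges": []},
    {"name": "acct-c", "domain": "d3", "settings": {KEY: False}, "ranges": ["Range 2"]},
    {"name": "acct-d", "domain": "d3", "settings": {}, "ranges": []},
]

def effective_setting(account):
    """Assumed precedence: account value, then domain value, then global."""
    for scope in (account["settings"], DOMAINS[account["domain"]]["settings"], GLOBAL):
        if KEY in scope:
            return scope[KEY]
    raise KeyError(KEY)

def dedicated_ranges(account):
    """Ranges dedicated to the account or to its domain (step 4 of the report)."""
    return account["ranges"] + DOMAINS[account["domain"]]["ranges"]

def system_pool_reachable(account, dedicated_exhausted=True):
    """Behaviour as described in the thread: the setting is consulted only
    when a dedicated range exists; without one, system IPs are offered."""
    if not dedicated_ranges(account):
        return True
    return dedicated_exhausted and effective_setting(account)

def unenforced_restrictions(accounts):
    """Accounts where the setting is false but system IPs are still reachable."""
    return [a["name"] for a in accounts
            if not effective_setting(a) and system_pool_reachable(a)]

if __name__ == "__main__":
    print(unenforced_restrictions(ACCOUNTS))
```
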