Get All Access Info Of a Cluster Kubernetes Through API Key's User

[VanDuy91]

ISSUE TYPE

• Bug Report

COMPONENT NAME

API, Kubernetes

CLOUDSTACK VERSION

4.18.0.0

CONFIGURATION

• Apply role to the user: User role(default role on Cloustack)
• Generate keys for the user

OS / ENVIRONMENT

Ubuntu 22.04

SUMMARY

Any user can get access info of a cluster from another one if they have the ID of the cluster

STEPS TO REPRODUCE

- Set role to a user: Default User role on Cloudstack
- Generate keys for the user
- Get access  info of  a cluster from another user (e.g. xxx is the ID cluster of user A, but user B can get info of xxx cluster through API of user B (B has the ID cluster of A) )

EXPECTED RESULTS

Can't get info of a cluster Kubernetes if they not own

ACTUAL RESULTS

Get all of info of a cluster if we have ID of any cluster

[kiranchavala]

@VanDuy91

I am not able to reproduce this issue, The steps that i followed are

Could you please cross check again if they are correct

1. Create account of role type user ( Lets say Account 1 > User1)
2. Login as user 1 > Launch a k8s cluster
3. Execute api call with user 1 apikey and secret key
https://cloudstack.apache.org/api/apidocs-4.18/apis/listKubernetesClusters.html

list kubernetesclusters

Able to get the output of the api call 

4. Create account of role type user ( Lets say Account 2> User2)

5. Execute api call with user 2 apikey and secret key
https://cloudstack.apache.org/api/apidocs-4.18/apis/listKubernetesClusters.html

list kubernetesclusters

There is no response to the api call

[VanDuy91]

@VanDuy91

I am not able to reproduce this issue, The steps that i followed are

Could you please cross check again if they are correct

1. Create account of role type user ( Lets say Account 1 > User1)
2. Login as user 1 > Launch a k8s cluster
3. Execute api call with user 1 apikey and secret key
https://cloudstack.apache.org/api/apidocs-4.18/apis/listKubernetesClusters.html

list kubernetesclusters

Able to get the output of the api call 

4. Create account of role type user ( Lets say Account 2> User2)

5. Execute api call with user 2 apikey and secret key
https://cloudstack.apache.org/api/apidocs-4.18/apis/listKubernetesClusters.html

list kubernetesclusters

There is no response to the api call

Hi @kiranchavala ,
Following steps were what I did:

1. Create an account of role type user (Let's say Account 1 > User1)
2. Login as user 1 > Launch a k8s cluster
3. Execute API call with user 1 API key and secret key
https://cloudstack.apache.org/api/apidocs-4.18/apis/getKubernetesClusterConfig.html

get  Kubernetes clusters access infomation

Able to get the output of the API call (including the Kubernetes cluster config)

4. Create an account of role type user ( Lets say Account 2> User2)

5. Execute API call with user 2 API key and secret key and k8s cluster's ID get from User1 
https://cloudstack.apache.org/api/apidocs-4.18/apis/getKubernetesClusterConfig.html
Get Kubernetes clusters access infomation

Able to get the output of the API call (including the Kubernetes cluster config)

>> This means, you can get Kubernetes cluster config of any k8s cluster even if you are not the owner or do not have any permission on these clusters.

[kiranchavala]

@VanDuy91 thanks for the information

i am able to reproduce the issue

[kiranchavala]

@DaanHoogland @weizhouapache could you please look into this

[weizhouapache]

Maybe there is no access check in code

[weizhouapache]

fixed via #7854