Can't create DomainAdmin Account to Domain

[hiblinux]

ISSUE TYPE

• Questions

COMPONENT NAME

Create Account And Users

CLOUDSTACK VERSION

CloudStack 4.19.1.1 

SUMMARY

I have a Role named Domain Admin L2 with the Role Type of Admin and linked to the "admin l2" account in the ROOT domain (Csv rules attached).

The problem I encounter is that when I want to create a new account in the Sub-domain, let's call it ROOT/CS/Customer1, using the available default role named Domain Admin with Role Type DomainAdmin, an error appears stating 'can not create an account with access to more privileges they have themself.'

From the CSV i see the Domain Admin L2 role has more privileges than Domain Admin role.

What is wrong with what I'm doing?

Domain Admin_DomainAdmin.csv
Domain Admin L2_Admin.csv

[boring-cyborg[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template!

[DaanHoogland]

@hiblinux at first sight it doesn't look like you are doing anything wrong. Can you create the new account from a user in the root admin account?

[hiblinux]

@DaanHoogland Yes i can create new account from the Root Admin.

But the situation need me to seperate the privileges of account, thats the reason i create new Role name "Domain Admin L2".

[DaanHoogland]

Understood, there is a related PR out (that needs a volunteer to test it) #9173 . Maybe it solves your issue...

[BryanMLima]

Hello, @hiblinux

First, I just want to clarify how ACS checks if a given role has permission to create another account. It will check if the caller account has permission (i.e., allow) to all APIs in the role used by the target account.

Using a diff checker tool, I managed to encounter some inconsistencies, that would fail this verification. The following APIs are denied for the role Domain Admin L2 and are allowed for the role DomainAdmin:

• createDiskOffering
• createServiceOffering
• deleteDiskOffering
• deleteServiceOffering
• updateDiskOffering
• updateServiceOffering
• updateConfiguration

Even though the type of the role Domain Admin L2 is Admin and the role Domain Admin is of type DomainAdmin, ACS will fail in the validation of the APIs above; that's why you are receiving the message can not create an account with access to more privileges they have themself.

Now, about the why ACS does not allow this: escalation of privileges. If a user could create an account with more privileges than its own, then this is a security concern. Consider a scenario where a custom Root Admin was created with just read permissions. If ACS allowed this role to create another account with more permissions just because it is of type Admin, an attacker could you this to create a Root Admin with all permissions, which is not desired.

To tackle your problem specifically, you'll need to normalize the permissions of the APIs mentioned above (and others, if I missed something) for the custom role Domain Admin L2.

@DaanHoogland, I don't think this is a bug, it is working as expected.

[DaanHoogland]

Good find @BryanMLima , @hiblinux please see the explanation above. It makes sense.