ISSUE TYPE
COMPONENT NAME
UI, Permissions, Access Controll
CLOUDSTACK VERSION
SUMMARY
The #4339 pull request allows CloudStack's domain admins to change their domains configurations. This option gives domain admins power to abuse CloudStack system IPs, create public templates, share their templates with other domains, and many more unwanted effects to the environments even though the root admin disallow these actions in the first place.
| Domain level settings |
| account.allow.expose.host.hostname |
| allow.public.user.templates |
| preferred.storage.pool |
| share.public.templates.with.other.domains |
| use.system.public.ips |
As of now there isn't a global setting to revert this changes. I have the following suggestions let me know what do you think.
- Add a global setting to override this behaviour.
- Move these setting to global level so domain admins can't change them.
- Give priority to the global level settings, so if domain admins override a setting.
STEPS TO REPRODUCE
1. Login as a root admin
2. Configure the domain
3. Log out
4. Login as a domain admin
5. Configure the domain
EXPECTED RESULTS
Root admin configurations are **NOT** overridden.
ACTUAL RESULTS
Root admin configurations are overridden.
ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
SUMMARY
The #4339 pull request allows CloudStack's domain admins to change their domains configurations. This option gives domain admins power to abuse CloudStack system IPs, create public templates, share their templates with other domains, and many more unwanted effects to the environments even though the root admin disallow these actions in the first place.
As of now there isn't a global setting to revert this changes. I have the following suggestions let me know what do you think.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS