...
Current implementation of the list APIs is tied tightly with the default roles (root admin,domainadmin, regular user), and we have hard-coded logic baked in to handle these three out-of-box roles differently.The List APIs do not interpret the listing parameters in a standard way across board. Depending on which role is invoking the call, the logic assumes some default behavior in the given context and provides results by ignoring the passed listing parameter. Most contradictory parameters are these four: listall, isrecursive, domainid, account. Here is a summary of current API behavior in handling these four APIs;
Category | listAll | isRecursive | Result |
Both domainId and account are provided | IGNORED | IGNORED | Only list resources owned by the given account, even though the specified account is a root admin or domain admin. Basically listAll and isRecursive flags are totally ignored. |
Neither domainId nor account is provided (caller = NORMAL USER) | IGNORED | IGNORED | Only list resources owned by the caller. Basically listAll and isRecursive flags are totally ignored. |
Neither domainId nor account is provided (caller = ROOT ADMIN) | TRUE | IGNORED | Always list all the authorized resources for the root admin, isRecursive flag is ignored. |
| FALSE | IGNORED | Only list resources owned by the root admin |
Neither domainid nor account is provided (caller = DOMAIN ADMIN) | TRUE | IGNORED | Always list all the authorized resource along the domain tree, ignore passed isRecursive flag and internally set it to always TRUE. |
| FALSE | IGNORED | Only list resources owned by the domain admin. isRecursive flag is not taking effect |
Only domainId is provided (caller = NORMAL USER) | IGNORED | IGNORED | Only list resources owned by the caller. |
Only domainId is provided (caller = ROOT/DOMAIN ADMIN) | IGNORED | TRUE | List the authorized resources along the domain tree. |
| IGNORED | FALSE | List the authorized resources only for the given domain. |
There are several issues with current behavior:
...
With this hard-coded baked logic specific to each account type, the implementation will be very hard to extend to handle true IAM usecases with customized roles introduced, since we need to define what the meaning of these parameters for those customized roles. With real IAM, the listing should follow a standard pattern and work with the list API parameters irrespective of who is the caller - the IAM policies attached to the caller should drive the results.
B]For
...
...
...
Example: AssociateIpAddress from a Network, always sets the Network owner as the owner of the IpAddress acquired newly. This implicit derivation will break IAM granting across accounts. Since if Account A grants her network to Account B, the IpAddress Account B acquires will still be owned by account A. So the grant does not really work.
...
Few CS APIs accept account-domain parameters and do impersonation based on these parameters. But as a way to indicate impersonation, but this is not followed across all APIs. So to support impersonation via IAM, we need to change APIs to deprecate these (account, domainId) impersonation and come up with a new impersonate API to have a standard impersonation mechanism.
In order to make them compatible with IAM, we need changes to the API semantics which will break backwards compatibility for existing deployments. So we need a API version change to accommodate IAM support.