There was a major change in the way our list* API commands work in 3.0 compared to 2.2.x (Bug 12306 - Make all listXXX default to "My" resources)

1) When no parameters are passed in to the call, the caller sees only HIS resources (even when the caller is the admin). This is the main difference from how it used to work: before, the admin saw everyone else's resources by default.

2) When accountName/domainId are passed in, the caller sees the resources belonging to the specified account.

* If the call is executed by the regular user, he is authorized to specify only his own account/domainId.

* If the caller is a domain admin, we perform an authorization check to see if the caller can see the account/domainId resources.

3) When projectId is passed in, only resources belonging to that project are being listed.

4) When domainId is passed in, we return only resources belonging to the specified domain. To see the resources of subdomains, the isRecursive=true parameter has to be specified. Again, a regular user can see only his own resources, the Root admin can list anything, and a domain admin is authorized to see only resources of his domain and subdomains.

5) To see all resources the caller is authorized to see, except for Project resources, the listAll=true parameter has to be passed in.

6) To see all Project resources the caller is authorized to see, projectId=-1 has to be passed in.
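The scoping rules 1) to 6) above, modelled as an added Python example (this is not CloudStack's own code). The domain tree, role names, the caller/resource structures, the `projects` membership set and the fallback of a missing domainId to the caller's domain are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed sample domain tree (hypothetical ids): ROOT -> d1 -> d1a, ROOT -> d2
DOMAIN_PARENT = {"ROOT": None, "d1": "ROOT", "d1a": "d1", "d2": "ROOT"}

def in_subtree(domain, ancestor):
    while domain is not None and domain != ancestor:   # walk up the parent chain
        domain = DOMAIN_PARENT[domain]
    return domain == ancestor

@dataclass
class Caller:
    account: str
    domain: str
    role: str                                   # "user", "domain_admin" or "root_admin"
    projects: set = field(default_factory=set)  # projects the caller belongs to (assumption)

@dataclass
class Resource:
    account: str
    domain: str
    project: "str | None" = None                # set only for project-owned resources

def can_see(caller, res):
    """Scope: root admin sees all, domain admin his subtree, user his account/projects."""
    if caller.role == "root_admin":
        return True
    if caller.role == "domain_admin":
        return in_subtree(res.domain, caller.domain)
    return res.account == caller.account or res.project in caller.projects

def list_resources(caller, resources, account=None, domain_id=None,
                   project_id=None, list_all=False, is_recursive=False):
    """Return the subset of resources visible under the 3.0 list* rules."""
    if project_id is not None:                       # rules 3 and 6 (projectId=-1)
        return [r for r in resources if r.project and can_see(caller, r)
                and (project_id == -1 or r.project == project_id)]
    if account is not None or domain_id is not None:  # rules 2 and 4
        target = domain_id or caller.domain          # assumption: default to caller's domain
        if caller.role == "user" and (account not in (None, caller.account) or target != caller.domain):
            raise PermissionError("regular user may only pass his own account/domainId")
        if caller.role == "domain_admin" and not in_subtree(target, caller.domain):
            raise PermissionError("domain admin may only target his domain or its subdomains")
        return [r for r in resources if not r.project and can_see(caller, r)
                and (account is None or r.account == account)
                and (r.domain == target or (is_recursive and in_subtree(r.domain, target)))]
    if list_all:                                     # rule 5: everything authorized, minus projects
        return [r for r in resources if not r.project and can_see(caller, r)]
    return [r for r in resources if not r.project and r.account == caller.account]  # rule 1
```

The key behavioural check is the first rule: with no parameters even the Root admin gets only his own resources, which is the 3.0 change the page describes.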


There are two API commands that do not fully fall under the rules above:

listTemplates command. This command has its own flags defining the list rules:


featured,           // returns templates that have been marked as featured and public

self,               // returns templates that have been registered or created by the calling user

selfexecutable,     // same as self, but only returns templates that are ready to be deployed with

sharedexecutable,   // ready templates that have been granted to the calling user by another user

executable,         // templates that are owned by the calling user, or public templates, that can be used to deploy a new VM

community,          // returns templates that have been marked as public but not featured

all                 // returns all templates (only usable by admins)


and the listNetworks command:

1) When account/domainId or projectId are passed in:

* list all account specific networks of the account/project

* list all domain level networks from the domainId + subdomains if the targeted network has allowSubdomainAccess = true

In other words, we list all the networks that the account/domainId can use for VM deployment.

If listAll is not specified in the request, account/domainId default to the account/domainId of the caller.

listAll is ignored if the call is made by a regular user.

2) When listAll is passed in by the Root admin, we list:

* all Account specific networks in the system

* all domain specific networks in the system

3) When listAll is passed in by the Domain admin, we list:

* All Account specific networks belonging to domain/subdomains of the domain admin.

* All domain specific networks belonging to domain/subdomains of the domain admin

* All domain specific networks allowing subdomain access belonging to the parent domain.


4) domainId - can be passed either with or without listAll. We list:

* all account specific networks belonging to the domain

* all domain specific networks of the domain

* all domain specific networks of the subdomains if isRecursive = true is passed in


The rules above apply only to managed resources - those that belong to an account/domain/project. They are irrelevant for the list* commands displaying unmanaged (system) resources - hosts, clusters, external network resources.

In the general view, the CloudStack UI displays all resources that the logged-in user is authorized to see, except for project resources. To see the project resources, you have to select the project view.
