problem
Domain Admin cannot update resource limits of its account
versions
ACS 4.20, 4.19
The steps to reproduce the bug
- Create a domain under the root (let's say d1)
- Create a domain admin account (da1) under the domain 1
- Create another domain admin account (da2) under the domain 1
- Log in as domain admin account (da1)
- Navigate accounts > select domain admin account (da2) > configure limits > Change the max user instance to 21 > success
- Perform the same action on da1:
  Navigate accounts > select domain admin account (da1) > configure limits > Change the max user instance to 21 > failure
Exception
Unable to update resource limit for their own account 5, permission denied
Logs
Domain admin da1 trying to update the resource limits of its own account
2025-05-27 05:50:16,301 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073]) (logid:c905d200) ===START=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c
2025-05-27 05:50:16,301 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073]) (logid:c905d200) Two factor authentication is already verified for the user 5, so skipping
2025-05-27 05:50:16,317 DEBUG [c.c.a.ApiServer] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) CIDRs from which account 'Account [{"accountName":"user1domain1","id":5,"uuid":"55289255-54be-4515-a8c5-1288e9a7742b"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:50:16,330 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2025-05-27 05:50:16,330 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) API rate limiting is disabled. We will not use ApiRateLimitService.
2025-05-27 05:50:16,351 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) PermissionDenied: Unable to update resource limit for their own account 5, permission denied on objs: []
2025-05-27 05:50:16,351 INFO [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) (userId=5 accountId=5 sessionId=node012lrf9410vgpra42wupop3i2f10) 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c 531 Unable to update resource limit for their own account 5, permission denied
2025-05-27 05:50:16,351 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-00360073, ctx-c531902f]) (logid:c905d200) ===END=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=hTOoi-3wkfkXjUI3Q4GpuFzna7c
Domain admin da1 trying to update the resource limits of another domain admin account
[root@ref-trl-8570-k-Mol8-kiran-chavala-mgmt1 ~]# cat /var/log/cloudstack/management/management-server.log |grep -i "logid:47cbb57a"
2025-05-27 05:56:24,983 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e]) (logid:47cbb57a) ===START=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4DrA
2025-05-27 05:56:24,983 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e]) (logid:47cbb57a) Two factor authentication is already verified for the user 6, so skipping
2025-05-27 05:56:25,029 DEBUG [c.c.a.ApiServer] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) CIDRs from which account 'Account [{"accountName":"user2domain1","id":6,"uuid":"2689f76a-a6c0-458d-8e5d-25007eba12d1"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:56:25,038 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2025-05-27 05:56:25,038 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) API rate limiting is disabled. We will not use ApiRateLimitService.
2025-05-27 05:56:25,069 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) Access to Account [{"accountName":"user1domain1","id":5,"uuid":"55289255-54be-4515-a8c5-1288e9a7742b"}] granted to Account [{"accountName":"user2domain1","id":6,"uuid":"2689f76a-a6c0-458d-8e5d-25007eba12d1"}] by DomainChecker
2025-05-27 05:56:25,112 INFO [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) (userId=6 accountId=6 sessionId=node0x7mtcktao4uahjw82l98xv6411) 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4DrA 200 {"updateresourcelimitresponse":{"resourcelimit":{"account":"user1domain1","domainid":"4c8f9bce-458e-492e-87ea-90067e9d4dd4","domain":"domain1","domainpath":"/domain1/","resourcetype":"2","resourcetypename":"volume","max":20}}}
2025-05-27 05:56:25,113 DEBUG [c.c.a.ApiServlet] (qtp1390913202-446:[ctx-7819ab2e, ctx-4e080d07]) (logid:47cbb57a) ===END=== 10.0.3.251 -- GET account=user1domain1&domainid=4c8f9bce-458e-492e-87ea-90067e9d4dd4&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=wpTP1fHRUE9hbHl8TmCpVBT4Dr
...
What to do about it?
Domain admin account user should be able to update the resource limits of its own account
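For triage, the two outcomes in the logs above can be separated by joining each request's caller line and result line on `logid`. This is an added example, not part of the original report or CloudStack code; the function name `audit_limit_updates` is hypothetical and the sample lines are constructed, shortened from the log format shown above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample, shortened from the log format in the report (uuids, session ids and keys are placeholders).
SAMPLE_LOG = '''\
2025-05-27 05:50:16,317 DEBUG [c.c.a.ApiServer] (qtp-25:[ctx-a]) (logid:c905d200) CIDRs from which account 'Account [{"accountName":"user1domain1","id":5,"uuid":"uuid-5"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:50:16,351 INFO [c.c.a.ApiServlet] (qtp-25:[ctx-a]) (logid:c905d200) (userId=5 accountId=5 sessionId=s1) 10.0.3.251 -- GET account=user1domain1&domainid=dom-1&resourcetype=5&max=10&command=updateResourceLimit&response=json&sessionkey=REDACTED 531 Unable to update resource limit for their own account 5, permission denied
2025-05-27 05:56:25,029 DEBUG [c.c.a.ApiServer] (qtp-446:[ctx-b]) (logid:47cbb57a) CIDRs from which account 'Account [{"accountName":"user2domain1","id":6,"uuid":"uuid-6"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-05-27 05:56:25,112 INFO [c.c.a.ApiServlet] (qtp-446:[ctx-b]) (logid:47cbb57a) (userId=6 accountId=6 sessionId=s2) 10.0.3.251 -- GET account=user1domain1&domainid=dom-1&resourcetype=2&max=20&command=updateResourceLimit&response=json&sessionkey=REDACTED 200 {"updateresourcelimitresponse":{}}
'''

# ApiServer line naming the calling account for a request.
CALLER_RE = re.compile(r"""\(logid:(\w+)\) CIDRs from which account 'Account \[\{"accountName":"([^"]+)\"""")
# ApiServlet completion line: caller ids, client address, query string, status code.
RESULT_RE = re.compile(r"\(logid:(\w+)\) \(userId=\d+ accountId=(\d+) sessionId=\S+\) \S+ -- \w+ (\S+) (\d{3}) ")

def audit_limit_updates(log_text):
    """Return one record per completed updateResourceLimit call, joined on logid."""
    callers, records = {}, []
    for line in log_text.splitlines():
        m = CALLER_RE.search(line)
        if m:
            callers[m.group(1)] = m.group(2)  # logid -> caller account name
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        logid, account_id, query, status = m.groups()
        params = parse_qs(query)
        if params.get("command") != ["updateResourceLimit"]:
            continue
        caller = callers.get(logid)
        target = params.get("account", [None])[0]
        records.append({
            "logid": logid, "caller": caller, "caller_account_id": int(account_id),
            "target": target, "resourcetype": params.get("resourcetype", [None])[0],
            "max": params.get("max", [None])[0], "status": int(status),
            # Assumption: account names are compared within one domain; domainid is not checked.
            "self_target": caller is not None and caller == target,
        })
    return records

if __name__ == "__main__":
    for record in audit_limit_updates(SAMPLE_LOG):
        print(record)
```

Records with `self_target` true and status 531 are the failing case described in the report; records with `self_target` false show one account changing another account's limits in the same domain.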