Closed
ISSUE TYPE
- Bug Report
COMPONENT NAME
Core
CLOUDSTACK VERSION
4.17.0.0
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
This is somewhat related to my previously created issue #6620.
Resource tags are always attached to an account. This means that an account can only delete its own tags. However, the permission check done inside the code is made on all tags belonging to the resource, regardless of whether the user asks for the tag to be deleted or not, which results in the deletion always failing.
Related code lines:
STEPS TO REPRODUCE
Using cmk:
# As account 1
associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1 tags[0].value=somevalue1
disassociate ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
# As account 2
associate ipaddress networkid=[...] vpcid=[...] id=86b1b359-1879-488b-ba9c-772cceeb6908
create tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey2 tags[0].value=somevalue2
disassociate ipaddress id=86b1b359-1879-488b-ba9c-772cceeb6908
# As account 1: try to delete my own tag
delete tags resourcetype=publicipaddress resourceids=86b1b359-1879-488b-ba9c-772cceeb6908 tags[0].key=somekey1
EXPECTED RESULTS
The tag somekey1 gets deleted
ACTUAL RESULTS
Account does not have permission
jobid = 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62a
accountid = ca1015a8-d479-4327-9366-db44220dcb12
cmd = org.apache.cloudstack.api.command.user.tag.DeleteTagsCmd
jobstatus = 2
jobprocstatus = 0
jobresultcode = 530
jobresult = {"errorcode":530,"errortext":"Account account1 does not have permission to operate within domain id=XXXX"}
userid = 4c238098-36b5-4cf8-8ddf-e930c72b6eb0
jobresulttype = object
created = 2022-08-10T11:08:36+0200
completed = 2022-08-10T11:08:37+0200
Error: async API failed for job 3e9fd323-0175-4fd0-aaf5-9d6b32ecb62
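
A simplified model of the check described in the summary, as an added example that is not part of the original report and is not CloudStack code. `Tag`, `check_access` and both delete functions are hypothetical names, and ownership is reduced to a string comparison on the account name.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Tag:
    key: str
    value: str
    owner: str        # account the tag is attached to
    resource_id: str


def check_access(caller, tag):
    # Assumed ownership rule: an account may only operate on its own tags.
    if tag.owner != caller:
        raise PermissionDenied(f"Account {caller} does not have permission on tag {tag.key}")


def delete_tags_check_all(store, caller, resource_id, keys):
    """Behaviour described in the report: every tag on the resource is checked."""
    on_resource = [t for t in store if t.resource_id == resource_id]
    for t in on_resource:
        check_access(caller, t)   # fails on another account's leftover tag
    doomed = [t for t in on_resource if t.key in keys]
    return [t for t in store if t not in doomed]


def delete_tags_check_requested(store, caller, resource_id, keys):
    """Select the requested tags first, then authorise only those."""
    doomed = [t for t in store if t.resource_id == resource_id and t.key in keys]
    for t in doomed:
        check_access(caller, t)   # still refuses deleting someone else's tag
    return [t for t in store if t not in doomed]


# Constructed state matching the reproduction steps: both accounts tagged the same IP.
IP = "86b1b359-1879-488b-ba9c-772cceeb6908"
STORE = [
    Tag("somekey1", "somevalue1", "account1", IP),
    Tag("somekey2", "somevalue2", "account2", IP),
]
```

Narrowing the check to the requested tags keeps the isolation property: in this model, account1 asking to delete `somekey2` is still refused.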