use.system.public.ips does nothing when domain doesn't have a range

[soreana]

ISSUE TYPE

• Bug Report

COMPONENT NAME

IP assignment

CLOUDSTACK VERSION

4.17,
4.18,
main (*)

(*): Although I didn't test that on main branch, the code pard didn't change so it should be there as well.

SUMMARY

By default when user use all of their assigned public IPs, they can use system public IPs. Although by using the use.system.public.ips setting admins can prevent that action, the setting doesn't have any affect when user doesn't have any reserved range.

STEPS TO REPRODUCE

1. Login as a root admin
2. Create a domain and a domain admin account for the domain.
3. Set use.system.public.ips to false in the account, the domain or globally.
4. Assign an IP range to the domain or the account. [Range 1]
5. Login as a domain admin and create an isolated network in domain.
6. Go to the isolated network page and click on the Public IP addresses then click on Acquire new IP.
7. The list shows only the IPs in the assinged IP range [Range 1]
8. Logout and login as a root admin again
9. Remove the [Range1] IP range assignment.
10. Repeat step 5, 6, and 7. The output list now includes the system IPs.

EXPECTED RESULTS

User can NOT see the system's public IP addresses.

ACTUAL RESULTS

User can see the system's public IP addresses.

[kiranchavala]

@DaanHoogland able to reproduce the issue

[DaanHoogland]

@soreana are you creating a PR for this?

[soreana]

Hey @DaanHoogland Yes, I'm going to create a PR for this issue. Any suggestion appreciated :)

[weizhouapache]

this seems to be expected behaviour.
(at least it behaves like it from many years ago)

I suggest not to change it, otherwise it will cause backwards compatilbility, and impact some existing environments.

[soreana]

@weizhouapache Honestly, Before double checking the global setting definition I wasn't agree with you. But now it makes sense not to touch the global settings behaviour.

Shall I add a new setting called restric.system.public.ips.access which restricts public IP access even if user doesn't have the dedicated range?

Definition of "use.system.public.ips"
If true, when account has dedicated public ip range(s), once the ips dedicated to the account have been consumed ips will be acquired from the system pool

[weizhouapache]

@weizhouapache Honestly, Before double checking the global setting definition I wasn't agree with you. But now it makes sense not to touch the global settings behaviour.

Shall I add a new setting called restric.system.public.ips.access which restricts public IP access even if user doesn't have the dedicated range?

Definition of "use.system.public.ips"
If true, when account has dedicated public ip range(s), once the ips dedicated to the account have been consumed ips will be acquired from the system pool

@soreana good idea. go for it.

can we close this ticket as it is not a real issue ?

[soreana]

@weizhouapache Honestly, Before double checking the global setting definition I wasn't agree with you. But now it makes sense not to touch the global settings behaviour.
Shall I add a new setting called restric.system.public.ips.access which restricts public IP access even if user doesn't have the dedicated range?

Definition of "use.system.public.ips"
If true, when account has dedicated public ip range(s), once the ips dedicated to the account have been consumed ips will be acquired from the system pool

@soreana good idea. go for it.

can we close this ticket as it is not a real issue ?

I would create a PR for that.

Btw, I think it is better to keep it open. I would change it in a way that it reflects our discussion.