CA-406402/XSI-2128: Ignore RBAC when destroying internal tasks#6885
Merged
robhoes merged 1 commit intoxapi-project:masterfrom Feb 5, 2026
Merged
CA-406402/XSI-2128: Ignore RBAC when destroying internal tasks#6885robhoes merged 1 commit intoxapi-project:masterfrom
robhoes merged 1 commit intoxapi-project:masterfrom
Conversation
Contributor
|
How can we be sure this is only used for internal tasks? |
robhoes
approved these changes
Feb 4, 2026
Member
robhoes
left a comment
robhoes
left a comment
There was a problem hiding this comment.
I think this is correct. The task is indeed created on the remote host, so a non-root context on the coordinator would not be allowed to destroy it. Nice discovery!
lindig
approved these changes
Feb 4, 2026
Contributor
|
I looked at the code again. It is explicit that this is an internal async operation - hence, something that needs a task, which must be cleaned up. I now also believe that this is correct. The code that is being called is: @robhoes comment suggests this could be simplified to |
When calling `VDI.copy` or `VDI.pool_migrate` with `vm_power_admin` role, xapi may forward the operation to a remote host. In this case, xapi creates a pool session on the remote host and create a new task. When the operation completes, `try_internal_async` uses the user's session to destroy the task that was created by an internal pool session, but the user doesn't have the permission to destory other user's task (task.destroy/any), so it fails. Solution: This is an internal cleanup operation, so it doesn't need user RBAC restriction and checking. Ignore RBAC when destroying internal tasks by calling Db_actions.DB_Action.Task.destroy directly. Signed-off-by: Bengang Yuan <bengang.yuan@citrix.com>
BengangY
force-pushed
the
private/bengangy/xsi-2128
branch
from
09975cc to
57adc22
Compare
Contributor
Author
|
robhoes
approved these changes
Feb 5, 2026
github-merge-queue bot
pushed a commit
that referenced
this pull request
Feb 5, 2026
When calling `VDI.copy` or `VDI.pool_migrate` with `vm_power_admin` role, xapi may forward the operation to a remote host. In this case, xapi creates a pool session on the remote host and create a new task. When the operation completes, `try_internal_async` uses the user's session to destroy the task that was created by an internal pool session, but the user doesn't have the permission to destory other user's task (task.destroy/any), so it fails. Solution: This is an internal cleanup operation, so it doesn't need user RBAC restriction and checking. Ignore RBAC when destroying internal tasks by calling Db_actions.DB_Action.Task.destroy directly. Backport the [PR](#6885) (cherry picked from commit [57adc22](57adc22))
BengangY
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When calling
VDI.copyorVDI.pool_migratewithvm_power_adminrole, xapi may forward the operation to a remote host. In this case, xapi creates a pool session on the remote host and create a new task. When the operation completes,try_internal_asyncuses the user's session to destroy the task that was created by an internal pool session, but the user doesn’t have the permission to destory other user’s task (task.destroy/any), so it fails.Solution:
This is an internal cleanup operation, so it doesn’t need user RBAC restriction and checking. Ignore RBAC when destroying internal tasks by calling Db_actions.DB_Action.Task.destroy directly.