Allow root admin to deploy in VPCs in child domains (#6832)

and make root admin permissions configurable
dahn 2022-12-20 03:39:04 -08:00 committed by GitHub
parent 6d74815798
commit 575fffc097
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 232 additions and 203 deletions


@ -89,9 +89,12 @@ public interface NetworkModel {
List<String> metadataFileNames = new ArrayList<>(Arrays.asList(SERVICE_OFFERING_FILE, AVAILABILITY_ZONE_FILE, LOCAL_HOSTNAME_FILE, LOCAL_IPV4_FILE, PUBLIC_HOSTNAME_FILE, PUBLIC_IPV4_FILE,
INSTANCE_ID_FILE, VM_ID_FILE, PUBLIC_KEYS_FILE, CLOUD_IDENTIFIER_FILE, HYPERVISOR_HOST_NAME_FILE));
static final ConfigKey<Integer> MACIdentifier = new ConfigKey<Integer>("Advanced",Integer.class, "mac.identifier", "0",
static final ConfigKey<Integer> MACIdentifier = new ConfigKey<>("Advanced",Integer.class, "mac.identifier", "0",
"This value will be used while generating the mac addresses for isolated and shared networks. The hexadecimal equivalent value will be present at the 2nd octet of the mac address. Default value is null which means this feature is disabled.Its scope is global.", true, ConfigKey.Scope.Global);
static final ConfigKey<Boolean> AdminIsAllowedToDeployAnywhere = new ConfigKey<>("Advanced",Boolean.class, "admin.is.allowed.to.deploy.anywhere", "false",
"This will determine if the root admin is allowed to deploy in networks in subdomains.", true, ConfigKey.Scope.Global);
/**
* Lists IP addresses that belong to VirtualNetwork VLANs
*
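Review bot: The description given for `admin.is.allowed.to.deploy.anywhere` understates what the key does: it speaks only of deploying in networks in subdomains, while in NetworkModelImpl the key short-circuits the whole of `checkNetworkPermissions` for a root admin (the debug message there says "permitted to do stuff on every network"). The key is declared dynamic and global and it widens what an account may do, so the text should state the real scope, for instance `"If true, all network permission checks are skipped for root admin accounts, so they can use any network regardless of its owner or domain. Default is false."`. A short comment above the declaration saying that the key is read in `checkNetworkPermissions` would also help the next reader find the enforcement point.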


@ -147,6 +147,7 @@ import com.cloud.vm.dao.VMInstanceDao;
public class NetworkModelImpl extends ManagerBase implements NetworkModel, Configurable {
static final Logger s_logger = Logger.getLogger(NetworkModelImpl.class);
public static final String UNABLE_TO_USE_NETWORK = "Unable to use network with id= %s, permission denied";
@Inject
EntityManager _entityMgr;
@Inject
@ -1665,39 +1666,49 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
}
@Override
public void checkNetworkPermissions(Account caller, Network network) {
// dahn 20140310: I was thinking of making this an assert but
// as we hardly ever test with asserts I think
// we better make sure at runtime.
if (network == null) {
throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
}
// Perform account permission check
if (network.getGuestType() != GuestType.Shared || network.getAclType() == ACLType.Account) {
AccountVO networkOwner = _accountDao.findById(network.getAccountId());
if (networkOwner == null)
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
", network does not have an owner");
if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
checkProjectNetworkPermissions(caller, networkOwner, network);
} else {
List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
", permission denied");
}
public final void checkNetworkPermissions(Account caller, Network network) {
if (_accountMgr.isRootAdmin(caller.getAccountId()) && Boolean.TRUE.equals(AdminIsAllowedToDeployAnywhere.value())) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("root admin is permitted to do stuff on every network");
}
} else {
if (!isNetworkAvailableInDomain(network.getId(), caller.getDomainId())) {
DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
if (callerDomain == null) {
throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
}
throw new PermissionDeniedException("Shared network id=" + ((NetworkVO)network).getUuid() + " is not available in domain id=" +
callerDomain.getUuid());
if (network == null) {
throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
}
s_logger.info(String.format("Checking permission for account %s (%s) on network %s (%s)", caller.getAccountName(), caller.getUuid(), network.getName(), network.getUuid()));
if (network.getGuestType() != GuestType.Shared || network.getAclType() == ACLType.Account) {
checkAccountNetworkPermissions(caller, network);
} else {
checkDomainNetworkPermissions(caller, network);
}
}
}
private void checkAccountNetworkPermissions(Account caller, Network network) {
AccountVO networkOwner = _accountDao.findById(network.getAccountId());
if (networkOwner == null)
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() +
", network does not have an owner");
if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
checkProjectNetworkPermissions(caller, networkOwner, network);
} else {
List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
}
}
}
private void checkDomainNetworkPermissions(Account caller, Network network) {
if (!isNetworkAvailableInDomain(network.getId(), caller.getDomainId())) {
DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
if (callerDomain == null) {
throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
}
throw new PermissionDeniedException("Shared network id=" + ((NetworkVO) network).getUuid() + " is not available in domain id=" +
callerDomain.getUuid());
}
}
@ -1710,13 +1721,11 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
ProjectAccount projectAccountUser = _projectAccountDao.findByProjectIdUserId(project.getId(), user.getAccountId(), user.getId());
if (projectAccountUser != null) {
if (!_projectAccountDao.canUserAccessProjectAccount(user.getAccountId(), user.getId(), networkOwner.getId())) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
", permission denied");
throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO)network).getUuid()));
}
} else {
if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), networkOwner.getId())) {
throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() +
", permission denied");
throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
}
}
}
@ -2663,7 +2672,7 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel, Confi
@Override
public ConfigKey<?>[] getConfigKeys() {
return new ConfigKey<?>[] {MACIdentifier};
return new ConfigKey<?>[] {MACIdentifier, AdminIsAllowedToDeployAnywhere};
}
@Override
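Review bot: In what appears to be the new body of `checkNetworkPermissions`, the `network == null` guard sits inside the `else` branch, so a root admin with `admin.is.allowed.to.deploy.anywhere` set to true returns from the method without a null network ever being rejected. The guard should stay first, before the admin test: `if (network == null) { throw new CloudRuntimeException("cannot check permissions on (Network) <null>"); }`. The bypass is also logged only at debug level and without identifiers, while the ordinary path logs every check at info; for an authorization shortcut an audit line naming both parties is more useful, e.g. `s_logger.info(String.format("root admin %s (%s) bypasses permission check on network %s", caller.getAccountName(), caller.getUuid(), network.getUuid()));`. The old and new sides of this section are inferred from the duplicated lines, since the page has lost its +/- markers.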


@ -1938,7 +1938,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
Boolean isSystem = cmd.getIsSystem();
String aclType = cmd.getAclType();
Long projectId = cmd.getProjectId();
List<Long> permittedAccounts = new ArrayList<Long>();
List<Long> permittedAccounts = new ArrayList<>();
String path = null;
Long physicalNetworkId = cmd.getPhysicalNetworkId();
List<String> supportedServicesStr = cmd.getSupportedServices();


@ -33,6 +33,7 @@ import java.util.Collections;
import java.util.List;
import java.util.Set;
import com.cloud.user.AccountManager;
import org.apache.cloudstack.network.NetworkPermissionVO;
import org.apache.cloudstack.network.dao.NetworkPermissionDao;
import org.junit.Before;
@ -114,6 +115,8 @@ public class NetworkModelTest {
private DomainDao domainDao;
@Mock
private ProjectDao projectDao;
@Mock
private AccountManager _accountMgr;
private static final long ZONE_1_ID = 1L;
private static final long ZONE_2_ID = 2L;
@ -307,6 +310,21 @@ public class NetworkModelTest {
networkModel.checkNetworkPermissions(caller, network);
}
@Test
public void testCheckNetworkPermissionsForAdmin() {
long accountId = 1L;
AccountVO caller = mock(AccountVO.class);
when(caller.getId()).thenReturn(accountId);
when(caller.getType()).thenReturn(Account.Type.ADMIN);
NetworkVO network = mock(NetworkVO.class);
when(network.getGuestType()).thenReturn(Network.GuestType.Isolated);
when(network.getAccountId()).thenReturn(accountId);
when(accountDao.findById(accountId)).thenReturn(caller);
when(networkDao.listBy(caller.getId(), network.getId())).thenReturn(List.of(network));
when(networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId())).thenReturn(mock(NetworkPermissionVO.class));
networkModel.checkNetworkPermissions(caller, network);
}
@Test(expected = CloudRuntimeException.class)
public void testCheckNetworkPermissionsNullNetwork() {
AccountVO caller = mock(AccountVO.class);
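Review bot: `testCheckNetworkPermissionsForAdmin` does not appear to reach the new root-admin branch: `_accountMgr.isRootAdmin(...)` is never stubbed, so the mock answers false, and the call succeeds through the ordinary account path only because `networkDao.listBy` and `networkPermissionDao.findByNetworkAndAccount` are stubbed to grant access. To pin the new behaviour, add `when(_accountMgr.isRootAdmin(anyLong())).thenReturn(true);`, set `AdminIsAllowedToDeployAnywhere` to true for the test, and leave the DAO lookups unstubbed so that only the bypass can make the call pass. A companion case with the setting false and the lookups returning nothing should expect `PermissionDeniedException`, which confirms that the default keeps the restriction. Whether the `_accountMgr` mock is injected into `networkModel` is decided in setup code outside this section, so that wiring needs checking as well.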


@ -59,7 +59,7 @@ class TestSharedNetwork(cloudstackTestCase):
cls.acldata = cls.testdata["acl"]
cls.domain_1 = None
cls.domain_2 = None
cls.cleanup = []
cls._cleanup = []
try:
@ -72,25 +72,30 @@ class TestSharedNetwork(cloudstackTestCase):
cls.apiclient,
cls.acldata["domain1"]
)
cls._cleanup.append(cls.domain_1)
cls.domain_11 = Domain.create(
cls.apiclient,
cls.acldata["domain11"],
parentdomainid=cls.domain_1.id
)
cls._cleanup.append(cls.domain_11)
cls.domain_111 = Domain.create(
cls.apiclient,
cls.acldata["domain111"],
parentdomainid=cls.domain_11.id,
)
cls._cleanup.append(cls.domain_111)
cls.domain_12 = Domain.create(
cls.apiclient,
cls.acldata["domain12"],
parentdomainid=cls.domain_1.id
)
cls._cleanup.append(cls.domain_12)
cls.domain_2 = Domain.create(
cls.apiclient,
cls.acldata["domain2"]
)
cls._cleanup.append(cls.domain_2)
# Create 1 admin account and 2 user accounts for doamin_1
cls.account_d1 = Account.create(
cls.apiclient,
@ -98,6 +103,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=True,
domainid=cls.domain_1.id
)
cls._cleanup.append(cls.account_d1)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d1)
cls.user_d1_apikey = user.apikey
@ -109,6 +115,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_1.id
)
cls._cleanup.append(cls.account_d1a)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d1a)
cls.user_d1a_apikey = user.apikey
cls.user_d1a_secretkey = user.secretkey
@ -120,6 +127,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_1.id
)
cls._cleanup.append(cls.account_d1b)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d1b)
cls.user_d1b_apikey = user.apikey
@ -132,6 +140,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=True,
domainid=cls.domain_11.id
)
cls._cleanup.append(cls.account_d11)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d11)
cls.user_d11_apikey = user.apikey
cls.user_d11_secretkey = user.secretkey
@ -142,6 +151,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_11.id
)
cls._cleanup.append(cls.account_d11a)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d11a)
cls.user_d11a_apikey = user.apikey
cls.user_d11a_secretkey = user.secretkey
@ -152,6 +162,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_11.id
)
cls._cleanup.append(cls.account_d11b)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d11b)
cls.user_d11b_apikey = user.apikey
cls.user_d11b_secretkey = user.secretkey
@ -164,6 +175,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=True,
domainid=cls.domain_111.id
)
cls._cleanup.append(cls.account_d111)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d111)
cls.user_d111_apikey = user.apikey
cls.user_d111_secretkey = user.secretkey
@ -174,6 +186,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_111.id
)
cls._cleanup.append(cls.account_d111a)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d111a)
cls.user_d111a_apikey = user.apikey
cls.user_d111a_secretkey = user.secretkey
@ -184,6 +197,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_111.id
)
cls._cleanup.append(cls.account_d111b)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d111b)
cls.user_d111b_apikey = user.apikey
cls.user_d111b_secretkey = user.secretkey
@ -195,6 +209,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_12.id
)
cls._cleanup.append(cls.account_d12a)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d12a)
cls.user_d12a_apikey = user.apikey
cls.user_d12a_secretkey = user.secretkey
@ -205,6 +220,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_12.id
)
cls._cleanup.append(cls.account_d12b)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d12b)
cls.user_d12b_apikey = user.apikey
@ -218,6 +234,7 @@ class TestSharedNetwork(cloudstackTestCase):
admin=False,
domainid=cls.domain_2.id
)
cls._cleanup.append(cls.account_d2a)
user = cls.generateKeysForUser(cls.apiclient,cls.account_d2a)
cls.user_d2a_apikey = user.apikey
@ -231,6 +248,7 @@ class TestSharedNetwork(cloudstackTestCase):
cls.acldata["accountROOTA"],
admin=False,
)
cls._cleanup.append(cls.account_roota)
user = cls.generateKeysForUser(cls.apiclient,cls.account_roota)
cls.user_roota_apikey = user.apikey
@ -241,6 +259,7 @@ class TestSharedNetwork(cloudstackTestCase):
cls.acldata["accountROOTA"],
admin=True,
)
cls._cleanup.append(cls.account_root)
user = cls.generateKeysForUser(cls.apiclient,cls.account_root)
cls.user_root_apikey = user.apikey
@ -251,6 +270,7 @@ class TestSharedNetwork(cloudstackTestCase):
cls.apiclient,
cls.acldata["service_offering"]["small"]
)
cls._cleanup.append(cls.service_offering)
cls.zone = get_zone(cls.apiclient,cls.testclient.getZoneForTests())
cls.acldata['mode'] = cls.zone.networktype
@ -279,6 +299,7 @@ class TestSharedNetwork(cloudstackTestCase):
networkofferingid=cls.shared_network_offering_id,
zoneid=cls.zone.id
)
cls._cleanup.append(cls.shared_network_all)
cls.shared_network_domain_d11 = Network.create(
cls.apiclient,
@ -288,6 +309,7 @@ class TestSharedNetwork(cloudstackTestCase):
domainid=cls.domain_11.id,
subdomainaccess=False
)
cls._cleanup.append(cls.shared_network_domain_d11)
cls.shared_network_domain_with_subdomain_d11 = Network.create(
cls.apiclient,
@ -297,6 +319,7 @@ class TestSharedNetwork(cloudstackTestCase):
domainid=cls.domain_11.id,
subdomainaccess=True
)
cls._cleanup.append(cls.shared_network_domain_with_subdomain_d11)
cls.shared_network_account_d111a = Network.create(
cls.apiclient,
@ -306,40 +329,35 @@ class TestSharedNetwork(cloudstackTestCase):
domainid=cls.domain_111.id,
accountid=cls.account_d111a.user[0].username
)
cls._cleanup.append(cls.shared_network_account_d111a)
cls.vmdata = {"name": "test",
"displayname" : "test"
}
cls.cleanup = [
cls.account_root,
cls.account_roota,
cls.shared_network_all,
cls.service_offering,
]
except Exception as e:
cls.domain_1.delete(cls.apiclient,cleanup="true")
cls.domain_2.delete(cls.apiclient,cleanup="true")
cleanup_resources(cls.apiclient, cls.cleanup)
raise Exception("Failed to create the setup required to execute the test cases: %s" % e)
cls.tearDownClass()
raise Exception("Failed to create the setup required to execute the test cases: %s" % e)
@classmethod
def tearDownClass(cls):
cls.apiclient = super(TestSharedNetwork, cls).getClsTestClient().getApiClient()
cls.apiclient.connection.apiKey = cls.default_apikey
cls.apiclient.connection.securityKey = cls.default_secretkey
cls.domain_1.delete(cls.apiclient,cleanup="true")
cls.domain_2.delete(cls.apiclient,cleanup="true")
cleanup_resources(cls.apiclient, cls.cleanup)
return
# super(TestSharedNetwork, cls).tearDownClass()
def setUp(cls):
cls.apiclient = cls.testClient.getApiClient()
cls.dbclient = cls.testClient.getDbConnection()
def setUp(self):
self.debug(f"===setup===")
self.apiclient = self.testClient.getApiClient()
self.dbclient = self.testClient.getDbConnection()
self.cleanup = []
def tearDown(cls):
def tearDown(self):
# restore back default apikey and secretkey
cls.apiclient.connection.apiKey = cls.default_apikey
cls.apiclient.connection.securityKey = cls.default_secretkey
return
self.apiclient.connection.apiKey = self.default_apikey
self.apiclient.connection.securityKey = self.default_secretkey
self.debug(f"===tearDown=== cleanup list length {self.cleanup.len()}")
super(TestSharedNetwork, self).tearDown()
## Test cases relating to deploying Virtual Machine in shared network with scope=all
@ -355,7 +373,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD1A"]["name"] +"-shared-scope-all"
self.vmdata["displayname"] = self.acldata["vmD1A"]["displayname"] +"-shared-scope-all"
vm_d1a = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -363,17 +381,16 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm_d1a.state == "Running",
self.assertEqual(vm.state == "Running",
True,
"User in a domain under ROOT failed to deploy VM in a shared network with scope=all")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_all_domainadminuser(self):
"""
Validate that regular user in "ROOT" domain is allowed to deploy VM in a shared network created with scope="all"
"""
# deploy VM as an admin user in a domain under ROOT
@ -390,25 +407,24 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
"Admin User in a domain under ROOT failed to deploy VM in a shared network with scope=all")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_all_subdomainuser(self):
"""
Validate that regular user in any subdomain is allowed to deploy VM in a shared network created with scope="all"
"""
# deploy VM as user in a subdomain under ROOT
self.apiclient.connection.apiKey = self.user_d11a_apikey
self.apiclient.connection.securityKey = self.user_d11a_secretkey
self.vmdata["name"] = self.acldata["vmD11A"]["name"] +"-shared-scope-all"
self.vmdata["displayname"] = self.acldata["vmD11A"]["displayname"] +"-shared-scope-all"
vm_d11a = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -416,8 +432,9 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm_d11a.state == "Running",
self.assertEqual(vm.state == "Running",
True,
"User in a domain under ROOT failed to deploy VM in a shared network with scope=all")
@ -425,7 +442,6 @@ class TestSharedNetwork(cloudstackTestCase):
def test_deployVM_in_sharedNetwork_scope_all_subdomainadminuser(self):
"""
Validate that regular user in a subdomain under ROOT is allowed to deploy VM in a shared network created with scope="all"
"""
# deploy VM as an admin user in a subdomain under ROOT
@ -441,17 +457,16 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
"Admin User in a domain under ROOT failed to deploy VM in a shared network with scope=all")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_all_ROOTuser(self):
"""
Validate that regular user in ROOT domain is allowed to deploy VM in a shared network created with scope="all"
"""
# deploy VM as user in ROOT domain
@ -467,6 +482,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -491,6 +507,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_all.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -503,7 +520,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that regular user in a domain is allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as user in a domain that has shared network with no subdomain access
self.apiclient.connection.apiKey = self.user_d11a_apikey
@ -519,17 +535,16 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
"User in a domain that has a shared network with no subdomain access failed to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_domainadminuser(self):
"""
Validate that admin user in a domain is allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
#deploy VM as an admin user in a domain that has shared network with no subdomain access
@ -546,6 +561,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -555,7 +571,6 @@ class TestSharedNetwork(cloudstackTestCase):
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_subdomainuser(self):
"""
Validate that regular user in a subdomain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as user in a subdomain under a domain that has shared network with no subdomain access
@ -564,7 +579,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD111A"]["name"] +"-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD111A"]["displayname"] +"-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -572,17 +587,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("Subdomain user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
self.cleanup.append(vm)
self.fail("Subdomain user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When a user from a subdomain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Subdomain user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When a user from a subdomain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Subdomain user tries to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_subdomainadminuser(self):
"""
Validate that admin user in a subdomain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as an admin user in a subdomain under a domain that has shared network with no subdomain access
@ -591,7 +606,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD111"]["name"] +"-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD111"]["displayname"] +"-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -599,19 +614,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("Subdomain admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
self.cleanup.append(vm)
self.fail("Subdomain admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When a admin user from a subdomain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Subdomain admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When a admin user from a subdomain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Subdomain admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_parentdomainuser(self):
"""
Validate that user in the parent domain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as user in parentdomain of a domain that has shared network with no subdomain access
@ -620,7 +633,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD1A"]["name"] +"-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD1A"]["displayname"] +"-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -628,18 +641,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("Parent domain user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
self.cleanup.append(vm)
self.fail("Parent domain user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When a user from parent domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When a user from parent domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain user tries to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_parentdomainadminuser(self):
"""
Validate that admin user in the parent domain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as an admin user in parentdomain of a domain that has shared network with no subdomain access
@ -648,7 +660,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD1"]["name"] +"-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD1"]["displayname"] +"-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -656,20 +668,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("Parent domain's admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
self.cleanup.append(vm)
self.fail("Parent domain's admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When an admin user from parent domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When an admin user from parent domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_ROOTuser(self):
"""
Validate that user in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as user in ROOT domain
self.apiclient.connection.apiKey = self.user_roota_apikey
@ -677,7 +687,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOTA"]["name"] + "-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmROOTA"]["displayname"] + "-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -685,19 +695,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
self.cleanup.append(vm)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When a regular user from ROOT domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When a regular user from ROOT domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
@attr("simulator_only",tags=["advanced", "bla"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_nosubdomainaccess_ROOTadmin(self):
"""
Validate that admin in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="domain" and no subdomain access
"""
# deploy VM as admin user in ROOT domain
@ -706,21 +714,21 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOT"]["name"] + "-shared-scope-domain-nosubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmROOT"]["displayname"] + "-shared-scope-domain-nosubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
serviceofferingid=self.service_offering.id,
templateid=self.template.id,
networkids=self.shared_network_domain_d11.id
)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
networkids=self.shared_network_domain_d11.id)
self.cleanup.append(vm)
vm.stop(self.apiclient, forced=True)
vm.assign_virtual_machine(self.apiclient, self.account_d11.name, self.domain_11.id)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=domain with no subdomain access ")
except Exception as e:
self.debug ("When a admin user from ROOT domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
self.debug ("When a admin user from ROOT domain deploys a VM in a shared network with scope=domain with no subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=domain with no subdomain access")
## Test cases relating to deploying Virtual Machine in shared network with scope=Domain and with subdomain access
@ -728,7 +736,6 @@ class TestSharedNetwork(cloudstackTestCase):
def test_deployVM_in_sharedNetwork_scope_domain_withsubdomainaccess_domainuser(self):
"""
Validate that regular user in a domain is allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for the domain
"""
# deploy VM as user in a domain that has shared network with subdomain access
@ -745,18 +752,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
"User in a domain that has a shared network with subdomain access failed to deploy VM in a shared network with scope=domain with no subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_withsubdomainaccess_domainadminuser(self):
"""
Validate that admin user in a domain is allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for the domain
"""
# deploy VM as an admin user in a domain that has shared network with subdomain access
self.apiclient.connection.apiKey = self.user_d11_apikey
@ -772,6 +778,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -782,7 +789,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that regular user in a subdomain is allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for the parent domain
"""
# deploy VM as user in a subdomain under a domain that has shared network with subdomain access
self.apiclient.connection.apiKey = self.user_d111a_apikey
@ -797,6 +803,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -807,7 +814,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that an admin user in a subdomain is allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for the parent domain
"""
# deploy VM as an admin user in a subdomain under a domain that has shared network with subdomain access
self.apiclient.connection.apiKey = self.user_d111_apikey
@ -822,6 +828,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -832,7 +839,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that regular user in a parent domain is NOT allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for the domain
"""
# deploy VM as user in parentdomain of a domain that has shared network with subdomain access
self.apiclient.connection.apiKey = self.user_d1a_apikey
@ -840,7 +846,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD1A"]["name"] +"-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD1A"]["displayname"] +"-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -848,19 +854,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.fail("Parent domain's user is able to deploy VM in a shared network with scope=domain with subdomain access ")
self.cleanup.append(vm)
self.fail("Parent domain's user is able to deploy VM in a shared network with scope=domain with subdomain access ")
except Exception as e:
self.debug ("When a user from parent domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's user tries to deploy VM in a shared network with scope=domain with subdomain access ")
self.debug ("When a user from parent domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's user tries to deploy VM in a shared network with scope=domain with subdomain access ")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_withsubdomainaccess_parentdomainadminuser(self):
"""
Validate that admin user in a parent domain is NOT allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for any domain
"""
# deploy VM as an admin user in parentdomain of a domain that has shared network with subdomain access
self.apiclient.connection.apiKey = self.user_d1_apikey
@ -868,7 +873,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD1"]["name"] +"-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD1"]["displayname"] +"-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -876,20 +881,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.fail("Parent domain's admin user is able to deploy VM in a shared network with scope=domain with subdomain access ")
self.cleanup.append(vm)
self.fail("Parent domain's admin user is able to deploy VM in a shared network with scope=domain with subdomain access ")
except Exception as e:
self.debug ("When an admin user from parent domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's admin user tries to deploy VM in a shared network with scope=domain with subdomain access")
self.debug ("When an admin user from parent domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when Parent domain's admin user tries to deploy VM in a shared network with scope=domain with subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_withsubdomainaccess_ROOTuser(self):
"""
Validate that regular user in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for any domain
"""
# deploy VM as user in ROOT domain
self.apiclient.connection.apiKey = self.user_roota_apikey
@ -897,7 +900,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOTA"]["name"] + "-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmROOTA"]["displayname"] + "-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -905,19 +908,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=domain with subdomain access ")
self.cleanup.append(vm)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=domain with subdomain access ")
except Exception as e:
self.debug ("When a user from ROOT domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=domain with subdomain access")
self.debug ("When a user from ROOT domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=domain with subdomain access")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
@attr("simulator_only",tags=["advanced", "bla"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_domain_withsubdomainaccess_ROOTadmin(self):
"""
Validate that admin user in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="domain" and with subdomain access for any domain
"""
# deploy VM as admin user in ROOT domain
self.apiclient.connection.apiKey = self.user_root_apikey
@ -925,7 +927,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOT"]["name"] + "-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmROOT"]["displayname"] + "-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -933,13 +935,14 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_domain_with_subdomain_d11.id
)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=domain with subdomain access ")
self.cleanup.append(vm)
vm.stop(self.apiclient, forced=True)
vm.assign_virtual_machine(self.apiclient, self.account_d11.name, self.domain_11.id)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=domain with subdomain access ")
except Exception as e:
self.debug ("When an admin user from ROOT domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=domain with subdomain access")
self.debug ("When an admin user from ROOT domain deploys a VM in a shared network with scope=domain with subdomain access %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.NOT_AVAILABLE_IN_DOMAIN):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=domain with subdomain access")
## Test cases relating to deploying Virtual Machine in shared network with scope=account
@ -948,7 +951,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that any other user in same domain is NOT allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as user under the same domain but belonging to a different account from the acount that has a shared network with scope=account
self.apiclient.connection.apiKey = self.user_d111b_apikey
@ -956,7 +958,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD111B"]["name"] +"-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD111B"]["displayname"] +"-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -964,19 +966,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.fail("User from same domain but different account is able to deploy VM in a shared network with scope=account")
self.cleanup.append(vm)
self.fail("User from same domain but different account is able to deploy VM in a shared network with scope=account")
except Exception as e:
self.debug ("When a user from same domain but different account deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from same domain but different account tries to deploy VM in a shared network with scope=account")
self.debug ("When a user from same domain but different account deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from same domain but different account tries to deploy VM in a shared network with scope=account")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_account_domainadminuser(self):
"""
Validate that an admin user under the same domain but belonging to a different account is allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as admin user for a domain that has an account with shared network with scope=account
@ -985,7 +985,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD111"]["name"] +"-shared-scope-domain-withsubdomainaccess"
self.vmdata["displayname"] = self.acldata["vmD111"]["displayname"] +"-shared-scope-domain-withsubdomainaccess"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -993,19 +993,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.fail("User from same domain but different account is able to deploy VM in a shared network with scope=account")
self.cleanup.append(vm)
self.fail("User from same domain but different account is able to deploy VM in a shared network with scope=account")
except Exception as e:
self.debug ("When a user from same domain but different account deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from same domain but different account tries to deploy VM in a shared network with scope=account")
self.debug ("When a user from same domain but different account deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from same domain but different account tries to deploy VM in a shared network with scope=account")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_account_user(self):
"""
Validate that regular user in the account is allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as account with shared network with scope=account
self.apiclient.connection.apiKey = self.user_d111a_apikey
@ -1021,6 +1020,7 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.cleanup.append(vm)
self.assertEqual(vm.state == "Running",
True,
@ -1031,7 +1031,6 @@ class TestSharedNetwork(cloudstackTestCase):
"""
Validate that regular user from a domain different from that of the account is NOT allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as a user in a subdomain under ROOT
self.apiclient.connection.apiKey = self.user_d2a_apikey
@ -1039,7 +1038,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmD2A"]["name"] +"-shared-scope-account"
self.vmdata["displayname"] = self.acldata["vmD2A"]["displayname"] +"-shared-scope-account"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -1047,19 +1046,17 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.fail("User from different domain is able to deploy VM in a shared network with scope=account ")
self.cleanup.append(vm)
self.fail("User from different domain is able to deploy VM in a shared network with scope=account ")
except Exception as e:
self.debug ("When a user from different domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from different domain tries to deploy VM in a shared network with scope=account")
self.debug ("When a user from different domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when User from different domain tries to deploy VM in a shared network with scope=account")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_account_ROOTuser(self):
"""
Validate that user in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as user in ROOT domain
@ -1068,7 +1065,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOTA"]["name"] + "-shared-scope-account"
self.vmdata["displayname"] = self.acldata["vmROOTA"]["displayname"] + "-shared-scope-account"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -1076,19 +1073,18 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=account ")
self.cleanup.append(vm)
self.fail("ROOT domain's user is able to deploy VM in a shared network with scope=account ")
except Exception as e:
self.debug ("When a user from ROOT domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=account ")
self.debug ("When a user from ROOT domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when ROOT domain's user tries to deploy VM in a shared network with scope=account ")
@attr("simulator_only",tags=["advanced"],required_hardware="false")
@attr("simulator_only",tags=["advanced", "bla"],required_hardware="false")
def test_deployVM_in_sharedNetwork_scope_account_ROOTadmin(self):
"""
Validate that admin user in ROOT domain is NOT allowed to deploy VM in a shared network created with scope="account" for an account
"""
# deploy VM as admin user in ROOT domain
self.apiclient.connection.apiKey = self.user_root_apikey
@ -1096,7 +1092,7 @@ class TestSharedNetwork(cloudstackTestCase):
self.vmdata["name"] = self.acldata["vmROOT"]["name"] + "-shared-scope-account"
self.vmdata["displayname"] = self.acldata["vmROOT"]["displayname"] + "-shared-scope-account"
try:
vm = VirtualMachine.create(
vm = VirtualMachine.create(
self.apiclient,
self.vmdata,
zoneid=self.zone.id,
@ -1104,11 +1100,14 @@ class TestSharedNetwork(cloudstackTestCase):
templateid=self.template.id,
networkids=self.shared_network_account_d111a.id
)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=account ")
self.cleanup.append(vm)
vm.stop(self.apiclient, forced=True)
vm.assign_virtual_machine(self.apiclient, self.account_d111a.name, self.domain_111.id)
self.fail("ROOT domain's admin user is able to deploy VM in a shared network with scope=account ")
except Exception as e:
self.debug ("When an admin user from ROOT domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=account")
self.debug ("When an admin user from ROOT domain deploys a VM in a shared network with scope=account %s" %e)
if not CloudstackAclException.verifyMsginException(e,CloudstackAclException.UNABLE_TO_USE_NETWORK):
self.fail("Error message validation failed when ROOT domain's admin user tries to deploy VM in a shared network with scope=account")


@ -249,16 +249,16 @@ public class StringUtils {
final boolean applyPagination = startIndex != null && pageSizeVal != null
&& startIndex <= Integer.MAX_VALUE && startIndex >= 0 && pageSizeVal <= Integer.MAX_VALUE
&& pageSizeVal > 0;
List<T> listWPagination = null;
if (applyPagination) {
listWPagination = new ArrayList<>();
final int index = startIndex.intValue() == 0 ? 0 : startIndex.intValue() / pageSizeVal.intValue();
final List<List<T>> partitions = StringUtils.partitionList(originalList, pageSizeVal.intValue());
if (index < partitions.size()) {
listWPagination = partitions.get(index);
}
}
return listWPagination;
List<T> listWPagination = null;
if (applyPagination) {
listWPagination = new ArrayList<>();
final int index = startIndex.intValue() == 0 ? 0 : startIndex.intValue() / pageSizeVal.intValue();
final List<List<T>> partitions = StringUtils.partitionList(originalList, pageSizeVal.intValue());
if (index < partitions.size()) {
listWPagination = partitions.get(index);
}
}
return listWPagination;
}
private static <T> List<List<T>> partitionList(final List<T> originalList, final int chunkSize) {