apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '4.20'

Browse Source
This commit is contained in:
Daan Hoogland 2025-05-27 18:18:39 +02:00
commit 650b5ec3da
27 changed files with 790 additions and 185 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java
View File

@ -18,6 +18,7 @@ package com.cloud.kubernetes.cluster;
import org.apache.cloudstack.acl.ControlledEntity;
import com.cloud.user.Account;
import com.cloud.uservm.UserVm;
import com.cloud.utils.component.Adapter;
@ -26,4 +27,5 @@ public interface KubernetesServiceHelper extends Adapter {
ControlledEntity findByUuid(String uuid);
ControlledEntity findByVmId(long vmId);
void checkVmCanBeDestroyed(UserVm userVm);
void cleanupForAccount(Account account);
}

1
api/src/main/java/com/cloud/user/Account.java
View File

@ -71,6 +71,7 @@ public interface Account extends ControlledEntity, InternalIdentity, Identity {
}
public static final long ACCOUNT_ID_SYSTEM = 1;
public static final long ACCOUNT_ID_ADMIN = 2;
public String getAccountName();

1
engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
View File

@ -596,6 +596,7 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
offering = _configMgr.createNetworkOffering(NetworkOffering.DefaultIsolatedNetworkOfferingForVpcNetworks,
"Offering for Isolated VPC networks with Source Nat service enabled", TrafficType.Guest, null, false, Availability.Optional, null,
defaultVPCOffProviders, true, Network.GuestType.Isolated, false, null, true, null, false, false, null, false, null, true, true, false, false, null, null, null,true, null, null, false);
}
//#6 - default vpc offering with no LB service

8
engine/schema/src/main/java/com/cloud/user/dao/AccountDao.java
View File

@ -16,6 +16,9 @@
// under the License.
package com.cloud.user.dao;
import java.util.Date;
import java.util.List;
import com.cloud.user.Account;
import com.cloud.user.AccountVO;
import com.cloud.user.User;
@ -23,9 +26,6 @@ import com.cloud.utils.Pair;
import com.cloud.utils.db.Filter;
import com.cloud.utils.db.GenericDao;
import java.util.Date;
import java.util.List;
public interface AccountDao extends GenericDao<AccountVO, Long> {
Pair<User, Account> findUserAccountByApiKey(String apiKey);
@ -33,6 +33,8 @@ public interface AccountDao extends GenericDao<AccountVO, Long> {
Pair<List<AccountVO>, Integer> findAccountsLike(String accountName, Filter filter);
List<AccountVO> findAccountsByName(String accountName);
List<AccountVO> findActiveAccounts(Long maxAccountId, Filter filter);
List<AccountVO> findRecentlyDeletedAccounts(Long maxAccountId, Date earliestRemovedDate, Filter filter);

25
engine/schema/src/main/java/com/cloud/user/dao/AccountDaoImpl.java
View File

@ -16,6 +16,14 @@
// under the License.
package com.cloud.user.dao;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import com.cloud.user.Account;
import com.cloud.user.Account.State;
import com.cloud.user.AccountVO;
@ -30,14 +38,7 @@ import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Func;
import com.cloud.utils.db.SearchCriteria.Op;
import org.apache.commons.lang3.StringUtils;
import com.cloud.utils.db.TransactionLegacy;
import org.springframework.stereotype.Component;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Date;
import java.util.List;
@Component
public class AccountDaoImpl extends GenericDaoBase<AccountVO, Long> implements AccountDao {
@ -190,6 +191,16 @@ public class AccountDaoImpl extends GenericDaoBase<AccountVO, Long> implements A
return searchAndCount(sc, filter);
}
@Override
public List<AccountVO> findAccountsByName(String accountName) {
SearchBuilder<AccountVO> sb = createSearchBuilder();
sb.and("accountName", sb.entity().getAccountName(), SearchCriteria.Op.EQ);
sb.done();
SearchCriteria<AccountVO> sc = sb.create();
sc.setParameters("accountName", accountName);
return search(sc, null);
}
@Override
public Account findEnabledAccount(String accountName, Long domainId) {
SearchCriteria<AccountVO> sc = AllFieldsSearch.create("accountName", accountName);

2
plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaConfigureEmailCmd.java
View File

@ -17,6 +17,7 @@
package org.apache.cloudstack.api.command;
import com.cloud.utils.Pair;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseCmd;
@ -32,6 +33,7 @@ import javax.inject.Inject;
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class QuotaConfigureEmailCmd extends BaseCmd {
@ACL
@Parameter(name = ApiConstants.ACCOUNT_ID, type = CommandType.UUID, entityType = AccountResponse.class, required = true,
description = "Account ID for which to configure quota template email or min balance")
private long accountId;

5
plugins/database/quota/src/main/java/org/apache/cloudstack/api/command/QuotaListEmailConfigurationCmd.java
View File

@ -16,7 +16,7 @@
//under the License.
package org.apache.cloudstack.api.command;
import com.cloud.user.Account;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseCmd;
@ -32,6 +32,7 @@ import javax.inject.Inject;
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class QuotaListEmailConfigurationCmd extends BaseCmd {
@ACL
@Parameter(name = ApiConstants.ACCOUNT_ID, type = BaseCmd.CommandType.UUID, entityType = AccountResponse.class, required = true,
description = "Account ID for which to list quota template email configurations")
private long accountId;
@ -49,6 +50,6 @@ public class QuotaListEmailConfigurationCmd extends BaseCmd {
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
return accountId;
}
}

3
plugins/hypervisors/xenserver/src/main/java/com/cloud/hypervisor/xenserver/resource/wrapper/xenbase/CitrixStartCommandWrapper.java
View File

@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import com.cloud.agent.resource.virtualnetwork.VRScripts;
@ -247,7 +248,7 @@ public final class CitrixStartCommandWrapper extends CommandWrapper<StartCommand
List<DiskTO> disks = new ArrayList<DiskTO>(vmSpec.getDisks().length);
int index = 0;
for (final DiskTO disk : vmSpec.getDisks()) {
if (Volume.Type.ISO.equals(disk.getType())) {
if (Volume.Type.ISO.equals(disk.getType()) && Objects.nonNull(disk.getPath())) {
disks.add(0, disk);
} else {
disks.add(index, disk);

254
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
View File

@ -44,6 +44,11 @@ import javax.naming.ConfigurationException;
import com.cloud.uservm.UserVm;
import com.cloud.vm.UserVmService;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.Role;
import org.apache.cloudstack.acl.RolePermissionEntity;
import org.apache.cloudstack.acl.RoleService;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.Rule;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.annotation.AnnotationService;
import org.apache.cloudstack.annotation.dao.AnnotationDao;
@ -52,6 +57,14 @@ import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiConstants.VMDetails;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.ResponseObject.ResponseView;
import org.apache.cloudstack.api.command.user.address.AssociateIPAddrCmd;
import org.apache.cloudstack.api.command.user.address.DisassociateIPAddrCmd;
import org.apache.cloudstack.api.command.user.address.ListPublicIpAddressesCmd;
import org.apache.cloudstack.api.command.user.firewall.CreateFirewallRuleCmd;
import org.apache.cloudstack.api.command.user.firewall.DeleteFirewallRuleCmd;
import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd;
import org.apache.cloudstack.api.command.user.firewall.UpdateFirewallRuleCmd;
import org.apache.cloudstack.api.command.user.job.QueryAsyncJobResultCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.AddVirtualMachinesToKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.CreateKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.DeleteKubernetesClusterCmd;
@ -62,6 +75,18 @@ import org.apache.cloudstack.api.command.user.kubernetes.cluster.ScaleKubernetes
import org.apache.cloudstack.api.command.user.kubernetes.cluster.StartKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.StopKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.UpgradeKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.AssignToLoadBalancerRuleCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.CreateLoadBalancerRuleCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.DeleteLoadBalancerRuleCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.ListLoadBalancerRuleInstancesCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.ListLoadBalancerRulesCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.RemoveFromLoadBalancerRuleCmd;
import org.apache.cloudstack.api.command.user.loadbalancer.UpdateLoadBalancerRuleCmd;
import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.DeleteNetworkACLCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworkACLsCmd;
import org.apache.cloudstack.api.command.user.network.ListNetworksCmd;
import org.apache.cloudstack.api.command.user.vm.ListVMsCmd;
import org.apache.cloudstack.api.response.KubernetesClusterConfigResponse;
import org.apache.cloudstack.api.response.KubernetesClusterResponse;
import org.apache.cloudstack.api.response.ListResponse;
@ -148,6 +173,8 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
import com.cloud.org.Cluster;
import com.cloud.org.Grouping;
import com.cloud.projects.Project;
import com.cloud.projects.ProjectAccount;
import com.cloud.projects.ProjectManager;
import com.cloud.resource.ResourceManager;
import com.cloud.service.ServiceOfferingVO;
import com.cloud.service.dao.ServiceOfferingDao;
@ -156,14 +183,17 @@ import com.cloud.storage.dao.VMTemplateDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountService;
import com.cloud.user.AccountVO;
import com.cloud.user.SSHKeyPairVO;
import com.cloud.user.User;
import com.cloud.user.UserAccount;
import com.cloud.user.UserVO;
import com.cloud.user.dao.AccountDao;
import com.cloud.user.dao.SSHKeyPairDao;
import com.cloud.user.dao.UserDao;
import com.cloud.utils.Pair;
import com.cloud.utils.Ternary;
import com.cloud.utils.UuidUtils;
import com.cloud.utils.component.ComponentContext;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.concurrency.NamedThreadFactory;
@ -187,6 +217,32 @@ import org.apache.logging.log4j.Level;
public class KubernetesClusterManagerImpl extends ManagerBase implements KubernetesClusterService {
private static final String DEFAULT_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME = "DefaultNetworkOfferingforKubernetesService";
private static final List<Class<?>> PROJECT_KUBERNETES_ACCOUNT_ROLE_ALLOWED_APIS = Arrays.asList(
QueryAsyncJobResultCmd.class,
ListVMsCmd.class,
ListNetworksCmd.class,
ListPublicIpAddressesCmd.class,
AssociateIPAddrCmd.class,
DisassociateIPAddrCmd.class,
ListLoadBalancerRulesCmd.class,
CreateLoadBalancerRuleCmd.class,
UpdateLoadBalancerRuleCmd.class,
DeleteLoadBalancerRuleCmd.class,
AssignToLoadBalancerRuleCmd.class,
RemoveFromLoadBalancerRuleCmd.class,
ListLoadBalancerRuleInstancesCmd.class,
ListFirewallRulesCmd.class,
CreateFirewallRuleCmd.class,
UpdateFirewallRuleCmd.class,
DeleteFirewallRuleCmd.class,
ListNetworkACLsCmd.class,
CreateNetworkACLCmd.class,
DeleteNetworkACLCmd.class,
ListKubernetesClustersCmd.class,
ScaleKubernetesClusterCmd.class
);
private static final String PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME = "Kubernetes";
private static final String PROJECT_KUBERNETES_ACCOUNT_LAST_NAME = "Service User";
private static final String DEFAULT_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_DISPLAY_TEXT = "Network Offering used for CloudStack Kubernetes service";
private static final String DEFAULT_NSX_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME = "DefaultNSXNetworkOfferingforKubernetesService";
private static final String DEFAULT_NSX_VPC_TIER_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME = "DefaultNSXVPCNetworkOfferingforKubernetesService";
@ -264,11 +320,16 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
public SecurityGroupService securityGroupService;
@Inject
public NetworkHelper networkHelper;
@Inject
private UserVmService userVmService;
@Inject
RoutedIpv4Manager routedIpv4Manager;
@Inject
public AccountDao accountDao;
@Inject
public ProjectManager projectManager;
@Inject
RoleService roleService;
private void logMessage(final Level logLevel, final String message, final Exception e) {
if (logLevel == Level.WARN) {
@ -1381,23 +1442,31 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
}
}
private String[] getServiceUserKeys(KubernetesClusterVO kubernetesCluster) {
Account owner = accountService.getActiveAccountById(kubernetesCluster.getAccountId());
if (owner == null || owner.getType() == Account.Type.PROJECT) {
owner = CallContext.current().getCallingAccount();
protected String[] createUserApiKeyAndSecretKey(long userId) {
CallContext.register(User.UID_SYSTEM, Account.ACCOUNT_ID_SYSTEM);
try {
return accountService.createApiKeyAndSecretKey(userId);
} finally {
CallContext.unregister();
}
}
protected String[] getServiceUserKeys(Account owner) {
String username = owner.getAccountName();
if (!username.startsWith(KUBEADMIN_ACCOUNT_NAME + "-")) {
username += "-" + KUBEADMIN_ACCOUNT_NAME;
}
String username = owner.getAccountName() + "-" + KUBEADMIN_ACCOUNT_NAME;
UserAccount kubeadmin = accountService.getActiveUserAccount(username, owner.getDomainId());
String[] keys = null;
String[] keys;
if (kubeadmin == null) {
User kube = userDao.persist(new UserVO(owner.getAccountId(), username, UUID.randomUUID().toString(), owner.getAccountName(),
KUBEADMIN_ACCOUNT_NAME, "kubeadmin", null, UUID.randomUUID().toString(), User.Source.UNKNOWN));
keys = accountService.createApiKeyAndSecretKey(kube.getId());
KUBEADMIN_ACCOUNT_NAME, "kubeadmin", null, UUID.randomUUID().toString(), User.Source.UNKNOWN));
keys = createUserApiKeyAndSecretKey(kube.getId());
} else {
String apiKey = kubeadmin.getApiKey();
String secretKey = kubeadmin.getSecretKey();
if (StringUtils.isAnyEmpty(apiKey, secretKey)) {
keys = accountService.createApiKeyAndSecretKey(kubeadmin.getId());
keys = createUserApiKeyAndSecretKey(kubeadmin.getId());
} else {
keys = new String[]{apiKey, secretKey};
}
@ -1405,6 +1474,76 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
return keys;
}
protected Role createProjectKubernetesAccountRole() {
Role role = roleService.createRole(PROJECT_KUBEADMIN_ACCOUNT_ROLE_NAME, RoleType.User,
PROJECT_KUBEADMIN_ACCOUNT_ROLE_NAME, false);
for (Class<?> allowedApi : PROJECT_KUBERNETES_ACCOUNT_ROLE_ALLOWED_APIS) {
final String apiName = BaseCmd.getCommandNameByClass(allowedApi);
roleService.createRolePermission(role, new Rule(apiName), RolePermissionEntity.Permission.ALLOW,
String.format("Allow %s", apiName));
}
roleService.createRolePermission(role, new Rule("*"), RolePermissionEntity.Permission.DENY,
"Deny all");
logger.debug(String.format("Created default role for Kubernetes service account in projects: %s", role));
return role;
}
public Role getProjectKubernetesAccountRole() {
List<Role> roles = roleService.findRolesByName(PROJECT_KUBEADMIN_ACCOUNT_ROLE_NAME);
if (CollectionUtils.isNotEmpty(roles)) {
Role role = roles.get(0);
logger.debug(String.format("Found default role for Kubernetes service account in projects: %s", role));
return role;
}
return createProjectKubernetesAccountRole();
}
protected Account createProjectKubernetesAccount(final Project project, final String accountName) {
CallContext.register(User.UID_SYSTEM, Account.ACCOUNT_ID_SYSTEM);
try {
Role role = getProjectKubernetesAccountRole();
UserAccount userAccount = accountService.createUserAccount(accountName,
UuidUtils.first(UUID.randomUUID().toString()), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(),
project.getDomainId(), null, null, null, null, User.Source.NATIVE);
projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular,
userAccount.getId(), null);
Account account = accountService.getAccount(userAccount.getAccountId());
logger.debug(String.format("Created Kubernetes service account in project %s: %s", project, account));
return account;
} finally {
CallContext.unregister();
}
}
protected Account getProjectKubernetesAccount(final Account callerAccount, final boolean create) {
Project project = ApiDBUtils.findProjectByProjectAccountId(callerAccount.getId());
final String accountName = String.format("%s-%s", KUBEADMIN_ACCOUNT_NAME, UuidUtils.first(project.getUuid()));
List<AccountVO> accounts = accountDao.findAccountsByName(accountName);
for (AccountVO account : accounts) {
if (projectManager.canAccessProjectAccount(account, project.getProjectAccountId())) {
logger.debug(String.format("Created Kubernetes service account in project %s: %s", project, account));
return account;
}
}
return create ? createProjectKubernetesAccount(project, accountName) : null;
}
protected Account getProjectKubernetesAccount(final Account callerAccount) {
return getProjectKubernetesAccount(callerAccount, true);
}
private String[] getServiceUserKeys(KubernetesClusterVO kubernetesCluster) {
Account owner = accountService.getActiveAccountById(kubernetesCluster.getAccountId());
if (owner == null) {
owner = CallContext.current().getCallingAccount();
}
if (owner.getType() == Account.Type.PROJECT) {
owner = getProjectKubernetesAccount(owner);
}
return getServiceUserKeys(owner);
}
@Override
@ActionEvent(eventType = KubernetesClusterEventTypes.EVENT_KUBERNETES_CLUSTER_STOP,
eventDescription = "stopping Kubernetes cluster", async = true)
@ -1449,15 +1588,13 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
logAndThrow(Level.ERROR, "Kubernetes Service plugin is disabled");
}
Long kubernetesClusterId = cmd.getId();
KubernetesClusterVO cluster = kubernetesClusterDao.findById(kubernetesClusterId);
final KubernetesClusterVO cluster = kubernetesClusterDao.findById(kubernetesClusterId);
if (cluster == null) {
throw new InvalidParameterValueException("Invalid cluster id specified");
}
accountManager.checkAccess(CallContext.current().getCallingAccount(), SecurityChecker.AccessType.OperateEntry, false, cluster);
if (cluster.getClusterType() == KubernetesCluster.ClusterType.CloudManaged) {
KubernetesClusterDestroyWorker destroyWorker = new KubernetesClusterDestroyWorker(cluster, this);
destroyWorker = ComponentContext.inject(destroyWorker);
return destroyWorker.destroy();
return destroyKubernetesCluster(cluster);
} else {
boolean cleanup = cmd.getCleanup();
boolean expunge = cmd.getExpunge();
@ -1484,13 +1621,14 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
}
}
}
return Transaction.execute(new TransactionCallback<Boolean>() {
@Override
public Boolean doInTransaction(TransactionStatus status) {
kubernetesClusterDetailsDao.removeDetails(kubernetesClusterId);
kubernetesClusterVmMapDao.removeByClusterId(kubernetesClusterId);
return kubernetesClusterDao.remove(kubernetesClusterId);
return Transaction.execute((TransactionCallback<Boolean>) status -> {
kubernetesClusterDetailsDao.removeDetails(kubernetesClusterId);
kubernetesClusterVmMapDao.removeByClusterId(kubernetesClusterId);
if (kubernetesClusterDao.remove(kubernetesClusterId)) {
deleteProjectKubernetesAccountIfNeeded(cluster);
return true;
}
return false;
});
}
}
@ -1753,6 +1891,66 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
return responseList;
}
protected void deleteProjectKubernetesAccount(Account projectAccount) {
CallContext.register(User.UID_SYSTEM, Account.ACCOUNT_ID_SYSTEM);
try {
Account serviceAccount = getProjectKubernetesAccount(projectAccount, false);
if (serviceAccount != null) {
accountManager.deleteAccount(accountDao.findById(serviceAccount.getId()), User.UID_SYSTEM,
accountService.getSystemAccount());
}
} finally {
CallContext.unregister();
}
}
protected void deleteProjectKubernetesAccountIfNeeded(final KubernetesCluster kubernetesCluster) {
Account owner = accountService.getAccount(kubernetesCluster.getAccountId());
if (owner == null) {
return;
}
if (Account.Type.PROJECT.equals(owner.getType()) &&
kubernetesClusterDao.countNotForGCByAccount(owner.getAccountId()) == 0) {
deleteProjectKubernetesAccount(owner);
}
}
protected boolean destroyKubernetesCluster(KubernetesCluster kubernetesCluster, boolean deleteProjectAccount) {
KubernetesClusterDestroyWorker destroyWorker = new KubernetesClusterDestroyWorker(kubernetesCluster,
KubernetesClusterManagerImpl.this);
destroyWorker = ComponentContext.inject(destroyWorker);
boolean result = destroyWorker.destroy();
if (deleteProjectAccount) {
deleteProjectKubernetesAccountIfNeeded(kubernetesCluster);
}
return result;
}
protected boolean destroyKubernetesCluster(KubernetesCluster kubernetesCluster) {
return destroyKubernetesCluster(kubernetesCluster, true);
}
@Override
public void cleanupForAccount(Account account) {
List<KubernetesClusterVO> clusters = kubernetesClusterDao.listForCleanupByAccount(account.getId());
if (CollectionUtils.isEmpty(clusters)) {
return;
}
logger.debug(String.format("Cleaning up %d Kubernetes cluster for %s", clusters.size(), account));
for (KubernetesClusterVO cluster : clusters) {
try {
destroyKubernetesCluster(cluster, false);
} catch (CloudRuntimeException e) {
logger.warn(String.format("Failed to destroy Kubernetes cluster: %s during cleanup for %s",
cluster.getName(), account), e);
}
}
if (!Account.Type.PROJECT.equals(account.getType())) {
return;
}
deleteProjectKubernetesAccount(account);
}
@Override
public List<Class<?>> getCommands() {
List<Class<?>> cmdList = new ArrayList<Class<?>>();
@ -1804,12 +2002,8 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
logger.info("Running Kubernetes cluster garbage collector on Kubernetes cluster: {}", kubernetesCluster);
}
try {
KubernetesClusterDestroyWorker destroyWorker = new KubernetesClusterDestroyWorker(kubernetesCluster, KubernetesClusterManagerImpl.this);
destroyWorker = ComponentContext.inject(destroyWorker);
if (destroyWorker.destroy()) {
if (logger.isInfoEnabled()) {
logger.info("Garbage collection complete for Kubernetes cluster: {}", kubernetesCluster);
}
if (destroyKubernetesCluster(kubernetesCluster)) {
logger.info("Garbage collection complete for Kubernetes cluster: {}", kubernetesCluster);
} else {
logger.warn("Garbage collection failed for Kubernetes cluster : {}, it will be attempted to garbage collected in next run", kubernetesCluster);
}
@ -1932,9 +2126,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
logger.info("Running Kubernetes cluster state scanner on Kubernetes cluster: {} for state: {}", kubernetesCluster, KubernetesCluster.State.Destroying.toString());
}
try {
KubernetesClusterDestroyWorker destroyWorker = new KubernetesClusterDestroyWorker(kubernetesCluster, KubernetesClusterManagerImpl.this);
destroyWorker = ComponentContext.inject(destroyWorker);
destroyWorker.destroy();
destroyKubernetesCluster(kubernetesCluster);
} catch (Exception e) {
logger.warn("Failed to run Kubernetes cluster Destroying state scanner on Kubernetes cluster : {} status scanner", kubernetesCluster, e);
}
@ -1948,7 +2140,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
}
// checks if Kubernetes cluster is in desired state
boolean isClusterVMsInDesiredState(KubernetesCluster kubernetesCluster, VirtualMachine.State state) {
private boolean isClusterVMsInDesiredState(KubernetesCluster kubernetesCluster, VirtualMachine.State state) {
List<KubernetesClusterVmMapVO> clusterVMs = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId());
// check cluster is running at desired capacity include control nodes as well
@ -1986,6 +2178,8 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
createNetworkOfferingForKubernetes(DEFAULT_NSX_VPC_TIER_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME,
DEFAULT_NSX_VPC_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_DISPLAY_TEXT , true, true);
getProjectKubernetesAccountRole();
_gcExecutor.scheduleWithFixedDelay(new KubernetesClusterGarbageCollector(), 300, 300, TimeUnit.SECONDS);
_stateScanner.scheduleWithFixedDelay(new KubernetesClusterStatusScanner(), 300, 30, TimeUnit.SECONDS);

8
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterService.java
View File

@ -16,6 +16,8 @@
// under the License.
package com.cloud.kubernetes.cluster;
import java.util.List;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.AddVirtualMachinesToKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.CreateKubernetesClusterCmd;
import org.apache.cloudstack.api.command.user.kubernetes.cluster.DeleteKubernetesClusterCmd;
@ -34,16 +36,16 @@ import org.apache.cloudstack.framework.config.ConfigKey;
import org.apache.cloudstack.framework.config.Configurable;
import com.cloud.network.Network;
import com.cloud.user.Account;
import com.cloud.utils.component.PluggableService;
import com.cloud.utils.exception.CloudRuntimeException;
import java.util.List;
public interface KubernetesClusterService extends PluggableService, Configurable {
static final String MIN_KUBERNETES_VERSION_HA_SUPPORT = "1.16.0";
static final int MIN_KUBERNETES_CLUSTER_NODE_CPU = 2;
static final int MIN_KUBERNETES_CLUSTER_NODE_RAM_SIZE = 2048;
static final String KUBEADMIN_ACCOUNT_NAME = "kubeadmin";
String PROJECT_KUBEADMIN_ACCOUNT_ROLE_NAME = "Project Kubernetes Service Role";
static final ConfigKey<Boolean> KubernetesServiceEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class,
"cloud.kubernetes.service.enabled",
@ -125,4 +127,6 @@ public interface KubernetesClusterService extends PluggableService, Configurable
List<RemoveVirtualMachinesFromKubernetesClusterResponse> removeVmsFromCluster(RemoveVirtualMachinesFromKubernetesClusterCmd cmd);
boolean isDirectAccess(Network network);
void cleanupForAccount(Account account);
}

8
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImpl.java
View File

@ -32,6 +32,7 @@ import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
import com.cloud.kubernetes.version.KubernetesSupportedVersion;
import com.cloud.kubernetes.version.KubernetesVersionEventTypes;
import com.cloud.user.Account;
import com.cloud.uservm.UserVm;
import com.cloud.utils.component.AdapterBase;
import com.cloud.utils.exception.CloudRuntimeException;
@ -50,6 +51,8 @@ public class KubernetesServiceHelperImpl extends AdapterBase implements Kubernet
private KubernetesClusterDao kubernetesClusterDao;
@Inject
private KubernetesClusterVmMapDao kubernetesClusterVmMapDao;
@Inject
KubernetesClusterService kubernetesClusterService;
protected void setEventTypeEntityDetails(Class<?> eventTypeDefinedClass, Class<?> entityClass) {
Field[] declaredFields = eventTypeDefinedClass.getDeclaredFields();
@ -106,6 +109,11 @@ public class KubernetesServiceHelperImpl extends AdapterBase implements Kubernet
throw new CloudRuntimeException(msg);
}
@Override
public void cleanupForAccount(Account account) {
kubernetesClusterService.cleanupForAccount(account);
}
@Override
public String getConfigComponentName() {
return KubernetesServiceHelper.class.getSimpleName();

4
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterDao.java
View File

@ -25,8 +25,8 @@ import com.cloud.utils.fsm.StateDao;
public interface KubernetesClusterDao extends GenericDao<KubernetesClusterVO, Long>,
StateDao<KubernetesCluster.State, KubernetesCluster.Event, KubernetesCluster> {
List<KubernetesClusterVO> listByAccount(long accountId);
List<KubernetesClusterVO> listForCleanupByAccount(long accountId);
int countNotForGCByAccount(long accountId);
List<KubernetesClusterVO> findKubernetesClustersToGarbageCollect();
List<KubernetesClusterVO> findManagedKubernetesClustersInState(KubernetesCluster.State state);
List<KubernetesClusterVO> listByNetworkId(long networkId);

33
plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterDaoImpl.java
View File

@ -30,16 +30,25 @@ import com.cloud.utils.db.TransactionLegacy;
@Component
public class KubernetesClusterDaoImpl extends GenericDaoBase<KubernetesClusterVO, Long> implements KubernetesClusterDao {
private final SearchBuilder<KubernetesClusterVO> AccountIdSearch;
private final SearchBuilder<KubernetesClusterVO> CleanupAccountIdSearch;
private final SearchBuilder<KubernetesClusterVO> NotForGCByAccountIDCount;
private final SearchBuilder<KubernetesClusterVO> GarbageCollectedSearch;
private final SearchBuilder<KubernetesClusterVO> ManagedStateSearch;
private final SearchBuilder<KubernetesClusterVO> SameNetworkSearch;
private final SearchBuilder<KubernetesClusterVO> KubernetesVersionSearch;
public KubernetesClusterDaoImpl() {
AccountIdSearch = createSearchBuilder();
AccountIdSearch.and("account", AccountIdSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
AccountIdSearch.done();
CleanupAccountIdSearch = createSearchBuilder();
CleanupAccountIdSearch.and("account", CleanupAccountIdSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
CleanupAccountIdSearch.and("cluster_type", CleanupAccountIdSearch.entity().getClusterType(), SearchCriteria.Op.EQ);
CleanupAccountIdSearch.done();
NotForGCByAccountIDCount = createSearchBuilder();
NotForGCByAccountIDCount.and("gc", NotForGCByAccountIDCount.entity().isCheckForGc(), SearchCriteria.Op.EQ);
NotForGCByAccountIDCount.and("account", NotForGCByAccountIDCount.entity().getAccountId(), SearchCriteria.Op.EQ);
NotForGCByAccountIDCount.and("cluster_type", NotForGCByAccountIDCount.entity().getClusterType(), SearchCriteria.Op.EQ);
NotForGCByAccountIDCount.select(null, SearchCriteria.Func.COUNT, null);
NotForGCByAccountIDCount.done();
GarbageCollectedSearch = createSearchBuilder();
GarbageCollectedSearch.and("gc", GarbageCollectedSearch.entity().isCheckForGc(), SearchCriteria.Op.EQ);
@ -62,10 +71,20 @@ public class KubernetesClusterDaoImpl extends GenericDaoBase<KubernetesClusterVO
}
@Override
public List<KubernetesClusterVO> listByAccount(long accountId) {
SearchCriteria<KubernetesClusterVO> sc = AccountIdSearch.create();
public List<KubernetesClusterVO> listForCleanupByAccount(long accountId) {
SearchCriteria<KubernetesClusterVO> sc = CleanupAccountIdSearch.create();
sc.setParameters("cluster_type", KubernetesCluster.ClusterType.CloudManaged);
sc.setParameters("account", accountId);
return listBy(sc, null);
return listBy(sc);
}
@Override
public int countNotForGCByAccount(long accountId) {
SearchCriteria<KubernetesClusterVO> sc = NotForGCByAccountIDCount.create();
sc.setParameters("cluster_type", KubernetesCluster.ClusterType.CloudManaged);
sc.setParameters("account", accountId);
sc.setParameters("gc", false);
return getCount(sc);
}
@Override

4
plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
View File

@ -533,4 +533,8 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
public UserAccount clearUserTwoFactorAuthenticationInSetupStateOnLogin(UserAccount user) {
return null;
}
@Override
public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) {
}
}

3
plugins/network-elements/vxlan/src/main/java/com/cloud/network/guru/VxlanGuestNetworkGuru.java
View File

@ -76,6 +76,9 @@ public class VxlanGuestNetworkGuru extends GuestNetworkGuru {
network.setBroadcastUri(BroadcastDomainType.Vxlan.toUri(vxlan));
}
network.setBroadcastDomainType(BroadcastDomainType.Vxlan);
getOrCreateIpv4SubnetForGuestNetwork(offering, network, userSpecified, owner);
return updateNetworkDesignForIPv6IfNeeded(network, userSpecified);
}

6
server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
View File

@ -3723,7 +3723,9 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
SearchCriteria<DiskOfferingVO> sc = diskOfferingSearch.create();
sc.setParameters("computeOnly", false);
sc.setParameters("activeState", DiskOffering.State.Active);
if (state != null) {
sc.setParameters("state", state);
}
sc.setJoinParameters("domainDetailsSearch", "domainId", domainId);
@ -4870,7 +4872,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
if (!permittedAccounts.isEmpty()) {
domain = _domainDao.findById(permittedAccounts.get(0).getDomainId());
} else {
domain = _domainDao.findById(Domain.ROOT_DOMAIN);
domain = _domainDao.findById(caller.getDomainId());
}
setIdsListToSearchCriteria(sc, ids);

39
server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
View File

@ -50,7 +50,7 @@ import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.naming.ConfigurationException;
import com.cloud.resource.ResourceManager;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.affinity.AffinityGroup;
import org.apache.cloudstack.affinity.AffinityGroupService;
@ -254,6 +254,7 @@ import com.cloud.org.Grouping;
import com.cloud.org.Grouping.AllocationState;
import com.cloud.projects.Project;
import com.cloud.projects.ProjectManager;
import com.cloud.resource.ResourceManager;
import com.cloud.server.ConfigurationServer;
import com.cloud.server.ManagementService;
import com.cloud.service.ServiceOfferingDetailsVO;
@ -277,6 +278,7 @@ import com.cloud.user.Account;
import com.cloud.user.AccountDetailVO;
import com.cloud.user.AccountDetailsDao;
import com.cloud.user.AccountManager;
import com.cloud.user.AccountManagerImpl;
import com.cloud.user.AccountVO;
import com.cloud.user.ResourceLimitService;
import com.cloud.user.User;
@ -484,6 +486,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
private long _defaultPageSize = Long.parseLong(Config.DefaultPageSize.getDefaultValue());
private static final String DOMAIN_NAME_PATTERN = "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{1,63}$";
private Set<String> configValuesForValidation = new HashSet<>();
private Set<String> configKeysAllowedOnlyForDefaultAdmin = new HashSet<>();
private Set<String> weightBasedParametersForValidation = new HashSet<>();
private Set<String> overprovisioningFactorsForValidation = new HashSet<>();
@ -548,6 +551,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
populateConfigValuesForValidationSet();
weightBasedParametersForValidation();
overProvisioningFactorsForValidation();
populateConfigKeysAllowedOnlyForDefaultAdmin();
initMessageBusListener();
return true;
}
@ -612,6 +616,11 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
overprovisioningFactorsForValidation.add(CapacityManager.StorageOverprovisioningFactor.key());
}
protected void populateConfigKeysAllowedOnlyForDefaultAdmin() {
configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key());
configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.allowOperationsOnUsersInSameAccount.key());
}
private void initMessageBusListener() {
messageBus.subscribe(EventTypes.EVENT_CONFIGURATION_VALUE_EDIT, new MessageSubscriber() {
@Override
@ -1227,6 +1236,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
logger.error("Missing configuration variable " + name + " in configuration table");
return "Invalid configuration variable.";
}
validateConfigurationAllowedOnlyForDefaultAdmin(name, value);
List<ConfigKey.Scope> configScope = cfg.getScopes();
if (scope != null) {
@ -1262,6 +1272,33 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
return validateValueRange(name, value, type, configuration);
}
protected void validateConfigurationAllowedOnlyForDefaultAdmin(String configName, String value) {
if (configKeysAllowedOnlyForDefaultAdmin.contains(configName)) {
final Long userId = CallContext.current().getCallingUserId();
if (userId != User.UID_ADMIN) {
throw new CloudRuntimeException("Only default admin is allowed to change this setting");
}
if (AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key().equals(configName)) {
if (value != null && !value.isBlank()) {
List<String> validRoleTypes = Arrays.stream(RoleType.values())
.map(Enum::name)
.collect(Collectors.toList());
boolean allValid = Arrays.stream(value.split(","))
.map(String::trim)
.allMatch(validRoleTypes::contains);
if (!allValid) {
throw new CloudRuntimeException("Invalid role types provided in value");
}
} else {
throw new CloudRuntimeException("Value for role types must not be empty");
}
}
}
}
/**
* Returns whether a value is valid for a configuration of the provided type.
* Valid configuration values are:

25
server/src/main/java/com/cloud/network/guru/ExternalGuestNetworkGuru.java
View File

@ -24,8 +24,6 @@ import javax.inject.Inject;
import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
import org.apache.cloudstack.network.Ipv4GuestSubnetNetworkMap;
import org.apache.cloudstack.network.RoutedIpv4Manager;
import com.cloud.dc.DataCenter;
import com.cloud.dc.DataCenter.NetworkType;
@ -37,7 +35,6 @@ import com.cloud.event.EventTypes;
import com.cloud.event.EventVO;
import com.cloud.exception.InsufficientAddressCapacityException;
import com.cloud.exception.InsufficientVirtualNetworkCapacityException;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.network.IpAddressManager;
import com.cloud.network.Network;
import com.cloud.network.Network.GuestType;
@ -90,8 +87,6 @@ public class ExternalGuestNetworkGuru extends GuestNetworkGuru {
FirewallRulesDao _fwRulesDao;
@Inject
FirewallRulesCidrsDao _fwRulesCidrDao;
@Inject
RoutedIpv4Manager routedIpv4Manager;
public ExternalGuestNetworkGuru() {
super();
@ -126,23 +121,9 @@ public class ExternalGuestNetworkGuru extends GuestNetworkGuru {
/* In order to revert userSpecified network setup */
config.setState(State.Allocated);
}
if (NetworkOffering.NetworkMode.ROUTED.equals(offering.getNetworkMode()) && !offering.isForVpc()) {
if (userSpecified.getCidr() != null) {
routedIpv4Manager.getOrCreateIpv4SubnetForGuestNetwork(config, userSpecified.getCidr());
} else {
if (userSpecified.getNetworkCidrSize() == null) {
throw new InvalidParameterValueException("The network CIDR or CIDR size must be specified.");
}
Ipv4GuestSubnetNetworkMap subnet = routedIpv4Manager.getOrCreateIpv4SubnetForGuestNetwork(owner.getDomainId(), owner.getAccountId(), config.getDataCenterId(), userSpecified.getNetworkCidrSize());
if (subnet != null) {
final String[] cidrTuple = subnet.getSubnet().split("\\/");
config.setGateway(NetUtils.getIpRangeStartIpFromCidr(cidrTuple[0], Long.parseLong(cidrTuple[1])));
config.setCidr(subnet.getSubnet());
} else {
throw new InvalidParameterValueException("Failed to allocate a CIDR with requested size.");
}
}
}
getOrCreateIpv4SubnetForGuestNetwork(offering, config, userSpecified, owner);
return updateNetworkDesignForIPv6IfNeeded(config, userSpecified);
}

24
server/src/main/java/com/cloud/network/guru/GuestNetworkGuru.java
View File

@ -28,6 +28,8 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe
import org.apache.cloudstack.framework.config.ConfigKey;
import org.apache.cloudstack.framework.config.Configurable;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
import org.apache.cloudstack.network.Ipv4GuestSubnetNetworkMap;
import org.apache.cloudstack.network.RoutedIpv4Manager;
import org.apache.commons.lang3.StringUtils;
import com.cloud.configuration.Config;
@ -121,6 +123,8 @@ public abstract class GuestNetworkGuru extends AdapterBase implements NetworkGur
Ipv6AddressManager ipv6AddressManager;
@Inject
DomainRouterDao domainRouterDao;
@Inject
RoutedIpv4Manager routedIpv4Manager;
Random _rand = new Random(System.currentTimeMillis());
@ -571,4 +575,24 @@ public abstract class GuestNetworkGuru extends AdapterBase implements NetworkGur
}
return network;
}
public void getOrCreateIpv4SubnetForGuestNetwork(NetworkOffering offering, NetworkVO config, Network userSpecified, Account owner) {
if (NetworkOffering.NetworkMode.ROUTED.equals(offering.getNetworkMode()) && !offering.isForVpc()) {
if (userSpecified.getCidr() != null) {
routedIpv4Manager.getOrCreateIpv4SubnetForGuestNetwork(config, userSpecified.getCidr());
} else {
if (userSpecified.getNetworkCidrSize() == null) {
throw new InvalidParameterValueException("The network CIDR or CIDR size must be specified.");
}
Ipv4GuestSubnetNetworkMap subnet = routedIpv4Manager.getOrCreateIpv4SubnetForGuestNetwork(owner.getDomainId(), owner.getAccountId(), config.getDataCenterId(), userSpecified.getNetworkCidrSize());
if (subnet != null) {
final String[] cidrTuple = subnet.getSubnet().split("\\/");
config.setGateway(NetUtils.getIpRangeStartIpFromCidr(cidrTuple[0], Long.parseLong(cidrTuple[1])));
config.setCidr(subnet.getSubnet());
} else {
throw new InvalidParameterValueException("Failed to allocate a CIDR with requested size.");
}
}
}
}
}

6
server/src/main/java/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
View File

@ -964,6 +964,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
} else {
_accountMgr.checkAccess(caller, null, true, account);
}
_accountMgr.verifyCallerPrivilegeForUserOrAccountOperations(account);
ownerType = ResourceOwnerType.Account;
ownerId = accountId;
@ -1133,6 +1134,11 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
throw new InvalidParameterValueException("Please specify a valid domain ID.");
}
_accountMgr.checkAccess(callerAccount, domain);
Account account = _entityMgr.findById(Account.class, accountId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account " + accountId);
}
_accountMgr.verifyCallerPrivilegeForUserOrAccountOperations(account);
if (resourceType != null) {
resourceTypes.add(resourceType);

1
server/src/main/java/com/cloud/user/AccountManager.java
View File

@ -206,4 +206,5 @@ public interface AccountManager extends AccountService, Configurable {
UserAccount clearUserTwoFactorAuthenticationInSetupStateOnLogin(UserAccount user);
void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount);
}

355
server/src/main/java/com/cloud/user/AccountManagerImpl.java
View File

@ -20,6 +20,7 @@ import java.net.InetAddress;
import java.net.URLEncoder;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
@ -120,6 +121,7 @@ import com.cloud.exception.OperationTimedoutException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.host.dao.HostDao;
import com.cloud.kubernetes.cluster.KubernetesServiceHelper;
import com.cloud.network.IpAddress;
import com.cloud.network.IpAddressManager;
import com.cloud.network.Network;
@ -350,6 +352,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
private List<UserTwoFactorAuthenticator> userTwoFactorAuthenticationProviders;
private long validUserLastAuthTimeDurationInMs = 0L;
private static final long DEFAULT_USER_AUTH_TIME_DURATION_MS = 350L;
public static ConfigKey<Boolean> enableUserTwoFactorAuthentication = new ConfigKey<>("Advanced",
Boolean.class,
"enable.user.2fa",
@ -394,6 +399,22 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
true,
ConfigKey.Scope.Domain);
public static ConfigKey<String> listOfRoleTypesAllowedForOperationsOfSameRoleType = new ConfigKey<>("Hidden",
String.class,
"role.types.allowed.for.operations.on.accounts.of.same.role.type",
"Admin, ResourceAdmin, DomainAdmin",
"Comma separated list of role types that are allowed to do operations on accounts or users of the same role type within a domain.",
true,
ConfigKey.Scope.Domain);
public static ConfigKey<Boolean> allowOperationsOnUsersInSameAccount = new ConfigKey<>("Hidden",
Boolean.class,
"allow.operations.on.users.in.same.account",
"true",
"Allow operations on users among them in the same account",
true,
ConfigKey.Scope.Domain);
protected AccountManagerImpl() {
super();
}
@ -884,6 +905,16 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return cleanupAccount(account, callerUserId, caller);
}
protected void cleanupPluginsResourcesIfNeeded(Account account) {
try {
KubernetesServiceHelper kubernetesServiceHelper =
ComponentContext.getDelegateComponentOfType(KubernetesServiceHelper.class);
kubernetesServiceHelper.cleanupForAccount(account);
} catch (NoSuchBeanDefinitionException ignored) {
logger.debug("No KubernetesServiceHelper bean found");
}
}
protected boolean cleanupAccount(AccountVO account, long callerUserId, Account caller) {
long accountId = account.getId();
boolean accountCleanupNeeded = false;
@ -965,6 +996,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
cleanupPluginsResourcesIfNeeded(account);
// Destroy the account's VMs
List<UserVmVO> vms = _userVmDao.listByAccountId(accountId);
if (logger.isDebugEnabled()) {
@ -1388,7 +1421,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
/**
* if there is any permission under the requested role that is not permitted for the caller, refuse
*/
private void checkRoleEscalation(Account caller, Account requested) {
protected void checkRoleEscalation(Account caller, Account requested) {
if (logger.isDebugEnabled()) {
logger.debug(String.format("Checking if user of account %s [%s] with role-id [%d] can create an account of type %s [%s] with role-id [%d]",
caller.getAccountName(),
@ -1494,6 +1527,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
assertUserNotAlreadyInAccount(duplicatedUser, account);
}
verifyCallerPrivilegeForUserOrAccountOperations(account);
UserVO user;
user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
return user;
@ -1510,11 +1544,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "Updating User")
public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
UserVO user = retrieveAndValidateUser(updateUserCmd);
Account account = retrieveAndValidateAccount(user);
User caller = CallContext.current().getCallingUser();
checkAccess(caller, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
logger.debug("Updating user {}", user);
validateAndUpdateApiAndSecretKeyIfNeeded(updateUserCmd, user);
validateAndUpdateUserApiKeyAccess(updateUserCmd, user);
Account account = retrieveAndValidateAccount(user);
validateAndUpdateFirstNameIfNeeded(updateUserCmd, user);
validateAndUpdateLastNameIfNeeded(updateUserCmd, user);
@ -1537,6 +1575,85 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return _userAccountDao.findById(user.getId());
}
@Override
public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) {
logger.debug(String.format("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: %s", userAccount));
checkCallerRoleTypeAllowedForUserOrAccountOperations(userAccount, null);
checkCallerApiPermissionsForUserOrAccountOperations(userAccount);
}
protected void verifyCallerPrivilegeForUserOrAccountOperations(User user) {
logger.debug(String.format("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: %s", user));
Account userAccount = getAccount(user.getAccountId());
checkCallerRoleTypeAllowedForUserOrAccountOperations(userAccount, user);
checkCallerApiPermissionsForUserOrAccountOperations(userAccount);
}
protected void checkCallerRoleTypeAllowedForUserOrAccountOperations(Account userAccount, User user) {
Account callingAccount = getCurrentCallingAccount();
RoleType callerRoleType = getRoleType(callingAccount);
RoleType userAccountRoleType = getRoleType(userAccount);
if (RoleType.Unknown == callerRoleType || RoleType.Unknown == userAccountRoleType) {
String errMsg = String.format("The role type of account [%s, %s] or [%s, %s] is unknown",
callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid());
throw new PermissionDeniedException(errMsg);
}
boolean isCallerSystemOrDefaultAdmin = callingAccount.getId() == Account.ACCOUNT_ID_SYSTEM || callingAccount.getId() == Account.ACCOUNT_ID_ADMIN;
if (isCallerSystemOrDefaultAdmin) {
logger.trace(String.format("Admin account [%s, %s] performing this operation for user account [%s, %s] ", callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid()));
} else if (callerRoleType.getId() < userAccountRoleType.getId()) {
logger.trace(String.format("The calling account [%s, %s] has a higher role type than the user account [%s, %s]",
callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid()));
} else if (callerRoleType.getId() == userAccountRoleType.getId()) {
if (callingAccount.getId() != userAccount.getId()) {
String allowedRoleTypes = listOfRoleTypesAllowedForOperationsOfSameRoleType.valueInScope(ConfigKey.Scope.Domain, callingAccount.getDomainId());
boolean updateAllowed = allowedRoleTypes != null &&
Arrays.stream(allowedRoleTypes.split(","))
.map(String::trim)
.anyMatch(role -> role.equals(callerRoleType.toString()));
if (BooleanUtils.isFalse(updateAllowed)) {
String errMsg = String.format("The calling account [%s, %s] is not allowed to perform this operation on users from other accounts " +
"of the same role type within the domain", callingAccount.getName(), callingAccount.getUuid());
logger.error(errMsg);
throw new PermissionDeniedException(errMsg);
}
} else if ((callingAccount.getId() == userAccount.getId()) && user != null) {
Boolean allowOperationOnUsersinSameAccount = allowOperationsOnUsersInSameAccount.valueInScope(ConfigKey.Scope.Domain, callingAccount.getDomainId());
User callingUser = CallContext.current().getCallingUser();
if (callingUser.getId() != user.getId() && BooleanUtils.isFalse(allowOperationOnUsersinSameAccount)) {
String errMsg = "The user operations are not allowed by the users in the same account";
logger.error(errMsg);
throw new PermissionDeniedException(errMsg);
}
}
} else {
String errMsg = String.format("The calling account [%s, %s] has a lower role type than the user account [%s, %s]",
callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid());
throw new PermissionDeniedException(errMsg);
}
}
protected void checkCallerApiPermissionsForUserOrAccountOperations(Account userAccount) {
Account callingAccount = getCurrentCallingAccount();
boolean isCallerRootAdmin = callingAccount.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(callingAccount.getId());
if (isCallerRootAdmin) {
logger.trace(String.format("Admin account [%s, %s] performing this operation for user account [%s, %s] ", callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid()));
} else if (isRootAdmin(userAccount.getAccountId())) {
String errMsg = String.format("Account [%s, %s] cannot perform this operation for user account [%s, %s] ", callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid());
logger.error(errMsg);
throw new PermissionDeniedException(errMsg);
} else {
logger.debug(String.format("Checking calling account [%s, %s] permission to perform this operation for user account [%s, %s] ", callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid()));
checkRoleEscalation(callingAccount, userAccount);
logger.debug(String.format("Calling account [%s, %s] is allowed to perform this operation for user account [%s, %s] ", callingAccount.getName(), callingAccount.getUuid(), userAccount.getName(), userAccount.getUuid()));
}
}
/**
* Updates the password in the user POJO if needed. If no password is provided, then the password is not updated.
* The following validations are executed if 'password' is not null. Admins (root admins or domain admins) can execute password updates without entering the current password.
@ -1599,7 +1716,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
for (UserAuthenticator userAuthenticator : _userPasswordEncoders) {
Pair<Boolean, ActionOnFailedAuthentication> authenticationResult = userAuthenticator.authenticate(user.getUsername(), currentPassword, userAccount.getDomainId(), null);
if (authenticationResult == null) {
logger.trace(String.format("Authenticator [%s] is returning null for the authenticate mehtod.", userAuthenticator.getClass()));
logger.trace(String.format("Authenticator [%s] is returning null for the authenticate method.", userAuthenticator.getClass()));
continue;
}
if (BooleanUtils.toBoolean(authenticationResult.first())) {
@ -1816,6 +1933,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
boolean success = doSetUserStatus(userId, State.DISABLED);
if (success) {
@ -1857,6 +1975,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
boolean success = Transaction.execute(new TransactionCallback<>() {
@Override
@ -1909,6 +2028,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
// make sure the account is enabled too
// if the user is either locked already or disabled already, don't change state...only lock currently enabled
@ -1972,6 +2092,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkIfAccountManagesProjects(accountId);
verifyCallerPrivilegeForUserOrAccountOperations(account);
CallContext.current().putContextParameter(Account.class, account.getUuid());
@ -2034,6 +2155,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = getCurrentCallingAccount();
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(account);
boolean success = enableAccount(account.getId());
if (success) {
@ -2067,6 +2189,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(account);
if (lockAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@ -2097,6 +2220,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
checkAccess(caller, AccessType.OperateEntry, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(account);
if (disableAccount(account.getId())) {
CallContext.current().putContextParameter(Account.class, account.getUuid());
@ -2142,6 +2266,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// Check if user performing the action is allowed to modify this account
Account caller = getCurrentCallingAccount();
checkAccess(caller, _domainMgr.getDomain(account.getDomainId()));
verifyCallerPrivilegeForUserOrAccountOperations(account);
validateAndUpdateAccountApiKeyAccess(cmd, acctForUpdate);
@ -2233,6 +2358,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
// don't allow to delete the user from the account of type Project
checkAccountAndAccess(user, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
return _userDao.remove(id);
}
@ -2243,6 +2369,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
UserVO user = getValidUserVO(id);
Account oldAccount = _accountDao.findById(user.getAccountId());
checkAccountAndAccess(user, oldAccount);
verifyCallerPrivilegeForUserOrAccountOperations(user);
long domainId = oldAccount.getDomainId();
long newAccountId = getNewAccountId(domainId, cmd.getAccountName(), cmd.getAccountId());
@ -2580,6 +2707,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
if (!Account.Type.PROJECT.equals(accountType)) {
AccountVO newAccount = new AccountVO(accountName, domainId, networkDomain, accountType, roleId, uuid);
verifyCallerPrivilegeForUserOrAccountOperations(newAccount);
}
// Create the account
return Transaction.execute(new TransactionCallback<>() {
@Override
@ -2644,107 +2776,17 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
@Override
public UserAccount authenticateUser(final String username, final String password, final Long domainId, final InetAddress loginIpAddress, final Map<String, Object[]> requestParameters) {
long authStartTimeInMs = System.currentTimeMillis();
UserAccount user = null;
final String[] oAuthProviderArray = (String[])requestParameters.get(ApiConstants.PROVIDER);
final String[] secretCodeArray = (String[])requestParameters.get(ApiConstants.SECRET_CODE);
String oauthProvider = ((oAuthProviderArray == null) ? null : oAuthProviderArray[0]);
String secretCode = ((secretCodeArray == null) ? null : secretCodeArray[0]);
if ((password != null && !password.isEmpty()) || (oauthProvider != null && secretCode != null)) {
user = getUserAccount(username, password, domainId, requestParameters);
} else {
String key = _configDao.getValue("security.singlesignon.key");
if (key == null) {
// the SSO key is gone, don't authenticate
return null;
}
String singleSignOnTolerance = _configDao.getValue("security.singlesignon.tolerance.millis");
if (singleSignOnTolerance == null) {
// the SSO tolerance is gone (how much time before/after system time we'll allow the login request to be
// valid),
// don't authenticate
return null;
}
long tolerance = Long.parseLong(singleSignOnTolerance);
String signature = null;
long timestamp = 0L;
String unsignedRequest;
StringBuffer unsignedRequestBuffer = new StringBuffer();
// - build a request string with sorted params, make sure it's all lowercase
// - sign the request, verify the signature is the same
List<String> parameterNames = new ArrayList<>();
for (Object paramNameObj : requestParameters.keySet()) {
parameterNames.add((String)paramNameObj); // put the name in a list that we'll sort later
}
Collections.sort(parameterNames);
try {
for (String paramName : parameterNames) {
// parameters come as name/value pairs in the form String/String[]
String paramValue = ((String[])requestParameters.get(paramName))[0];
if ("signature".equalsIgnoreCase(paramName)) {
signature = paramValue;
} else {
if ("timestamp".equalsIgnoreCase(paramName)) {
String timestampStr = paramValue;
try {
// If the timestamp is in a valid range according to our tolerance, verify the request
// signature, otherwise return null to indicate authentication failure
timestamp = Long.parseLong(timestampStr);
long currentTime = System.currentTimeMillis();
if (Math.abs(currentTime - timestamp) > tolerance) {
if (logger.isDebugEnabled()) {
logger.debug("Expired timestamp passed in to login, current time = " + currentTime + ", timestamp = " + timestamp);
}
return null;
}
} catch (NumberFormatException nfe) {
if (logger.isDebugEnabled()) {
logger.debug("Invalid timestamp passed in to login: " + timestampStr);
}
return null;
}
}
if (unsignedRequestBuffer.length() != 0) {
unsignedRequestBuffer.append("&");
}
unsignedRequestBuffer.append(paramName).append("=").append(URLEncoder.encode(paramValue, "UTF-8"));
}
}
if ((signature == null) || (timestamp == 0L)) {
if (logger.isDebugEnabled()) {
logger.debug("Missing parameters in login request, signature = " + signature + ", timestamp = " + timestamp);
}
return null;
}
unsignedRequest = unsignedRequestBuffer.toString().toLowerCase().replaceAll("\\+", "%20");
Mac mac = Mac.getInstance("HmacSHA1");
SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacSHA1");
mac.init(keySpec);
mac.update(unsignedRequest.getBytes());
byte[] encryptedBytes = mac.doFinal();
String computedSignature = new String(Base64.encodeBase64(encryptedBytes));
boolean equalSig = ConstantTimeComparator.compareStrings(signature, computedSignature);
if (!equalSig) {
logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
} else {
user = _userAccountDao.getUserAccount(username, domainId);
}
} catch (Exception ex) {
logger.error("Exception authenticating user", ex);
return null;
}
user = getUserAccountForSSO(username, domainId, requestParameters);
}
if (user != null) {
@ -2778,18 +2820,35 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " + loginIpAddress, user.getId(), ApiCommandResourceType.User.toString());
validUserLastAuthTimeDurationInMs = System.currentTimeMillis() - authStartTimeInMs;
// Here all is fine!
if (logger.isDebugEnabled()) {
logger.debug("User: " + username + " in domain " + domainId + " has successfully logged in");
logger.debug(String.format("User: %s in domain %d has successfully logged in, auth time duration - %d ms", username, domainId, validUserLastAuthTimeDurationInMs));
}
ActionEventUtils.onActionEvent(user.getId(), user.getAccountId(), user.getDomainId(), EventTypes.EVENT_USER_LOGIN, "user has logged in from IP Address " + loginIpAddress, user.getId(), ApiCommandResourceType.User.toString());
return user;
} else {
if (logger.isDebugEnabled()) {
logger.debug("User: " + username + " in domain " + domainId + " has failed to log in");
}
long waitTimeDurationInMs;
long invalidUserAuthTimeDurationInMs = System.currentTimeMillis() - authStartTimeInMs;
if (validUserLastAuthTimeDurationInMs > 0) {
waitTimeDurationInMs = validUserLastAuthTimeDurationInMs - invalidUserAuthTimeDurationInMs;
} else {
waitTimeDurationInMs = DEFAULT_USER_AUTH_TIME_DURATION_MS - invalidUserAuthTimeDurationInMs;
}
if (waitTimeDurationInMs > 0) {
try {
Thread.sleep(waitTimeDurationInMs);
} catch (final InterruptedException e) {
}
}
return null;
}
}
@ -2827,7 +2886,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
boolean updateIncorrectLoginCount = actionsOnFailedAuthenticaion.contains(ActionOnFailedAuthentication.INCREMENT_INCORRECT_LOGIN_ATTEMPT_COUNT);
if (authenticated) {
Domain domain = _domainMgr.getDomain(domainId);
String domainName = null;
if (domain != null) {
@ -2869,6 +2927,99 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
}
private UserAccount getUserAccountForSSO(String username, Long domainId, Map<String, Object[]> requestParameters) {
String key = _configDao.getValue("security.singlesignon.key");
if (key == null) {
// the SSO key is gone, don't authenticate
return null;
}
String singleSignOnTolerance = _configDao.getValue("security.singlesignon.tolerance.millis");
if (singleSignOnTolerance == null) {
// the SSO tolerance is gone (how much time before/after system time we'll allow the login request to be
// valid),
// don't authenticate
return null;
}
UserAccount user = null;
long tolerance = Long.parseLong(singleSignOnTolerance);
String signature = null;
long timestamp = 0L;
String unsignedRequest;
StringBuffer unsignedRequestBuffer = new StringBuffer();
// - build a request string with sorted params, make sure it's all lowercase
// - sign the request, verify the signature is the same
List<String> parameterNames = new ArrayList<>();
for (Object paramNameObj : requestParameters.keySet()) {
parameterNames.add((String)paramNameObj); // put the name in a list that we'll sort later
}
Collections.sort(parameterNames);
try {
for (String paramName : parameterNames) {
// parameters come as name/value pairs in the form String/String[]
String paramValue = ((String[])requestParameters.get(paramName))[0];
if ("signature".equalsIgnoreCase(paramName)) {
signature = paramValue;
} else {
if ("timestamp".equalsIgnoreCase(paramName)) {
String timestampStr = paramValue;
try {
// If the timestamp is in a valid range according to our tolerance, verify the request
// signature, otherwise return null to indicate authentication failure
timestamp = Long.parseLong(timestampStr);
long currentTime = System.currentTimeMillis();
if (Math.abs(currentTime - timestamp) > tolerance) {
logger.debug("Expired timestamp passed in to login, current time = {}, timestamp = {}", currentTime, timestamp);
return null;
}
} catch (NumberFormatException nfe) {
logger.debug("Invalid timestamp passed in to login: {}", timestampStr);
return null;
}
}
if (unsignedRequestBuffer.length() != 0) {
unsignedRequestBuffer.append("&");
}
unsignedRequestBuffer.append(paramName).append("=").append(URLEncoder.encode(paramValue, "UTF-8"));
}
}
if ((signature == null) || (timestamp == 0L)) {
if (logger.isDebugEnabled()) {
logger.debug("Missing parameters in login request, signature = " + signature + ", timestamp = " + timestamp);
}
return null;
}
unsignedRequest = unsignedRequestBuffer.toString().toLowerCase().replaceAll("\\+", "%20");
Mac mac = Mac.getInstance("HmacSHA1");
SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacSHA1");
mac.init(keySpec);
mac.update(unsignedRequest.getBytes());
byte[] encryptedBytes = mac.doFinal();
String computedSignature = new String(Base64.encodeBase64(encryptedBytes));
boolean equalSig = ConstantTimeComparator.compareStrings(signature, computedSignature);
if (!equalSig) {
logger.info("User signature: " + signature + " is not equaled to computed signature: " + computedSignature);
} else {
user = _userAccountDao.getUserAccount(username, domainId);
}
} catch (Exception ex) {
logger.error("Exception authenticating user", ex);
return null;
}
return user;
}
protected void updateLoginAttemptsWhenIncorrectLoginAttemptsEnabled(UserAccount account, boolean updateIncorrectLoginCount,
int allowedLoginAttempts) {
int attemptsMade = account.getLoginAttempts() + 1;
@ -2904,8 +3055,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
final Account account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user.
User caller = CallContext.current().getCallingUser();
preventRootDomainAdminAccessToRootAdminKeys(caller, account);
checkAccess(caller, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
Map<String, String> keys = new HashMap<>();
keys.put("apikey", user.getApiKey());
@ -2969,8 +3120,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
}
Account account = _accountDao.findById(user.getAccountId());
preventRootDomainAdminAccessToRootAdminKeys(user, account);
checkAccess(caller, null, true, account);
verifyCallerPrivilegeForUserOrAccountOperations(user);
// don't allow updating system user
if (user.getId() == User.UID_SYSTEM) {
@ -3426,7 +3577,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public ConfigKey<?>[] getConfigKeys() {
return new ConfigKey<?>[] {UseSecretKeyInResponse, enableUserTwoFactorAuthentication,
userTwoFactorAuthenticationDefaultProvider, mandateUserTwoFactorAuthentication, userTwoFactorAuthenticationIssuer, apiKeyAccess,
userAllowMultipleAccounts};
userAllowMultipleAccounts, listOfRoleTypesAllowedForOperationsOfSameRoleType, allowOperationsOnUsersInSameAccount};
}
public List<UserTwoFactorAuthenticator> getUserTwoFactorAuthenticationProviders() {

46
server/src/test/java/com/cloud/configuration/ConfigurationManagerImplTest.java
View File

@ -45,10 +45,12 @@ import com.cloud.storage.StorageManager;
import com.cloud.storage.dao.VMTemplateZoneDao;
import com.cloud.storage.dao.VolumeDao;
import com.cloud.user.Account;
import com.cloud.user.AccountManagerImpl;
import com.cloud.user.User;
import com.cloud.utils.Pair;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.dao.VMInstanceDao;
import org.apache.cloudstack.annotation.dao.AnnotationDao;
@ -57,6 +59,7 @@ import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
import org.apache.cloudstack.api.command.admin.offering.UpdateDiskOfferingCmd;
import org.apache.cloudstack.api.command.admin.zone.DeleteZoneCmd;
import org.apache.cloudstack.config.Configuration;
import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.engine.subsystem.api.storage.ZoneScope;
import org.apache.cloudstack.framework.config.ConfigDepot;
import org.apache.cloudstack.framework.config.ConfigKey;
@ -192,6 +195,7 @@ public class ConfigurationManagerImplTest {
configurationManagerImplSpy.populateConfigValuesForValidationSet();
configurationManagerImplSpy.weightBasedParametersForValidation();
configurationManagerImplSpy.overProvisioningFactorsForValidation();
configurationManagerImplSpy.populateConfigKeysAllowedOnlyForDefaultAdmin();
ReflectionTestUtils.setField(configurationManagerImplSpy, "templateZoneDao", vmTemplateZoneDao);
ReflectionTestUtils.setField(configurationManagerImplSpy, "annotationDao", annotationDao);
@ -884,4 +888,46 @@ public class ConfigurationManagerImplTest {
Pair<Configuration, String> result = configurationManagerImplSpy.resetConfiguration(cmd);
Assert.assertEquals(".85", result.second());
}
@Test
public void testValidateConfigurationAllowedOnlyForDefaultAdmin_withAdminUser_shouldNotThrowException() {
CallContext callContext = mock(CallContext.class);
when(callContext.getCallingUserId()).thenReturn(User.UID_ADMIN);
try (MockedStatic<CallContext> ignored = Mockito.mockStatic(CallContext.class)) {
when(CallContext.current()).thenReturn(callContext);
configurationManagerImplSpy.validateConfigurationAllowedOnlyForDefaultAdmin(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key(), "Admin");
}
}
@Test
public void testValidateConfigurationAllowedOnlyForDefaultAdmin_withNonAdminUser_shouldThrowException() {
CallContext callContext = mock(CallContext.class);
when(callContext.getCallingUserId()).thenReturn(123L);
try (MockedStatic<CallContext> ignored = Mockito.mockStatic(CallContext.class)) {
when(CallContext.current()).thenReturn(callContext);
Assert.assertThrows(CloudRuntimeException.class, () ->
configurationManagerImplSpy.validateConfigurationAllowedOnlyForDefaultAdmin(AccountManagerImpl.allowOperationsOnUsersInSameAccount.key(), "Admin")
);
}
}
@Test
public void testValidateConfigurationAllowedOnlyForDefaultAdmin_withNonRestrictedKey_shouldNotThrowException() {
CallContext callContext = mock(CallContext.class);
try (MockedStatic<CallContext> ignored = Mockito.mockStatic(CallContext.class)) {
when(CallContext.current()).thenReturn(callContext);
configurationManagerImplSpy.validateConfigurationAllowedOnlyForDefaultAdmin("some.other.config.key", "Admin");
}
}
@Test(expected = CloudRuntimeException.class)
public void testValidateConfigurationAllowedOnlyForDefaultAdmin_withValidConfigNameAndInvalidValue_shouldThrowException() {
CallContext callContext = mock(CallContext.class);
try (MockedStatic<CallContext> mockedCallContext = Mockito.mockStatic(CallContext.class)) {
mockedCallContext.when(CallContext::current).thenReturn(callContext);
when(callContext.getCallingUserId()).thenReturn(User.UID_ADMIN);
String invalidValue = "Admin, SuperUser";
configurationManagerImplSpy.validateConfigurationAllowedOnlyForDefaultAdmin(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key(), invalidValue);
}
}
}

104
server/src/test/java/com/cloud/user/AccountManagerImplTest.java
View File

@ -16,6 +16,7 @@
// under the License.
package com.cloud.user;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.nullable;
import java.net.InetAddress;
@ -126,6 +127,9 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
@Mock
ConfigKey<Boolean> enableUserTwoFactorAuthenticationMock;
@Mock
ConfigKey<Boolean> allowOperationsOnUsersInSameAccountMock;
@Mock
RoleService roleService;
@ -133,6 +137,9 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
public void setUp() throws Exception {
enableUserTwoFactorAuthenticationMock = Mockito.mock(ConfigKey.class);
accountManagerImpl.enableUserTwoFactorAuthentication = enableUserTwoFactorAuthenticationMock;
allowOperationsOnUsersInSameAccountMock = Mockito.mock(ConfigKey.class);
accountManagerImpl.allowOperationsOnUsersInSameAccount = allowOperationsOnUsersInSameAccountMock;
}
@Before
@ -143,6 +150,8 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.doReturn(accountMockId).when(userVoMock).getAccountId();
Mockito.doReturn(userVoIdMock).when(userVoMock).getId();
Mockito.lenient().doNothing().when(accountManagerImpl).checkRoleEscalation(accountMock, accountMock);
}
@Test
@ -193,6 +202,7 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.when(_sshKeyPairDao.remove(Mockito.anyLong())).thenReturn(true);
Mockito.when(userDataDao.removeByAccountId(Mockito.anyLong())).thenReturn(222);
Mockito.doNothing().when(accountManagerImpl).deleteWebhooksForAccount(Mockito.anyLong());
Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations((Account) any());
Assert.assertTrue(accountManagerImpl.deleteUserAccount(42l));
// assert that this was a clean delete
@ -213,6 +223,7 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.lenient().when(_domainMgr.getDomain(Mockito.anyLong())).thenReturn(domain);
Mockito.lenient().when(securityChecker.checkAccess(Mockito.any(Account.class), Mockito.any(Domain.class))).thenReturn(true);
Mockito.doNothing().when(accountManagerImpl).deleteWebhooksForAccount(Mockito.anyLong());
Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations((Account) any());
Assert.assertTrue(accountManagerImpl.deleteUserAccount(42l));
// assert that this was NOT a clean delete
@ -247,6 +258,7 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.doReturn(2L).when(accountVoMock).getId();
Mockito.doReturn(true).when(accountManagerImpl).isDeleteNeeded(Mockito.any(), Mockito.anyLong(), Mockito.any());
Mockito.doReturn(new ArrayList<Long>()).when(_projectAccountDao).listAdministratedProjectIds(Mockito.anyLong());
Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations((Account) any());
accountManagerImpl.deleteUserAccount(accountId);
}
@ -284,6 +296,7 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.doReturn(2L).when(userVoMock).getId();
Mockito.doNothing().when(accountManagerImpl).checkAccountAndAccess(Mockito.any(), Mockito.any());
Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(userVoMock);
accountManagerImpl.deleteUser(cmd);
}
}
@ -350,7 +363,6 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
// Queried account - admin account
AccountVO adminAccountMock = Mockito.mock(AccountVO.class);
Mockito.when(adminAccountMock.getAccountId()).thenReturn(2L);
Mockito.when(_accountDao.findByIdIncludingRemoved(2L)).thenReturn(adminAccountMock);
Mockito.lenient().when(accountService.isRootAdmin(2L)).thenReturn(true);
Mockito.lenient().when(securityChecker.checkAccess(Mockito.any(Account.class),
@ -398,6 +410,12 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
@Test
public void updateUserTestTimeZoneAndEmailNull() {
Mockito.when(userVoMock.getAccountId()).thenReturn(10L);
Mockito.doReturn(accountMock).when(accountManagerImpl).getAccount(10L);
Mockito.when(accountMock.getAccountId()).thenReturn(10L);
Mockito.doReturn(false).when(accountManagerImpl).isRootAdmin(10L);
Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(accountMock))).thenReturn(RoleType.User);
prepareMockAndExecuteUpdateUserTest(0);
}
@ -405,6 +423,11 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
public void updateUserTestTimeZoneAndEmailNotNull() {
Mockito.when(UpdateUserCmdMock.getEmail()).thenReturn("email");
Mockito.when(UpdateUserCmdMock.getTimezone()).thenReturn("timezone");
Mockito.when(userVoMock.getAccountId()).thenReturn(10L);
Mockito.doReturn(accountMock).when(accountManagerImpl).getAccount(10L);
Mockito.when(accountMock.getAccountId()).thenReturn(10L);
Mockito.doReturn(false).when(accountManagerImpl).isRootAdmin(10L);
Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(accountMock))).thenReturn(RoleType.User);
prepareMockAndExecuteUpdateUserTest(1);
}
@ -422,14 +445,17 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
Mockito.doReturn(true).when(userDaoMock).update(Mockito.anyLong(), Mockito.eq(userVoMock));
Mockito.doReturn(Mockito.mock(UserAccountVO.class)).when(userAccountDaoMock).findById(Mockito.anyLong());
Mockito.doNothing().when(accountManagerImpl).checkAccess(nullable(User.class), nullable(Account.class));
accountManagerImpl.updateUser(UpdateUserCmdMock);
Mockito.lenient().doNothing().when(accountManagerImpl).checkRoleEscalation(accountMock, accountMock);
InOrder inOrder = Mockito.inOrder(userVoMock, accountManagerImpl, userDaoMock, userAccountDaoMock);
inOrder.verify(accountManagerImpl).retrieveAndValidateUser(UpdateUserCmdMock);
inOrder.verify(accountManagerImpl).validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
inOrder.verify(accountManagerImpl).retrieveAndValidateAccount(userVoMock);
inOrder.verify(accountManagerImpl).validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
inOrder.verify(accountManagerImpl).validateAndUpdateFirstNameIfNeeded(UpdateUserCmdMock, userVoMock);
inOrder.verify(accountManagerImpl).validateAndUpdateLastNameIfNeeded(UpdateUserCmdMock, userVoMock);
@ -1341,8 +1367,8 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
accountManagerImpl.validateRoleChange(account, newRole, caller);
}
@Test
public void checkIfAccountManagesProjectsTestNotThrowExceptionWhenTheAccountIsNotAProjectAdministrator() {
@Test
public void checkIfAccountManagesProjectsTestNotThrowExceptionWhenTheAccountIsNotAProjectAdministrator() {
long accountId = 1L;
List<Long> managedProjectIds = new ArrayList<>();
@ -1479,4 +1505,74 @@ public class AccountManagerImplTest extends AccountManagetImplTestBase {
accountManagerImpl.assertUserNotAlreadyInDomain(existingUser, originalAccount);
}
@Test
public void testCheckCallerRoleTypeAllowedToUpdateUserSameAccount() {
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(accountMock);
Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(accountMock))).thenReturn(RoleType.DomainAdmin);
accountManagerImpl.checkCallerRoleTypeAllowedForUserOrAccountOperations(accountMock, userVoMock);
}
@Test(expected = PermissionDeniedException.class)
public void testCheckCallerRoleTypeAllowedToUpdateUserLowerAccountRoleType() {
Account callingAccount = Mockito.mock(Account.class);
Mockito.lenient().when(callingAccount.getAccountId()).thenReturn(2L);
Mockito.lenient().doReturn(callingAccount).when(accountManagerImpl).getAccount(2L);
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(callingAccount);
Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(callingAccount))).thenReturn(RoleType.DomainAdmin);
Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(accountMock))).thenReturn(RoleType.Admin);
accountManagerImpl.checkCallerRoleTypeAllowedForUserOrAccountOperations(accountMock, userVoMock);
}
@Test
public void testcheckCallerApiPermissionsForUserOperationsRootAdminSameCaller() {
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(accountMock);
Mockito.when(accountMock.getId()).thenReturn(2L);
Mockito.doReturn(true).when(accountManagerImpl).isRootAdmin(2L);
accountManagerImpl.checkCallerApiPermissionsForUserOrAccountOperations(accountMock);
}
@Test(expected = PermissionDeniedException.class)
public void testcheckCallerApiPermissionsForUserOperationsRootAdminDifferentAccount() {
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(callingAccount);
Mockito.lenient().when(callingAccount.getAccountId()).thenReturn(3L);
Mockito.lenient().doReturn(callingAccount).when(accountManagerImpl).getAccount(3L);
Mockito.lenient().doReturn(false).when(accountManagerImpl).isRootAdmin(3L);
Mockito.when(accountMock.getAccountId()).thenReturn(2L);
Mockito.doReturn(true).when(accountManagerImpl).isRootAdmin(2L);
accountManagerImpl.checkCallerApiPermissionsForUserOrAccountOperations(accountMock);
}
@Test
public void testcheckCallerApiPermissionsForUserOperationsAllowedApis() {
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(callingAccount);
Mockito.lenient().when(callingAccount.getAccountId()).thenReturn(3L);
Mockito.lenient().doReturn(callingAccount).when(accountManagerImpl).getAccount(3L);
Mockito.lenient().doReturn(false).when(accountManagerImpl).isRootAdmin(3L);
Mockito.when(accountMock.getAccountId()).thenReturn(2L);
Mockito.doReturn(false).when(accountManagerImpl).isRootAdmin(2L);
Mockito.lenient().doNothing().when(accountManagerImpl).checkRoleEscalation(callingAccount, accountMock);
accountManagerImpl.checkCallerApiPermissionsForUserOrAccountOperations(accountMock);
}
@Test(expected = PermissionDeniedException.class)
public void testcheckCallerApiPermissionsForUserOperationsNotAllowedApis() {
Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(callingAccount);
Mockito.lenient().when(callingAccount.getAccountId()).thenReturn(3L);
Mockito.lenient().doReturn(callingAccount).when(accountManagerImpl).getAccount(3L);
Mockito.lenient().doReturn(false).when(accountManagerImpl).isRootAdmin(3L);
Mockito.when(accountMock.getAccountId()).thenReturn(2L);
Mockito.doReturn(false).when(accountManagerImpl).isRootAdmin(2L);
Mockito.lenient().doThrow(PermissionDeniedException.class).when(accountManagerImpl).checkRoleEscalation(callingAccount, accountMock);
accountManagerImpl.checkCallerApiPermissionsForUserOrAccountOperations(accountMock);
}
}

1
server/src/test/java/com/cloud/user/AccountManagerImplVolumeDeleteEventTest.java
View File

@ -192,6 +192,7 @@ public class AccountManagerImplVolumeDeleteEventTest extends AccountManagetImplT
public void destroyedVMRootVolumeUsageEvent()
throws SecurityException, IllegalArgumentException, ReflectiveOperationException, AgentUnavailableException, ConcurrentOperationException, CloudException {
lenient().doReturn(vm).when(_vmMgr).destroyVm(nullable(Long.class), nullable(Boolean.class));
Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations((Account) any());
List<UsageEventVO> emittedEvents = deleteUserAccountRootVolumeUsageEvents(true);
Assert.assertEquals(0, emittedEvents.size());
}

3
server/src/test/java/com/cloud/user/AccountManagetImplTestBase.java
View File

@ -210,6 +210,9 @@ public class AccountManagetImplTestBase {
@Mock
RoutedIpv4Manager routedIpv4Manager;
@Mock
Account accountMock;
@Before
public void setup() {
accountManagerImpl.setUserAuthenticators(Arrays.asList(userAuthenticator));

4
server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
View File

@ -503,4 +503,8 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
public UserAccount clearUserTwoFactorAuthenticationInSetupStateOnLogin(UserAccount user) {
return null;
}
@Override
public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) {
}
}