diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
index 5e86bb6daf0..ee517c1ccf9 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
@@ -216,6 +216,33 @@ import org.apache.logging.log4j.Level;
 public class KubernetesClusterManagerImpl extends ManagerBase implements KubernetesClusterService {
 private static final String DEFAULT_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME = "DefaultNetworkOfferingforKubernetesService";
+ private static final List> PROJECT_KUBERNETES_ACCOUNT_ROLE_ALLOWED_APIS = Arrays.asList(
+ QueryAsyncJobResultCmd.class,
+ ListVMsCmd.class,
+ ListNetworksCmd.class,
+ ListPublicIpAddressesCmd.class,
+ AssociateIPAddrCmd.class,
+ DisassociateIPAddrCmd.class,
+ ListLoadBalancerRulesCmd.class,
+ CreateLoadBalancerRuleCmd.class,
+ UpdateLoadBalancerRuleCmd.class,
+ DeleteLoadBalancerRuleCmd.class,
+ AssignToLoadBalancerRuleCmd.class,
+ RemoveFromLoadBalancerRuleCmd.class,
+ ListLoadBalancerRuleInstancesCmd.class,
+ ListFirewallRulesCmd.class,
+ CreateFirewallRuleCmd.class,
+ UpdateFirewallRuleCmd.class,
+ DeleteFirewallRuleCmd.class,
+ ListNetworkACLsCmd.class,
+ CreateNetworkACLCmd.class,
+ DeleteNetworkACLCmd.class,
+ ListKubernetesClustersCmd.class,
+ ScaleKubernetesClusterCmd.class
+ );
+ private static final String PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME = "Kubernetes";
+ private static final String PROJECT_KUBERNETES_ACCOUNT_LAST_NAME = "Service User";
+
 private static final String DEFAULT_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_DISPLAY_TEXT = "Network Offering used for CloudStack Kubernetes service";
 private static final String DEFAULT_NSX_NETWORK_OFFERING_FOR_KUBERNETES_SERVICE_NAME = "DefaultNSXNetworkOfferingforKubernetesService";
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
index c8ab6b4b069..51e79ae72c4 100644
--- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
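Review bot: PROJECT_KUBERNETES_ACCOUNT_ROLE_ALLOWED_APIS in KubernetesClusterManagerImpl.java is built with `Arrays.asList(...)`, which returns a fixed-size list whose entries can still be replaced through `set()`; since the name suggests it defines what the project Kubernetes account's role may call, it should be immutable, for example `Collections.unmodifiableList(Arrays.asList(...))`. The list also has no comment explaining why the write APIs (IP association, load balancer, firewall and network ACL rules) are needed, so I would add one such as `// Least-privilege API set for the per-project Kubernetes service account; extend only with a documented need`. How the list is consumed is outside this hunk, so the immutability point is defence in depth rather than a confirmed defect.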
@@ -1512,6 +1512,33 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
 return true;
 }
+ protected void validateConfigurationAllowedOnlyForDefaultAdmin(String configName, String value) {
+ if (configKeysAllowedOnlyForDefaultAdmin.contains(configName)) {
+ final Long userId = CallContext.current().getCallingUserId();
+ if (userId != User.UID_ADMIN) {
+ throw new CloudRuntimeException("Only default admin is allowed to change this setting");
+ }
+
+ if (AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key().equals(configName)) {
+ if (value != null && !value.isBlank()) {
+ List validRoleTypes = Arrays.stream(RoleType.values())
+ .map(Enum::name)
+ .collect(Collectors.toList());
+
+ boolean allValid = Arrays.stream(value.split(","))
+ .map(String::trim)
+ .allMatch(validRoleTypes::contains);
+
+ if (!allValid) {
+ throw new CloudRuntimeException("Invalid role types provided in value");
+ }
+ } else {
+ throw new CloudRuntimeException("Value for role types must not be empty");
+ }
+ }
+ }
+ }
+
 /**
 * A valid value should be an integer between min and max (the values from the range).
 */
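Review bot: In validateConfigurationAllowedOnlyForDefaultAdmin the authorization check compares a boxed `Long userId` with `User.UID_ADMIN` using `!=`, which is a numeric comparison only if the constant is a primitive (its declaration is not visible here); declaring `final long userId = CallContext.current().getCallingUserId();` makes the intent explicit. The denial path throws a generic CloudRuntimeException without recording who tried to change which setting, so a warn-level log line carrying the calling user id and `configName` before the throw would give operators an audit trail. The role-type check trims each token before matching, but the untrimmed `value` is presumably what gets stored, so consumers must trim as well or the method should hand back a normalised string. The callers are outside this hunk; it is worth confirming that every path that writes a configuration value, including any reset-to-default path, goes through this check.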