Prevent upgrade failures if there are existing annotations permissions (#5846)

* Do not fail if there are existing role permissions for annotations * Refactor * Improve refactor * Do not update if there are existing role permissions for annotations * Fix exception on upgrade * Remove extra space from suggestion * Apply suggestions from code review Co-authored-by: sureshanaparti <12028987+sureshanaparti@users.noreply.github.com>
2025-10-26 08:42:29 +01:00 · 2022-01-18 02:50:00 -03:00 · 2022-01-18 02:50:00 -03:00 · e18ff602f8
commit e18ff602f8
parent f5b0d2f056
3 changed files with 88 additions and 11 deletions
--- a/engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java
@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.upgrade;
+
+import org.apache.log4j.Logger;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+public class RolePermissionChecker {
+
+    final static Logger LOG = Logger.getLogger(RolePermissionChecker.class);
+
+    private static final String checkAnnotationRulesPermissionPreparedStatement =
+            "SELECT permission FROM `cloud`.`role_permissions` WHERE role_id = ? AND rule = ?";
+    private static final String insertAnnotationRulePermissionPreparedStatement =
+            "INSERT IGNORE INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), ?, ?, 'ALLOW')";
+
+    public RolePermissionChecker() {
+    }
+
+    public boolean existsRolePermissionByRoleIdAndRule(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(checkAnnotationRulesPermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            ResultSet rs = pstmt.executeQuery();
+            return rs != null && rs.next();
+        } catch (SQLException e) {
+            LOG.error("Error on existsRolePermissionByRoleIdAndRule: " + e.getMessage(), e);
+            return false;
+        }
+    }
+
+    public void insertAnnotationRulePermission(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(insertAnnotationRulePermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            pstmt.executeUpdate();
+        } catch (SQLException e) {
+            LOG.error("Error on insertAnnotationRulePermission: " + e.getMessage(), e);
+        }
+    }
+}
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java
@ -22,8 +22,12 @@ import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.Arrays;
+import java.util.List;

+import com.cloud.upgrade.RolePermissionChecker;
 import com.cloud.upgrade.SystemVmTemplateRegistration;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.log4j.Logger;

 import com.cloud.utils.exception.CloudRuntimeException;
@ -32,6 +36,7 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate

    final static Logger LOG = Logger.getLogger(Upgrade41520to41600.class);
    private SystemVmTemplateRegistration systemVmTemplateRegistration;
+    private RolePermissionChecker rolePermissionChecker = new RolePermissionChecker();

    public Upgrade41520to41600() {
    }
@ -65,6 +70,28 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate
    @Override
    public void performDataMigration(Connection conn) {
        generateUuidForExistingSshKeyPairs(conn);
+        populateAnnotationPermissions(conn);
+    }
+
+    private void populateAnnotationPermissions(Connection conn) {
+        List<String> annotationRules = Arrays.asList("listAnnotations", "addAnnotation", "removeAnnotation");
+        for (RoleType roleType : Arrays.asList(RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User)) {
+            checkAndPersistAnnotationPermissions(conn, roleType, annotationRules);
+        }
+    }
+
+    private void checkAndPersistAnnotationPermissions(Connection conn, RoleType roleType, List<String> rules) {
+        LOG.debug("Checking the annotation permissions for the role: " + roleType.getId());
+        for (String rule : rules) {
+            LOG.debug("Checking the annotation permissions for the role: " + roleType.getId() + " and rule: " + rule);
+            if (!rolePermissionChecker.existsRolePermissionByRoleIdAndRule(conn, roleType.getId(), rule)) {
+                LOG.debug("Inserting role permission for role: " + roleType.getId() + " and rule: " + rule);
+                rolePermissionChecker.insertAnnotationRulePermission(conn, roleType.getId(), rule);
+            } else {
+                LOG.debug("Found existing role permission for role: " + roleType.getId() + " and rule: " + rule +
+                        ", not updating it");
+            }
+        }
    }

    private void generateUuidForExistingSshKeyPairs(Connection conn) {
--- a/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql
@ -727,17 +727,6 @@ CREATE TABLE `cloud`.`resource_icon` (

 ALTER TABLE `cloud`.`annotations` ADD COLUMN `admins_only` tinyint(1) unsigned NOT NULL DEFAULT 1;

-- Allow annotations for resource admins, domain admins and users
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'removeAnnotation', 'ALLOW');
-
 -- Add uuid for ssh keypairs
 ALTER TABLE `cloud`.`ssh_keypairs` ADD COLUMN `uuid` varchar(40) AFTER `id`;