Fixes domain-admin access check to prevent unauthorized access.
Introduces a new non-dynamic global setting - api.allow.internal.db.ids
to control whether to allow using internal DB IDs as API parameters or
not. Default value for the global setting is false.
Co-authored-by: Fabricio Duarte <fabricio.duarte.jr@gmail.com>
Co-authored-by: nvazquez <nicovazquez90@gmail.com>
Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Using XenServer as the hypervisor, when deleting a snapshot that has a parent, that parent will also get erased on storage, causing data loss. This behavior was introduced with #7873, where the list of snapshot states that can be deleted was changed to add BackedUp snapshots.
This PR changes the states list back to the original list, and swaps the while loop for a do while loop to account for the changes in #7873.
Fixes#9446
This PR fixes#9379
Fix missing keys in listZonesMetrics.
We use BeanUtils.copyProperties to copy the properties of ZoneResponse to ZoneMetricsResponse. Fields with missing getters are skipped from the response because of this.
The metrics for VMs and VM disks in CloudStack depend on the hypervisor plugin used for each hypervisor. The behavior can vary across different hypervisors. For VMware, metrics are retrieved as average value for the time interval defined in the global configuration - vmware.stats.time.window.
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* Move and copy files to new filenames
* Adjust bash scripts to support arm64
* change preseed for arm64 to create EFI partition
* change packer template files to support arm64
* Correct preseed file name in x86_64 packer template
* fixes
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* try different machine cpu
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* don't accelerate KVM for different arch (arm64 vm on amd64 host)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* fix building arm64 on x86
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* Update README.md
---------
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Co-authored-by: StepBee <stephan@bienek.org>
Adminstrators should ensure that IDP configuration has a signing certificate for the actual signature check to be performed. In addition to this, this change introduces a new global setting saml2.check.signature, with the default value of true, which can deliberately fail a SAML login attempt when the SAML response has a missing signature.
Purges the SAML token upon handling the first SAML response.
Authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Adminstrators should ensure that IDP configuration has a signing certificate for the actual signature check to be performed. In addition to this, this change introduces a new global setting saml2.check.signature, with the default value of true, which can deliberately fail a SAML login attempt when the SAML response has a missing signature.
Purges the SAML token upon handling the first SAML response.
Authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Fixes#9331
Only those VMs should be considered network VM which have a NIC entry
that is not marked removed.
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* saml: purge token after first response and improve setting description
This improves the description of a saml signature checking global
setting, and purges the SAML token upon handling the first SAML
response.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* fix failing unit test
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
---------
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* config.json: make configuration names consistent with other
Makes login related config param to be consistent with the original
`loginFooter`. Group them together.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* ui: assorted UI fixes and copy console URL fix
This brings in related buttons across some infra views and new columns
which are missing. Also fixes the copy console URL issue on some
browsers.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
---------
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Try to intercept test calss methods in new CallContext to prevent
getting any leftover data during assertions.
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
This improves upon #9219, to make the signature checks mandatory by
default but allows for users to relax the setting if they really must.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- mTLS implementation for cluster service communication
- Listen only on the specified cluster node IP address instead of all interfaces
- Validate incoming cluster service requests are from peer management servers based on the server's certificate dns name which can be through global config - ca.framework.cert.management.custom.san
- Hardening of KVM command wrapper script exeicution
- Improve API server integration port check
- cloudstack-management.default: don't have JMX configuration if not needed. JMX is used for instrumentation; users who need to use it should enable it explicitly
Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: Wei Zhou <weizhou@apache.org>
Co-authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
- mTLS implementation for cluster service communication
- Listen only on the specified cluster node IP address instead of all interfaces
- Validate incoming cluster service requests are from peer management servers based on the server's certificate dns name which can be through global config - ca.framework.cert.management.custom.san
- Hardening of KVM command wrapper script execution
- Improve API server integration port check
- cloudstack-management.default: don't have JMX configuration if not needed. JMX is used for instrumentation; users who need to use it should enable it explicitly
Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: Wei Zhou <weizhou@apache.org>
Co-authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
- mTLS implementation for cluster service communication
- Listen only on the specified cluster node IP address instead of all interfaces
- Validate incoming cluster service requests are from peer management servers based on the server's certificate dns name which can be through global config - ca.framework.cert.management.custom.san
- Hardening of KVM command wrapper script execution
- Improve API server integration port check
- cloudstack-management.default: don't have JMX configuration if not needed. JMX is used for instrumentation; users who need to use it should enable it explicitly
Co-authored-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
Co-authored-by: Wei Zhou <weizhou@apache.org>
Co-authored-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
* test_primary_storage_scope should only run with kvm, vmware and simulator
* move cluster create and storage pool create from setup to test so that they are cleaned up in case of failure
* fixed lint failure
* using super class' tearDown
The client.setBasePath() would overwrite the Linstor controller IP/host
for all current client users. This is basically a race condition
that triggered as soon as you had configured 2 different primary storages
with different Linstor controllers.
