You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2023/01/11 16:42:24 UTC
[GitHub] [cloudstack] RodrigoDLopez opened a new pull request, #7080: updates roles read-only
RodrigoDLopez opened a new pull request, #7080:
URL: https://github.com/apache/cloudstack/pull/7080
### Description
The ACS default rules for read-only accounts (Read-Only Admin - Default and Read-Only User - Default) do not allow accounts created with these rules to execute the `quotaStatement` and `quotaBalance` commands; for this reason, quota consumption history is not displayed for user-accounts created with these roles.
This PR introduces an update to the default rules to allow read-only accounts to cal these APIs
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
### Feature/Enhancement Scale or Bug Severity
#### Feature/Enhancement Scale
- [ ] Major
- [x] Minor
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380548578
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5249
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on a diff in pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on code in PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#discussion_r1068935302
##########
engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql:
##########
@@ -998,6 +998,38 @@ BEGIN
CALL `cloud`.`IDEMPOTENT_ADD_KEY`('i_user_ip_address_state','user_ip_address', '(state)');
+UPDATE `cloud`.`role_permissions`
+SET sort_order = sort_order + 2
+WHERE rule = '*'
+AND permission = 'DENY'
+AND role_id in (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaStatement', 'ALLOW', MAX(sort_order)-1
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaBalance', 'ALLOW', MAX(sort_order)-2
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+UPDATE `cloud`.`role_permissions`
+SET sort_order = sort_order + 2
+WHERE rule = '*'
+AND permission = 'DENY'
+AND role_id in (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaStatement', 'ALLOW', MAX(sort_order)-1
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaBalance', 'ALLOW', MAX(sort_order)-2
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
Review Comment:
tried again in a new environment and it worked.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1379292133
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7080)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7080&metric=coverage&view=list) No Coverage information
[](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7080&metric=duplicated_lines_density&view=list) No Duplication information
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] codecov[bot] commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1379269368
# [Codecov](https://codecov.io/gh/apache/cloudstack/pull/7080?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#7080](https://codecov.io/gh/apache/cloudstack/pull/7080?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (e9ad8fa) into [main](https://codecov.io/gh/apache/cloudstack/commit/c1b17d2c42b38207dffef405cc8f76cb08ccc4b7?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c1b17d2) will **increase** coverage by `0.00%`.
> The diff coverage is `n/a`.
```diff
@@ Coverage Diff @@
## main #7080 +/- ##
=========================================
Coverage 11.76% 11.76%
+ Complexity 7661 7660 -1
=========================================
Files 2503 2503
Lines 245960 245960
Branches 38375 38375
=========================================
+ Hits 28946 28949 +3
+ Misses 213250 213247 -3
Partials 3764 3764
```
| [Impacted Files](https://codecov.io/gh/apache/cloudstack/pull/7080?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [...dstack/network/contrail/model/ModelObjectBase.java](https://codecov.io/gh/apache/cloudstack/pull/7080?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGx1Z2lucy9uZXR3b3JrLWVsZW1lbnRzL2p1bmlwZXItY29udHJhaWwvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2Nsb3Vkc3RhY2svbmV0d29yay9jb250cmFpbC9tb2RlbC9Nb2RlbE9iamVjdEJhc2UuamF2YQ==) | `21.15% <0.00%> (-7.70%)` | :arrow_down: |
| [...om/cloud/deploy/DeploymentPlanningManagerImpl.java](https://codecov.io/gh/apache/cloudstack/pull/7080?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c2VydmVyL3NyYy9tYWluL2phdmEvY29tL2Nsb3VkL2RlcGxveS9EZXBsb3ltZW50UGxhbm5pbmdNYW5hZ2VySW1wbC5qYXZh) | `28.92% <0.00%> (+0.75%)` | :arrow_up: |
:mega: We’re building smart automated test selection to slash your CI/CD build times. [Learn more](https://about.codecov.io/iterative-testing/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on a diff in pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on code in PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#discussion_r1067814077
##########
engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql:
##########
@@ -998,7 +998,37 @@ BEGIN
CALL `cloud`.`IDEMPOTENT_ADD_KEY`('i_user_ip_address_state','user_ip_address', '(state)');
--- Add permission for domain admins to call isAccountAllowedToCreateOfferingsWithTags API
Review Comment:
could you move the comment to the bottom, than remove it?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland merged pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
DaanHoogland merged PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380565313
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380436960
@DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1381322065
<b>Trillian test result (tid-5817)</b>
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 47840 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7080-t5817-kvm-centos7.zip
Smoke tests completed. 106 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_07_deploy_kubernetes_ha_cluster | `Failure` | 3616.73 | test_kubernetes_clusters.py
test_08_upgrade_kubernetes_ha_cluster | `Failure` | 0.06 | test_kubernetes_clusters.py
test_09_delete_kubernetes_ha_cluster | `Failure` | 0.05 | test_kubernetes_clusters.py
ContextSuite context=TestKubernetesCluster>:teardown | `Error` | 70.24 | test_kubernetes_clusters.py
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380565949
@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380427881
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7080)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7080&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7080&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7080&metric=coverage&view=list) No Coverage information
[](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7080&metric=duplicated_lines_density&view=list) No Duplication information
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on a diff in pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on code in PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#discussion_r1068186871
##########
engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql:
##########
@@ -998,6 +998,38 @@ BEGIN
CALL `cloud`.`IDEMPOTENT_ADD_KEY`('i_user_ip_address_state','user_ip_address', '(state)');
+UPDATE `cloud`.`role_permissions`
+SET sort_order = sort_order + 2
+WHERE rule = '*'
+AND permission = 'DENY'
+AND role_id in (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaStatement', 'ALLOW', MAX(sort_order)-1
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaBalance', 'ALLOW', MAX(sort_order)-2
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only Admin - Default');
+
+UPDATE `cloud`.`role_permissions`
+SET sort_order = sort_order + 2
+WHERE rule = '*'
+AND permission = 'DENY'
+AND role_id in (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaStatement', 'ALLOW', MAX(sort_order)-1
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
+
+INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission, sort_order)
+SELECT UUID(), role_id, 'quotaBalance', 'ALLOW', MAX(sort_order)-2
+FROM `cloud`.`role_permissions` RP
+WHERE role_id = (SELECT id FROM `cloud`.`roles` WHERE name = 'Read-Only User - Default');
Review Comment:
executing this sec i get:
```
Error occurred during SQL script execution
Reason:
SQL Error [1140] [42000]: (conn=130) In aggregated query without GROUP BY, expression #2 of SELECT list contains nonaggregated column 'cloud.RP.role_id'; this is incompatible with sql_mode=only_full_group_by
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #7080: updates roles read-only
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #7080:
URL: https://github.com/apache/cloudstack/pull/7080#issuecomment-1380434920
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org