You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/04/21 17:41:57 UTC
[GitHub] [cloudstack] soreana opened a new pull request, #4774: Added configuration and Integration test to restrict public template …
soreana opened a new pull request, #4774:
URL: https://github.com/apache/cloudstack/pull/4774
### Description
As a cloud provider, we don't want our customers to see other templates. This pr limits template access to the domain.
<!-- For new features, provide link to FS, dev ML discussion etc. -->
<!-- In case of bug fix, the expected and actual behaviours, steps to reproduce. -->
<!-- When "Fixes: #<id>" is specified, the issue/PR will automatically be closed when this PR gets merged -->
<!-- For addressing multiple issues/PRs, use multiple "Fixes: #<id>" -->
<!-- Fixes: # -->
<!--- ********************************************************************************* -->
<!--- NOTE: AUTOMATATION USES THE DESCRIPTIONS TO SET LABELS AND PRODUCE DOCUMENTATION. -->
<!--- PLEASE PUT AN 'X' in only **ONE** box -->
<!--- ********************************************************************************* -->
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
### Feature/Enhancement Scale or Bug Severity
#### Feature/Enhancement Scale
- [ ] Major
- [x] Minor
### How Has This Been Tested?
To test this feature, I created two domains named Test0, Test1 and Test2, each with their respective domain admins (test0, test1 and test2).
I used cloudmonkey command to list different combination of templateFilters ( **all**, **featured**, **self**, **selfexecutable**, **sharedexecutable**, **executable** and **community** ) and accounts ( **admin**, **test0**, **test1** and **test2** ).
#### Pre configuration:
1. Create three domain with their respective domain admin accounts.
2. Register new template for each account like the following table.
3. Follow the test cases.
Owner | Templates
-------|--------------
Admin | U20, SystemVM
Test0 | U0
Test1 | U1
Test2 | U2
#### Test case one.
1. Set `share.public.templates` to false for every domain
2. List templates in every account. You can't see any templates except the owneres templates.
#### Test case two
1. Set `share.public.templates` like the following table.
2. List templates in `test0` account. You should see combination of the `U20, U0, U2` with different `templatefilter` but not `U1`
Owner | share.public.templates
-------|--------------
Admin | true
Test0 | Doesn't matter
Test1 | false
Test2 | true
#### Test case three
1. Set `share.public.templates` like the test case two
2. List templates in `test0` with template id. You should be ablet to see the `U20, U0, U2` but empty result if you use `U1` id.
I wrote [this](https://gist.github.com/soreana/7c20dd1b5bca00cfdfee5018c13add6a) script to test this pr, you can find it in the following link. You need the `cmk` command and you should put `admin`, `test1`, and `test2` users info in the cmk configuration file. How to run this?
- Put account names in accounts array defined at top of the script
- ./listTemplates.sh will list all filter for all accounts
- ./listTemplates.sh <account name> list all templates using all possible filters for <account name>
- ./listTemplates.sh <template filter> list all templates for accounts in ('admin' 'test' 'test2') using <template filter>
- ./listTemplates.sh <account name> <template filter> list all templates for <accounts name> using <template filter>
<!-- Please read the [CONTRIBUTING](https://github.com/apache/cloudstack/blob/master/CONTRIBUTING.md) document -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sureshanaparti commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1092803383
> Hi @nvazquez, I'm waiting for @sureshanaparti to test and approve the changes. We had a long discussion about what is the correct behavior. They have started [here](https://github.com/apache/cloudstack/pull/4774#issuecomment-932060180).
>
> Will update the test after that as soon as I get his approval.
>
> > Continued tests with domain level setting.
> > (i)
> >
> > * Domain1 config "restrict.public.template.access.to.domain": false and Domain2 config "restrict.public.template.access.to.domain": true
> > => The public templates of domain1 are not listed for domain2 admin.
> > => The public templates of domain2 are listed for domain1 admin.
> >
> > (ii)
> >
> > * Domain1 config "restrict.public.template.access.to.domain": true and Domain2 config "restrict.public.template.access.to.domain": false
> > => The public templates of domain1 are listed for domain2 admin.
> > => The public templates of domain2 are not listed for domain1 admin.
> >
> > (iii)
> >
> > * Set the Domain1 config "restrict.public.template.access.to.domain": false and Domain2 config "restrict.public.template.access.to.domain": false
> > => The public templates of domain1 are listed for domain2 admin
> > => The public templates of domain2 are listed for domain1 admin
> >
> > (iv)
> >
> > * Set the Domain1 config "restrict.public.template.access.to.domain": true and Domain2 config "restrict.public.template.access.to.domain": true
> > => The public templates of domain1 are not listed for domain2 admin
> > => The public templates of domain2 are not listed for domain1 admin
> >
> > @soreana tests (i) and (ii) above, should list the public templates when the respective domain config ""restrict.public.template.access.to.domain" is false, and it seems to be working in the other way. Please check.
@nvazquez @soreana will test this and update.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1094955634
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1087398355
> > I would not allow this type of cleanup
>
> @DaanHoogland is this a cleanup ?
@weizhouapache please see my comment on the code, it was marked resolved but it isn't (and I unresolved it). the marvin test is prone to leaving garbage behind this way.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104647093
@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] soreana commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
soreana commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r842513539
##########
test/integration/component/test_template_access_across_domains.py:
##########
@@ -0,0 +1,627 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Import Local Modules
+from nose.plugins.attrib import attr
+from marvin.cloudstackTestCase import cloudstackTestCase, unittest
+from marvin.cloudstackAPI import (listZones,
+ deleteTemplate,
+ listConfigurations,
+ updateConfiguration)
+from marvin.lib.utils import (cleanup_resources)
+from marvin.lib.base import (Account,
+ Domain,
+ Network,
+ NetworkOffering,
+ Template,
+ ServiceOffering,
+ VirtualMachine,
+ Snapshot,
+ Volume)
+from marvin.lib.common import (get_domain,
+ get_zone,
+ get_template,
+ get_builtin_template_info)
+# Import System modules
+import time
+import logging
+
+class TestTemplateAccessAcrossDomains(cloudstackTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.testClient = super(TestTemplateAccessAcrossDomains, cls).getClsTestClient()
+ cls.apiclient = cls.testClient.getApiClient()
+
+ cls.services = cls.testClient.getParsedTestDataConfig()
+ # Get Zone, Domain and templates
+ cls.domain = get_domain(cls.apiclient)
+ cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
+ cls.services['mode'] = cls.zone.networktype
+ cls.logger = logging.getLogger("TestRouterResources")
+ cls._cleanup = []
+ cls.unsupportedHypervisor = False
+ cls.hypervisor = cls.testClient.getHypervisorInfo()
+ if cls.hypervisor.lower() in ['lxc']:
+ cls.unsupportedHypervisor = True
+ return
+ cls.services["virtual_machine"]["zoneid"] = cls.zone.id
+
+ # Create new domain1
+ cls.domain1 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain1"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain1)
+
+ # Create account1
+ cls.account1 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD1"],
+ domainid=cls.domain1.id
+ )
+ cls._cleanup.append(cls.account1)
+
+ # Create new sub-domain
+ cls.sub_domain = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain11"],
+ parentdomainid=cls.domain1.id)
+ cls._cleanup.append(cls.sub_domain)
+
+ # Create account for sub-domain
+ cls.sub_account = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD11"],
+ domainid=cls.sub_domain.id
+ )
+ cls._cleanup.append(cls.sub_account)
+
+ # Create new domain2
+ cls.domain2 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain2"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain2)
+
+ # Create account2
+ cls.account2 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD2"],
+ domainid=cls.domain2.id
+ )
+ cls._cleanup.append(cls.account2)
+
+ cls.service_offering = ServiceOffering.create(
+ cls.apiclient,
+ cls.services["service_offering"]
+ )
+ cls._cleanup.append(cls.service_offering)
+ if cls.hypervisor.lower() in ['kvm']:
+ # register template under ROOT domain
+ cls.root_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ domainid=cls.domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.root_template.download(cls.apiclient)
+ cls._cleanup.append(cls.root_template)
+ cls.services["test_templates"]["kvm"]["name"] = cls.account1.name
+ cls.template1 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account1.name,
+ domainid=cls.domain1.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template1.download(cls.apiclient)
+ cls._cleanup.append(cls.template1)
+ cls.services["test_templates"]["kvm"]["name"] = cls.sub_account.name
+ cls.sub_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.sub_account.name,
+ domainid=cls.sub_domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.sub_template.download(cls.apiclient)
+ cls._cleanup.append(cls.sub_template)
+ cls.template2 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account2.name,
+ domainid=cls.domain2.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template2.download(cls.apiclient)
+ cls._cleanup.append(cls.template2)
+ else:
+ return
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestTemplateAccessAcrossDomains, cls).tearDownClass()
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.domain1_config = self.get_restrict_template_configuration(self.domain1.id)
+ self.domain2_config = self.get_restrict_template_configuration(self.domain2.id)
+ self.sub_domain_config = self.get_restrict_template_configuration(self.sub_domain.id)
+ self.cleanup = []
+ return
+
+ def tearDown(self):
+ try:
+ self.update_restrict_template_configuration(self.domain1.id, self.domain1_config)
+ self.update_restrict_template_configuration(self.domain2.id, self.domain2_config)
+ self.update_restrict_template_configuration(self.sub_domain.id, self.sub_domain_config)
+ cleanup_resources(self.apiclient, self.cleanup)
Review Comment:
👍
Applied the chagnes.
##########
test/integration/component/test_template_access_across_domains.py:
##########
@@ -0,0 +1,627 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Import Local Modules
+from nose.plugins.attrib import attr
+from marvin.cloudstackTestCase import cloudstackTestCase, unittest
+from marvin.cloudstackAPI import (listZones,
+ deleteTemplate,
+ listConfigurations,
+ updateConfiguration)
+from marvin.lib.utils import (cleanup_resources)
+from marvin.lib.base import (Account,
+ Domain,
+ Network,
+ NetworkOffering,
+ Template,
+ ServiceOffering,
+ VirtualMachine,
+ Snapshot,
+ Volume)
+from marvin.lib.common import (get_domain,
+ get_zone,
+ get_template,
+ get_builtin_template_info)
+# Import System modules
+import time
+import logging
+
+class TestTemplateAccessAcrossDomains(cloudstackTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.testClient = super(TestTemplateAccessAcrossDomains, cls).getClsTestClient()
+ cls.apiclient = cls.testClient.getApiClient()
+
+ cls.services = cls.testClient.getParsedTestDataConfig()
+ # Get Zone, Domain and templates
+ cls.domain = get_domain(cls.apiclient)
+ cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
+ cls.services['mode'] = cls.zone.networktype
+ cls.logger = logging.getLogger("TestRouterResources")
+ cls._cleanup = []
+ cls.unsupportedHypervisor = False
+ cls.hypervisor = cls.testClient.getHypervisorInfo()
+ if cls.hypervisor.lower() in ['lxc']:
+ cls.unsupportedHypervisor = True
+ return
+ cls.services["virtual_machine"]["zoneid"] = cls.zone.id
+
+ # Create new domain1
+ cls.domain1 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain1"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain1)
+
+ # Create account1
+ cls.account1 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD1"],
+ domainid=cls.domain1.id
+ )
+ cls._cleanup.append(cls.account1)
+
+ # Create new sub-domain
+ cls.sub_domain = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain11"],
+ parentdomainid=cls.domain1.id)
+ cls._cleanup.append(cls.sub_domain)
+
+ # Create account for sub-domain
+ cls.sub_account = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD11"],
+ domainid=cls.sub_domain.id
+ )
+ cls._cleanup.append(cls.sub_account)
+
+ # Create new domain2
+ cls.domain2 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain2"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain2)
+
+ # Create account2
+ cls.account2 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD2"],
+ domainid=cls.domain2.id
+ )
+ cls._cleanup.append(cls.account2)
+
+ cls.service_offering = ServiceOffering.create(
+ cls.apiclient,
+ cls.services["service_offering"]
+ )
+ cls._cleanup.append(cls.service_offering)
+ if cls.hypervisor.lower() in ['kvm']:
+ # register template under ROOT domain
+ cls.root_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ domainid=cls.domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.root_template.download(cls.apiclient)
+ cls._cleanup.append(cls.root_template)
+ cls.services["test_templates"]["kvm"]["name"] = cls.account1.name
+ cls.template1 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account1.name,
+ domainid=cls.domain1.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template1.download(cls.apiclient)
+ cls._cleanup.append(cls.template1)
+ cls.services["test_templates"]["kvm"]["name"] = cls.sub_account.name
+ cls.sub_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.sub_account.name,
+ domainid=cls.sub_domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.sub_template.download(cls.apiclient)
+ cls._cleanup.append(cls.sub_template)
+ cls.template2 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account2.name,
+ domainid=cls.domain2.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template2.download(cls.apiclient)
+ cls._cleanup.append(cls.template2)
+ else:
+ return
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestTemplateAccessAcrossDomains, cls).tearDownClass()
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.domain1_config = self.get_restrict_template_configuration(self.domain1.id)
+ self.domain2_config = self.get_restrict_template_configuration(self.domain2.id)
+ self.sub_domain_config = self.get_restrict_template_configuration(self.sub_domain.id)
+ self.cleanup = []
+ return
+
+ def tearDown(self):
+ try:
+ self.update_restrict_template_configuration(self.domain1.id, self.domain1_config)
+ self.update_restrict_template_configuration(self.domain2.id, self.domain2_config)
+ self.update_restrict_template_configuration(self.sub_domain.id, self.sub_domain_config)
+ cleanup_resources(self.apiclient, self.cleanup)
Review Comment:
👍
Applied the chagnes.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1088508298
> @DaanHoogland Sorry for the inconvenient. I rebase the pr with the main branch. As you can already guess, I'm not good at rebasing, and I missed the changes some how in the process. smile
@soreana
a tip: you can use 'git merge <main branch>'
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] acs-robot commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
acs-robot commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1105232317
## PR Coverage Report
|**CLASS**|**INSTRUCTION MISSED**|**INSTRUCTION COVERED**|**BRANCH MISSED**|**BRANCH COVERED**|**LINE MISSED**|**LINE COVERED**|
|-----|-----|-----|-----|-----|-----|-----|
||
||
||
||
||
||
|Network|554|0|42|0|107|0|
||
||
||
||
||
||
||
||
||
|Volume|109|0|2|0|44|0|
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
|NetworkOrchestrationService|0|101|0|0|0|10|
||
||
||
||
||
|StorageManager|0|211|0|0|0|18|
|AgentAttache|1042|0|124|0|219|0|
|AgentManagerImpl|3463|0|380|0|714|0|
|ClusteredAgentManagerImpl|2361|0|242|0|536|0|
|NetworkOrchestrator|9722|0|1198|0|1914|0|
|VolumeOrchestrator|5170|0|560|0|977|0|
||
|DataCenterVnetVO|58|0|0|0|24|0|
|VlanVO|186|0|2|0|72|0|
|AccountGuestVlanMapVO|46|0|0|0|19|0|
||
|NetworkDaoImpl|3307|0|116|0|467|0|
|NetworkOfferingVO|414|31|0|0|126|12|
|SnapshotVO|172|58|12|0|48|20|
|VolumeVO|529|133|4|0|179|39|
||
|SnapshotDaoImpl|768|0|8|0|128|0|
|Upgrade41610to41700|82|7|4|0|23|2|
|DomainRouterDaoImpl|1604|0|22|0|228|0|
||
|DirectDownloadCertificateHostMapDaoImpl|121|0|0|0|18|0|
|DirectDownloadCertificateHostMapVO|54|0|4|0|19|0|
||
||
|AncientDataMotionStrategy|1458|52|170|4|338|10|
|DefaultSnapshotStrategy|758|220|100|10|164|37|
|SnapshotDataFactoryImpl|152|58|15|5|37|13|
|DefaultVMSnapshotStrategy|486|677|52|30|100|140|
|ScaleIOVMSnapshotStrategy|1063|4|80|0|224|1|
||
|StorageStrategyFactoryImpl|37|77|1|5|8|18|
|SnapshotDataStoreDaoImpl|1683|60|44|2|292|13|
|DefaultHostListener|537|0|40|0|101|0|
|VolumeObject|773|665|77|39|178|117|
||
||
|LibvirtComputingResource|8927|1961|1096|140|1992|444|
|LibvirtVMDef|37|114|6|4|11|36|
|LibvirtMigrateCommandWrapper|977|383|158|36|228|98|
|LibvirtReadyCommandWrapper|8|37|2|2|1|10|
|LibvirtRevertSnapshotCommandWrapper|387|130|20|0|69|16|
|LibvirtUtilitiesHelper|115|58|4|2|27|8|
|IscsiAdmStorageAdaptor|981|0|52|0|178|0|
|IscsiAdmStoragePool|129|0|0|0|32|0|
|KVMStoragePoolManager|926|4|76|0|192|1|
|KVMStorageProcessor|5992|498|448|22|1239|71|
|LibvirtStorageAdaptor|3376|19|257|0|797|2|
|LibvirtStoragePool|239|89|15|9|64|29|
|LinstorStorageAdaptor|1076|0|50|0|246|0|
|ManagedNfsStorageAdaptor|446|0|20|0|125|0|
|ScaleIOStorageAdaptor|684|121|75|13|152|31|
||
|KVMHostInfo|150|146|10|4|30|38|
|QemuImg|674|0|64|0|160|0|
||
||
||
||
|MockVmManagerImpl|1495|0|90|0|338|0|
|VmwareServerDiscoverer|1586|0|182|0|378|0|
|VmwareManagerImpl|2613|528|296|38|615|117|
|VmwareResource|20060|0|2242|0|4330|0|
|VmwareStorageProcessor|9892|9|940|0|2122|2|
|XcpServerDiscoverer|1554|101|176|6|345|21|
|CitrixResourceBase|14566|557|1452|34|3160|122|
|CitrixReadyCommandWrapper|58|37|3|1|15|11|
||
|KubernetesClusterManagerImpl|4724|0|480|0|760|0|
|KubernetesClusterVO|298|0|6|0|109|0|
|KubernetesClusterActionWorker|1540|0|114|0|281|0|
|KubernetesClusterResourceModifierActionWorker|1843|0|140|0|325|0|
|KubernetesClusterStartWorker|2678|0|168|0|426|0|
|ListVMsMetricsCmd|39|0|0|0|10|0|
||
|MetricsServiceImpl|1673|0|98|0|337|0|
|NetScalerControlCenterResource|1943|0|144|0|468|0|
|NetscalerResource|6882|0|806|0|1623|0|
||
|ElastistorHostListener|150|0|14|0|30|0|
|DateraPrimaryDataStoreDriver|3195|0|283|0|748|0|
|DateraHostListener|635|0|74|0|136|0|
|CloudStackPrimaryDataStoreDriverImpl|903|0|114|0|229|0|
|LinstorPrimaryDataStoreDriverImpl|1442|0|91|0|348|0|
||
||
||
|ScaleIOPrimaryDataStoreDriver|2537|0|246|0|537|0|
|ScaleIOHostListener|196|0|14|0|43|0|
|SolidFirePrimaryDataStoreDriver|3347|0|284|0|697|0|
|SolidFireHostListener|545|0|60|0|112|0|
|SolidFireSharedHostListener|407|0|30|0|82|0|
|SAMLUtils|202|465|41|11|53|108|
||
||
|DomainChecker|1206|0|300|0|238|0|
|ApiDBUtils|2367|0|210|0|590|0|
|ApiResponseHelper|12144|0|1274|0|2779|0|
|ParamProcessWorker|1050|0|155|0|241|0|
|QueryManagerImpl|14233|0|1248|0|2403|0|
|ViewResponseHelper|1662|0|150|0|305|0|
||
|UserVmJoinDaoImpl|1531|0|184|0|328|0|
|VolumeJoinDaoImpl|770|0|94|0|171|0|
|VolumeJoinVO|267|0|0|0|93|0|
|Config|152|5162|30|6|42|342|
|ConfigurationManagerImpl|18104|0|3032|0|3570|0|
|LibvirtServerDiscoverer|988|0|116|0|218|0|
|IpAddressManagerImpl|4045|0|461|0|806|0|
|NetworkModelImpl|6182|0|838|0|1300|0|
|NetworkServiceImpl|13372|0|1862|0|2548|0|
|AutoScaleManagerImpl|3297|0|320|0|691|0|
|ConfigDriveNetworkElement|1466|0|173|0|306|0|
|FirewallManagerImpl|2522|0|391|0|455|0|
|GuestNetworkGuru|622|298|98|34|124|64|
|PrivateNetworkGuru|394|0|46|0|88|0|
|LoadBalancingRulesManagerImpl|6024|0|666|0|1254|0|
|NetworkHelperImpl|2019|0|264|0|428|0|
|RulesManagerImpl|4074|0|492|0|790|0|
|SecurityGroupManagerImpl|2330|0|260|0|497|0|
|NetworkACLServiceImpl|2698|0|302|0|520|0|
|VpcManagerImpl|6870|0|758|0|1311|0|
|ResourceManagerImpl|8512|0|982|0|1658|0|
|ConfigurationServerImpl|2075|0|178|0|499|0|
|ManagementServerImpl|11819|0|1052|0|2361|0|
|StatsCollector|1875|0|104|0|308|0|
|StorageManagerImpl|8547|0|974|0|1704|0|
|VolumeApiServiceImpl|10851|0|1500|0|2035|0|
|StoragePoolMonitor|427|0|72|0|107|0|
|SnapshotManager|107|0|0|0|9|0|
|SnapshotManagerImpl|4186|0|410|0|751|0|
|TaggedResourceManagerImpl|473|0|58|0|96|0|
|TemplateManagerImpl|4996|0|696|0|1042|0|
|AccountManagerImpl|6446|0|906|0|1351|0|
|UserVmManagerImpl|20798|0|2566|0|3869|0|
|VMSnapshotManagerImpl|3135|0|292|0|623|0|
|BackupManagerImpl|2776|0|224|0|488|0|
|DirectDownloadManagerImpl|1679|0|186|0|361|0|
|UnmanagedVMsManagerImpl|4881|0|542|0|800|0|
||
||
||
||
||
||
||
||
||
||
||
||
||
||
|MockNetworkManagerImpl|485|0|22|0|83|0|
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
||
|PremiumSecondaryStorageManagerImpl|775|0|64|0|116|0|
|SecondaryStorageManagerImpl|3494|149|343|11|623|32|
||
|VirtualMachineMO|8953|135|1063|17|1982|31|
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r855121959
##########
.travis.yml:
##########
@@ -174,6 +174,7 @@ env:
component/test_stopped_vm
component/test_tags
component/test_templates
+ component/test_template_access_across_domains
Review Comment:
```suggestion
```
@nvazquez
let's remove the test from travis and add it back when it is fixed ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104456989
Packaging result: :heavy_check_mark: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 3251
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1105203529
<b>Trillian test result (tid-3958)</b>
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 37433 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4774-t3958-kvm-centos7.zip
Smoke tests completed. 95 look OK, 1 have errors
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_01_nic | `Error` | 141.55 | test_nic.py
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104627824
@nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1094900361
@sureshanaparti a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1097912217
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 3157
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r855123430
##########
.travis.yml:
##########
@@ -174,6 +174,7 @@ env:
component/test_stopped_vm
component/test_tags
component/test_templates
+ component/test_template_access_across_domains
Review Comment:
+1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1103970377
@sureshanaparti please advise if this is ready after your testing, thanks
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1103990097
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104039993
@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104361910
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez closed pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez closed pull request #4774: Added configuration and Integration test to restrict public template …
URL: https://github.com/apache/cloudstack/pull/4774
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez merged pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez merged PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sureshanaparti commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1094899499
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] sureshanaparti commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1105073555
> @sureshanaparti please advise if this is ready after your testing, thanks
@nvazquez @soreana test LGTM
Manually covered with the following tests, and verified the public templates access restricted to other domains when the global or the respective domain's config "share.public.templates.with.other.domains" is set to false.
- Created domains: Domain1 and Domain2.
- Created accounts/users: Domain1Admin and Domain2Admin.
- Registered public templates from macchinina-admin from Admin account.
- Registered public templates from macchinina-domain1, centos65-domain1 from Domain1Admin account.
- Registered public templates from macchinina-domain2, centos65-domain2 from Domain2Admin account.
**Tests with global level setting:**
(i) The global config "share.public.templates.with.other.domains" is set to true by default, and all the public templates of domain1/domain2 are listed for admin, domain1 admin, and domain2 admin.
(ii) Set the global config "restrict.public.template.access.to.domain" to false. Verified the public templates of domain1 are not listed for domain2 admin, and the public templates of domain2 are not listed for domain1 admin. All the public templates are listed for root admin.
**Tests with domain level setting:**
(i) Set Domain1 config "_share.public.templates.with.other.domains_": true and Domain2 config "_share.public.templates.with.other.domains_": false
=> All the public templates are listed for root admin.
=> The public templates of domain1 are listed for domain2 admin.
=> The public templates of domain2 are not listed for domain1 admin.
(ii) Set Domain1 config "_share.public.templates.with.other.domains_": false and Domain2 config "_share.public.templates.with.other.domains_": true
=> All the public templates are listed for root admin.
=> The public templates of domain1 are not listed for domain2 admin.
=> The public templates of domain2 are listed for domain1 admin.
(iii) Set Domain1 config "_share.public.templates.with.other.domains_": true and Domain2 config "_share.public.templates.with.other.domains_": true
=> All the public templates are listed for root admin.
=> The public templates of domain1 are listed for domain2 admin
=> The public templates of domain2 are listed for domain1 admin
(iv) Set Domain1 config "_share.public.templates.with.other.domains_": false and Domain2 config "_share.public.templates.with.other.domains_": false
=> All the public templates are listed for root admin.
=> The public templates of domain1 are not listed for domain2 admin
=> The public templates of domain2 are not listed for domain1 admin
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1103970885
@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104362382
@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with
SystemVM template(s). I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1103970664
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] acs-robot commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
acs-robot commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1105184515
Found UI changes, kicking a new UI QA build
@blueorangutan ui
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache closed pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache closed pull request #4774: Added configuration and Integration test to restrict public template …
URL: https://github.com/apache/cloudstack/pull/4774
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1087389295
> I would not allow this type of cleanup
@DaanHoogland
is this a cleanup ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] soreana commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
soreana commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1090313232
Hi @nvazquez,
I'm waiting for @sureshanaparti to test and approve the changes. We had a long discussion about what is the correct behavior. They have started [here](https://github.com/apache/cloudstack/pull/4774#issuecomment-932060180).
Will update the test after that as soon as I get his approval.
> Continued tests with domain level setting.
>
> (i)
>
> * Domain1 config "restrict.public.template.access.to.domain": false and Domain2 config "restrict.public.template.access.to.domain": true
> => The public templates of domain1 are not listed for domain2 admin.
> => The public templates of domain2 are listed for domain1 admin.
>
> (ii)
>
> * Domain1 config "restrict.public.template.access.to.domain": true and Domain2 config "restrict.public.template.access.to.domain": false
> => The public templates of domain1 are listed for domain2 admin.
> => The public templates of domain2 are not listed for domain1 admin.
>
> (iii)
>
> * Set the Domain1 config "restrict.public.template.access.to.domain": false and Domain2 config "restrict.public.template.access.to.domain": false
> => The public templates of domain1 are listed for domain2 admin
> => The public templates of domain2 are listed for domain1 admin
>
> (iv)
>
> * Set the Domain1 config "restrict.public.template.access.to.domain": true and Domain2 config "restrict.public.template.access.to.domain": true
> => The public templates of domain1 are not listed for domain2 admin
> => The public templates of domain2 are not listed for domain1 admin
>
> @soreana tests (i) and (ii) above, should list the public templates when the respective domain config ""restrict.public.template.access.to.domain" is false, and it seems to be working in the other way. Please check.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1094935739
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 3115
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] soreana commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
soreana commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1088425570
@DaanHoogland Sorry for the inconvenient. I rebase the pr with the main branch. As you can already guess, I'm not good at rebasing, and I missed the changes some how in the process. 😄
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1097864494
@weizhouapache a Jenkins job has been kicked to build packages. It will be bundled with
SystemVM template(s). I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r855165619
##########
.travis.yml:
##########
@@ -174,6 +174,7 @@ env:
component/test_stopped_vm
component/test_tags
component/test_templates
+ component/test_template_access_across_domains
Review Comment:
@soreana
I have committed the change , now we can go forward and merge it if travis tests pass.
cc @nvazquez
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104627158
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104646872
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1105128490
Hi @soreana all looking good except travis that is still failing in all these cases:
````
==== Marvin Init Successful ====
=== TestName: test_01_check_cross_domain_template_access | Status : EXCEPTION ===
=== TestName: test_02_create_template | Status : EXCEPTION ===
=== TestName: test_03_check_subdomain_template_access | Status : EXCEPTION ===
=== TestName: test_04_check_non_public_template_access | Status : EXCEPTION ===
=== TestName: test_05_check_non_public_template_subdomain_access | Status : EXCEPTION ===
=== TestName: test_06_check_sub_public_template_sub_domain_access | Status : EXCEPTION ===
=== TestName: test_07_check_default_public_template_sub_domain_access | Status : EXCEPTION ===
=== TestName: test_08_check_non_public_template_sub_domain_access | Status : EXCEPTION ===
````
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1103991147
@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104069206
Packaging result: :heavy_multiplication_x: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 3244
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1097864152
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1090096483
Hi @soreana - can you please check the Travis results? Seems like all the added tests are failing:
````
+------------------------+--------------------+-------+------------------------+
| Test | Result | Time | Test file |
+========================+====================+=======+========================+
| test_01_check_cross_do | builtins.TypeError | 0.021 | test_template_access_a |
| main_template_access | | | cross_domains |
+------------------------+--------------------+-------+------------------------+
| test_02_create_templat | builtins.TypeError | 0.016 | test_template_access_a |
| e | | | cross_domains |
+------------------------+--------------------+-------+------------------------+
| test_03_check_subdomai | builtins.TypeError | 0.016 | test_template_access_a |
| n_template_access | | | cross_domains |
+------------------------+--------------------+-------+------------------------+
| test_04_check_non_publ | builtins.TypeError | 0.016 | test_template_access_a |
| ic_template_access | | | cross_domains |
+------------------------+--------------------+-------+------------------------+
| test_05_check_non_publ | builtins.TypeError | 0.018 | test_template_access_a |
| ic_template_subdomain_ | | | cross_domains |
| access | | | |
+------------------------+--------------------+-------+------------------------+
| test_06_check_sub_publ | builtins.TypeError | 0.018 | test_template_access_a |
| ic_template_sub_domain | | | cross_domains |
| _access | | | |
+------------------------+--------------------+-------+------------------------+
| test_07_check_default_ | builtins.TypeError | 0.017 | test_template_access_a |
| public_template_sub_do | | | cross_domains |
| main_access | | | |
+------------------------+--------------------+-------+------------------------+
| test_08_check_non_publ | builtins.TypeError | 0.016 | test_template_access_a |
| ic_template_sub_domain | | | cross_domains |
| _access | | | |
+------------------------+--------------------+-------+------------------------+
````
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104035460
Packaging result: :heavy_multiplication_x: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 3241
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104038358
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r855120318
##########
test/integration/component/test_template_access_across_domains.py:
##########
@@ -0,0 +1,626 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Import Local Modules
+from nose.plugins.attrib import attr
+from marvin.cloudstackTestCase import cloudstackTestCase, unittest
+from marvin.cloudstackAPI import (listZones,
+ deleteTemplate,
+ listConfigurations,
+ updateConfiguration)
+from marvin.lib.utils import (cleanup_resources)
+from marvin.lib.base import (Account,
+ Domain,
+ Network,
+ NetworkOffering,
+ Template,
+ ServiceOffering,
+ VirtualMachine,
+ Snapshot,
+ Volume)
+from marvin.lib.common import (get_domain,
+ get_zone,
+ get_template,
+ get_builtin_template_info)
+# Import System modules
+import time
+import logging
+
+class TestTemplateAccessAcrossDomains(cloudstackTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.testClient = super(TestTemplateAccessAcrossDomains, cls).getClsTestClient()
+ cls.apiclient = cls.testClient.getApiClient()
+
+ cls.services = cls.testClient.getParsedTestDataConfig()
+ # Get Zone, Domain and templates
+ cls.domain = get_domain(cls.apiclient)
+ cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
+ cls.services['mode'] = cls.zone.networktype
+ cls.logger = logging.getLogger("TestRouterResources")
+ cls._cleanup = []
+ cls.unsupportedHypervisor = False
+ cls.hypervisor = cls.testClient.getHypervisorInfo()
+ if cls.hypervisor.lower() in ['lxc']:
+ cls.unsupportedHypervisor = True
+ return
+ cls.services["virtual_machine"]["zoneid"] = cls.zone.id
+
+ # Create new domain1
+ cls.domain1 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain1"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain1)
+
+ # Create account1
+ cls.account1 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD1"],
+ domainid=cls.domain1.id
+ )
+ cls._cleanup.append(cls.account1)
+
+ # Create new sub-domain
+ cls.sub_domain = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain11"],
+ parentdomainid=cls.domain1.id)
+ cls._cleanup.append(cls.sub_domain)
+
+ # Create account for sub-domain
+ cls.sub_account = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD11"],
+ domainid=cls.sub_domain.id
+ )
+ cls._cleanup.append(cls.sub_account)
+
+ # Create new domain2
+ cls.domain2 = Domain.create(
+ cls.apiclient,
+ services=cls.services["acl"]["domain2"],
+ parentdomainid=cls.domain.id)
+ cls._cleanup.append(cls.domain2)
+
+ # Create account2
+ cls.account2 = Account.create(
+ cls.apiclient,
+ cls.services["acl"]["accountD2"],
+ domainid=cls.domain2.id
+ )
+ cls._cleanup.append(cls.account2)
+
+ cls.service_offering = ServiceOffering.create(
+ cls.apiclient,
+ cls.services["service_offering"]
+ )
+ cls._cleanup.append(cls.service_offering)
+ if cls.hypervisor.lower() in ['kvm']:
+ # register template under ROOT domain
+ cls.root_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ domainid=cls.domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.root_template.download(cls.apiclient)
+ cls._cleanup.append(cls.root_template)
+ cls.services["test_templates"]["kvm"]["name"] = cls.account1.name
+ cls.template1 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account1.name,
+ domainid=cls.domain1.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template1.download(cls.apiclient)
+ cls._cleanup.append(cls.template1)
+ cls.services["test_templates"]["kvm"]["name"] = cls.sub_account.name
+ cls.sub_template = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.sub_account.name,
+ domainid=cls.sub_domain.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.sub_template.download(cls.apiclient)
+ cls._cleanup.append(cls.sub_template)
+ cls.template2 = Template.register(cls.apiclient,
+ cls.services["test_templates"]["kvm"],
+ zoneid=cls.zone.id,
+ account=cls.account2.name,
+ domainid=cls.domain2.id,
+ hypervisor=cls.hypervisor.lower())
+ cls.template2.download(cls.apiclient)
+ cls._cleanup.append(cls.template2)
+ else:
+ return
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestTemplateAccessAcrossDomains, cls).tearDownClass()
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.domain1_config = self.get_restrict_template_configuration(self.domain1.id)
+ self.domain2_config = self.get_restrict_template_configuration(self.domain2.id)
+ self.sub_domain_config = self.get_restrict_template_configuration(self.sub_domain.id)
+ self.cleanup = []
+ return
+
+ def tearDown(self):
+ try:
+ self.update_restrict_template_configuration(self.domain1.id, self.domain1_config)
+ self.update_restrict_template_configuration(self.domain2.id, self.domain2_config)
+ self.update_restrict_template_configuration(self.sub_domain.id, self.sub_domain_config)
+ super(TestTemplateAccessAcrossDomains, self).tearDown()
+ except Exception as e:
+ raise Exception("Warning: Exception during cleanup : %s" % e)
+ return
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_01_check_cross_domain_template_access(self):
+ """
+ Verify that templates belonging to one domain should not be accessible
+ by other domains except for parent and ROOT domains
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Make sure template of domain2 should not be accessible by domain1
+ 3. Make sure template of domain1 should not be accessible by domain2
+ 4. Make sure parent and ROOT domain can still access above templates
+ :return:
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+ self.validate_uploaded_template(self.apiclient, self.template1.id)
+
+ # Step 2
+ self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
+
+ self.validate_uploaded_template(self.apiclient, self.template2.id)
+
+ # Step 3
+ self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
+
+ # Make sure root domain can still access all subdomain templates
+ # Step 4
+ self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
+ self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
+
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_02_create_template(self):
+ """
+ Verify that templates belonging to one domain can be accessible
+ by other domains by default
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to false (default behavior)
+ 2. Make sure template of domain2 can be accessible by domain1
+ 3. Make sure template of domain1 can be accessible by domain2
+ 4. Make sure parent and ROOT domain can still access above templates
+ 5. Deploy virtual machine in domain1 using template from domain2
+ 6. Make sure that virtual machine can be deployed and is in running state
+ :return:
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "false")
+ self.update_restrict_template_configuration(self.domain2.id, "false")
+
+ # Step 2
+ self.validate_template_ownership(self.template2, self.domain1, self.domain2, True)
+
+ # Step 3
+ self.validate_template_ownership(self.template1, self.domain2, self.domain1, True)
+
+ # Step 4
+ # Make sure root domain can still access all subdomain templates
+ self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
+ self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
+
+ # Step 5
+ # Deploy new virtual machine using template
+ self.virtual_machine = VirtualMachine.create(
+ self.apiclient,
+ self.services["virtual_machine"],
+ templateid=self.template2.id,
+ accountid=self.account1.name,
+ domainid=self.account1.domainid,
+ serviceofferingid=self.service_offering.id,
+ )
+ self.cleanup.append(self.virtual_machine)
+ self.debug("creating an instance with template ID: %s" % self.template2.id)
+ vm_response = VirtualMachine.list(self.apiclient,
+ id=self.virtual_machine.id,
+ account=self.account1.name,
+ domainid=self.account1.domainid)
+ self.assertEqual(
+ isinstance(vm_response, list),
+ True,
+ "Check for list VMs response after VM deployment"
+ )
+ # Verify VM response to check whether VM deployment was successful
+ self.assertNotEqual(
+ len(vm_response),
+ 0,
+ "Check VMs available in List VMs response"
+ )
+
+ # Step 6
+ vm = vm_response[0]
+ self.assertEqual(
+ vm.state,
+ 'Running',
+ "Check the state of VM created from Template"
+ )
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_03_check_subdomain_template_access(self):
+ """
+ Verify that templates belonging to parent domain can be accessible
+ by sub domains
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Make sure template of ROOT domain can be accessible by domain1
+ 3. Make sure template of ROOT domain can be accessible by domain2
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+ # Make sure child domains can still access parent domain templates
+ self.validate_uploaded_template(self.apiclient, self.root_template.id)
+
+ # Step 2
+ self.validate_template_ownership(self.root_template, self.domain1, self.domain, True)
+
+ # Step 3
+ self.validate_template_ownership(self.root_template, self.domain2, self.domain, True)
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_04_check_non_public_template_access(self):
+ """
+ Verify that non public templates belonging to one domain
+ should not be accessible by other domains by default
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Change the permission level of "ispublic" of template to false
+ 3. Make sure other domains should not be able to access the template
+ 4. Make sure that ONLY ROOT domain can access the non public template
+ 5. Set global setting restrict.public.access.to.templates to false
+ 6. Repeat the steps 3 and 4
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+
+ # Step 2
+ self.template2.updatePermissions(self.apiclient,
+ ispublic="False")
+
+ list_template_response = self.list_templates('all', self.domain2)
+ self.assertEqual(
+ isinstance(list_template_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ for template_response in list_template_response:
+ if template_response.id == self.template2.id:
+ break
+
+ self.assertIsNotNone(
+ template_response,
+ "Check template %s failed" % self.template2.id
+ )
+ self.assertEqual(
+ template_response.ispublic,
+ int(False),
+ "Check ispublic permission of template"
+ )
+
+ # Step 3
+ # Other domains should not access non public template
+ self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
+
+ # Step 4
+ # Only ROOT domain can access non public templates of child domain
+ self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
+
+ # Step 5
+ self.update_restrict_template_configuration(self.domain1.id, "false")
+ self.update_restrict_template_configuration(self.domain2.id, "false")
+
+ # Step 6
+ self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
+ self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_05_check_non_public_template_subdomain_access(self):
+ """
+ Verify that non public templates belonging to ROOT domain
+ should not be accessible by sub domains by default
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Change the permission level of "ispublic" of template to false
+ 3. Make sure other domains should not be able to access the template
+ 4. Make sure that ONLY ROOT domain can access the non public template
+ 5. Set global setting restrict.public.access.to.templates to false
+ 6. Repeat the steps 3 and 4
+ """
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+ self.root_template.updatePermissions(self.apiclient,
+ ispublic="False")
+
+ list_template_response = self.list_templates('all', self.domain)
+ self.assertEqual(
+ isinstance(list_template_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ for template_response in list_template_response:
+ if template_response.id == self.root_template.id:
+ break
+
+ self.assertIsNotNone(
+ template_response,
+ "Check template %s failed" % self.root_template.id
+ )
+ self.assertEqual(
+ template_response.ispublic,
+ int(False),
+ "Check ispublic permission of template"
+ )
+
+ # Other domains should not access non public template
+ self.validate_template_ownership(self.root_template, self.domain1, self.domain, False)
+ # Only ROOT domain can access non public templates of child domain
+ self.validate_template_ownership(self.root_template, self.domain2, self.domain, False)
+
+ self.update_restrict_template_configuration(self.domain1.id, "false")
+ self.update_restrict_template_configuration(self.domain2.id, "false")
+ self.validate_template_ownership(self.root_template, self.domain1, self.domain2, False)
+ self.validate_template_ownership(self.root_template, self.domain2, self.domain2, False)
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_06_check_sub_public_template_sub_domain_access(self):
+ """
+ Verify that non root admin sub-domains can access parents templates
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Make sure that sub-domain account can access root templates
+ 3. Make sure that sub-domain account can access parent templates
+ 4. Make sure that ROOT domain can access the sub-domain template
+ 5. Make sure that sibling domain cannot access templates of sub-domain
+ """
+
+ self.root_template.updatePermissions(self.apiclient,
+ ispublic="True")
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+ # Make sure child domains can still access parent domain templates
+ self.validate_uploaded_template(self.apiclient, self.sub_template.id)
+
+ # Step 2
+ self.validate_template_ownership(self.root_template, self.sub_domain, self.domain, True)
+
+ # Step 3
+ self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, True)
+
+ # Step 4
+ self.validate_template_ownership(self.sub_template, self.domain, self.sub_domain, True)
+
+ # Step 5
+ self.validate_template_ownership(self.sub_template, self.domain2, self.sub_domain, False)
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_07_check_default_public_template_sub_domain_access(self):
+ """
+ Verify that non root admin sub-domains can access parents templates by default
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to false
+ 2. Make sure that sub-domain account can access root templates
+ 3. Make sure that sub-domain account can access parent templates
+ 4. Make sure that ROOT domain can access the sub-domain template
+ 5. Make sure that sibling domain cannot access templates of sub-domain
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "false")
+ self.update_restrict_template_configuration(self.domain2.id, "false")
+ # Make sure child domains can still access parent domain templates
+ self.validate_uploaded_template(self.apiclient, self.sub_template.id)
+
+ # Step 2
+ self.validate_template_ownership(self.root_template, self.sub_domain, self.domain, True)
+
+ # Step 3
+ self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, True)
+
+ # Step 4
+ self.validate_template_ownership(self.sub_template, self.domain, self.sub_domain, True)
+
+ # Step 5
+ self.validate_template_ownership(self.sub_template, self.domain2, self.sub_domain, True)
+
+ @attr(tags=["advanced", "basic", "sg"], required_hardware="false")
+ def test_08_check_non_public_template_sub_domain_access(self):
+ """
+ Verify that non public templates belonging to one domain
+ should not be accessible by other domains by default except ROOT domain
+
+ Steps:
+ 1. Set global setting restrict.public.access.to.templates to true
+ 2. Change the permission level of "ispublic" of template1 to false
+ 3. Make sure other domains should not be able to access the template
+ 4. Make sure that ONLY ROOT domain can access the non public template
+ 5. Set global setting restrict.public.access.to.templates to false
+ 6. Repeat the steps 3 and 4
+ """
+
+ # Step 1
+ self.update_restrict_template_configuration(self.domain1.id, "true")
+ self.update_restrict_template_configuration(self.domain2.id, "true")
+
+ # Step 2
+ self.template1.updatePermissions(self.apiclient,
+ ispublic="False")
+
+ list_template_response = self.list_templates('all', self.domain1)
+ for template_response in list_template_response:
+ if template_response.id == self.template1.id:
+ break
+
+ self.assertEqual(
+ isinstance(list_template_response, list),
+ True,
+ "Check list response returns a valid list"
+ )
+ self.assertIsNotNone(
+ template_response,
+ "Check template %s failed" % self.template1.id
+ )
+ self.assertEqual(
+ template_response.ispublic,
+ int(False),
+ "Check ispublic permission of template"
+ )
+
+ # Step 3
+ # Other domains should not access non public template
+ self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
+
+ # Even child domain should not access non public template
+ self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, False)
+
+ # Step 4
+ # Only ROOT domain can access non public templates of child domain
+ self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
+
+ # Step 5
+ self.update_restrict_template_configuration(self.domain1.id, "false")
+ self.update_restrict_template_configuration(self.domain2.id, "false")
+
+ # Step 6
+ self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
+ self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, False)
+ self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
+
+ def validate_uploaded_template(self, apiclient, template_id, retries=70, interval=5):
+ """Check if template download will finish in 1 minute"""
+ while retries > -1:
+ time.sleep(interval)
+ template_response = Template.list(
+ apiclient,
+ id=template_id,
+ zoneid=self.zone.id,
+ templatefilter='self'
+ )
+
+ if isinstance(template_response, list):
+ template = template_response[0]
+ if not hasattr(template, 'status') or not template or not template.status:
+ retries = retries - 1
+ continue
+ if 'Failed' in template.status:
+ raise Exception(
+ "Failed to download template: status - %s" %
+ template.status)
+
+ elif template.status == 'Download Complete' and template.isready:
+ return
+
+ elif 'Downloaded' in template.status:
+ retries = retries - 1
+ continue
+
+ elif 'Installing' not in template.status:
+ if retries >= 0:
+ retries = retries - 1
+ continue
+ raise Exception(
+ "Error in downloading template: status - %s" %
+ template.status)
+
+ else:
+ retries = retries - 1
+ raise Exception("Template download failed exception.")
+
+ def list_templates(self, templatefilter, domain):
+ return Template.list(
+ self.apiclient,
+ templatefilter=templatefilter,
+ zoneid=self.zone.id,
+ domainid=domain.id)
+
+ def validate_template_ownership(self, template, owner, nonowner, include_cross_domain_template):
+ """List the template belonging to domain which created it
+ Make sure that other domain can't access it.
+ """
+ list_template_response = self.list_templates('all', owner)
+ if list_template_response is not None:
+ """If global setting is false then public templates of any domain should
+ be accessible by any other domain
+ """
+ if include_cross_domain_template:
+ for temp in list_template_response:
+ if template.name == temp.name:
+ return
+
+ raise Exception("Template %s belonging to domain %s should "
+ "be accessible by domain %s"
+ % (template.name, nonowner.name, owner.name))
+ else:
+ """If global setting is true then public templates of any domain should not
+ be accessible by any other domain except for root domain
+ """
+ for temp in list_template_response:
+ if template.name == temp.name:
+ raise Exception("Template %s belonging to domain %s should "
+ "not be accessible by domain %s"
+ % (template.name, nonowner.name, owner.name))
+
+ def get_restrict_template_configuration(self, domain_id):
+ """
+ Function to get the global setting "restrict.public.access.to.templates" for domain
+ """
+ list_configurations_cmd = listConfigurations.listConfigurationsCmd()
+ list_configurations_cmd.name = "restrict.public.template.access.to.domain"
+ list_configurations_cmd.scopename = "domain"
+ list_configurations_cmd.scopeid = domain_id
+ response = self.apiclient.listConfigurations(list_configurations_cmd)
+ return response[0].value
+
+ def update_restrict_template_configuration(self, domain_id, value):
+ """
+ Function to update the global setting "restrict.public.access.to.templates" for domain
+ """
+ update_configuration_cmd = updateConfiguration.updateConfigurationCmd()
+ update_configuration_cmd.name = "restrict.public.template.access.to.domain"
Review Comment:
@soreana
since you have changed the name of global configuration to `share.public.templates.with.other.domains`, can you change the name in component test ? (maybe the value as well)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1104646546
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 3255
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] nvazquez commented on a diff in pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#discussion_r855123859
##########
.travis.yml:
##########
@@ -174,6 +174,7 @@ env:
component/test_stopped_vm
component/test_tags
component/test_templates
+ component/test_template_access_across_domains
Review Comment:
@soreana can you please add this temporary fix? Then we can add it back when fixed
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] weizhouapache commented on pull request #4774: Added configuration and Integration test to restrict public template …
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on PR #4774:
URL: https://github.com/apache/cloudstack/pull/4774#issuecomment-1087420514
> > > I would not allow this type of cleanup
> >
> >
> > @DaanHoogland is this a cleanup ?
>
> @weizhouapache please see my comment on the code, it was marked resolved but it isn't (and I unresolved it). the marvin test is prone to leaving garbage behind this way.
@DaanHoogland
ok you meant the cleanup in the smoke test.
agree with you.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org