You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/03/23 04:49:48 UTC
[GitHub] [cloudstack] Pearl1594 opened a new pull request #6156: api: Update account type when updating account role
Pearl1594 opened a new pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156
### Description
This PR fixes: #6155 - updates account type to a value corresponding to the role.
<!--- Describe your changes in DETAIL - And how has behaviour functionally changed. -->
<!-- For new features, provide link to FS, dev ML discussion etc. -->
<!-- In case of bug fix, the expected and actual behaviours, steps to reproduce. -->
<!-- When "Fixes: #<id>" is specified, the issue/PR will automatically be closed when this PR gets merged -->
<!-- For addressing multiple issues/PRs, use multiple "Fixes: #<id>" -->
<!-- Fixes: # -->
<!--- ********************************************************************************* -->
<!--- NOTE: AUTOMATATION USES THE DESCRIPTIONS TO SET LABELS AND PRODUCE DOCUMENTATION. -->
<!--- PLEASE PUT AN 'X' in only **ONE** box -->
<!--- ********************************************************************************* -->
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
### Feature/Enhancement Scale or Bug Severity
#### Feature/Enhancement Scale
- [ ] Major
- [ ] Minor
#### Bug Severity
- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [ ] Minor
- [ ] Trivial
### Screenshots (if appropriate):
### How Has This Been Tested?
Updated role and attempted to login - successfully able to login with new rolw
<!-- Please read the [CONTRIBUTING](https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md) document -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082699289
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 removed a comment on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 removed a comment on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075928575
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1083453625
<b>Trillian test result (tid-3759)</b>
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 31525 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6156-t3759-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075927781
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 2960
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075938386
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1077389362
@Pearl1594 I think the update API shouldn't be allowed to switch an account to a role that is incompatible with the account type. For example, if it's allowed to update a normal user account's role to a root admin role, that shouldn't be allowed. That means the UI/client should filter and allow only roles of matching types, and/or in the backend this must be checked. (this is assuming that updateAccount doesn't explicitly allows updating the account type)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082702764
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082810508
@Pearl1594 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075912580
@Pearl1594 a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075939552
@Pearl1594 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1077352603
@rohityadavcloud I don't think there was support to change account type - However, I am not sure if that was left out as mere oversight or by design. However, if we do allow updating user role, wouldn't it be required that the account type be mapped to the corresponding role's account type - for it to function correctly. In terms of security, the rules associated with the role would govern what the user in concern is allowed (or not allowed) to access.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082810244
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082735332
Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 3015
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1076455143
<b>Trillian test result (tid-3702)</b>
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 30812 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6156-t3702-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1077342134
cc @Pearl1594 pl see my comment above.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud edited a comment on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
rohityadavcloud edited a comment on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1077389362
@Pearl1594 I think the update API shouldn't be allowed to switch an account to a role that is incompatible with the account type. For example, if you can update a normal user account's role to a root admin role, that shouldn't be allowed. That means the UI/client should filter and allow only roles of matching types, and/or in the backend this must be checked. (this is assuming that updateAccount doesn't explicitly allows updating the account type)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] blueorangutan commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1082703352
@Pearl1594 a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on a change in pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on a change in pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#discussion_r838338655
##########
File path: server/src/main/java/com/cloud/user/AccountManagerImpl.java
##########
@@ -1897,7 +1897,17 @@ public AccountVO updateAccount(UpdateAccountCmd cmd) {
"in the domain '" + domainId + "'.");
}
+ Role role = roleService.findRole(roleId);
+ Long currentAccRoleId = account.getRoleId();
+ Role currentRole = roleService.findRole(currentAccRoleId);
+
+ if (role.getRoleType().ordinal() < currentRole.getRoleType().ordinal() && ((account.getType() == Account.Type.NORMAL && role.getRoleType().getAccountType().ordinal() > Account.Type.NORMAL.ordinal()) ||
+ account.getType().ordinal() > Account.Type.NORMAL.ordinal() && role.getRoleType().getAccountType().ordinal() < account.getType().ordinal() && role.getRoleType().getAccountType().ordinal() > 0)) {
Review comment:
This condition is hard to read,
Can you extract it to a method like `isRoleEscalation(...)` and indent according to the logic of it, please?
It would make sense to extract the entire block as well, i.e. `checkForRoleEscalation(...)`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075912419
@blueorangutan package
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] rohityadavcloud commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1076316164
Prior to the roles feature, was updating of account type supported? The roles feature allowed admins to map a set of allowed/denies apis/rules for an account; maybe we should restrict changing roles for an account matching the role/account type? (it depends if changing the type of an account is an allowed feature - this must be tested for both domain admin and root admin cases, i.e. anybody/whoever can create or update accounts)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1075928575
@blueorangutan test
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] Pearl1594 commented on pull request #6156: api: Update account type when updating account role
Posted by GitBox <gi...@apache.org>.
Pearl1594 commented on pull request #6156:
URL: https://github.com/apache/cloudstack/pull/6156#issuecomment-1078638750
I understood @rohityadavcloud . So, would you say that an account's role can be changed to another role with the same account type and with that of lower privileges or we do not want to allow the latter case as well?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org