Merge branch '4.16' into main

engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java

@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.upgrade;
+
+import org.apache.log4j.Logger;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+public class RolePermissionChecker {
+
+    final static Logger LOG = Logger.getLogger(RolePermissionChecker.class);
+
+    private static final String checkAnnotationRulesPermissionPreparedStatement =
+            "SELECT permission FROM `cloud`.`role_permissions` WHERE role_id = ? AND rule = ?";
+    private static final String insertAnnotationRulePermissionPreparedStatement =
+            "INSERT IGNORE INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), ?, ?, 'ALLOW')";
+
+    public RolePermissionChecker() {
+    }
+
+    public boolean existsRolePermissionByRoleIdAndRule(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(checkAnnotationRulesPermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            ResultSet rs = pstmt.executeQuery();
+            return rs != null && rs.next();
+        } catch (SQLException e) {
+            LOG.error("Error on existsRolePermissionByRoleIdAndRule: " + e.getMessage(), e);
+            return false;
+        }
+    }
+
+    public void insertAnnotationRulePermission(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(insertAnnotationRulePermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            pstmt.executeUpdate();
+        } catch (SQLException e) {
+            LOG.error("Error on insertAnnotationRulePermission: " + e.getMessage(), e);
+        }
+    }
+}

engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java

@@ -22,8 +22,12 @@ import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.Arrays;
+import java.util.List;
 
+import com.cloud.upgrade.RolePermissionChecker;
 import com.cloud.upgrade.SystemVmTemplateRegistration;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.log4j.Logger;
 
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -32,6 +36,7 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate
 
     final static Logger LOG = Logger.getLogger(Upgrade41520to41600.class);
     private SystemVmTemplateRegistration systemVmTemplateRegistration;
+    private RolePermissionChecker rolePermissionChecker = new RolePermissionChecker();
 
     public Upgrade41520to41600() {
     }
@@ -65,6 +70,28 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate
     @Override
     public void performDataMigration(Connection conn) {
         generateUuidForExistingSshKeyPairs(conn);
+        populateAnnotationPermissions(conn);
+    }
+
+    private void populateAnnotationPermissions(Connection conn) {
+        List<String> annotationRules = Arrays.asList("listAnnotations", "addAnnotation", "removeAnnotation");
+        for (RoleType roleType : Arrays.asList(RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User)) {
+            checkAndPersistAnnotationPermissions(conn, roleType, annotationRules);
+        }
+    }
+
+    private void checkAndPersistAnnotationPermissions(Connection conn, RoleType roleType, List<String> rules) {
+        LOG.debug("Checking the annotation permissions for the role: " + roleType.getId());
+        for (String rule : rules) {
+            LOG.debug("Checking the annotation permissions for the role: " + roleType.getId() + " and rule: " + rule);
+            if (!rolePermissionChecker.existsRolePermissionByRoleIdAndRule(conn, roleType.getId(), rule)) {
+                LOG.debug("Inserting role permission for role: " + roleType.getId() + " and rule: " + rule);
+                rolePermissionChecker.insertAnnotationRulePermission(conn, roleType.getId(), rule);
+            } else {
+                LOG.debug("Found existing role permission for role: " + roleType.getId() + " and rule: " + rule +
+                        ", not updating it");
+            }
+        }
     }
 
     private void generateUuidForExistingSshKeyPairs(Connection conn) {

engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql

@@ -727,17 +727,6 @@ CREATE TABLE `cloud`.`resource_icon` (
 
 ALTER TABLE `cloud`.`annotations` ADD COLUMN `admins_only` tinyint(1) unsigned NOT NULL DEFAULT 1;
 
--- Allow annotations for resource admins, domain admins and users
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'removeAnnotation', 'ALLOW');
-
 -- Add uuid for ssh keypairs
 ALTER TABLE `cloud`.`ssh_keypairs` ADD COLUMN `uuid` varchar(40) AFTER `id`;
 

ui/public/config.json

@@ -57,5 +57,6 @@
   "plugins": [],
   "basicZoneEnabled": true,
   "multipleServer": false,
+  "allowSettingTheme": true,
   "docHelpMappings": {}
 }

ui/src/components/header/SamlDomainSwitcher.vue

@@ -103,7 +103,7 @@ export default {
         userid: account.userId,
         domainid: account.domainId
       }).then(response => {
-        store.dispatch('GetInfo').then(() => {
+        store.dispatch('GetInfo', true).then(() => {
           this.$message.success(`Switched to "${account.accountName} (${account.domainPath})"`)
           this.$router.go()
         })

ui/src/components/page/GlobalLayout.vue

@@ -65,7 +65,7 @@
         </a-drawer>
       </template>
 
-      <template v-if="isDevelopmentMode">
+      <template v-if="isDevelopmentMode || allowSettingTheme">
         <drawer :visible="showSetting" placement="right">
           <div slot="handler">
             <a-button type="primary" size="large">
@@ -146,6 +146,9 @@ export default {
     isDevelopmentMode () {
       return process.env.NODE_ENV === 'development'
     },
+    allowSettingTheme () {
+      return this.$config.allowSettingTheme
+    },
     contentPaddingLeft () {
       if (!this.fixSidebar || this.isMobile()) {
         return '0'

ui/src/store/modules/user.js

@@ -175,9 +175,9 @@ const user = {
       })
     },
 
-    GetInfo ({ commit }) {
+    GetInfo ({ commit }, switchDomain) {
       return new Promise((resolve, reject) => {
-        const cachedApis = Vue.ls.get(APIS, {})
+        const cachedApis = switchDomain ? {} : Vue.ls.get(APIS, {})
         const cachedZones = Vue.ls.get(ZONES, [])
         const cachedTimezoneOffset = Vue.ls.get(TIMEZONE_OFFSET, 0.0)
         const cachedUseBrowserTimezone = Vue.ls.get(USE_BROWSER_TIMEZONE, false)

ui/src/views/compute/DeployVM.vue

@@ -1542,7 +1542,7 @@ export default {
       return key.split('.').join('\\002E')
     },
     updateSecurityGroups (securitygroupids) {
-      this.securitygroupids = securitygroupids
+      this.securitygroupids = securitygroupids || []
     },
     getText (option) {
       return _.get(option, 'displaytext', _.get(option, 'name'))

ui/src/views/iam/AddUser.vue

@@ -93,7 +93,8 @@
             optionFilterProp="children"
             :filterOption="(input, option) => {
               return option.componentOptions.propsData.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }" >
+            }"
+            @change="val => this.fetchAccount(val)" >
             <a-select-option v-for="domain in domainsList" :key="domain.id" :label="domain.path || domain.name || domain.description">
               <span>
                 <resource-icon v-if="domain && domain.icon" :image="domain.icon.base64image" size="1x" style="margin-right: 5px"/>
@@ -192,7 +193,6 @@ export default {
       timeZoneMap: [],
       domainLoading: false,
       domainsList: [],
-      selectedDomain: '',
       samlEnable: false,
       idpLoading: false,
       idps: [],
@@ -220,9 +220,6 @@ export default {
       if (!this.domianid) {
         this.fetchDomains()
       }
-      if (!this.account) {
-        this.fetchAccount()
-      }
       this.fetchTimeZone()
       if (this.samlAllowed) {
         this.fetchIdps()
@@ -230,26 +227,34 @@ export default {
     },
     fetchDomains () {
       this.domainLoading = true
-      api('listDomains', {
+      var params = {
         listAll: true,
         showicon: true,
         details: 'min'
-      }).then(response => {
+      }
+      api('listDomains', params).then(response => {
         this.domainsList = response.listdomainsresponse.domain || []
-        this.selectedDomain = this.domainsList[0].id || ''
       }).catch(error => {
         this.$notification.error({
           message: `${this.$t('label.error')} ${error.response.status}`,
           description: error.response.data.errorresponse.errortext
         })
       }).finally(() => {
+        const domainid = this.domainsList[0].id || ''
+        this.form.setFieldsValue({ domainid: domainid })
+        this.fetchAccount(domainid)
         this.domainLoading = false
       })
     },
-    fetchAccount () {
+    fetchAccount (domainid) {
       this.accountList = []
+      this.form.setFieldsValue({ account: null })
       this.loadingAccount = true
-      api('listAccounts', { listAll: true, showicon: true }).then(response => {
+      var params = { listAll: true, showicon: true }
+      if (domainid) {
+        params.domainid = domainid
+      }
+      api('listAccounts', params).then(response => {
         this.accountList = response.listaccountsresponse.account || []
       }).catch(error => {
         this.$notification.error({

ui/src/views/iam/ConfigureSamlSsoAuth.vue

@@ -108,6 +108,7 @@ export default {
           userid: this.resource.id,
           entityid: values.samlEntity
         }).then(response => {
+          this.$emit('refresh-data')
           this.$notification.success({
             message: values.samlEnable ? this.$t('label.saml.enable') : this.$t('label.saml.disable'),
             description: values.samlEnable ? `${this.$t('message.success.enable.saml.auth')} ${this.$t('label.for')} ${this.resource.username}`