1. Adding the missing Template/Volume URLs expiration functionality
2. Improvement - While deleting the volume during expiration use rm -rf as vmware now contains directoy
3. Improvement - Use standard Answer so that the error gets logged in case deletion of expiration link didnt work fine.
4. Improvement - In case of domain change, expire the old urls
Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he got USe access as well. So even if IAM schema did not have 'UseEntry" permission for IpAddress, some other 'OperateEntry' permission on IpAddress was letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAm will perform strict accessType check only.
- This fix is needed so that admin does not get permission to USE resources from other account just becase he has OPERATE access on those resources due to some other APIs.
- However due to this fix, we break backwards compatibilty with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing in networkId of the user.
- Same was the case for domain admins within their domains
- Why this worked was due to CS 4.3 simply returning true for root admin/domain admin
- So to maintain backwards compatibilty, we are adding the logic to return "true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM even for root admin/domain admin, since thats what CS 4.3 did. Just for these 3 resource_types, it used to perform access checks even for root admin/domain admin.
Made changes so that uploading custom certificate works for ssvm.
1. Reboot ssvm only when private key is passed meaning the server cert is passed. This is because while uploading the server cert is the last to be uploaded. And we want to propagate the entire chain once uploading is done.
2. Change the SecStorageSetupCommand sent to ssvm so that it also carries the root cert apart from having the chain and the server cert and key.
3. Change ssvm agent code to be able to configure root cert to the java key store.
4. Change ssvm configure ssl script to insert the chain certs correctly.
5. Fix order of chain certificates for apache webserver in SSVM
6. Remove double encoding and decoding for uploadCustomCertificate API from UI and server code respectively, so that API call without UI works fine
7. Java 1.7 - disable using SNI since copyTemplate doesnt work for SSL.
Changes:
- On startup the root domain group should be created
- Also the SYSTEM and Root Admin accounts should be added to that group
- This will make sure that the root domain shared network's policy gets attached to the root domain group
listAll=true, show all resources that caller (or impersonater) has
ListEntry access type; otherwise, show all resources that caller (or
impersonater) has UseEntry access type.
Changes:
- Caused due to a MySql error during 'Project' account cleanup. The MySql error hits a deadlock bug in the MessageBus code that does not release the lock/decrement the counter Eventually all callers on the MessageBus end up waiting to enter
- This fixes the account cleanup MySql error.
Moving default transport for console proxy, SSVM to http.
See
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Realhost+IP+changes
for more info.
jlk ported Amogh's patch for 4.3 to master - code base is different
enough that patch has multiple issues.
Author: Amogh Vasekar <Amogh Vasekar <amogh.vasekar@citrix.com>
Signed-off-by: John Kinsella <jlk@stratosec.co> 1394398017 -0700
Nitin Mehta
Min Chen
Prachi Damle
edison
John Kinsella
Alena Prokharchyk
Kelven Yang