getting applied when a tier in VPC is created.
fix ensures, VpcRoutingPolicyUpdate is send when network rules are
programmed when network tier in VPC is created
This patch is for KVM
1. Local testing on KVM
2. Successfully got up system VMs
3. Successfully created a CentOS VM
4. Snapshots are not supported for KVM
Signed off by :- Nitin Mehta<nitin.mehta@citrix.com>
the provider only if at least one capability is specified
Fix avoids the check, and only if the createNetworkOffering
'StrechedL2'Subnet' capability is specified then it should match against
'Connectivity' service provider
Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API that passes null access.
- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and regular users when this access is specified. Root Admin is grated access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users still go through IAM.
Changes:
- IAM was applying ordering on accessTypes. Thus if an account had Operate, he got USe access as well. So even if IAM schema did not have 'UseEntry" permission for IpAddress, some other 'OperateEntry' permission on IpAddress was letting this operation go through.
- Fixed IAM to NOT do ordering of access types anymore. IAm will perform strict accessType check only.
- This fix is needed so that admin does not get permission to USE resources from other account just becase he has OPERATE access on those resources due to some other APIs.
- However due to this fix, we break backwards compatibilty with CS 4.3.
- CS 4.3 allowed root admin to do the createPF operation for a user by passing in networkId of the user.
- Same was the case for domain admins within their domains
- Why this worked was due to CS 4.3 simply returning true for root admin/domain admin
- So to maintain backwards compatibilty, we are adding the logic to return "true" for root admin and domain admin just like CS 4.3.
- Exception is: For Network, AffinityGroup and Templates, we still call IAM even for root admin/domain admin, since thats what CS 4.3 did. Just for these 3 resource_types, it used to perform access checks even for root admin/domain admin.
affinity groups available for regular users by passing account and
domainId paramater. This is to revert IAM way of implementing
listAffinityGroupsCmd, will bring it back when we have implemented real
impersonation.
templatefilter="shared" is used , we see public templates also being
included in the list. This commit reverts listTemplates behavior to 4.3
old logic without using consistent interpretation of list parameters
adopted in new IAM model.
However, for SSVM, the value from configuration server overrides the default in Config.java. Work around is to change in global properties.
Local testing, checking a fresh install has the above property false by default.
Signed-off-by: Nitin Mehta<nitin.mehta@citrix.com>
(cherry picked from commit 05802004e2)
Made changes so that uploading custom certificate works for ssvm.
1. Reboot ssvm only when private key is passed meaning the server cert is passed. This is because while uploading the server cert is the last to be uploaded. And we want to propagate the entire chain once uploading is done.
2. Change the SecStorageSetupCommand sent to ssvm so that it also carries the root cert apart from having the chain and the server cert and key.
3. Change ssvm agent code to be able to configure root cert to the java key store.
4. Change ssvm configure ssl script to insert the chain certs correctly.
5. Fix order of chain certificates for apache webserver in SSVM
6. Remove double encoding and decoding for uploadCustomCertificate API from UI and server code respectively, so that API call without UI works fine
7. Java 1.7 - disable using SNI since copyTemplate doesnt work for SSL.
In case some environments has different performance or we found some commands
would took too long to execute, one global configuration item is introduced to
specify "time out in seconds per one command in aggregation commands".
By default it's 3 seconds. If admin feel it's too long, it can be adjust to as
low as 1 seconds, which runs still well in my machine.
Min Chen
Murali Reddy
Daan Hoogland
Alena Prokharchyk
Amogh Vasekar
Jayapal
Devdeep Singh
Prachi Damle
Kelven Yang
Rajani Karuturi
wrodrigues
Tanner Danzey
Mike Tutkowski
Sam Schmit
Sebastien Goasguen
Nitin Mehta
Sanjay Tripathi
Sheng Yang