This feature allows root administrators to define new roles and associate API
permissions to them.
A limited form of role-based access control for the CloudStack management server
API is provided through a properties file, commands.properties, embedded in the
WAR distribution. Therefore, customizing API permissions requires unpacking the
distribution and modifying this file consistently on all servers. The old system
also does not permit the specification of additional roles.
FS:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack
DB-Backed Dynamic Role Based API Access Checker for CloudStack brings following
changes, features and use-cases:
- Moves the API access definitions from commands.properties to the mgmt server DB
- Allows defining custom roles (such as a read-only ROOT admin) beyond the
current set of four (4) roles
- All roles will resolve to one of the four known roles types (Admin, Resource
Admin, Domain Admin and User) which maintains this association by requiring
all new defined roles to specify a role type.
- Allows changes to roles and API permissions per role at runtime including additions or
removal of roles and/or modifications of permissions, without the need
of restarting management server(s)
Upgrade/installation notes:
- The feature will be enabled by default for new installations, existing
deployments will continue to use the older static role based api access checker
with an option to enable this feature
- During fresh installation or upgrade, the upgrade paths will add four default
roles based on the four default role types
- For ease of migration, at the time of upgrade commands.properties will be used
to add existing set of permissions to the default roles. cloud.account
will have a new role_id column which will be populated based on default roles
as well
Dynamic-roles migration tool: scripts/util/migrate-dynamicroles.py
- Allows admins to migrate to the dynamic role based checker at a future date
- Performs a harder one-way migrate and update
- Migrates rules from existing commands.properties file into db and deprecates it
- Enables an internal hidden switch to enable dynamic role based checker feature
Deprecate commands.properties
- Fixes apidocs and marvin to be independent of commands.properties usage
- Removes bundling of commands.properties in deb/rpm packaging
- Removes file references across codebase
Reviewed-by: John Burwell <john.burwell@shapeblue.com>
QA-by: Boris Stoyanov <boris.stoyanov@shapeblue.com>
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
A number of BVT tests are not valid for LXC (e.g. migrating a VM), so this patch
ensures they skip if LXC is in use.
Signed-off-by: SrikanteswaraRao Talluri <talluri@apache.org>
Previously if you had a volume using a non customisable disk offering, and
attempted to resize it passing in the same disk offering id, the command would
be accepted, but it would actually be resized to its current size (i.e. the
provided size parameter was ignored). This is what the test used to check.
Commit de6a3112b6 modified the logic to check if
the provided diskofferingid was the same as the current one, and if so treat it
as if it hadn't been provided - this means the resize command now fails, which
is probably the more sensible thing to do (rather than giving the impression it
will be resized but actually not doing so).
This change therefore modifies the test logic to match.
Signed-off-by: Mike Tutkowski <mike.tutkowski@solidfire.com>
Rohit Yadav
SrikanteswaraRao Talluri
Ashutosh K
Gaurav Aradhye
Chandan Purushothama
Sangeetha Hariharan
Hugo Trippaers
Alex Brett
sailajamada
sanjeev
Koushik Das
Santhosh Edukulla
John Dilley
Doug Clark
Girish Shilamkar