This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.11 by this push:
     new 170b6ce  CLOUDSTACK-10236: Enable dynamic roles for missing props file 
(#2426)
170b6ce is described below

commit 170b6ce20dd4fc2f1fd3ad84833f440d955d2987
Author: Rohit Yadav <ro...@apache.org>
AuthorDate: Wed Jan 24 13:11:08 2018 +0100

    CLOUDSTACK-10236: Enable dynamic roles for missing props file (#2426)
    
    Automate dynamic roles migration for missing props file
    
    - In case commands.properties file is missing, enables dynamic roles.
    - Adds a new -D or --default flag to migrate-dynamicroles.py script
      to simply update the global setting and use the default role-rule
      permissions.
    - Add warning message, ask admins to move to dynamic roles during upgrade
    
    Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>
---
 .../com/cloud/upgrade/dao/Upgrade41000to41100.java | 18 +++++++++++++++
 .../acl/StaticRoleBasedAPIAccessChecker.java       |  1 +
 scripts/util/migrate-dynamicroles.py               | 27 ++++++++++++++--------
 3 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java 
b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index 53c2340..20294d1 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -31,6 +31,7 @@ import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
 
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 public class Upgrade41000to41100 implements DbUpgrade {
@@ -65,10 +66,27 @@ public class Upgrade41000to41100 implements DbUpgrade {
 
     @Override
     public void performDataMigration(Connection conn) {
+        checkAndEnableDynamicRoles(conn);
         validateUserDataInBase64(conn);
         updateSystemVmTemplates(conn);
     }
 
+    private void checkAndEnableDynamicRoles(final Connection conn) {
+        final Map<String, String> apiMap = 
PropertiesUtil.processConfigFile(new String[] { "commands.properties" });
+        if (apiMap == null || apiMap.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("No commands.properties file was found, enabling 
dynamic roles by setting dynamic.apichecker.enabled to true if not already 
enabled.");
+            }
+            try (final PreparedStatement updateStatement = 
conn.prepareStatement("INSERT INTO cloud.configuration (category, instance, 
name, default_value, value) VALUES ('Advanced', 'DEFAULT', 
'dynamic.apichecker.enabled', 'false', 'true') ON DUPLICATE KEY UPDATE 
value='true'")) {
+                updateStatement.executeUpdate();
+            } catch (SQLException e) {
+                LOG.error("Failed to set dynamic.apichecker.enabled to true, 
please run migrate-dynamicroles.py script to manually migrate to dynamic 
roles.", e);
+            }
+        } else {
+            LOG.warn("Old commands.properties static checker is deprecated, 
please use migrate-dynamicroles.py to migrate to dynamic roles. Refer 
http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/accounts.html#using-dynamic-roles";);
+        }
+    }
+
     private void validateUserDataInBase64(Connection conn) {
         try (final PreparedStatement selectStatement = 
conn.prepareStatement("SELECT `id`, `user_data` FROM `cloud`.`user_vm` WHERE 
`user_data` IS NOT NULL;");
              final ResultSet selectResultSet = selectStatement.executeQuery()) 
{
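Review bot: The switch to the dynamic role checker on the missing-file path is recorded only at DEBUG (the guarded `LOG.debug` before the INSERT in checkAndEnableDynamicRoles), so an upgrade run at default log levels leaves no trace that the API authorization model was changed on the admin's behalf; this belongs at INFO or WARN, e.g. `LOG.info("No commands.properties file was found, enabling dynamic roles by setting dynamic.apichecker.enabled to true if not already enabled.");` with the isDebugEnabled guard dropped. In the catch branch a failed UPDATE is only logged and the migration continues, so the upgrade can finish with neither the static file nor the dynamic checker in place; the neighbouring migrations appear to surface failures via CloudRuntimeException (it is imported in the file's header hunk), and failing the same way here seems safer than relying on an ERROR line being noticed. `apiMap == null || apiMap.isEmpty()` also treats a present but empty commands.properties as absent, which is defensible but worth a one-line comment stating it is intended. The `";);` closing the LOG.warn call looks like a mail-archive rendering artifact rather than the committed text, but deserves a glance in the actual source.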
diff --git 
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
 
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index fc78268..f3dc3a3 100644
--- 
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ 
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -39,6 +39,7 @@ import com.cloud.utils.component.PluggableService;
 
 // This is the default API access checker that grab's the user's account
 // based on the account type, access is granted
+@Deprecated
 public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements 
APIChecker {
 
     protected static final Logger LOGGER = 
Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
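Review bot: The bare `@Deprecated` on StaticRoleBasedAPIAccessChecker gives readers no pointer to its replacement, and the two `//` lines above it are not Javadoc, so there is no `@deprecated` tag either. Turning that header into a Javadoc comment ending with `@deprecated Superseded by the dynamic role-based API checker; see scripts/util/migrate-dynamicroles.py to migrate.` would make the intent visible in IDEs and generated docs (the `since`/`forRemoval` elements need Java 9, so the plain annotation is the right choice if the build still targets 8). The existing comment's `grab's` should read `grabs` while that header is being touched. The class body continues below this hunk.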
diff --git a/scripts/util/migrate-dynamicroles.py 
b/scripts/util/migrate-dynamicroles.py
index cbb83f9..35dfe66 100755
--- a/scripts/util/migrate-dynamicroles.py
+++ b/scripts/util/migrate-dynamicroles.py
@@ -55,6 +55,14 @@ def migrateApiRolePermissions(apis, conn):
             if (octetKey[role] & int(apis[api])) > 0:
                 runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, 
`role_id`, `rule`, `permission`, `sort_order`) values (UUID(), %d, '%s', 
'ALLOW', %d);" % (role, api, sortOrder))
                 sortOrder += 1
+    print("Static role permissions from commands.properties have been migrated 
into the db")
+
+
+def enableDynamicApiChecker(conn):
+    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where 
name='dynamic.apichecker.enabled'")
+    conn.commit()
+    conn.close()
+    print("Dynamic role based API checker has been enabled!")
 
 
 def main():
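Review bot: `enableDynamicApiChecker` commits and then closes the caller's connection, which neither its name nor a docstring states; it is now called from two places in main, and anything added after either call would run against a closed connection. Either leave `conn.close()` to main, or document the contract with a docstring such as `"""Set dynamic.apichecker.enabled=true, commit, and close conn (no further queries possible)."""`. The success message printed at the end of migrateApiRolePermissions is unconditional; if runSql skips execution under --dryrun (its definition is outside this hunk), the message overstates what a dry run did. migrateApiRolePermissions starts above this hunk.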
@@ -71,6 +79,8 @@ def main():
                         help="Host or IP of the MySQL server")
     parser.add_option("-f", "--properties-file", action="store", 
type="string", dest="commandsfile", 
default="/etc/cloudstack/management/commands.properties",
                         help="The commands.properties file")
+    parser.add_option("-D", "--default", action="store_true", 
dest="defaultRules", default=False,
+                        help="")
     parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun", 
default=False,
                         help="Dry run and debug operations this tool will 
perform")
     (options, args) = parser.parse_args()
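Review bot: The new `-D/--default` option is added with `help=""`, so `--help` lists a flag that switches the API authorization checker without saying what it does. Something like `help="Enable dynamic roles using the default role-rule permissions, ignoring any commands.properties file"` would match the commit description. The rest of main lies outside this hunk.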
@@ -89,8 +99,14 @@ def main():
             port=int(options.port),
             db=options.db)
 
+    if options.defaultRules:
+        print("Applying the default role permissions, ignoring any provided 
properties files(s).")
+        enableDynamicApiChecker(conn)
+        sys.exit(0)
+
     if not os.path.isfile(options.commandsfile):
-        print("Provided commands.properties cannot be accessed or does not 
exist, please check check permissions")
+        print("Provided commands.properties cannot be accessed or does not 
exist.")
+        print("Please check passed options, or run only with --default option 
to use the default role permissions.")
         sys.exit(1)
 
     while True:
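Review bot: The `--default` path flips dynamic.apichecker.enabled without checking that any role permissions exist, so if `cloud.role_permissions` is empty or holds the rows of an earlier, partial run of this script, the API checker is switched to whatever rule set happens to be present; the commit message describes this mode as using the default role-rule permissions, which the script never verifies. A cheap guard before `enableDynamicApiChecker(conn)` — a `SELECT COUNT(*) FROM cloud.role_permissions` and a refusal (or a prompt) when it returns 0 — would prevent that; I can't tell from this hunk whether runSql returns rows, so it may need a small helper. The new print also says `files(s)` where `file(s)` is meant. main continues above and below this hunk.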
@@ -122,15 +138,8 @@ def main():
 
     # Migrate rules from commands.properties to cloud.role_permissions
     migrateApiRolePermissions(apiMap, conn)
-    print("Static role permissions from commands.properties have been migrated 
into the db")
-
-    # Enable dynamic role based API checker
-    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where 
name='dynamic.apichecker.enabled'")
-    conn.commit()
-    conn.close()
-
-    print("Dynamic role based API checker has been enabled!")
 
+    enableDynamicApiChecker(conn)
 
 if __name__ == '__main__':
     main()
