[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16337473#comment-16337473
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10236:
---------------------------------------------

rhtyd closed pull request #2426: CLOUDSTACK-10236: Enable dynamic roles for 
missing props file
URL: https://github.com/apache/cloudstack/pull/2426
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:


diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java 
b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index 53c2340665f..20294d16518 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -31,6 +31,7 @@
 import org.apache.log4j.Logger;
 
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 public class Upgrade41000to41100 implements DbUpgrade {
@@ -65,10 +66,27 @@ public boolean supportsRollingUpgrade() {
 
     @Override
     public void performDataMigration(Connection conn) {
+        checkAndEnableDynamicRoles(conn);
         validateUserDataInBase64(conn);
         updateSystemVmTemplates(conn);
     }
 
+    private void checkAndEnableDynamicRoles(final Connection conn) {
+        final Map<String, String> apiMap = 
PropertiesUtil.processConfigFile(new String[] { "commands.properties" });
+        if (apiMap == null || apiMap.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("No commands.properties file was found, enabling 
dynamic roles by setting dynamic.apichecker.enabled to true if not already 
enabled.");
+            }
+            try (final PreparedStatement updateStatement = 
conn.prepareStatement("INSERT INTO cloud.configuration (category, instance, 
name, default_value, value) VALUES ('Advanced', 'DEFAULT', 
'dynamic.apichecker.enabled', 'false', 'true') ON DUPLICATE KEY UPDATE 
value='true'")) {
+                updateStatement.executeUpdate();
+            } catch (SQLException e) {
+                LOG.error("Failed to set dynamic.apichecker.enabled to true, 
please run migrate-dynamicroles.py script to manually migrate to dynamic 
roles.", e);
+            }
+        } else {
+            LOG.warn("Old commands.properties static checker is deprecated, 
please use migrate-dynamicroles.py to migrate to dynamic roles. Refer 
http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/accounts.html#using-dynamic-roles";);
+        }
+    }
+
     private void validateUserDataInBase64(Connection conn) {
         try (final PreparedStatement selectStatement = 
conn.prepareStatement("SELECT `id`, `user_data` FROM `cloud`.`user_vm` WHERE 
`user_data` IS NOT NULL;");
              final ResultSet selectResultSet = selectStatement.executeQuery()) 
{
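Review bot: The switch of the API authorization model to dynamic roles in `checkAndEnableDynamicRoles` is recorded only at DEBUG (behind `LOG.isDebugEnabled()`), and a failed `executeUpdate` is logged and swallowed, so the upgrade reports success while the management server may be left with the deprecated static checker and no `commands.properties`, i.e. the exact login failure this issue describes. An authorization-policy change made by the upgrader should be visible regardless of log level, e.g. `LOG.warn("No commands.properties file was found, enabling dynamic roles ...")`, and the failure is better surfaced as `throw new CloudRuntimeException("Failed to enable dynamic.apichecker.enabled during upgrade", e);` (the type is already imported in this file) so the operator is forced to act instead of discovering it at the next login. The same branch also fires when the file exists but `processConfigFile` returns an empty map; if that can happen for a present-but-unreadable file, the upgrader silently moves from whatever the static checker allowed for an empty map (presumably nothing) to the default role permissions, so distinguishing "missing" from "empty or unreadable" before auto-enabling is worth considering. `performDataMigration` and the surrounding `validateUserDataInBase64` continue outside the hunk.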
diff --git 
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
 
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index fc78268fc62..f3dc3a3b8d7 100644
--- 
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ 
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -39,6 +39,7 @@
 
 // This is the default API access checker that grab's the user's account
 // based on the account type, access is granted
+@Deprecated
 public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements 
APIChecker {
 
     protected static final Logger LOGGER = 
Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
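Review bot: `@Deprecated` is added without a Javadoc `@deprecated` tag, so nothing tells a reader what replaces this checker or how to move off it. Add above the annotation a short Javadoc such as `/** @deprecated Static commands.properties-based checking is superseded by dynamic roles (dynamic.apichecker.enabled); use scripts/util/migrate-dynamicroles.py to migrate. */`, folding in the existing line comment and fixing its typo (`grab's`) at the same time. The class body continues outside the hunk.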
diff --git a/scripts/util/migrate-dynamicroles.py 
b/scripts/util/migrate-dynamicroles.py
index cbb83f91783..35dfe662513 100755
--- a/scripts/util/migrate-dynamicroles.py
+++ b/scripts/util/migrate-dynamicroles.py
@@ -55,6 +55,14 @@ def migrateApiRolePermissions(apis, conn):
             if (octetKey[role] & int(apis[api])) > 0:
                 runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, 
`role_id`, `rule`, `permission`, `sort_order`) values (UUID(), %d, '%s', 
'ALLOW', %d);" % (role, api, sortOrder))
                 sortOrder += 1
+    print("Static role permissions from commands.properties have been migrated 
into the db")
+
+
+def enableDynamicApiChecker(conn):
+    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where 
name='dynamic.apichecker.enabled'")
+    conn.commit()
+    conn.close()
+    print("Dynamic role based API checker has been enabled!")
 
 
 def main():
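Review bot: `enableDynamicApiChecker` issues a bare `UPDATE ... where name='dynamic.apichecker.enabled'`, so if that configuration row does not exist the statement matches nothing and the script still prints "Dynamic role based API checker has been enabled!", whereas the Java upgrader in the same PR uses `INSERT ... ON DUPLICATE KEY UPDATE` for the same key. For consistency and a truthful success message, use the same upsert here, `runSql(conn, "INSERT INTO cloud.configuration (category, instance, name, default_value, value) VALUES ('Advanced', 'DEFAULT', 'dynamic.apichecker.enabled', 'false', 'true') ON DUPLICATE KEY UPDATE value='true'")`, or at least check the affected-row count before printing. The function also commits and closes `conn`, which its name does not suggest; a one-line comment such as `# commits and closes conn; callers must not use it afterwards` would save the next caller a surprise.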
@@ -71,6 +79,8 @@ def main():
                         help="Host or IP of the MySQL server")
     parser.add_option("-f", "--properties-file", action="store", 
type="string", dest="commandsfile", 
default="/etc/cloudstack/management/commands.properties",
                         help="The commands.properties file")
+    parser.add_option("-D", "--default", action="store_true", 
dest="defaultRules", default=False,
+                        help="")
     parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun", 
default=False,
                         help="Dry run and debug operations this tool will 
perform")
     (options, args) = parser.parse_args()
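Review bot: The new `-D/--default` option is registered with an empty `help=""`, so `--help` lists the flag without saying what it does or that it skips the properties-file migration entirely. Something like `help="Enable the dynamic API checker with the built-in default role permissions, without migrating a commands.properties file"` describes the behaviour the branch in `main` gives it. `main` continues outside the hunk.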
@@ -89,8 +99,14 @@ def main():
             port=int(options.port),
             db=options.db)
 
+    if options.defaultRules:
+        print("Applying the default role permissions, ignoring any provided 
properties files(s).")
+        enableDynamicApiChecker(conn)
+        sys.exit(0)
+
     if not os.path.isfile(options.commandsfile):
-        print("Provided commands.properties cannot be accessed or does not 
exist, please check check permissions")
+        print("Provided commands.properties cannot be accessed or does not 
exist.")
+        print("Please check passed options, or run only with --default option 
to use the default role permissions.")
         sys.exit(1)
 
     while True:
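Review bot: The `--default` branch enables the dynamic checker and exits before the interactive loop that begins at `while True:`, so whatever confirmation the non-default path asks of the operator (its body is outside this hunk) is skipped, and whether `--dryrun` is honoured depends on `runSql`, which is also not visible here. Since this flips the API authorization model for every account, the branch should honour the dry-run flag explicitly, e.g. `if options.dryrun: print("Would set dynamic.apichecker.enabled=true"); sys.exit(0)` ahead of `enableDynamicApiChecker(conn)`, or be moved below the confirmation prompt. The printed message also reads `properties files(s)` where `properties file(s)` is intended.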
@@ -122,15 +138,8 @@ def main():
 
     # Migrate rules from commands.properties to cloud.role_permissions
     migrateApiRolePermissions(apiMap, conn)
-    print("Static role permissions from commands.properties have been migrated 
into the db")
-
-    # Enable dynamic role based API checker
-    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where 
name='dynamic.apichecker.enabled'")
-    conn.commit()
-    conn.close()
-
-    print("Dynamic role based API checker has been enabled!")
 
+    enableDynamicApiChecker(conn)
 
 if __name__ == '__main__':
     main()


 



> Unable to login to ACS after upgrading 4.5 -> 4.11 
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-10236
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10236
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>    Affects Versions: 4.11.0.0
>            Reporter: Boris Stoyanov
>            Assignee: Rohit Yadav
>            Priority: Blocker
>             Fix For: 4.11.0.0
>
>
> I've upgraded my CentOS6 env from 4.5 to 4.11 and ended up not being able to 
> login. I'm getting 'Session expired' message right after I enter my admin 
> username and password. Here's the management log output: 
>  
> {code:java}
> 2018-01-17 13:07:47,383 DEBUG [c.c.u.AccountManagerImpl] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) Attempting to log in user: 
> admin in domain 1
> 2018-01-17 13:07:47,389 DEBUG [o.a.c.s.a.PBKDF2UserAuthenticator] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) Retrieving user: admin
> 2018-01-17 13:07:48,248 DEBUG [c.c.u.AccountManagerImpl] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) CIDRs from which account 
> 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]' is allowed to perform API 
> calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,249 DEBUG [c.c.u.AccountManagerImpl] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) User: admin in domain 1 has 
> successfully logged in
> 2018-01-17 13:07:48,260 INFO [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) Current user logged in under 
> UTC timezone
> 2018-01-17 13:07:48,260 INFO [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) Timezone offset from UTC is: 
> 0.0
> 2018-01-17 13:07:48,267 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba) ===END=== 10.1.0.1 – POST
> 2018-01-17 13:07:48,340 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-390d3282) (logid:b98a9144) ===START=== 10.1.0.1 – GET 
> command=listCapabilities&response=json&_=1516194514030
> 2018-01-17 13:07:48,349 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-16:ctx-390d3282 ctx-0509900f) (logid:b98a9144) CIDRs from 
> which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]' is allowed 
> to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,372 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-390d3282 ctx-0509900f) (logid:b98a9144) ===END=== 
> 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194514030
> 2018-01-17 13:07:48,439 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-495f6fd0) (logid:67992211) ===START=== 10.1.0.1 – GET 
> command=listZones&response=json&_=1516194514137
> 2018-01-17 13:07:48,449 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-495f6fd0 ctx-606dcc84) (logid:67992211) CIDRs from 
> which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]' is allowed 
> to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,474 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-495f6fd0 ctx-606dcc84) (logid:67992211) ===END=== 
> 10.1.0.1 – GET command=listZones&response=json&_=1516194514137
> 2018-01-17 13:07:48,549 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-f2bcf13f) (logid:f73a6f0c) ===START=== 10.1.0.1 – GET 
> command=cloudianIsEnabled&response=json&_=1516194514249
> 2018-01-17 13:07:48,556 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-16:ctx-f2bcf13f ctx-3e6a3a41) (logid:f73a6f0c) CIDRs from 
> which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]' is allowed 
> to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,579 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-f2bcf13f ctx-3e6a3a41) (logid:f73a6f0c) ===END=== 
> 10.1.0.1 – GET command=cloudianIsEnabled&response=json&_=1516194514249
> 2018-01-17 13:07:48,645 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-560f926e) (logid:62a5cb2f) ===START=== 10.1.0.1 – GET 
> command=quotaIsEnabled&response=json&_=1516194514343
> 2018-01-17 13:07:48,653 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-560f926e ctx-c9a2914a) (logid:62a5cb2f) CIDRs from 
> which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]' is allowed 
> to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,658 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-560f926e ctx-c9a2914a) (logid:62a5cb2f) The given 
> command 'quotaIsEnabled' either does not exist, is not available for user, or 
> not available from ip address '/10.1.0.1'.
> 2018-01-17 13:07:48,660 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-560f926e ctx-c9a2914a) (logid:62a5cb2f) ===END=== 
> 10.1.0.1 – GET command=quotaIsEnabled&response=json&_=1516194514343
> 2018-01-17 13:07:48,738 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-9b8e4337) (logid:3c2cd5ee) ===START=== 10.1.0.1 – GET 
> command=listProjectInvitations&response=json&state=Pending&_=1516194514436
> 2018-01-17 13:07:48,739 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-16:ctx-9b8e4337 ctx-9814e0e7) (logid:3c2cd5ee) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:48,741 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-20:ctx-a4668354) (logid:337ae399) ===START=== 10.1.0.1 – GET 
> command=listProjects&response=json&accountId=3daaa51e-fb6a-11e7-ae7e-06efa8010701&listAll=true&page=1&pageSize=500&_=1516194514440
> 2018-01-17 13:07:48,742 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-20:ctx-a4668354 ctx-b627f275) (logid:337ae399) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:48,743 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-17bae500) (logid:1e7476c3) ===START=== 10.1.0.1 – GET 
> command=listZones&response=json&_=1516194514435
> 2018-01-17 13:07:48,745 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-19:ctx-17bae500 ctx-de5c59c7) (logid:1e7476c3) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:48,745 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-20:ctx-a4668354 ctx-b627f275) (logid:337ae399) ===END=== 
> 10.1.0.1 – GET 
> command=listProjects&response=json&accountId=3daaa51e-fb6a-11e7-ae7e-06efa8010701&listAll=true&page=1&pageSize=500&_=1516194514440
> 2018-01-17 13:07:48,741 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-16:ctx-9b8e4337 ctx-9814e0e7) (logid:3c2cd5ee) ===END=== 
> 10.1.0.1 – GET 
> command=listProjectInvitations&response=json&state=Pending&_=1516194514436
> 2018-01-17 13:07:48,743 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-13:ctx-4605c852) (logid:3328fe07) ===START=== 10.1.0.1 – GET 
> command=listRegions&response=json&_=1516194514439
> 2018-01-17 13:07:48,747 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-13:ctx-4605c852 ctx-31295f73) (logid:3328fe07) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:48,749 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-13:ctx-4605c852 ctx-31295f73) (logid:3328fe07) ===END=== 
> 10.1.0.1 – GET command=listRegions&response=json&_=1516194514439
> 2018-01-17 13:07:48,752 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-19:ctx-17bae500 ctx-de5c59c7) (logid:1e7476c3) ===END=== 
> 10.1.0.1 – GET command=listZones&response=json&_=1516194514435
> 2018-01-17 13:07:48,826 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-14:ctx-eaa9e2e9) (logid:4694b0ed) ===START=== 10.1.0.1 – GET 
> command=listCaCertificate&response=json&_=1516194514527
> 2018-01-17 13:07:48,827 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-14:ctx-eaa9e2e9 ctx-8ca6348b) (logid:4694b0ed) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:48,828 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-14:ctx-eaa9e2e9 ctx-8ca6348b) (logid:4694b0ed) ===END=== 
> 10.1.0.1 – GET command=listCaCertificate&response=json&_=1516194514527
> 2018-01-17 13:07:49,451 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-3ae768fb) (logid:f282b164) ===START=== 10.1.0.1 – GET 
> command=logout&response=json&_=1516194515151
> 2018-01-17 13:07:49,458 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-3ae768fb) (logid:f282b164) ===END=== 10.1.0.1 – GET 
> command=logout&response=json&_=1516194515151
> 2018-01-17 13:07:50,152 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-54681ff2) (logid:728ae178) ===START=== 10.1.0.1 – GET 
> command=listCapabilities&response=json&_=1516194515849
> 2018-01-17 13:07:50,154 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-18:ctx-54681ff2 ctx-1f30d250) (logid:728ae178) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:50,157 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-54681ff2 ctx-1f30d250) (logid:728ae178) ===END=== 
> 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194515849
> 2018-01-17 13:07:50,220 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-14:ctx-9ac0ae73) (logid:a44d0074) ===START=== 10.1.0.1 – GET 
> command=listConfigurations&response=json&name=default.ui.page.size&_=1516194515919
> 2018-01-17 13:07:50,220 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-14:ctx-9ac0ae73 ctx-5e4487a3) (logid:a44d0074) Expired 
> session, missing signature, or missing apiKey – ignoring request. Signature: 
> null, apiKey: null
> 2018-01-17 13:07:50,222 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-14:ctx-9ac0ae73 ctx-5e4487a3) (logid:a44d0074) ===END=== 
> 10.1.0.1 – GET 
> command=listConfigurations&response=json&name=default.ui.page.size&_=1516194515919
> 2018-01-17 13:07:50,284 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-dcbc8682) (logid:c5813f96) ===START=== 10.1.0.1 – GET 
> command=listIdps&response=json&_=1516194515984
> 2018-01-17 13:07:50,285 DEBUG [c.c.a.ApiServer] 
> (qtp1310540333-18:ctx-dcbc8682 ctx-454308e2) (logid:c5813f96) The given 
> command listIdps either does not exist, is not available for user, or not 
> available from ip address '10.1.0.1'.
> 2018-01-17 13:07:50,285 DEBUG [c.c.a.ApiServlet] 
> (qtp1310540333-18:ctx-dcbc8682 ctx-454308e2) (logid:c5813f96) ===END=== 
> 10.1.0.1 – GET command=listIdps&response=json&_=1516194515984
> 2018-01-17 13:07:50,567 DEBUG [c.c.c.ConsoleProxyManagerImpl] 
> (consoleproxy-1:ctx-bf5139f9) (logid:9aeed140) Zone 1 is not ready to launch 
> console proxy yet
> 2018-01-17 13:07:50,625 DEBUG [o.a.c.s.SecondaryStorageManagerImpl] 
> (secstorage-1:ctx-cfb5cf98) (logid:55fc36ee) Zone 1 is not ready to launch 
> secondary storage VM yet
> 2018-01-17 13:07:51,558 DEBUG [c.c.a.m.AgentManagerImpl] 
> (AgentManager-Handler-5:null) (logid SeqA 2-2139: Processing Seq 2-2139: { 
> Cmd , MgmtId: -1, via: 2, Ver: v1, Flags: 11, 
> [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":1,"_loadInfo":"
> {\n \"connections\": []\n}
> ","wait":0}}] }
> 2018-01-17 13:07:51,567 DEBUG [c.c.a.m.AgentManagerImpl] 
> (AgentManager-Handler-5:null) (logid SeqA 2-2139: Sending Seq 2-2139: { Ans: 
> , MgmtId: 7626385590017, via: 2, Ver: v1, Flags: 100010, 
> [{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }{code}
>  
> Some details about the env: 
> Advanced zone 
>  1 kvm host on CentOS 6 
>  NFS storage 


