[jira] [Commented] (CLOUDSTACK-9337) [CI] Enhance vcenter library to add datacenter programmatically

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251322#comment-15251322
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9337:


Github user sanju1010 commented on the pull request:

https://github.com/apache/cloudstack/pull/1464#issuecomment-212756206
  
These changes will not have any impact on cloudstack code since it is 
purely to orchestrate the vcenter Server to create datacenter->cluster->hosts. 
Can we merge this without waiting for CI to run?


> [CI] Enhance vcenter library to add datacenter programmatically
> ---
>
> Key: CLOUDSTACK-9337
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9337
> Project: CloudStack
>  Issue Type: Test
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Sanjeev N
>Assignee: Sanjeev N
>
> Enhance vcenter.py to create data centers in vCenter server automatically by 
> reading the configuration from a json file.
> Added few methods to create data center, cluster and hosts in it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9162) Unable to add VPN user via API with Required Parameters

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251321#comment-15251321
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9162:


Github user jayapalu commented on the pull request:

https://github.com/apache/cloudstack/pull/1241#issuecomment-212754454
  
@kansal Can you please rebase it with the master once. Code changes are 
fine, I will test once rebased branch.


> Unable to add VPN user via API with Required Parameters
> ---
>
> Key: CLOUDSTACK-9162
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9162
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Kshitij Kansal
>Assignee: Kshitij Kansal
>
> With the following API request 
> 127.0.0.1:8096/client/api?command=addVpnUser=password111=api123
>  VPN user fails with following reason : Failed to apply vpn for user api123, 
> accountId=1



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8855) Improve Error Message for Host Alert State

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251320#comment-15251320
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8855:


Github user bvbharatk commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/837#discussion_r60529246
  
--- Diff: 
engine/orchestration/src/com/cloud/agent/manager/AgentManagerImpl.java ---
@@ -971,33 +971,28 @@ public Answer easySend(final Long hostId, final 
Command cmd) {
 }
 
 @Override
-public boolean reconnect(final long hostId) {
+public void reconnect(final long hostId) throws CloudRuntimeException, 
AgentUnavailableException{
 HostVO host;
 
 host = _hostDao.findById(hostId);
 if (host == null || host.getRemoved() != null) {
-s_logger.warn("Unable to find host " + hostId);
-return false;
+throw new CloudRuntimeException("Unable to find host " + 
hostId);
 }
 
 if (host.getStatus() == Status.Disconnected) {
-s_logger.info("Host is already disconnected, no work to be 
done");
-return true;
+throw new CloudRuntimeException("Host is already disconnected, 
no work to be done");
 }
 
 if (host.getStatus() != Status.Up && host.getStatus() != 
Status.Alert && host.getStatus() != Status.Rebalancing) {
-s_logger.info("Unable to disconnect host because it is not in 
the correct state: host=" + hostId + "; Status=" + host.getStatus());
-return false;
+throw  new CloudRuntimeException("Unable to disconnect host 
because it is not in the correct state: host=" + hostId + "; Status=" + 
host.getStatus());
 }
 
 final AgentAttache attache = findAttache(hostId);
 if (attache == null) {
-s_logger.info("Unable to disconnect host because it is not 
connected to this server: " + hostId);
-return false;
+throw new CloudRuntimeException("Unable to disconnect host 
because it is not connected to this server: " + hostId);
 }
 
 disconnectWithoutInvestigation(attache, Event.ShutdownRequested);
-return true;
 }
 
 public boolean executeUserRequest(final long hostId, final Event 
event) throws AgentUnavailableException {
--- End diff --

@rodrigo93 
This method is already a void. 


> Improve Error Message for Host Alert State
> --
>
> Key: CLOUDSTACK-8855
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8855
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.6.0
>Reporter: Bharat Kumar
>Assignee: Bharat Kumar
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (CLOUDSTACK-8830) [VMware] VM snapshot fails for 12 min after instance creation

2016-04-20 Thread Suresh Kumar Anaparti (JIRA) 

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Suresh Kumar Anaparti updated CLOUDSTACK-8830:
--
Description: 
ISSUE

[VMware] VM snapshot fails for 12 min after instance creation

Environment
==
Product Name: Cloudstack
Hypervisor: VMWare VSphere 6

VM DETAILS
==
i-84987-16119-VM

TROUBLESHOOTING
==
I see that the following failure and immediate success result for the 
CreateVMSnapshot call
{noformat}
2015-07-24 08:20:55,363 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Sending  { Cmd , MgmtId: 
345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
[{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
 i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
 }
2015-07-24 08:20:55,373 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Executing:  { Cmd , MgmtId: 
345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
[{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
 i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
 }
2015-07-24 08:20:55,374 DEBUG [c.c.a.m.DirectAgentAttache] 
(DirectAgent-66:ctx-5fbdccd8) (logid:710814a5) Seq 80-6161487240196259878: 
Executing request
2015-07-24 08:20:55,523 ERROR [c.c.h.v.m.VmwareStorageManagerImpl] 
(DirectAgent-66:ctx-5fbdccd8 ussfoldcsesx112.adslab.local, job-64835/job-64836, 
cmd: CreateVMSnapshotCommand) (logid:8b87ab8a) failed to create snapshot for 
vm:i-84987-16119-VM due to null
2015-07-24 08:20:55,524 DEBUG [c.c.a.m.DirectAgentAttache] 
(DirectAgent-66:ctx-5fbdccd8) (logid:8b87ab8a) Seq 80-6161487240196259878: 
Response Received: 
2015-07-24 08:20:55,525 DEBUG [c.c.a.t.Request] (DirectAgent-66:ctx-5fbdccd8) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Processing:  { Ans: , MgmtId: 
345051581208, via: 80, Ver: v1, Flags: 10, 
[{"com.cloud.agent.api.CreateVMSnapshotAnswer":{"result":false,"wait":0}}] }
2015-07-24 08:20:55,525 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Received:  { Ans: , MgmtId: 
345051581208, via: 80, Ver: v1, Flags: 10, { CreateVMSnapshotAnswer } }
2015-07-24 08:20:55,525 ERROR [o.a.c.s.v.DefaultVMSnapshotStrategy] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Creating VM snapshot: i-84987-16119-VM_VS_20150724152053 failed
2015-07-24 08:20:55,531 DEBUG [c.c.v.s.VMSnapshotManagerImpl]

[jira] [Updated] (CLOUDSTACK-8830) [VMware] VM snapshot fails for 12 min after instance creation

2016-04-20 Thread Suresh Kumar Anaparti (JIRA) 

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Suresh Kumar Anaparti updated CLOUDSTACK-8830:
--
Description: 
ISSUE

[VMware] VM snapshot fails for 12 min after instance creation

Environment
==
Product Name: Cloudstack
Hypervisor: VMWare VSphere 6

VM DETAILS
==
i-84987-16119-VM

TROUBLESHOOTING
==
I see that the following failure and immediate success result for the 
CreateVMSnapshot call
{noformat}
2015-07-24 08:20:55,363 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Sending  { Cmd , MgmtId: 
345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
[{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
 i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
 }
2015-07-24 08:20:55,373 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Executing:  { Cmd , MgmtId: 
345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
[{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
 i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
 }
2015-07-24 08:20:55,374 DEBUG [c.c.a.m.DirectAgentAttache] 
(DirectAgent-66:ctx-5fbdccd8) (logid:710814a5) Seq 80-6161487240196259878: 
Executing request
2015-07-24 08:20:55,523 ERROR [c.c.h.v.m.VmwareStorageManagerImpl] 
(DirectAgent-66:ctx-5fbdccd8 ussfoldcsesx112.adslab.local, job-64835/job-64836, 
cmd: CreateVMSnapshotCommand) (logid:8b87ab8a) failed to create snapshot for 
vm:i-84987-16119-VM due to null
2015-07-24 08:20:55,524 DEBUG [c.c.a.m.DirectAgentAttache] 
(DirectAgent-66:ctx-5fbdccd8) (logid:8b87ab8a) Seq 80-6161487240196259878: 
Response Received: 
2015-07-24 08:20:55,525 DEBUG [c.c.a.t.Request] (DirectAgent-66:ctx-5fbdccd8) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Processing:  { Ans: , MgmtId: 
345051581208, via: 80, Ver: v1, Flags: 10, 
[{"com.cloud.agent.api.CreateVMSnapshotAnswer":{"result":false,"wait":0}}] }
2015-07-24 08:20:55,525 DEBUG [c.c.a.t.Request] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Seq 80-6161487240196259878: Received:  { Ans: , MgmtId: 
345051581208, via: 80, Ver: v1, Flags: 10, { CreateVMSnapshotAnswer } }
2015-07-24 08:20:55,525 ERROR [o.a.c.s.v.DefaultVMSnapshotStrategy] 
(Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
(logid:8b87ab8a) Creating VM snapshot: i-84987-16119-VM_VS_20150724152053 failed
2015-07-24 08:20:55,531 DEBUG [c.c.v.s.VMSnapshotManagerImpl]

[jira] [Commented] (CLOUDSTACK-8826) XenServer - Use device id passed as part of attach volume API properly

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251316#comment-15251316
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8826:


Github user koushik-das commented on the pull request:

https://github.com/apache/cloudstack/pull/792#issuecomment-212753295
  
@pdion891 This wasn't tested with HVM VMs.




> XenServer - Use device id passed as part of attach volume API properly
> --
>
> Key: CLOUDSTACK-8826
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8826
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: XenServer
>Affects Versions: 4.6.0
>Reporter: Koushik Das
>Assignee: Koushik Das
> Fix For: 4.6.0
>
>
> Random failures were seen in XS attach/detach volume test scenarios (many 
> attach/detach were performed on the same VM over a span of 24 hrs).
> The failures happened as the device id for attaching volume wasn't available 
> in HV. Some detached volume didn't got cleaned up properly and so the device 
> id wasn't released.
> The fix would be clean up stale volumes before attaching new ones so the 
> device slots are released. Also using the device id should be best effort and 
> if that particular id is not available in XS, it should fallback on using an 
> id that is available and automatically assigned.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (CLOUDSTACK-8830) [VMware] VM snapshot fails for 12 min after instance creation

2016-04-20 Thread Suresh Kumar Anaparti (JIRA) 

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Suresh Kumar Anaparti updated CLOUDSTACK-8830:
--
Summary: [VMware] VM snapshot fails for 12 min after instance creation  
(was: VM snapshot fails for 12 min after instance creation)

> [VMware] VM snapshot fails for 12 min after instance creation
> -
>
> Key: CLOUDSTACK-8830
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8830
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Maneesha
>Assignee: Maneesha
>
> ISSUE
> 
> VM snapshot fails for 12 min after instance creation
> Environment
> ==
> Product Name: Cloudstack
> Hypervisor: VMWare VSphere 6
> VM DETAILS
> ==
> i-84987-16119-VM
> STORAGE CONFIGURATION
> ==
> NA
> TROUBLESHOOTING
> ==
> I see that the following failure and immediate success result for the 
> CreateVMSnapshot call
> {noformat}
> 2015-07-24 08:20:55,363 DEBUG [c.c.a.t.Request] 
> (Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
> (logid:8b87ab8a) Seq 80-6161487240196259878: Sending  { Cmd , MgmtId: 
> 345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
> [{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
>  i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
> 49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
>  }
> 2015-07-24 08:20:55,373 DEBUG [c.c.a.t.Request] 
> (Work-Job-Executor-61:ctx-03fad7f2 job-64835/job-64836 ctx-746f3965) 
> (logid:8b87ab8a) Seq 80-6161487240196259878: Executing:  { Cmd , MgmtId: 
> 345051581208, via: 80(ussfoldcsesx112.adslab.local), Ver: v1, Flags: 100011, 
> [{"com.cloud.agent.api.CreateVMSnapshotCommand":{"volumeTOs":[{"uuid":"a89b4ad5-f23f-4df6-84a8-89c4f40b2edb","volumeType":"ROOT","volumeState":"Ready","dataStore":{"org.apache.cloudstack.storage.to.PrimaryDataStoreTO":{"uuid":"346b381a-8543-3f7b-9eff-fa909ad243c7","id":205,"poolType":"NetworkFilesystem","host":"10.144.35.110","path":"/tintri/ECS-SR-CLD200","port":2049,"url":"NetworkFilesystem://10.144.35.110/tintri/ECS-SR-CLD200/?ROLE=Primary=346b381a-8543-3f7b-9eff-fa909ad243c7"}},"name":"ROOT-16119","size":1073741824,"path":"ROOT-16119","volumeId":19311,"vmName":"i-84987-16119-VM","vmState":"Running","accountId":84987,"chainInfo":"{\"diskDeviceBusName\":\"ide0:1\",\"diskChain\":[\"[346b381a85433f7b9efffa909ad243c7]
>  i-84987-16119-VM/ROOT-16119.vmdk\",\"[346b381a85433f7b9efffa909ad243c7] 
> 49f59e1a4ce23fec8890c8b9e5891d56/49f59e1a4ce23fec8890c8b9e5891d56.vmdk\"]}","format":"OVA","provisioningType":"THIN","id":19311,"deviceId":0,"cacheMode":"NONE","hypervisorType":"VMware"}],"target":{"id":962,"snapshotName":"i-84987-16119-VM_VS_20150724152053","type":"Disk","current":false,"description":"unit-test-instance-snapshot","quiescevm":false},"vmName":"i-84987-16119-VM","guestOSType":"None","wait":1800}}]
>  }
> 2015-07-24 08:20:55,374 DEBUG [c.c.a.m.DirectAgentAttache] 
> (DirectAgent-66:ctx-5fbdccd8) (logid:710814a5) Seq 80-6161487240196259878: 
> Executing request
> 2015-07-24 08:20:55,523 ERROR [c.c.h.v.m.VmwareStorageManagerImpl] 
> (DirectAgent-66:ctx-5fbdccd8 ussfoldcsesx112.adslab.local, 
> job-64835/job-64836, cmd: CreateVMSnapshotCommand) (logid:8b87ab8a) failed to 
> create snapshot for vm:i-84987-16119-VM due to null
> 2015-07-24 08:20:55,524 DEBUG [c.c.a.m.DirectAgentAttache] 
> (DirectAgent-66:ctx-5fbdccd8) (logid:8b87ab8a) Seq 80-6161487240196259878: 
> Response Received: 
> 2015-07-24 08:20:55,525 DEBUG [c.c.a.t.Request] (DirectAgent-66:ctx-5fbdccd8) 
> (logid:8b87ab8a) Seq 80-6161487240196259878: Processing:  { Ans: ,

[jira] [Commented] (CLOUDSTACK-8910) The reserved_capacity field increases suddenly after a vmware host failure

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251269#comment-15251269
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8910:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/892#issuecomment-212745452
  
Rebased the branch.


> The reserved_capacity field increases suddenly after a vmware host failure
> --
>
> Key: CLOUDSTACK-8910
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8910
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8906) /var/log/cloud/ doesn't get logrotated on xenserver

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251262#comment-15251262
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8906:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/883#issuecomment-212742630
  
The existing implementation for logrotation that works with xenserver 6.0 
and earlier does not works with 6.0.2 and later. That is the reason I have 
added this implentation. With #861 we are changing the database to point to 
XenServer600Resource, but this change has no impact on log rotation 
implementation.  Here is an article that described the problem and the solution 
that I implemented.


[http://support.en.ctx.org.cn/ctx138064.citrix](http://support.en.ctx.org.cn/ctx138064.citrix)

@harikrishna-patnala can you comment if #861 is going to help in log 
rotation problem.


> /var/log/cloud/ doesn't get logrotated on xenserver 
> 
>
> Key: CLOUDSTACK-8906
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8906
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8865) Adding SR doesn't create Storage_pool_host_ref entry for disabled host

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251206#comment-15251206
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8865:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/876#issuecomment-212725838
  
Rebased with master.


> Adding SR doesn't create Storage_pool_host_ref entry for disabled host
> --
>
> Key: CLOUDSTACK-8865
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8865
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.5.0
>Reporter: sudharma jain
>
> When we add Primary Storage into XS cluster which has a host in disabled 
> state the mapping info about each host and each storage pool on 
> storage_pool_host_ref is not created for the disabled host. However from XS 
> side SR is added in the pool elvel so SR can be seen from all hosts. James 
> wants mapping info populated in db.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8901) PrepareTemplate job thread hard-coded to max 8 threads

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251195#comment-15251195
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8901:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/880#issuecomment-212724576
  
@bhaisaab I pushed it again.


> PrepareTemplate job thread hard-coded to max 8 threads
> --
>
> Key: CLOUDSTACK-8901
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8901
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
>  The thread pool is hardcoded to use 8 threads,
> com.cloud.template.TemplateManagerImpl.configure(String, Map):
> _preloadExecutor = Executors.newFixedThreadPool(8, new 
> NamedThreadFactory("Template-Preloader"));
> Need to make it configurable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8970) Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15251187#comment-15251187
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8970:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/956#issuecomment-212718578
  
@bhaisaab Thanks for the comment. I  have updated with the latest now.


> Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available
> -
>
> Key: CLOUDSTACK-8970
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8970
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
> "Dynamically Scale" fails everytime because the setting of the guest OS in 
> VMware is not correctly set. When we set the OS Type of a 
> VM(account1-centos1) to "CentOS 6.5 (64-bit)". Then the value of the guest OS 
> in VMware is set to "Other (64-bit) and memory size is displayed by a grayed 
> out.
> If the OS type of VM is "CentOS 6.4 (64-bit)" , "CentOS 6.3 (64-bit)" 
> ,"CentOS 6.2 (64-bit)" or "CentOS 6.1 (64-bit)", the same issue happen.
> However, for "CentOS 6.0 (64-bit)", the value of the guest OS in VMware is 
> set to "Linux CentOS4/5/6/7(64-bit)" and memory size is not displayed by a 
> grayed out, we were able to "Dynamically Scale" the VM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250658#comment-15250658
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


Github user pdion891 commented on the pull request:

https://github.com/apache/cloudstack/pull/1505#issuecomment-212595733
  
tested with 4.7.2 + swift as Secondary Storage. with Swift,zoneid of 
template is empty.  this should go in master too.

LGTM.


> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250641#comment-15250641
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


Github user swill commented on the pull request:

https://github.com/apache/cloudstack/pull/1505#issuecomment-212588764
  
Since this is a UI change, is it possible to supply screenshots to show 
this behaves as expected?  For UI changes we tend to use visual proof since we 
can't do CI.  Thanks...


> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250636#comment-15250636
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


Github user pdube commented on the pull request:

https://github.com/apache/cloudstack/pull/1504#issuecomment-212587181
  
Pushing towards 4.7


> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250634#comment-15250634
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


Github user pdube closed the pull request at:

https://github.com/apache/cloudstack/pull/1504


> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250629#comment-15250629
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


GitHub user pdube opened a pull request:

https://github.com/apache/cloudstack/pull/1504

CLOUDSTACK-9172 Added cross zones check to delete template and iso

Added a check to ignore the zoneid, in the delete template UI, if the 
template is cross zones.

reference : CLOUDSTACK-9172

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/pdube/cloudstack 
CLOUDSTACK-9172-delete-cross-zones-template

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1504.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1504


commit cfd2ce71edbab431412f48b14011c8a137df1d22
Author: Patrick Dube 
Date:   2016-04-20T20:16:32Z

CLOUDSTACK-9172 Added cross zones check to delete template and iso




> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250631#comment-15250631
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9172:


GitHub user pdube opened a pull request:

https://github.com/apache/cloudstack/pull/1505

CLOUDSTACK-9172 Added cross zones check to delete template and iso

Added a check to ignore the zoneid, in the delete template UI, if the 
template is cross zones.

reference : CLOUDSTACK-9172

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/pdube/cloudstack 
CLOUDSTACK-9172-delete-cross-zones-template

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1505.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1505


commit cfd2ce71edbab431412f48b14011c8a137df1d22
Author: Patrick Dube 
Date:   2016-04-20T20:16:32Z

CLOUDSTACK-9172 Added cross zones check to delete template and iso




> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9172) Templates registered with CrossZones cannot be deleted in UI

2016-04-20 Thread Pierre-Luc Dion (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250605#comment-15250605
 ] 

Pierre-Luc Dion commented on CLOUDSTACK-9172:
-

fix in progress.

> Templates registered with CrossZones cannot be deleted in UI
> 
>
> Key: CLOUDSTACK-9172
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9172
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: UI
>Reporter: Remi Bergsma
> Fix For: Future
>
> Attachments: Screen Shot 2015-12-15 at 15.32.12.png
>
>
> The zoneid is missing and the API call fails. See screenshot.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8826) XenServer - Use device id passed as part of attach volume API properly

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250556#comment-15250556
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8826:


Github user simongodard commented on the pull request:

https://github.com/apache/cloudstack/pull/792#issuecomment-212573040
  
I confirm what @pdion891 described in the previous comment. 
http://markmail.org/thread/4nmyra6aofxtu3o2


> XenServer - Use device id passed as part of attach volume API properly
> --
>
> Key: CLOUDSTACK-8826
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8826
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: XenServer
>Affects Versions: 4.6.0
>Reporter: Koushik Das
>Assignee: Koushik Das
> Fix For: 4.6.0
>
>
> Random failures were seen in XS attach/detach volume test scenarios (many 
> attach/detach were performed on the same VM over a span of 24 hrs).
> The failures happened as the device id for attaching volume wasn't available 
> in HV. Some detached volume didn't got cleaned up properly and so the device 
> id wasn't released.
> The fix would be clean up stale volumes before attaching new ones so the 
> device slots are released. Also using the device id should be best effort and 
> if that particular id is not available in XS, it should fallback on using an 
> id that is available and automatically assigned.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8826) XenServer - Use device id passed as part of attach volume API properly

2016-04-20 Thread Simon Godard (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250458#comment-15250458
 ] 

Simon Godard commented on CLOUDSTACK-8826:
--

This bug fix looks like it broke a simple HVM VM start when more than 2 volumes 
are attached. Using 'autodetect' as the device Id is also rejected by XenServer 
when using HVM.

I tested with a PV VM and it seems to work fine.

> XenServer - Use device id passed as part of attach volume API properly
> --
>
> Key: CLOUDSTACK-8826
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8826
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: XenServer
>Affects Versions: 4.6.0
>Reporter: Koushik Das
>Assignee: Koushik Das
> Fix For: 4.6.0
>
>
> Random failures were seen in XS attach/detach volume test scenarios (many 
> attach/detach were performed on the same VM over a span of 24 hrs).
> The failures happened as the device id for attaching volume wasn't available 
> in HV. Some detached volume didn't got cleaned up properly and so the device 
> id wasn't released.
> The fix would be clean up stale volumes before attaching new ones so the 
> device slots are released. Also using the device id should be best effort and 
> if that particular id is not available in XS, it should fallback on using an 
> id that is available and automatically assigned.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8611) CS waits indefinitely for CheckS2SVpnConnectionsCommand to return

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250430#comment-15250430
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8611:


Github user swill commented on the pull request:

https://github.com/apache/cloudstack/pull/1459#issuecomment-212541636
  
I think this one is ready now.  I will add it to my merge queue.


> CS waits indefinitely for CheckS2SVpnConnectionsCommand to return
> -
>
> Key: CLOUDSTACK-8611
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8611
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Likitha Shetty
>Assignee: Suresh Kumar Anaparti
> Fix For: 4.9.0
>
>
> On one instance, CS began to execute CheckS2SVpnConnectionsCommand command on 
> a router but the command result was never returned to the MS. If a command 
> never returns, then 'DirectAgent' thread executing this command is blocked 
> indefinitely and cannot pick up any other request.
> Now since this command is designed to execute in sequence on a host and is 
> run regularly, every execution of that command thereafter on that particular 
> host ended up picking up a DirectAgent thread and waiting for the previous 
> execution to complete. And hence overtime, the host ended up using and 
> blocking all 'DirectAgent' threads indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8906) /var/log/cloud/ doesn't get logrotated on xenserver

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250387#comment-15250387
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8906:


Github user swill commented on the pull request:

https://github.com/apache/cloudstack/pull/883#issuecomment-212537408
  
I will admit, I don't really understand everything in play here.  If I read 
this quickly, it seems like this PR may not be needed because #861 essentially 
changes the database to point to the `XenServer600Resource` resource which does 
not have the logrotate problem.  Can I get a clarification from @remibergsma 
and/or @SudharmaJain.  Thanks...


> /var/log/cloud/ doesn't get logrotated on xenserver 
> 
>
> Key: CLOUDSTACK-8906
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8906
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9349) Unable to detach root volume when using Hypervisor Type KVM

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250360#comment-15250360
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9349:


Github user swill commented on the pull request:

https://github.com/apache/cloudstack/pull/1500#issuecomment-212533078
  
We need some LGTM code reviews of this one.  I would also like to run CI 
against it because it changes code that is common to other functionality to 
make sure nothing else gets broken from this change.


> Unable to detach root volume when using Hypervisor Type KVM
> ---
>
> Key: CLOUDSTACK-9349
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9349
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Volumes
>Affects Versions: 4.5.1, 4.6.2, 4.7.1, 4.8.0, 4.9.0
> Environment: Centos 7
>Reporter: Simon Weller
>Priority: Minor
> Fix For: 4.7.2
>
>
> Back in 4.5, support was added in CLOUDSTACK-6284 for detaching root volumes. 
> The original support was meant to work with Xen, VMware and KVM.
> After chatting with fuflo in the Cloudstack irc channel, it was pointed out 
> that a constraint was not correctly modified in VolumeApiServiceImpl.java to 
> allow the detach to occur when vm.getHypervisorType() == HypervisorType.KVM.
> This is a very useful feature, as it allows us to simulate a snapshot revert 
> with Ceph by using createVolume sourced from a snapshot, then detaching and 
> reattaching the root volume (new root volume needs to be attached as 
> device=0).
> I'm going to propose a PR for this shortly



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9100) ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync thread

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250351#comment-15250351
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9100:


Github user swill commented on the pull request:

https://github.com/apache/cloudstack/pull/1157#issuecomment-212531389
  
I think we are just missing 1 LGTM for this one.


> ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync 
> thread
> 
>
> Key: CLOUDSTACK-9100
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9100
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8611) CS waits indefinitely for CheckS2SVpnConnectionsCommand to return

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250245#comment-15250245
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8611:


Github user GabrielBrascher commented on the pull request:

https://github.com/apache/cloudstack/pull/1459#issuecomment-212512170
  
@DaanHoogland I removed `@param`, `@return` and `@throws` from javadoc. 
Thanks.


> CS waits indefinitely for CheckS2SVpnConnectionsCommand to return
> -
>
> Key: CLOUDSTACK-8611
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8611
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Likitha Shetty
>Assignee: Suresh Kumar Anaparti
> Fix For: 4.9.0
>
>
> On one instance, CS began to execute CheckS2SVpnConnectionsCommand command on 
> a router but the command result was never returned to the MS. If a command 
> never returns, then 'DirectAgent' thread executing this command is blocked 
> indefinitely and cannot pick up any other request.
> Now since this command is designed to execute in sequence on a host and is 
> run regularly, every execution of that command thereafter on that particular 
> host ended up picking up a DirectAgent thread and waiting for the previous 
> execution to complete. And hence overtime, the host ended up using and 
> blocking all 'DirectAgent' threads indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8611) CS waits indefinitely for CheckS2SVpnConnectionsCommand to return

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250227#comment-15250227
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8611:


Github user GabrielBrascher commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1459#discussion_r60444764
  
--- Diff: utils/src/main/java/com/cloud/utils/ssh/SshHelper.java ---
@@ -206,4 +216,87 @@ public static void scpTo(String host, int port, String 
user, File pemKeyFile, St
 conn.close();
 }
 }
+
+/**
+ * It gets a {@link Session} from the given {@link Connection}; then, 
it waits
+ * {@value #WAITING_OPEN_SSH_SESSION} milliseconds before returning 
the session, given a time to
+ * ensure that the connection is open before proceeding the execution.
+ *
+ * @param conn
--- End diff --

@DaanHoogland are you talking about the `@param`, `@return` and `@throws`? 
It was auto-generated by Eclipse, I can remove them. I agree that they do not 
add value (even because in this case it has any explanation), just didn't pay 
attention to them.


> CS waits indefinitely for CheckS2SVpnConnectionsCommand to return
> -
>
> Key: CLOUDSTACK-8611
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8611
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Likitha Shetty
>Assignee: Suresh Kumar Anaparti
> Fix For: 4.9.0
>
>
> On one instance, CS began to execute CheckS2SVpnConnectionsCommand command on 
> a router but the command result was never returned to the MS. If a command 
> never returns, then 'DirectAgent' thread executing this command is blocked 
> indefinitely and cannot pick up any other request.
> Now since this command is designed to execute in sequence on a host and is 
> run regularly, every execution of that command thereafter on that particular 
> host ended up picking up a DirectAgent thread and waiting for the previous 
> execution to complete. And hence overtime, the host ended up using and 
> blocking all 'DirectAgent' threads indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250174#comment-15250174
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60440106
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,170 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import org.apache.log4j.Logger;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+protected static final Logger LOGGER = 
Logger.getLogger(DynamicRoleBasedAPIAccessChecker.class);
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null || permissions.isEmpty() || 
Strings.isNullOrEmpty(commandName)) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+try {
+final Rule rule = new Rule(permission.getRule());
+if (rule.matches(commandName)) {
+return true;
+}
+} catch (InvalidParameterValueException e) {
+LOGGER.warn("Invalid rule permission, please fix id=" + 
permission.getId() + " rule=" + permission.getRule());
+continue;
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null ||

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250172#comment-15250172
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60439905
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,170 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import org.apache.log4j.Logger;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+protected static final Logger LOGGER = 
Logger.getLogger(DynamicRoleBasedAPIAccessChecker.class);
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null || permissions.isEmpty() || 
Strings.isNullOrEmpty(commandName)) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+try {
+final Rule rule = new Rule(permission.getRule());
+if (rule.matches(commandName)) {
+return true;
+}
+} catch (InvalidParameterValueException e) {
+LOGGER.warn("Invalid rule permission, please fix id=" + 
permission.getId() + " rule=" + permission.getRule());
+continue;
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null ||

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250170#comment-15250170
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60439732
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,170 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import org.apache.log4j.Logger;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+protected static final Logger LOGGER = 
Logger.getLogger(DynamicRoleBasedAPIAccessChecker.class);
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null || permissions.isEmpty() || 
Strings.isNullOrEmpty(commandName)) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+try {
+final Rule rule = new Rule(permission.getRule());
+if (rule.matches(commandName)) {
+return true;
+}
+} catch (InvalidParameterValueException e) {
+LOGGER.warn("Invalid rule permission, please fix id=" + 
permission.getId() + " rule=" + permission.getRule());
+continue;
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null ||

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250166#comment-15250166
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60439393
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250117#comment-15250117
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60434048
  
--- Diff: api/src/org/apache/cloudstack/acl/RolePermission.java ---
@@ -0,0 +1,30 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+public interface RolePermission extends InternalIdentity, Identity {
+enum Permission {ALLOW, DENY}
+
+long getRoleId();
+String getRule();
--- End diff --

@bhaisaab is it possible to use ``Rule`` as the type for this method?


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250105#comment-15250105
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user jburwell commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60433227
  
--- Diff: api/src/org/apache/cloudstack/acl/Rule.java ---
@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.google.common.base.Strings;
+
+import java.util.regex.Pattern;
+
+public final class Rule {
+private final String rule;
+private final static Pattern ALLOWED_PATTERN = 
Pattern.compile("^[a-zA-Z0-9*]+$");
+
+public Rule(final String rule) {
+validate(rule);
+this.rule = rule;
+}
+
+public boolean matches(final String commandName) {
+if (Strings.isNullOrEmpty(commandName)) {
+return false;
+}
+if (isWildcard()) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equalsIgnoreCase(rule)) {
+return true;
+}
+}
+return false;
+}
+
+public boolean isWildcard() {
+return rule.contains("*");
+}
+
+@Override
+public String toString() {
+return rule;
+}
+
+private static boolean validate(final String rule) throws 
InvalidParameterValueException {
+if (Strings.isNullOrEmpty(rule) || 
!ALLOWED_PATTERN.matcher(rule).matches()) {
+throw new InvalidParameterValueException("Invalid rule 
provided. Only API names and wildcards are allowed.");
--- End diff --

Add the rule value into the error message for debugging.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8970) Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250077#comment-15250077
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8970:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/956#issuecomment-212474106
  
@SudharmaJain The provided version have already released so these change 
need to go into 481to490 related sql /cc @swill 

any vmware/guest-os-mapping guru want to comment on the changes -- 
@anshulgangwar @devdeep @agneya2001 @koushik-das @sureshanaparti 


> Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available
> -
>
> Key: CLOUDSTACK-8970
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8970
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
> "Dynamically Scale" fails everytime because the setting of the guest OS in 
> VMware is not correctly set. When we set the OS Type of a 
> VM(account1-centos1) to "CentOS 6.5 (64-bit)". Then the value of the guest OS 
> in VMware is set to "Other (64-bit) and memory size is displayed by a grayed 
> out.
> If the OS type of VM is "CentOS 6.4 (64-bit)" , "CentOS 6.3 (64-bit)" 
> ,"CentOS 6.2 (64-bit)" or "CentOS 6.1 (64-bit)", the same issue happen.
> However, for "CentOS 6.0 (64-bit)", the value of the guest OS in VMware is 
> set to "Linux CentOS4/5/6/7(64-bit)" and memory size is not displayed by a 
> grayed out, we were able to "Dynamically Scale" the VM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8901) PrepareTemplate job thread hard-coded to max 8 threads

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250078#comment-15250078
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8901:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/880#issuecomment-212474909
  
Thanks @SudharmaJain LGTM (just code review), can you do a push -f (travis 
job failed for some reason)


> PrepareTemplate job thread hard-coded to max 8 threads
> --
>
> Key: CLOUDSTACK-8901
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8901
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
>  The thread pool is hardcoded to use 8 threads,
> com.cloud.template.TemplateManagerImpl.configure(String, Map):
> _preloadExecutor = Executors.newFixedThreadPool(8, new 
> NamedThreadFactory("Template-Preloader"));
> Need to make it configurable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8906) /var/log/cloud/ doesn't get logrotated on xenserver

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15250070#comment-15250070
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8906:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/883#issuecomment-212471834
  
@SudharmaJain Will @swill is the RM for master/4.9, I'm not following these 
changes perhaps any Xen guru can comment, @agneya2001 ?
@remibergsma do you have any outstanding issues with this PR


> /var/log/cloud/ doesn't get logrotated on xenserver 
> 
>
> Key: CLOUDSTACK-8906
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8906
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9358) StringIndexOutOfBoundsException when publishing events

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249973#comment-15249973
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9358:


GitHub user olivierlemasle opened a pull request:

https://github.com/apache/cloudstack/pull/1503

CLOUDSTACK-9358: StringIndexOutOfBoundsException on events

Fixes JSON deserialization of `cmdInfo` (current process fails with 
`StringIndexOutOfBoundsException` when `cmdEventType` is the last parameter in 
the JSON string).

A {{StringIndexOutOfBoundsException}} is thrown in some cases during event 
publication.

Example: a stopVirtualMachine API request is executed, and fails with:

```
2016-04-15 09:24:43,080 ERROR [o.a.c.f.m.MessageDispatcher] 
(catalina-exec-1:ctx-840cbaa7 ctx-8daf0e9c ctx-f63af073) Unexpected exception 
when calling com.cloud.api.ApiServer.handleAsyncJobPublishEvent
java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedMethodAccessor307.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.cloudstack.framework.messagebus.MessageDispatcher.dispatch(MessageDispatcher.java:75)
at 
org.apache.cloudstack.framework.messagebus.MessageDispatcher.onPublishMessage(MessageDispatcher.java:45)
at 
org.apache.cloudstack.framework.messagebus.MessageBusBase$SubscriptionNode.notifySubscribers(MessageBusBase.java:441)
at 
org.apache.cloudstack.framework.messagebus.MessageBusBase.publish(MessageBusBase.java:178)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.publishOnEventBus(AsyncJobManagerImpl.java:1052)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.submitAsyncJob(AsyncJobManagerImpl.java:180)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.submitAsyncJob(AsyncJobManagerImpl.java:168)
at com.cloud.api.ApiServer.queueCommand(ApiServer.java:687)
at com.cloud.api.ApiServer.handleRequest(ApiServer.java:528)
at 
com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:296)
at com.cloud.api.ApiServlet$1.run(ApiServlet.java:127)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:124)
at com.cloud.api.ApiServlet.doGet(ApiServlet.java:86)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1720)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at

[jira] [Created] (CLOUDSTACK-9358) StringIndexOutOfBoundsException when publishing events

2016-04-20 Thread Olivier Lemasle (JIRA) 
Olivier Lemasle created CLOUDSTACK-9358:
---

 Summary: StringIndexOutOfBoundsException when publishing events
 Key: CLOUDSTACK-9358
 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9358
 Project: CloudStack
  Issue Type: Bug
  Security Level: Public (Anyone can view this level - this is the default.)
  Components: eventbus
Affects Versions: 4.8.0, 4.7.1, 4.7.0, 4.6.2, 4.6.1, 4.6.0, 4.5.2, 4.4.4, 
4.5.1, 4.4.3, 4.4.2, 4.4.1, 4.5.0, 4.4.0, 4.7.2, 4.8.1, 4.9.0
Reporter: Olivier Lemasle
Assignee: Olivier Lemasle
Priority: Critical
 Fix For: 4.9.0


A {{StringIndexOutOfBoundsException}} is thrown in some cases during event 
publication.

Example: a stopVirtualMachine API request is executed, and fails with:

{noformat}
2016-04-15 09:24:43,080 ERROR [o.a.c.f.m.MessageDispatcher] 
(catalina-exec-1:ctx-840cbaa7 ctx-8daf0e9c ctx-f63af073) Unexpected exception 
when calling com.cloud.api.ApiServer.handleAsyncJobPublishEvent
java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedMethodAccessor307.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.cloudstack.framework.messagebus.MessageDispatcher.dispatch(MessageDispatcher.java:75)
at 
org.apache.cloudstack.framework.messagebus.MessageDispatcher.onPublishMessage(MessageDispatcher.java:45)
at 
org.apache.cloudstack.framework.messagebus.MessageBusBase$SubscriptionNode.notifySubscribers(MessageBusBase.java:441)
at 
org.apache.cloudstack.framework.messagebus.MessageBusBase.publish(MessageBusBase.java:178)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.publishOnEventBus(AsyncJobManagerImpl.java:1052)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.submitAsyncJob(AsyncJobManagerImpl.java:180)
at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl.submitAsyncJob(AsyncJobManagerImpl.java:168)
at com.cloud.api.ApiServer.queueCommand(ApiServer.java:687)
at com.cloud.api.ApiServer.handleRequest(ApiServer.java:528)
at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:296)
at com.cloud.api.ApiServlet$1.run(ApiServlet.java:127)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:124)
at com.cloud.api.ApiServlet.doGet(ApiServlet.java:86)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1720)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at

[jira] [Commented] (CLOUDSTACK-9349) Unable to detach root volume when using Hypervisor Type KVM

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249896#comment-15249896
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9349:


Github user dmabry commented on the pull request:

https://github.com/apache/cloudstack/pull/1500#issuecomment-212426369
  
@koushik-das - Thanks for the feedback.  I have added the 
require_hardware="false" as you suggested and pushed a new commit to the branch.

If all looks good, I'll squash the commits in prep for the final merge.


> Unable to detach root volume when using Hypervisor Type KVM
> ---
>
> Key: CLOUDSTACK-9349
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9349
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Volumes
>Affects Versions: 4.5.1, 4.6.2, 4.7.1, 4.8.0, 4.9.0
> Environment: Centos 7
>Reporter: Simon Weller
>Priority: Minor
> Fix For: 4.7.2
>
>
> Back in 4.5, support was added in CLOUDSTACK-6284 for detaching root volumes. 
> The original support was meant to work with Xen, VMware and KVM.
> After chatting with fuflo in the Cloudstack irc channel, it was pointed out 
> that a constraint was not correctly modified in VolumeApiServiceImpl.java to 
> allow the detach to occur when vm.getHypervisorType() == HypervisorType.KVM.
> This is a very useful feature, as it allows us to simulate a snapshot revert 
> with Ceph by using createVolume sourced from a snapshot, then detaching and 
> reattaching the root volume (new root volume needs to be attached as 
> device=0).
> I'm going to propose a PR for this shortly



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8826) XenServer - Use device id passed as part of attach volume API properly

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249874#comment-15249874
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8826:


Github user pdion891 commented on the pull request:

https://github.com/apache/cloudstack/pull/792#issuecomment-212423092
  
@koushik-das  does this fix got tested with HVM vm having more than 4 VDI?  
because we are experiencing issue where an HVM vm on XenServer 6.5 having 4 vdi 
(1 root + 3 datadisk) fail to start after a shutdown and it seams to be related 
to this part of code.  This is currently working on 4.4.x version of ACS.



> XenServer - Use device id passed as part of attach volume API properly
> --
>
> Key: CLOUDSTACK-8826
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8826
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: XenServer
>Affects Versions: 4.6.0
>Reporter: Koushik Das
>Assignee: Koushik Das
> Fix For: 4.6.0
>
>
> Random failures were seen in XS attach/detach volume test scenarios (many 
> attach/detach were performed on the same VM over a span of 24 hrs).
> The failures happened as the device id for attaching volume wasn't available 
> in HV. Some detached volume didn't got cleaned up properly and so the device 
> id wasn't released.
> The fix would be clean up stale volumes before attaching new ones so the 
> device slots are released. Also using the device id should be best effort and 
> if that particular id is not available in XS, it should fallback on using an 
> id that is available and automatically assigned.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8901) PrepareTemplate job thread hard-coded to max 8 threads

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249861#comment-15249861
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8901:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/880#issuecomment-212418415
  
Rebased against master.


> PrepareTemplate job thread hard-coded to max 8 threads
> --
>
> Key: CLOUDSTACK-8901
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8901
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
>  The thread pool is hardcoded to use 8 threads,
> com.cloud.template.TemplateManagerImpl.configure(String, Map):
> _preloadExecutor = Executors.newFixedThreadPool(8, new 
> NamedThreadFactory("Template-Preloader"));
> Need to make it configurable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8970) Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249853#comment-15249853
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8970:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/956#issuecomment-212416597
  
@bhaisaab Rebased against master.


> Centos 6.{1,2,3,4,5} guest OS mapping for vmware is not available
> -
>
> Key: CLOUDSTACK-8970
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8970
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>
> "Dynamically Scale" fails everytime because the setting of the guest OS in 
> VMware is not correctly set. When we set the OS Type of a 
> VM(account1-centos1) to "CentOS 6.5 (64-bit)". Then the value of the guest OS 
> in VMware is set to "Other (64-bit) and memory size is displayed by a grayed 
> out.
> If the OS type of VM is "CentOS 6.4 (64-bit)" , "CentOS 6.3 (64-bit)" 
> ,"CentOS 6.2 (64-bit)" or "CentOS 6.1 (64-bit)", the same issue happen.
> However, for "CentOS 6.0 (64-bit)", the value of the guest OS in VMware is 
> set to "Linux CentOS4/5/6/7(64-bit)" and memory size is not displayed by a 
> grayed out, we were able to "Dynamically Scale" the VM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9100) ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync thread

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249804#comment-15249804
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9100:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/1157#issuecomment-212408609
  
Rebased against master. 


> ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync 
> thread
> 
>
> Key: CLOUDSTACK-9100
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9100
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249802#comment-15249802
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60399552
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8906) /var/log/cloud/ doesn't get logrotated on xenserver

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249765#comment-15249765
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8906:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/883#issuecomment-212404120
  
@bhaisaab Rebased the branch. 


> /var/log/cloud/ doesn't get logrotated on xenserver 
> 
>
> Key: CLOUDSTACK-8906
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8906
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9349) Unable to detach root volume when using Hypervisor Type KVM

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249735#comment-15249735
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9349:


Github user kiwiflyer commented on the pull request:

https://github.com/apache/cloudstack/pull/1500#issuecomment-212400883
  
@koushik-das -  Our use case is to emulate a snapshot revert with Ceph by 
using createVolume sourced from a snapshot, then detaching and reattach the 
root volume of a VM with device id of 0.

This preserves the previous volume history and allows the user to switch 
back and forth between different snapshots.


> Unable to detach root volume when using Hypervisor Type KVM
> ---
>
> Key: CLOUDSTACK-9349
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9349
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Volumes
>Affects Versions: 4.5.1, 4.6.2, 4.7.1, 4.8.0, 4.9.0
> Environment: Centos 7
>Reporter: Simon Weller
>Priority: Minor
> Fix For: 4.7.2
>
>
> Back in 4.5, support was added in CLOUDSTACK-6284 for detaching root volumes. 
> The original support was meant to work with Xen, VMware and KVM.
> After chatting with fuflo in the Cloudstack irc channel, it was pointed out 
> that a constraint was not correctly modified in VolumeApiServiceImpl.java to 
> allow the detach to occur when vm.getHypervisorType() == HypervisorType.KVM.
> This is a very useful feature, as it allows us to simulate a snapshot revert 
> with Ceph by using createVolume sourced from a snapshot, then detaching and 
> reattaching the root volume (new root volume needs to be attached as 
> device=0).
> I'm going to propose a PR for this shortly



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (CLOUDSTACK-9300) MySQL HA feature StaticStrategy throws exception

2016-04-20 Thread Simon Weller (JIRA) 

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Simon Weller updated CLOUDSTACK-9300:
-
Fix Version/s: 4.9.0

> MySQL HA feature StaticStrategy throws exception
> 
>
> Key: CLOUDSTACK-9300
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9300
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.7.0, 4.7.1, 4.8.0, Future
> Environment: Centos 7
>Reporter: Simon Weller
>Assignee: Simon Weller
>Priority: Minor
> Fix For: 4.9.0
>
>
> 2016-03-03 12:00:13,204 INFO  [c.c.u.d.T.Transaction] 
> (localhost-startStop-1:null) (logid:) Is Data Base High Availiability 
> enabled? Ans : true
> 2016-03-03 12:00:13,239 INFO  [c.c.u.d.T.Transaction] 
> (localhost-startStop-1:null) (logid:) The slaves configured for Cloud Data 
> base is/are : localhost,localhost
> 2016-03-03 12:00:13,303 ERROR [c.c.u.d.Merovingian2] 
> (localhost-startStop-1:null) (logid:) Unable to get a new db connection
> java.sql.SQLException: Invalid load balancing strategy 
> 'com.cloud.utils.db.StaticStrategy'.
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:927)
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:924)
> at com.mysql.jdbc.Util.loadExtensions(Util.java:602)
> at 
> com.mysql.jdbc.LoadBalancingConnectionProxy.(LoadBalancingConnectionProxy.java:280)
> at 
> com.mysql.jdbc.FailoverConnectionProxy.(FailoverConnectionProxy.java:67)
> at 
> com.mysql.jdbc.NonRegisteringDriver.connectFailover(NonRegisteringDriver.java:433)
> at 
> com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:346)
> at java.sql.DriverManager.getConnection(DriverManager.java:571)
> at java.sql.DriverManager.getConnection(DriverManager.java:215)
> at 
> org.apache.commons.dbcp.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:75)
> at 
> org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
> at 
> org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
> at 
> org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:106)
> at 
> com.cloud.utils.db.TransactionLegacy.getStandaloneConnectionWithException(TransactionLegacy.java:202)
> at com.cloud.utils.db.Merovingian2.(Merovingian2.java:68)
> at 
> com.cloud.utils.db.Merovingian2.createLockMaster(Merovingian2.java:88)
> at 
> com.cloud.server.LockMasterListener.(LockMasterListener.java:33)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
> at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> at 
> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:148)
> at 
> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121)
> at 
> org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:277)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1077)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:981)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
> at 
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
> at 
> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)
> at 
>

[jira] [Assigned] (CLOUDSTACK-9300) MySQL HA feature StaticStrategy throws exception

2016-04-20 Thread Simon Weller (JIRA) 

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Simon Weller reassigned CLOUDSTACK-9300:


Assignee: Simon Weller

> MySQL HA feature StaticStrategy throws exception
> 
>
> Key: CLOUDSTACK-9300
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9300
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.7.0, 4.7.1, 4.8.0, Future
> Environment: Centos 7
>Reporter: Simon Weller
>Assignee: Simon Weller
>Priority: Minor
>
> 2016-03-03 12:00:13,204 INFO  [c.c.u.d.T.Transaction] 
> (localhost-startStop-1:null) (logid:) Is Data Base High Availiability 
> enabled? Ans : true
> 2016-03-03 12:00:13,239 INFO  [c.c.u.d.T.Transaction] 
> (localhost-startStop-1:null) (logid:) The slaves configured for Cloud Data 
> base is/are : localhost,localhost
> 2016-03-03 12:00:13,303 ERROR [c.c.u.d.Merovingian2] 
> (localhost-startStop-1:null) (logid:) Unable to get a new db connection
> java.sql.SQLException: Invalid load balancing strategy 
> 'com.cloud.utils.db.StaticStrategy'.
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:927)
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:924)
> at com.mysql.jdbc.Util.loadExtensions(Util.java:602)
> at 
> com.mysql.jdbc.LoadBalancingConnectionProxy.(LoadBalancingConnectionProxy.java:280)
> at 
> com.mysql.jdbc.FailoverConnectionProxy.(FailoverConnectionProxy.java:67)
> at 
> com.mysql.jdbc.NonRegisteringDriver.connectFailover(NonRegisteringDriver.java:433)
> at 
> com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:346)
> at java.sql.DriverManager.getConnection(DriverManager.java:571)
> at java.sql.DriverManager.getConnection(DriverManager.java:215)
> at 
> org.apache.commons.dbcp.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:75)
> at 
> org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
> at 
> org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
> at 
> org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:106)
> at 
> com.cloud.utils.db.TransactionLegacy.getStandaloneConnectionWithException(TransactionLegacy.java:202)
> at com.cloud.utils.db.Merovingian2.(Merovingian2.java:68)
> at 
> com.cloud.utils.db.Merovingian2.createLockMaster(Merovingian2.java:88)
> at 
> com.cloud.server.LockMasterListener.(LockMasterListener.java:33)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
> at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> at 
> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:148)
> at 
> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:121)
> at 
> org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:277)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1077)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:981)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
> at 
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
> at 
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)
> at 
> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:636)
> at 
>

[jira] [Commented] (CLOUDSTACK-8611) CS waits indefinitely for CheckS2SVpnConnectionsCommand to return

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249703#comment-15249703
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8611:


Github user DaanHoogland commented on the pull request:

https://github.com/apache/cloudstack/pull/1459#issuecomment-212395104
  
@swill LGTM


> CS waits indefinitely for CheckS2SVpnConnectionsCommand to return
> -
>
> Key: CLOUDSTACK-8611
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8611
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Likitha Shetty
>Assignee: Suresh Kumar Anaparti
> Fix For: 4.9.0
>
>
> On one instance, CS began to execute CheckS2SVpnConnectionsCommand command on 
> a router but the command result was never returned to the MS. If a command 
> never returns, then 'DirectAgent' thread executing this command is blocked 
> indefinitely and cannot pick up any other request.
> Now since this command is designed to execute in sequence on a host and is 
> run regularly, every execution of that command thereafter on that particular 
> host ended up picking up a DirectAgent thread and waiting for the previous 
> execution to complete. And hence overtime, the host ended up using and 
> blocking all 'DirectAgent' threads indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8611) CS waits indefinitely for CheckS2SVpnConnectionsCommand to return

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249699#comment-15249699
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8611:


Github user DaanHoogland commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1459#discussion_r60393439
  
--- Diff: utils/src/main/java/com/cloud/utils/ssh/SshHelper.java ---
@@ -206,4 +216,87 @@ public static void scpTo(String host, int port, String 
user, File pemKeyFile, St
 conn.close();
 }
 }
+
+/**
+ * It gets a {@link Session} from the given {@link Connection}; then, 
it waits
+ * {@value #WAITING_OPEN_SSH_SESSION} milliseconds before returning 
the session, given a time to
+ * ensure that the connection is open before proceeding the execution.
+ *
+ * @param conn
--- End diff --

@GabrielBrascher this is the kind of javadoc I don't like. The header adds 
an explanation but these tags don't add value to the names of the params 
themselves. (just saying, no biggy)


> CS waits indefinitely for CheckS2SVpnConnectionsCommand to return
> -
>
> Key: CLOUDSTACK-8611
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8611
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Likitha Shetty
>Assignee: Suresh Kumar Anaparti
> Fix For: 4.9.0
>
>
> On one instance, CS began to execute CheckS2SVpnConnectionsCommand command on 
> a router but the command result was never returned to the MS. If a command 
> never returns, then 'DirectAgent' thread executing this command is blocked 
> indefinitely and cannot pick up any other request.
> Now since this command is designed to execute in sequence on a host and is 
> run regularly, every execution of that command thereafter on that particular 
> host ended up picking up a DirectAgent thread and waiting for the previous 
> execution to complete. And hence overtime, the host ended up using and 
> blocking all 'DirectAgent' threads indefinitely.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249670#comment-15249670
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60390739
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

if you re-read my reply and see the static-checker and dynamic checker code 
-- backward compatibility is to ensure that we deny for all when no rule 
matches; for backward compatibility the dynamic checker also needs to check the 
annotation map. The dynamic checker allows for wildcard rules, and if you want 
to override annotations we'll need a set of deny rules before that. Therefore 
we need deny rules explicitly. This way of implementation makes dynamic-checker 
a drop-in replacement at the same time allows for wider use-cases and acl 
management.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249652#comment-15249652
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60389152
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

I am not sure I understand how is back-compat going to be impacted. In the 
current model I don't think there is any explicit deny. In the static checker 
the order is command.properties override, command.properties and then the 
annotations. If the API is not found anywhere then its a deny by default.
About the wildcard permissions, the same can be referenced in multiple 
roles.
About the 4th point, if it is for all roles then agree but what if it is 
for 90% of the roles. Still there will be lot of duplication.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249647#comment-15249647
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60388741
  
--- Diff: api/src/org/apache/cloudstack/acl/Rule.java ---
@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.google.common.base.Strings;
+
+import java.util.regex.Pattern;
+
+public final class Rule {
+private final String rule;
+private final static Pattern ALLOWED_PATTERN = 
Pattern.compile("^[a-zA-Z0-9*]+$");
+
+public Rule(final String rule) {
+validate(rule);
+this.rule = rule;
+}
+
+public boolean matches(final String commandName) {
+if (Strings.isNullOrEmpty(commandName)) {
+return false;
+}
+if (isWildcard()) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equalsIgnoreCase(rule)) {
+return true;
+}
+}
+return false;
+}
+
+public boolean isWildcard() {
+return rule.contains("*");
+}
+
+@Override
+public String toString() {
+return rule;
+}
+
+private static boolean validate(final String rule) throws 
InvalidParameterValueException {
+if (Strings.isNullOrEmpty(rule) || 
!ALLOWED_PATTERN.matcher(rule).matches()) {
+throw new InvalidParameterValueException("Invalid rule 
provided. Only API names and wildcards are allowed.");
+}
+return true;
--- End diff --

@jburwell I've refactored and move all rule related methods in this class 
and added more unit tests. The rule itself is immutable only compo-sable by the 
constructor.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249646#comment-15249646
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user borisstoyanov commented on the pull request:

https://github.com/apache/cloudstack/pull/1489#issuecomment-212381873
  
Hey guys, Just a FYI: I'll be addressing the testing of this PR at the end 
of next week since I'm occupied with other tasks at this time.  


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249634#comment-15249634
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60386634
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249617#comment-15249617
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60384825
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249616#comment-15249616
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60384791
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
--- End diff --

@koushik-das I spent some time thinking and I think it should be okay to do 
a ignore-case equality check. Fixed, it does equalsIgnoreCase now.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249602#comment-15249602
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60383218
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
--- End diff --

This method would be called for all API calls in case dynamic access 
checker is enabled. So as long as looping is not a bottleneck its ok. If the 
use-case require only a few permissions per role then you may leave it for now.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9100) ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync thread

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249582#comment-15249582
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9100:


Github user SudharmaJain commented on the pull request:

https://github.com/apache/cloudstack/pull/1157#issuecomment-212360074
  
@pedro-martins On line 503, It is not a function but It is a way to define 
callback method. It has been used all over the cloudstack code.  On line 504, 
context was set and will be available in callback method 
'createTemplateAsyncCallBack'. So there are no chances of null pointer 
exception on line 598. If there was any chance of null pointer exception, it 
would have happened in my test setup.


> ISO.CREATE/TEMPLATE.CREATE event missing for usage_event by template sync 
> thread
> 
>
> Key: CLOUDSTACK-9100
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9100
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: sudharma jain
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (CLOUDSTACK-9357) DHCP DNS option is incorrect for Redundant Router config

2016-04-20 Thread Aaron Brady (JIRA) 
Aaron Brady created CLOUDSTACK-9357:
---

 Summary: DHCP DNS option is incorrect for Redundant Router config
 Key: CLOUDSTACK-9357
 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9357
 Project: CloudStack
  Issue Type: Bug
  Security Level: Public (Anyone can view this level - this is the default.)
  Components: SystemVM
Affects Versions: 4.8.0
Reporter: Aaron Brady
Priority: Minor


With two redundant system routers, my guests are given DNS option 6 containing 
the *system* IP (not the virtual IP) of whichever router is master as their 
first DNS server entry.

This means that if one router is down or stopped, DNS requests are slowed until 
it moves on to the external secondaries I've supplied.

It looks like the `cloud-early-config` script does the right thing with 
dnsmasq.conf, but then the cloud.conf put in /etc/dnsmasq.d/ is incorrect.

I've had a look through the code and that appear to be written by
`systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py`, but I've been 
unable to find where it's being passed the incorrect, non-redundant, IP 
information.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9299) Out-of-band Management for CloudStack

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249531#comment-15249531
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9299:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/1502#issuecomment-212340052
  
UI Screenshots;
![screenshot from 2016-04-20 
14-34-00](https://cloud.githubusercontent.com/assets/95203/14669171/51d80780-0705-11e6-820b-b5f1a7404c41.png)

![screenshot from 2016-04-20 
14-34-08](https://cloud.githubusercontent.com/assets/95203/14669183/5a418a4a-0705-11e6-8305-e45ccfccfbef.png)


![screenshot from 2016-04-20 
14-33-55](https://cloud.githubusercontent.com/assets/95203/14669189/60b1a234-0705-11e6-9c3c-b39f4629233c.png)


![screenshot from 2016-04-20 
14-33-43](https://cloud.githubusercontent.com/assets/95203/14669192/661cc050-0705-11e6-9b5a-ada769eaa74e.png)
![screenshot from 2016-04-20 
14-34-17](https://cloud.githubusercontent.com/assets/95203/14669193/6658f138-0705-11e6-8770-a6d53bd4aa0e.png)
![screenshot from 2016-04-20 
14-34-23](https://cloud.githubusercontent.com/assets/95203/14669194/6684b5fc-0705-11e6-9f28-4e6f7a665d2e.png)




> Out-of-band Management for CloudStack
> -
>
> Key: CLOUDSTACK-9299
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9299
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Rohit Yadav
>Assignee: Rohit Yadav
> Fix For: 4.9.0, Future
>
>
> Support access to a host’s out-of-band management interface (e.g. IPMI, iLO, 
> DRAC, etc.) to manage host power operations (on/off etc.) and querying 
> current power state.
> FS: 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Out-of-band+Management+for+CloudStack



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9299) Out-of-band Management for CloudStack

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249519#comment-15249519
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9299:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/1502#issuecomment-212338195
  
Local test results (the feature is hypervisor agnostic, integration test 
also run with Travis as well):

 Marvin Init Successful 
=== TestName: test_01_configure_oobm_invalid | Status : SUCCESS ===

=== TestName: test_02_configure_oobm_valid | Status : SUCCESS ===

=== TestName: test_03_enabledisable_oobm_invalid | Status : SUCCESS ===

=== TestName: test_04_enabledisable_oobm_valid | Status : SUCCESS ===

=== TestName: test_05_enabledisable_across_clusterzones_oobm_valid | Status 
: SUCCESS ===

=== TestName: test_06_oobm_issue_power_action | Status : SUCCESS ===

=== TestName: test_07_oobm_background_powerstate_sync | Status : SUCCESS ===

=== TestName: test_08_multiple_mgmt_server_ownership | Status : SUCCESS ===

=== TestName: test_09_oobm_change_password | Status : SUCCESS ===



> Out-of-band Management for CloudStack
> -
>
> Key: CLOUDSTACK-9299
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9299
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Rohit Yadav
>Assignee: Rohit Yadav
> Fix For: 4.9.0, Future
>
>
> Support access to a host’s out-of-band management interface (e.g. IPMI, iLO, 
> DRAC, etc.) to manage host power operations (on/off etc.) and querying 
> current power state.
> FS: 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Out-of-band+Management+for+CloudStack



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9104) VM naming convention in case vmware is used

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249517#comment-15249517
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9104:


Github user priyankparihar commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1302#discussion_r60372700
  
--- Diff: 
plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
 ---
@@ -2030,12 +2030,29 @@ int getReservedCpuMHZ(VirtualMachineTO vmSpec) {
 return new String[] {datastoreDiskPath};
 }
 
-// Pair
-private Pair composeVmNames(VirtualMachineTO vmSpec) {
-String vmInternalCSName = vmSpec.getName();
-String vmNameOnVcenter = vmSpec.getName();
-if (_instanceNameFlag && vmSpec.getHostName() != null) {
-vmNameOnVcenter = vmSpec.getHostName();
+
+/**
+ * This method gemerate VM name for Vcenter and Cloudstack( when 
Hypervisor is VMware).
--- End diff --

Hi  @alexandrelimassantana,
Now, i think there is no typo.

--
Thanks for your careful observation.


> VM naming convention in case vmware is used
> ---
>
> Key: CLOUDSTACK-9104
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9104
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Priyank Parihar
>
> ISSUE
> ==
> VM naming convention in case vmware is used.
> Description
> ==
> User with different account cannot create VMs with the same name, which was 
> possible earlier (I am not sure in which CCP version). That time naming 
> convention used was like this “I--”
> Currently if vm.instancename.flag is set to true the VM name will be exactly 
> as display name given. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249494#comment-15249494
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60369930
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
--- End diff --

This is just a helper method, doing in-memory comparison/looping is faster 
than making two DB requests and provided there won't be more than 500 items 
returned so I just used a single method in the checkAccess() to get all rules 
and check for allow first, then deny, then annotations and finally deny/fail. 
Suggest if we still want two db calls?


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249492#comment-15249492
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60369577
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
--- End diff --

@koushik-das just like commands.properties declarations the API name much 
match provided rule. Though, I see your point here -- let me think if this can 
have any side-effect or some use-case where this can fail; otherwise I'll fix 
this.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249491#comment-15249491
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60369373
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249490#comment-15249490
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60368615
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

@koushik-das okay I got what you're saying, but it's not possible. Also see 
we've to be backward compatible with the static checker, so (1) the order of 
processing of rules need to be similar to the static-checker which is first 
allow rules then deny checks, then finally annotation and lastly deny all, (2) 
rules can be both apiname or wildcards such as list\* therefore we cannot have 
the references reversed or what you're suggesting, (3) the model promotes 
explicit rules than implicit declarations for security and various use-case (so 
we don't assume anything), (4) if we want an API like deployVM to be available 
for all or some role types we can use the authorized field in the API 
annotation (for example using authorized={RoleType.Admin, RoleType.User ... 
etc} will enable this API for all when no explicit rules are set by the admin). 

I've thought this through but this is the best model we can have trading 
feature use, functionality and security. Provided this, do you have suggestion 
if we can improve this.?


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9299) Out-of-band Management for CloudStack

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249472#comment-15249472
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9299:


GitHub user bhaisaab opened a pull request:

https://github.com/apache/cloudstack/pull/1502

[WIP] Don't start review yet -- CLOUDSTACK-9299: Out-of-band Management for 
CloudStack

Support access to a host’s out-of-band management interface (e.g. IPMI, iLO,
DRAC, etc.) to manage host power operations (on/off etc.) and querying 
current
power state in CloudStack.

Given the wide range of out-of-band management interfaces such as iLO and 
iDRA,
the service implementation allows for development of separate drivers as 
plugins.
This feature comes with a ipmitool based driver that uses the
ipmitool (http://linux.die.net/man/1/ipmitool) to communicate with any
out-of-band management interface that support IPMI 2.0.

This feature allows following common use-cases:
- Restarting stalled/failed hosts
- Powering off under-utilised hosts
- Powering on hosts for provisioning or to increase capacity
- Allowing system administrators to see the current power state of the host

For testing this feature `ipmisim` can be used:
https://pypi.python.org/pypi/ipmisim

FS:

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Out-of-band+Management+for+CloudStack

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/shapeblue/cloudstack outofband-master

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cloudstack/pull/1502.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1502


commit 84157cebaa6bf3986efedb2887999d58653e8dd0
Author: Rohit Yadav 
Date:   2015-12-28T11:07:03Z

CLOUDSTACK-9299: Out-of-band Management for CloudStack

Support access to a host’s out-of-band management interface (e.g. IPMI, iLO,
DRAC, etc.) to manage host power operations (on/off etc.) and querying 
current
power state in CloudStack.

Given the wide range of out-of-band management interfaces such as iLO and 
iDRA,
the service implementation allows for development of separate drivers as 
plugins.
This feature comes with a ipmitool based driver that uses the
ipmitool (http://linux.die.net/man/1/ipmitool) to communicate with any
out-of-band management interface that support IPMI 2.0.

This feature allows following common use-cases:
- Restarting stalled/failed hosts
- Powering off under-utilised hosts
- Powering on hosts for provisioning or to increase capacity
- Allowing system administrators to see the current power state of the host

For testing this feature `ipmisim` can be used:
https://pypi.python.org/pypi/ipmisim

FS:

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Out-of-band+Management+for+CloudStack

Signed-off-by: Rohit Yadav 




> Out-of-band Management for CloudStack
> -
>
> Key: CLOUDSTACK-9299
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9299
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Rohit Yadav
>Assignee: Rohit Yadav
> Fix For: 4.9.0, Future
>
>
> Support access to a host’s out-of-band management interface (e.g. IPMI, iLO, 
> DRAC, etc.) to manage host power operations (on/off etc.) and querying 
> current power state.
> FS: 
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Out-of-band+Management+for+CloudStack



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249464#comment-15249464
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60365855
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

@bhaisaab 
>> I'm not sure what you mean by Role refers RolePermissions, as of now 
each role has a list of role permissions linked to it if that's what you're 
asking.
With the containment approach, if there is a need to add a permission to 
allow say deployVM API on every role then you need to create a permission for 
every such role. This will lead to data duplication. Instead if the permission 
is created only once and then mapped to all the roles that needs it duplication 
won't happen. This is what I meant as reference relationship. Check the 
cloudstack DB with table name ending in map t o get an idea. This will also 
mean changing the APIs to reflect the same.



> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (CLOUDSTACK-9356) VPC add VPN User fails same error as CLOUDSTACK-8927

2016-04-20 Thread Thomas (JIRA) 
Thomas created CLOUDSTACK-9356:
--

 Summary: VPC add VPN User fails same error as CLOUDSTACK-8927
 Key: CLOUDSTACK-9356
 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9356
 Project: CloudStack
  Issue Type: Bug
  Security Level: Public (Anyone can view this level - this is the default.)
  Components: Management Server, VPC, XenServer
Affects Versions: 4.8.0
 Environment: Two CentOS7 MGMT Servers, Two XenServerClusters, Advanced 
Networking, VLAN isolated
Reporter: Thomas
Priority: Critical


When we try to add an VPN User on a VPC following error occurs:
Management Server:
---
Apr 20 09:24:43 WARN  [resource.virtualnetwork.VirtualRoutingResource] 
(DirectAgent-68:ctx-de5cbf45) (logid:180e35ed) Expected 1 answers while 
executing VpnUsersCfgCommand but received 2
Apr 20 09:24:43 admin02 server: WARN  [c.c.a.r.v.VirtualRoutingResource] 
(DirectAgent-68:ctx-de5cbf45) (logid:180e35ed) Expected 1 answers while 
executing VpnUsersCfgCommand but received 2
Apr 20 09:24:47 WARN  [resource.virtualnetwork.VirtualRoutingResource] 
(DirectAgent-268:ctx-873174f6) (logid:180e35ed) Expected 1 answers while 
executing VpnUsersCfgCommand but received 2
Apr 20 09:24:47 admin02 server: WARN  [c.c.a.r.v.VirtualRoutingResource] 
(DirectAgent-268:ctx-873174f6) (logid:180e35ed) Expected 1 answers while 
executing VpnUsersCfgCommand but received 2
Apr 20 09:24:47 WARN  [network.vpn.RemoteAccessVpnManagerImpl] 
(API-Job-Executor-58:ctx-7f86f610 job-1169 ctx-1073feac) (logid:180e35ed) 
Unable to apply vpn users
Apr 20 09:24:47 localhost java.lang.IndexOutOfBoundsException: Index: 1, Size: 1
Apr 20 09:24:47 localhost at 
java.util.ArrayList.rangeCheck(ArrayList.java:653)
Apr 20 09:24:47 localhost at java.util.ArrayList.get(ArrayList.java:429)
Apr 20 09:24:47 localhost at 
com.cloud.network.vpn.RemoteAccessVpnManagerImpl.applyVpnUsers(RemoteAccessVpnManagerImpl.java:532)
Apr 20 09:24:47 localhost at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 20 09:24:47 localhost at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Apr 20 09:24:47 localhost at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 20 09:24:47 localhost at 
java.lang.reflect.Method.invoke(Method.java:498)
Apr 20 09:24:47 localhost at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
Apr 20 09:24:47 localhost at 
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
Apr 20 09:24:47 localhost at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
Apr 20 09:24:47 localhost at 
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
Apr 20 09:24:47 localhost at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
Apr 20 09:24:47 localhost at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
Apr 20 09:24:47 localhost at com.sun.proxy.$Proxy234.applyVpnUsers(Unknown 
Source)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.api.command.user.vpn.AddVpnUserCmd.execute(AddVpnUserCmd.java:122)
Apr 20 09:24:47 localhost at 
com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:150)
Apr 20 09:24:47 localhost at 
com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:108)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:554)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46)
Apr 20 09:24:47 localhost at 
org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:502)
Apr 20 09:24:47 localhost at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
Apr 20 09:24:47 localhost at 
java.util.concurrent.FutureTask.run(FutureTask.java:266)
Apr 20 09:24:47 localhost at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Apr 20 09:24:47 localhost at

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249394#comment-15249394
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60358060
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
+return true;
+}
+}
+}
+return false;
+}
+
+public boolean isDisabled() {
+return !roleService.isEnabled();
+}
+
+@Override
+public boolean checkAccess(User user, String commandName) throws 
PermissionDeniedException {
+if (isDisabled()) {
+return true;
+}
+Account account = accountService.getAccount(user.getAccountId());
+if (account == null) {
+throw new PermissionDeniedException("The account id=" + 
user.getAccountId() + "for user id=" + user.getId() + "is null");
+}
+
+final Role accountRole = roleService.findRole(account.getRoleId());
+if (accountRole == null || accountRole.getId() < 1L) {
+denyApiAccess(commandName);
+}
+
+// Allow all APIs for root admins
+if (accountRole.getRoleType() == RoleType.Admin && 
accountRole.getId() == RoleType.Admin.getId()) {
+return true;
+}
+
+final List rolePermissions =

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249391#comment-15249391
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user bhaisaab commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60357906
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

@koushik-das with the current static commands.properties based approach, 
new APIs are enabled for role by developer by making changes in 
commands.properties file. During installation it is seen that any pre-existing 
commands.properties file does not get overwritten, so admin need to 
enable/change API for roles manually in commands.properties file.

With this feature, the API developer when adding new API will enable the 
API for the default role type using the authorized field in \@APICommand 
annotation. This is strictly to enforce default behaviour when there are no 
allow or deny rule for that API. The admin when upgrading to a new version to 
get the new APIs etc won't have to manually allow/deny them if authorized 
annotation is present. In general, the release notes should have list of new 
APIs that admins read and decide if they want to update/add/modify role 
permissions.

I'm not sure what you mean by `Role refers RolePermissions`, as of now each 
role has a list of role permissions linked to it if that's what you're asking.

This has been documented in the FS under the section E: 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-9348) CloudStack Server degrades when a lot of connections on port 8250

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249385#comment-15249385
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9348:


Github user bhaisaab commented on the pull request:

https://github.com/apache/cloudstack/pull/1493#issuecomment-212284556
  
@jburwell fixed use of test timeout within \@Test annotation


> CloudStack Server degrades when a lot of connections on port 8250
> -
>
> Key: CLOUDSTACK-9348
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9348
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Reporter: Rohit Yadav
>Assignee: Rohit Yadav
> Fix For: 4.9.0
>
>
> An intermittent issue was found with a large CloudStack deployment, where 
> servers could not keep agents connected on port 8250.
> All connections are handled by accept() in NioConnection:
> https://github.com/apache/cloudstack/blob/master/utils/src/main/java/com/cloud/utils/nio/NioConnection.java#L125
> A new connection is handled by accept() which does blocking SSL handshake. A 
> good fix would be to make this non-blocking and handle expensive tasks in 
> separate threads/pool. This way the main IO loop won't be blocked and can 
> continue to serve other agents/clients.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249382#comment-15249382
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60357104
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
+continue;
+}
+final String rule = permission.getRule();
+if (rule.contains("*")) {
+if (commandName.matches(rule.replace("*", "\\w*"))) {
+return true;
+}
+} else {
+if (commandName.equals(rule)) {
--- End diff --

Should the equality check ignore case?


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249381#comment-15249381
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60356809
  
--- Diff: 
plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
 ---
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+import com.google.common.base.Strings;
+import org.apache.cloudstack.api.APICommand;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Local(value = APIChecker.class)
+public class DynamicRoleBasedAPIAccessChecker extends AdapterBase 
implements APIChecker {
+
+@Inject
+private AccountService accountService;
+@Inject
+private RoleService roleService;
+
+private List services;
+private Map annotationRoleBasedApisMap = new 
HashMap<>();
+
+protected DynamicRoleBasedAPIAccessChecker() {
+super();
+for (RoleType roleType : RoleType.values()) {
+annotationRoleBasedApisMap.put(roleType, new 
HashSet());
+}
+}
+
+private void denyApiAccess(final String commandName) throws 
PermissionDeniedException {
+throw new PermissionDeniedException("The API does not exist or is 
blacklisted for the account's role. " +
+"The account with is not allowed to request the api: " + 
commandName);
+}
+
+private boolean checkPermission(final List  
permissions, final RolePermission.Permission permissionToCheck, final String 
commandName) {
+if (permissions == null) {
+return false;
+}
+for (final RolePermission permission : permissions) {
+if (permission.getPermission() != permissionToCheck) {
--- End diff --

Instead of doing check in Java code, better to filter at DB itself to get 
only allow or deny rules.


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (CLOUDSTACK-8562) User Definable Roles

2016-04-20 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15249358#comment-15249358
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8562:


Github user koushik-das commented on a diff in the pull request:

https://github.com/apache/cloudstack/pull/1489#discussion_r60355293
  
--- Diff: engine/schema/src/org/apache/cloudstack/acl/RolePermissionVO.java 
---
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.acl;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import java.util.UUID;
+
+@Entity
+@Table(name = "role_permissions")
+public class RolePermissionVO implements RolePermission {
--- End diff --

@bhaisaab Based on the code, Role contains one or more RolePermissions. 
With this approach if a new API gets added what is the effort to update the 
roles and permissions? Would it be better to instead use Role refers 
RolePermissions to avoid duplication of permissions?


> User Definable Roles
> 
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
>  Issue Type: New Feature
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>  Components: Management Server
>Reporter: Paul Angus
>Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)