GaOrtiga opened a new pull request, #6960:
URL: https://github.com/apache/cloudstack/pull/6960

   ### Description
   
   ACS does not allow the operator to define the visibility of roles, meaning 
all of them are visible to all users, with the exception of Root Admin roles.
   
   In order to address this situation, a new parameter `public_role` has been 
created in the following APIs: `createRole`, `updateRole` and `importRole`. 
This parameter adds a new property to the role, allowing it to be hidden from 
the users; so, when updating, importing or creating a new role it is possible 
for the operator to inform if it is public (visible to all users) or private 
(only visible to Root Admins and the creator of the role). Also, the behavior 
of the API `listRoles` has been adjusted to return the roles according to this 
new property.
   
   The following are examples of the listings using a Root Admin account and a 
Domain Admin account.
   
   
   <details><summary>Listing with a Root Admin account</summary>
   
   ```
   (localcloud) 🐱 > list roles
   {
     "count": 10,
     "role": [
       {
         "description": "Default root admin role",
         "id": "64b34ae1-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": false,
         "name": "Root Admin",
         "type": "Admin"
       },
       {
         "description": "Default resource admin role",
         "id": "64b38969-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Resource Admin",
         "type": "ResourceAdmin"
       },
       {
         "description": "Default domain admin role",
         "id": "64b48e57-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Domain Admin",
         "type": "DomainAdmin"
       },
       {
         "description": "Default user role",
         "id": "64b4ca77-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "User",
         "type": "User"
       },
       {
         "description": "Default read-only admin role",
         "id": "68ea06f5-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": false,
         "name": "Read-Only Admin - Default",
         "type": "Admin"
       },
       {
         "description": "Default read-only user role",
         "id": "68ea3701-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Read-Only User - Default",
         "type": "User"
       },
       {
         "description": "Default support admin role",
         "id": "68ea6ff9-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": false,
         "name": "Support Admin - Default",
         "type": "Admin"
       },
       {
         "description": "Default support user role",
         "id": "68eaab60-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": false,
         "name": "Support User - Default",
         "type": "User"
       },
       {
         "id": "2281d1f7-ba24-484e-bc1f-8519870dfc16",
         "isdefault": false,
         "ispublic": false,
         "name": "privaterole1",
         "type": "User"
       },
       {
         "id": "eebb8a56-6fce-4300-ade0-40a3e03a08a8",
         "isdefault": false,
         "ispublic": true,
         "name": "publicrole1",
         "type": "DomainAdmin"
       }
     ]
   }
   ```
   </details>
   
   <details><summary>Listing with a Domain Admin account</summary>
   
   ```
   (localcloud) 🐱 > list roles
   {
     "count": 5,
     "role": [
       {
         "description": "Default resource admin role",
         "id": "64b38969-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Resource Admin",
         "type": "ResourceAdmin"
       },
       {
         "description": "Default domain admin role",
         "id": "64b48e57-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Domain Admin",
         "type": "DomainAdmin"
       },
       {
         "description": "Default user role",
         "id": "64b4ca77-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "User",
         "type": "User"
       },
       {
         "description": "Default read-only user role",
         "id": "68ea3701-26de-11ec-8dcf-5254005dcdac",
         "isdefault": true,
         "ispublic": true,
         "name": "Read-Only User - Default",
         "type": "User"
       },
       {
         "id": "eebb8a56-6fce-4300-ade0-40a3e03a08a8",
         "isdefault": false,
         "ispublic": true,
         "name": "publicrole1",
         "type": "DomainAdmin"
       }
     ]
   }
   ```
   
   </details>
   
   Example of the other APIs:
   
   <details><summary>createRole</summary>
   
   ```
   (localcloud) 🐱 > create role roleid=64b34ae1-26de-11ec-8dcf-5254005dcdac name=roleTeste ispublic=false description="role para teste"
   {
     "role": {
       "description": "role para teste",
       "id": "777e8dde-6670-42e2-8328-876d6445cc7c",
       "ispublic": false,
       "name": "roleTeste",
       "type": "Admin"
     }
   }
   ```
   
   </details>
   
   <details><summary>updateRole</summary>
   
   ```
   (localcloud) 🐱 > update role id=777e8dde-6670-42e2-8328-876d6445cc7c ispublic=true
   {
     "role": {
       "description": "role para teste",
       "id": "777e8dde-6670-42e2-8328-876d6445cc7c",
       "ispublic": true,
       "name": "roleTeste",
       "type": "Admin"
     }
   }
   ```
   </details>
   
   <details><summary>importRole</summary>
   
   ```
   (localcloud) 🐱 > import role name=importedRoleTeste ispublic=false rules[0].rule=* rules[0].permission=allow type=User
   {
     "role": {
       "id": "54045972-0272-4ab8-93c2-c299331897db",
       "ispublic": false,
       "name": "importedRoleTeste",
       "type": "User"
     }
   }
   ```
   </details>
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing 
functionality to change)
   - [X] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [ ] Major
   - [X] Minor
   
   ### How Has This Been Tested?
   
   1. I created two new roles using the `createRole` API. One with the 
parameter `public_role` set to `false` and one with it set to `true`. I 
verified that both roles were successfully created with the specified 
parameters.
   
   2. I repeated the same steps from the first test, but this time using the 
`importRole` API instead. I verified that the roles were successfully imported 
with the specified parameters.
   
   3. I updated the `public_role` parameter from two different roles using the 
`updateRole` API, the first one had the parameter as `true` and I updated it to 
`false` and the second had it as `false` and I updated it to `true`. Both were 
successfully updated.
   
   4. I used the API `listRoles` using a Root Admin account and verified that 
every role was visible.
   
   5. I used the API `listRoles` using a Domain Admin account and verified that 
it could not see private roles.
   
   6. I created an account of the type user using a private role and verified 
that it could log in.
   
   7. With this same account I created a new network, and a new VM, and 
verified that both worked normally.
   
   8. I repeated tests 6 and 7 but this time with an account of the type Root 
Admin, and verified that it worked as well.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
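
Added example, not part of the pull request or the CloudStack code base: a check that compares a non-root account's `listRoles` result with the Root Admin view, following the visibility rule in the description above (public roles visible to all, private roles only to Root Admins and their creator). The role entries are a trimmed copy of the listings in the description; `LEAKY_VIEW` and the `created_ids` parameter are constructed for illustration.

```python
# Added example: audits role visibility as described in the PR text.
# Role entries are a trimmed copy of the PR listings; LEAKY_VIEW is constructed.

def _role(rid, name, rtype, public):
    return {"id": rid, "name": name, "type": rtype, "ispublic": public}

ROOT_VIEW = {"role": [
    _role("64b34ae1-26de-11ec-8dcf-5254005dcdac", "Root Admin", "Admin", False),
    _role("64b48e57-26de-11ec-8dcf-5254005dcdac", "Domain Admin", "DomainAdmin", True),
    _role("68eaab60-26de-11ec-8dcf-5254005dcdac", "Support User - Default", "User", False),
    _role("2281d1f7-ba24-484e-bc1f-8519870dfc16", "privaterole1", "User", False),
    _role("eebb8a56-6fce-4300-ade0-40a3e03a08a8", "publicrole1", "DomainAdmin", True),
]}
DOMAIN_ADMIN_VIEW = {"role": [ROOT_VIEW["role"][1], ROOT_VIEW["role"][4]]}
# Constructed failure case: a private role shows up for a non-root caller.
LEAKY_VIEW = {"role": DOMAIN_ADMIN_VIEW["role"] + [ROOT_VIEW["role"][3]]}


def audit_role_visibility(root_view, caller_view, created_ids=()):
    """Compare a non-root caller's listRoles result with the Root Admin view.

    Returns (leaked, missing): roles the caller sees but should not, and
    roles the caller should see but does not.
    created_ids (hypothetical parameter): ids of roles the caller created,
    since the listing itself does not expose the creator.
    """
    known = {r["id"]: r for r in root_view["role"]}
    seen = {r["id"] for r in caller_view["role"]}
    created = set(created_ids)

    def should_see(role):
        # Public roles are visible to everyone; private ones only to their creator.
        return role["ispublic"] or role["id"] in created

    leaked = sorted(known[i]["name"] for i in seen
                    if i in known and not should_see(known[i]))
    # Ids absent from the Root Admin view are reported by id.
    leaked += sorted(i for i in seen if i not in known)
    missing = sorted(r["name"] for r in known.values()
                     if should_see(r) and r["id"] not in seen)
    return leaked, missing


if __name__ == "__main__":
    print(audit_role_visibility(ROOT_VIEW, DOMAIN_ADMIN_VIEW))
    print(audit_role_visibility(ROOT_VIEW, LEAKY_VIEW))
```

To run it against a live deployment, pass the parsed JSON output of `list roles` from a Root Admin account and from the account under test.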
