BryanMLima opened a new pull request, #7150: URL: https://github.com/apache/cloudstack/pull/7150
### Description

Currently, ACS allows the creation of ACLs for VPCs; however, it is required to create an ACL per VPC. Therefore, even if multiple VPCs had the same ACL rules, it would be required to create multiple ACLs. This PR aims to change this behavior so as to be able to create global ACLs which will be available to all VPCs, similar to the default ones: `default_allow` and `default_deny`.

This PR removed the requirement of the parameter `vpcId` of the `createNetworkACLList`; therefore, if there is no VPC ID in the parameter call, then it is a global ACL. It is important to note that only root admins can manipulate these global ACLs, but anyone can use them.

### Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)

### Feature/Enhancement Scale or Bug Severity

#### Feature/Enhancement Scale

- [ ] Major
- [x] Minor

#### Bug Severity

- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [x] Minor
- [ ] Trivial

### Screenshots (if appropriate):

### How Has This Been Tested?

I performed the following tests in a local lab:

<details>
<summary><h3>T0 - createNetworkAclList</h3></summary>

I created a global ACL with a root admin account.

~~~
(lab-bryan) 🐱 > create networkacllist name=teste-2-global description=testeglobal2 fordisplay=true
{
  "networkacllist": {
    "description": "testeglobal2",
    "fordisplay": true,
    "id": "fb7cadc2-8209-4a5f-974f-58a7db6b1115",
    "name": "teste-2-global"
  }
}
~~~

I tried to create a global ACL with a domain admin account.

~~~
(lab-bryan-domain) 🐱 > create networkacllist name=teste-2-global description=testeglobal2 fordisplay=true
🙈 Error: (HTTP 531, error code 4365) Only Root Admin can create global ACLs.
~~~

**Expected?** Yes
</details>

<details>
<summary><h3>T1 - replaceNetworkaclList</h3></summary>

I replaced the ACL for a network as root admin.

~~~
(lab-bryan) 🐱 > replace networkacllist networkid=b539e342-e625-4cae-bc1f-9115f9f8f734 aclid=fb7cadc2-8209-4a5f-974f-58a7db6b1115
{
  "success": true
}
~~~

I replaced the ACL for a network as domain admin.

~~~
(lab-bryan-domain) 🐱 > replace networkacllist networkid=b539e342-e625-4cae-bc1f-9115f9f8f734 aclid=fb7cadc2-8209-4a5f-974f-58a7db6b1115
{
  "success": true
}
~~~

**Expected?** Yes
</details>

<details>
<summary><h3>T2 - createNetworkAcl</h3></summary>

I created an ACL rule as root admin.

~~~
(lab-bryan) 🐱 > create networkacl aclid=fb7cadc2-8209-4a5f-974f-58a7db6b1115 protocol=all action=allow cidrlist=0.0.0.0/0
{
  "networkacl": {
    "aclid": "fb7cadc2-8209-4a5f-974f-58a7db6b1115",
    "aclname": "teste-2-global",
    "action": "Allow",
    "cidrlist": "0.0.0.0/0",
    "fordisplay": true,
    "id": "acafd739-4dc2-472b-b571-2fed43502150",
    "number": 1,
    "protocol": "all",
    "state": "Active",
    "tags": [],
    "traffictype": "Ingress"
  }
}
~~~

I tried to create an ACL rule as a domain admin.

~~~
(lab-bryan-domain) 🐱 > create networkacl aclid=fb7cadc2-8209-4a5f-974f-58a7db6b1115 protocol=all action=allow cidrlist=0.0.0.0/0
🙈 Error: (HTTP 531, error code 4365) Only Root Admins can create rules for a global ACL.
~~~

**Expected?** Yes
</details>

<details>
<summary><h3>T3 - deleteNetworkAcl</h3></summary>

I deleted an ACL rule as root admin.

~~~
(lab-bryan) 🐱 > delete networkacl id=acafd739-4dc2-472b-b571-2fed43502150
{
  "success": true
}
~~~

I tried to delete an ACL rule as domain admin.

~~~
(lab-bryan-domain) 🐱 > delete networkacl id=acafd739-4dc2-472b-b571-2fed43502150
{
  "accountid": "a522847f-936d-4347-8603-9a959df2128c",
  "cmd": "org.apache.cloudstack.api.command.user.network.DeleteNetworkACLCmd",
  "completed": "2023-01-26T14:52:53+0000",
  "created": "2023-01-26T14:52:53+0000",
  "jobid": "6785543c-d729-4725-99a0-f01eace2963a",
  "jobprocstatus": 0,
  "jobresult": {
    "errorcode": 530,
    "errortext": "Only Root Admin can delete global ACL rules."
  },
  "jobresultcode": 530,
  "jobresulttype": "object",
  "jobstatus": 2,
  "userid": "b7dcc0af-e83d-4290-bfcd-39b69abb5a0e"
}
🙈 Error: async API failed for job 6785543c-d729-4725-99a0-f01eace2963a
~~~

**Expected?** Yes
</details>

<details>
<summary><h3>T4 - moveNetworkAclItem</h3></summary>

I tried to move an ACL rule as root admin. I used a screenshot, as CMK has a problem decoding the response of the API `moveNetworkAclItem` (not caused by this PR; this faulty behavior was already like this).

I tried to move an ACL rule as domain admin.

**Expected?** Yes
</details>

<details>
<summary><h3>T5 - updateNetworkAclItem</h3></summary>

I updated an ACL rule as root admin.

~~~
(lab-bryan) 🐱 > update networkaclitem id=97c39f8e-f800-4fe5-add2-8261148ecd46 cidrlist=0.0.0.0/0,192.168.0.1/8
{
  "networkacl": {
    "aclid": "fb7cadc2-8209-4a5f-974f-58a7db6b1115",
    "aclname": "teste-2-global",
    "action": "Allow",
    "cidrlist": "0.0.0.0/0,192.168.0.1/8",
    "fordisplay": true,
    "id": "97c39f8e-f800-4fe5-add2-8261148ecd46",
    "number": 3,
    "protocol": "all",
    "state": "Add",
    "tags": [],
    "traffictype": "Ingress"
  }
}
~~~

I tried to update an ACL rule as domain admin.

~~~
(lab-bryan-domain) 🐱 > update networkaclitem id=97c39f8e-f800-4fe5-add2-8261148ecd46 cidrlist=0.0.0.0/0,192.168.0.1/8
{
  "accountid": "a522847f-936d-4347-8603-9a959df2128c",
  "cmd": "org.apache.cloudstack.api.command.user.network.UpdateNetworkACLItemCmd",
  "completed": "2023-01-26T15:09:38+0000",
  "created": "2023-01-26T15:09:38+0000",
  "jobid": "996a0316-1529-47a5-b8e9-1988575a8088",
  "jobprocstatus": 0,
  "jobresult": {
    "errorcode": 530,
    "errortext": "Only Root Admins can update global ACLs."
  },
  "jobresultcode": 530,
  "jobresulttype": "object",
  "jobstatus": 2,
  "userid": "b7dcc0af-e83d-4290-bfcd-39b69abb5a0e"
}
🙈 Error: async API failed for job 996a0316-1529-47a5-b8e9-1988575a8088
~~~

**Expected?** Yes
</details>

<details>
<summary><h3>T6 - deleteNetworkAclList</h3></summary>

I deleted an ACL rule as root admin.

~~~
(lab-bryan) 🐱 > delete networkacllist id=fb7cadc2-8209-4a5f-974f-58a7db6b1115
{
  "success": true
}
~~~

I tried to delete an ACL rule as domain admin.

~~~
(lab-bryan-domain) 🐱 > delete networkacllist id=fb7cadc2-8209-4a5f-974f-58a7db6b1115
{
  "accountid": "a522847f-936d-4347-8603-9a959df2128c",
  "cmd": "org.apache.cloudstack.api.command.user.network.DeleteNetworkACLListCmd",
  "completed": "2023-01-26T15:11:13+0000",
  "created": "2023-01-26T15:11:13+0000",
  "jobid": "40a2047d-8d23-4785-b53a-5baee1da9bf7",
  "jobprocstatus": 0,
  "jobresult": {
    "errorcode": 530,
    "errortext": "Only Root Admin can delete global ACLs."
  },
  "jobresultcode": 530,
  "jobresulttype": "object",
  "jobstatus": 2,
  "userid": "b7dcc0af-e83d-4290-bfcd-39b69abb5a0e"
}
🙈 Error: async API failed for job 40a2047d-8d23-4785-b53a-5baee1da9bf7
~~~

**Expected?** Yes
</details>

---

Furthermore, I created three VPCs and three VMs, each one attached to a tier of a VPC. After this, I created a global ACL allowing SSH connections. I tested the `ssh` command with all public IPs, previously created, of the VMs. All worked as expected. Furthermore, I changed the rule to deny any access to port 22 for the TCP protocol. Similarly, I tried to use `ssh` with all 3 public IPs and all failed.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
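The authorization rule the T0 to T6 tests exercise (a list created without `vpcId` is global; only a root admin may create, change or delete a global list or its rules; any caller may attach one with `replaceNetworkACLList`) can be stated as a small policy model. The following is an added illustration written for this page, not code from the PR or from CloudStack: the `Role`, `Caller`, `NetworkAclList`, `authorize_acl_operation` and `create_network_acl_list` names are assumptions, the operation names are the API commands shown in the tests above, and identifiers are constructed placeholders rather than the UUIDs ACS returns. VPC-scoped lists are assumed to pass through to the pre-existing per-VPC ownership checks, which this model does not reproduce.

```python
"""Model of the global-ACL authorization rules exercised by tests T0-T6.

Added illustration, not CloudStack code. Class and function names are
assumptions; the operation strings are the API commands from the PR.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import count
from typing import Optional


class Role(Enum):
    ROOT_ADMIN = "root_admin"
    DOMAIN_ADMIN = "domain_admin"
    USER = "user"


@dataclass(frozen=True)
class Caller:
    account_id: str
    role: Role


@dataclass(frozen=True)
class NetworkAclList:
    id: str
    name: str
    vpc_id: Optional[str]  # None: created without vpcId, so the list is global

    @property
    def is_global(self) -> bool:
        return self.vpc_id is None


class PermissionDenied(Exception):
    """Stands in for the error the management server returns (HTTP 531 / job code 530 above)."""


# Commands that create, change or remove a global ACL list or its rules: root admin only.
MANAGE_OPERATIONS = frozenset({
    "createNetworkACLList", "deleteNetworkACLList",
    "createNetworkACL", "deleteNetworkACL",
    "updateNetworkACLItem", "moveNetworkAclItem",
})
# Commands that merely attach an existing list to a network: any caller may use a global list.
USE_OPERATIONS = frozenset({"replaceNetworkACLList"})

_ids = count(1)


def _new_id() -> str:
    # Constructed placeholder identifiers; the real API returns UUIDs.
    return f"acl-{next(_ids):04d}"


def authorize_acl_operation(caller: Caller, acl: NetworkAclList, operation: str) -> bool:
    """Return True if caller may run operation on acl; raise PermissionDenied otherwise.

    Only the global-ACL rule from the PR is modelled. VPC-scoped lists are assumed to be
    covered by the existing per-VPC ownership checks and are simply allowed here.
    """
    if operation in USE_OPERATIONS:
        return True
    if operation not in MANAGE_OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if acl.is_global and caller.role is not Role.ROOT_ADMIN:
        raise PermissionDenied(f"Only Root Admin can run {operation} on global ACL '{acl.name}'")
    return True


def create_network_acl_list(caller: Caller, name: str, vpc_id: Optional[str] = None) -> NetworkAclList:
    """createNetworkACLList with vpcId optional: omitting it yields a global list."""
    acl = NetworkAclList(id=_new_id(), name=name, vpc_id=vpc_id)
    authorize_acl_operation(caller, acl, "createNetworkACLList")
    return acl


def run_scenario() -> dict:
    """Replay the T0-T6 checks and report which calls were allowed (True) or denied (False)."""
    root = Caller("root-acct", Role.ROOT_ADMIN)
    domain = Caller("domain-acct", Role.DOMAIN_ADMIN)
    results = {}
    global_acl = create_network_acl_list(root, "teste-2-global")
    results["T0_root_create_global"] = global_acl.is_global
    try:
        create_network_acl_list(domain, "teste-2-global")
        results["T0_domain_create_global"] = True
    except PermissionDenied:
        results["T0_domain_create_global"] = False
    results["T1_domain_replace"] = authorize_acl_operation(domain, global_acl, "replaceNetworkACLList")
    for tag, op in (("T2", "createNetworkACL"), ("T3", "deleteNetworkACL"),
                    ("T4", "moveNetworkAclItem"), ("T5", "updateNetworkACLItem"),
                    ("T6", "deleteNetworkACLList")):
        results[f"{tag}_root"] = authorize_acl_operation(root, global_acl, op)
        try:
            authorize_acl_operation(domain, global_acl, op)
            results[f"{tag}_domain"] = True
        except PermissionDenied:
            results[f"{tag}_domain"] = False
    # A VPC-scoped list created by a domain admin is untouched by the global rule.
    scoped = create_network_acl_list(domain, "vpc-scoped", vpc_id="vpc-1")
    results["scoped_domain_create"] = not scoped.is_global
    return results


if __name__ == "__main__":
    for key, allowed in run_scenario().items():
        print(f"{key}: {'allowed' if allowed else 'denied'}")
```

The point the model makes explicit is that the privilege boundary sits on the mutation path, not the read path: a shared list is a shared trust anchor, so anyone who can edit it affects every VPC that attached it, which is why the PR restricts edits to root admins while leaving attachment open.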