MartinEmrich opened a new issue, #7946:
URL: https://github.com/apache/cloudstack/issues/7946
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
Management Server
~~~
##### CLOUDSTACK VERSION
~~~
4.18.0
~~~
##### CONFIGURATION
##### OS / ENVIRONMENT
CentOS 7 / MariaDB 10.6
##### SUMMARY
After migrating to dynamic roles with `migrate-dynamicroles.py` and
upgrading from 4.11 to 4.18, domain admins can no longer log in or use the API.
##### STEPS TO REPRODUCE
* Use and migrate an Apache CloudStack installation since 2013 until it is at 4.11.2.0.
* Migrate to dynamic roles with `/usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py -H localhost -b cloud -u cloud -p xxxx -D` and move command.properties out of the way.
##### EXPECTED RESULTS
~~~
Domain account users to continue to work as before.
~~~
##### ACTUAL RESULTS
Top level root admin works fine.
But domain admin or other users do not:
Logging in to the UI gets stuck at "Discovering features...".
Using the API results in messages like:
```
2023-09-06 09:43:41,659 DEBUG [c.c.a.ApiServlet] (qtp1444635922-1285:ctx-d0c978ae) (logid:bff1f438) ===START=== 10.12.0.248 -- GET name=cdskl-shared&command=listServiceOfferings&apiKey=XXXX
2023-09-06 09:43:41,664 DEBUG [c.c.a.ApiServer] (qtp1444635922-1285:ctx-d0c978ae ctx-eefbdbcf) (logid:bff1f438) CIDRs from which account 'Account [{"accountName":"admin","id":39,"uuid":"813308c2-8405-46c3-aa09-0e6bbd90e3b1"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2023-09-06 09:43:41,666 DEBUG [c.c.a.ApiServer] (qtp1444635922-1285:ctx-d0c978ae ctx-eefbdbcf) (logid:bff1f438) The API [listServiceOfferings] does not exist or is not available for the account Account [{"accountName":"admin","id":39,"uuid":"813308c2-8405-46c3-aa09-0e6bbd90e3b1"}].
2023-09-06 09:43:41,667 DEBUG [c.c.a.ApiServlet] (qtp1444635922-1285:ctx-d0c978ae ctx-eefbdbcf) (logid:bff1f438) ===END=== 10.12.0.248 -- GET name=cdskl-shared&command=listServiceOfferings&apiKey=XXXX
```
##### Additional info
The UI does not allow me to add permissions to the default roles. But
adding a specific permission to the database manually makes that API function
work for domain admins, e.g.:
```
INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `description`)
VALUES ('8890d77e-c77a-4df1-a5f6-6af1dd52ac0c', 3, 'listVirtualMachines', 'ALLOW', 'Test');
```
Reading the migration Python script source code, using "-D" for "use default
rules" only enables the dynamic rule checker option, but does `sys.exit(0)`
directly after that. It does *not* insert any default rules into the database.
I suspect that this might work for a fresh installation, where the
installation process might fill the role_permissions table with what is
necessary, but that is missing here.
--
This is an automated message from the Apache Git Service.
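A post-migration sanity check for the state reported above, as an added example that is not part of the issue or of CloudStack's own code: it lists roles that have no row in `role_permissions` and shows the effect of one manual rule like the INSERT in the report. Assumptions: SQLite stands in for the MariaDB `cloud` database, the `roles` table layout and role names are constructed, and `has_allow_rule` is a simplified exact-match model of the permission check.

```python
import sqlite3
import uuid

# Assumed minimal schema; role_permissions columns follow the INSERT in the issue.
SCHEMA = """
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role_permissions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    uuid TEXT, role_id INTEGER, rule TEXT, permission TEXT, description TEXT);
"""

def sample_db():
    """Constructed stand-in for the database right after the -D migration:
    roles exist, role_permissions is empty."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [(2, "Resource Admin"), (3, "Domain Admin"), (4, "User")])
    return conn

def roles_without_rules(conn):
    """Return (id, name) for every role that has no permission rule at all."""
    rows = conn.execute(
        "SELECT r.id, r.name FROM roles r "
        "LEFT JOIN role_permissions p ON p.role_id = r.id "
        "GROUP BY r.id, r.name HAVING COUNT(p.id) = 0 ORDER BY r.id")
    return rows.fetchall()

def has_allow_rule(conn, role_id, api_name):
    """Simplified model: an exact-name ALLOW row (no wildcards, no ordering)."""
    row = conn.execute(
        "SELECT 1 FROM role_permissions "
        "WHERE role_id = ? AND rule = ? AND permission = 'ALLOW'",
        (role_id, api_name)).fetchone()
    return row is not None

def add_allow_rule(conn, role_id, api_name, description=""):
    """Same shape as the manual INSERT in the issue, with a fresh UUID."""
    conn.execute(
        "INSERT INTO role_permissions "
        "(uuid, role_id, rule, permission, description) "
        "VALUES (?, ?, ?, 'ALLOW', ?)",
        (str(uuid.uuid4()), role_id, api_name, description))

if __name__ == "__main__":
    db = sample_db()
    print("roles with no rules:", roles_without_rules(db))
    add_allow_rule(db, 3, "listVirtualMachines", "Test")
    print("after one manual rule:", roles_without_rules(db))
    print("listServiceOfferings allowed for role 3:",
          has_allow_rule(db, 3, "listServiceOfferings"))
```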