This is an automated email from the ASF dual-hosted git repository. rohit pushed a commit to branch 4.11 in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.11 by this push: new 170b6ce CLOUDSTACK-10236: Enable dynamic roles for missing props file (#2426) 170b6ce is described below commit 170b6ce20dd4fc2f1fd3ad84833f440d955d2987 Author: Rohit Yadav <ro...@apache.org> AuthorDate: Wed Jan 24 13:11:08 2018 +0100 CLOUDSTACK-10236: Enable dynamic roles for missing props file (#2426) Automate dynamic roles migration for missing props file - In case commands.properties file is missing, enables dynamic roles. - Adds a new -D or --default flag to migrate-dynamicroles.py script to simply update the global setting and use the default role-rule permissions. - Add warning message, ask admins to move to dynamic roles during upgrade Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>
---
 .../com/cloud/upgrade/dao/Upgrade41000to41100.java | 18 +++++++++++++++ .../acl/StaticRoleBasedAPIAccessChecker.java | 1 + scripts/util/migrate-dynamicroles.py | 27 ++++++++++++++-------- 3 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index 53c2340..20294d1 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -31,6 +31,7 @@ import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 public class Upgrade41000to41100 implements DbUpgrade {
@@ -65,10 +66,27 @@ public class Upgrade41000to41100 implements DbUpgrade {
 @Override
 public void performDataMigration(Connection conn) {
+ checkAndEnableDynamicRoles(conn);
 validateUserDataInBase64(conn);
 updateSystemVmTemplates(conn);
 }
+ private void checkAndEnableDynamicRoles(final Connection conn) {
+ final Map<String, String> apiMap = PropertiesUtil.processConfigFile(new String[] { "commands.properties" });
+ if (apiMap == null || apiMap.isEmpty()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No commands.properties file was found, enabling dynamic roles by setting dynamic.apichecker.enabled to true if not already enabled.");
+ }
+ try (final PreparedStatement updateStatement = conn.prepareStatement("INSERT INTO cloud.configuration (category, instance, name, default_value, value) VALUES ('Advanced', 'DEFAULT', 'dynamic.apichecker.enabled', 'false', 'true') ON DUPLICATE KEY UPDATE value='true'")) {
+ updateStatement.executeUpdate();
+ } catch (SQLException e) {
+ LOG.error("Failed to set dynamic.apichecker.enabled to true, please run migrate-dynamicroles.py script to manually migrate to dynamic roles.", e);
+ }
+ } else {
+ LOG.warn("Old commands.properties static checker is deprecated, please use migrate-dynamicroles.py to migrate to dynamic roles. Refer http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/accounts.html#using-dynamic-roles");
+ }
+ }
+
 private void validateUserDataInBase64(Connection conn) {
 try (final PreparedStatement selectStatement = conn.prepareStatement("SELECT `id`, `user_data` FROM `cloud`.`user_vm` WHERE `user_data` IS NOT NULL;");
 final ResultSet selectResultSet = selectStatement.executeQuery()) {
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index fc78268..f3dc3a3 100644
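Review bot: The `catch (SQLException e)` in `checkAndEnableDynamicRoles` only logs and lets `performDataMigration` continue, so an upgrade that could not set `dynamic.apichecker.enabled` still completes as successful even though the authorization checker was not switched; since this is an authorization setting, rethrow instead: `throw new CloudRuntimeException("Failed to set dynamic.apichecker.enabled to true, run migrate-dynamicroles.py to migrate to dynamic roles.", e);` (`CloudRuntimeException` is already imported in this file). The message announcing the switch is emitted at debug level under `LOG.isDebugEnabled()`; an operator reading upgrade logs should see a change of authorization mode, so `LOG.info(...)` without the guard is more appropriate. The `apiMap == null || apiMap.isEmpty()` test also treats an existing but empty commands.properties as absent, which the message text does not reflect; if that is intended, say so in a comment. Whether `PropertiesUtil.processConfigFile` distinguishes an unreadable file from a missing one is not visible here — if it returns null on read errors, a permissions problem at upgrade time would also flip the checker.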
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -39,6 +39,7 @@ import com.cloud.utils.component.PluggableService;
 // This is the default API access checker that grab's the user's account // based on the account type, access is granted
+@Deprecated
 public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
 protected static final Logger LOGGER = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
diff --git a/scripts/util/migrate-dynamicroles.py b/scripts/util/migrate-dynamicroles.py
index cbb83f9..35dfe66 100755
--- a/scripts/util/migrate-dynamicroles.py
+++ b/scripts/util/migrate-dynamicroles.py
@@ -55,6 +55,14 @@ def migrateApiRolePermissions(apis, conn):
 if (octetKey[role] & int(apis[api])) > 0:
 runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`, `rule`, `permission`, `sort_order`) values (UUID(), %d, '%s', 'ALLOW', %d);" % (role, api, sortOrder))
 sortOrder += 1
+ print("Static role permissions from commands.properties have been migrated into the db")
+
+
+ def enableDynamicApiChecker(conn):
+ runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'")
+ conn.commit()
+ conn.close()
+ print("Dynamic role based API checker has been enabled!")
 def main():
@@ -71,6 +79,8 @@ def main():
 help="Host or IP of the MySQL server")
 parser.add_option("-f", "--properties-file", action="store", type="string", dest="commandsfile", default="/etc/cloudstack/management/commands.properties", help="The commands.properties file")
+ parser.add_option("-D", "--default", action="store_true", dest="defaultRules", default=False,
+ help="")
 parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun", default=False, help="Dry run and debug operations this tool will perform")
 (options, args) = parser.parse_args()
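Review bot: `@Deprecated` on `StaticRoleBasedAPIAccessChecker` has no accompanying Javadoc `@deprecated` tag, so the deprecation warning consumers now get points to no replacement or migration path. Add a Javadoc block above the annotation, e.g. `/** @deprecated The commands.properties based checker is superseded by dynamic roles; migrate with scripts/util/migrate-dynamicroles.py. */`. The class body continues outside the hunk.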
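Review bot: `enableDynamicApiChecker` closes the connection handed to it (`conn.close()`) in addition to committing, which its name does not convey, and its callers in `main()` (in the later hunks of this file) depend on that. Either document it with a docstring such as `"""Enable the dynamic API checker; commits and closes conn."""` or leave `conn.close()` to `main()`, which owns the connection. `migrateApiRolePermissions`, where the new `print` lands, starts outside the hunk.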
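Review bot: The new `-D/--default` option is registered with `help=""`, so `--help` lists the flag without saying what it does even though it skips the commands.properties migration entirely; take the wording from the commit description, e.g. `help="Skip commands.properties migration and only enable the dynamic API checker with the default role permissions"`. `main()` starts and ends outside the hunk.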
@@ -89,8 +99,14 @@ def main():
 port=int(options.port), db=options.db)
+ if options.defaultRules:
+ print("Applying the default role permissions, ignoring any provided properties files(s).")
+ enableDynamicApiChecker(conn)
+ sys.exit(0)
+
 if not os.path.isfile(options.commandsfile):
- print("Provided commands.properties cannot be accessed or does not exist, please check check permissions")
+ print("Provided commands.properties cannot be accessed or does not exist.")
+ print("Please check passed options, or run only with --default option to use the default role permissions.")
 sys.exit(1)
 while True:
@@ -122,15 +138,8 @@ def main():
 # Migrate rules from commands.properties to cloud.role_permissions
 migrateApiRolePermissions(apiMap, conn)
- print("Static role permissions from commands.properties have been migrated into the db")
-
- # Enable dynamic role based API checker
- runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'")
- conn.commit()
- conn.close()
-
- print("Dynamic role based API checker has been enabled!")
+ enableDynamicApiChecker(conn)
 if __name__ == '__main__':
 main()
-- To stop receiving notification emails like this one, please contact ro...@apache.org.
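Review bot: The new `--default` branch calls `enableDynamicApiChecker(conn)` and exits without consulting `options.dryrun`, which the parser in this file declares as "Dry run and debug operations this tool will perform"; unless `runSql` (defined outside these hunks) short-circuits on dry run, the `conn.commit()` inside the helper persists the configuration change even in a dry run. A guard such as `if options.dryrun: print("Would set dynamic.apichecker.enabled to true"); sys.exit(0)` before the call, or passing the flag into the helper, keeps this path consistent with the migration path. The message `"...ignoring any provided properties files(s)."` should read `file(s)`. `main()` starts and ends outside the hunk.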