server: prevent update vm read-only details by shwstppr · Pull Request #4629 · apache/cloudstack

shwstppr · 2021-01-28T09:34:24Z

Description

Fixes behaviour in updateVirtualMachine API by disallowing updating read-only details (details mentioned in global setting user.vm.readonly.ui.details) of the VM for accounts other than root-admin using API. Such read-only details will be copied from original values.

Fixes #4514

Types of changes

Breaking change (fix or feature that would cause existing functionality to change)
New feature (non-breaking change which adds functionality)
Bug fix (non-breaking change which fixes an issue)
Enhancement (improves an existing feature and functionality)
Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Major
Minor

Bug Severity

Screenshots (if appropriate):

How Has This Been Tested?

(localcloud) 🐱 >  list virtualmachine id=527a92ab-f59f-45fc-abc3-abf34ca5cbad
{
  "virtualmachine": {
    "account": "user",
    "affinitygroup": [],
    "cpunumber": 1,
    "cpuspeed": 500,
    "cpuused": "10%",
    "created": "2021-01-28T14:39:08+0530",
    "details": {
      "newdetail": "somethingnew"
    },
    "diskioread": 0,
    "diskiowrite": 0,
    "diskkbsread": 0,
    "diskkbswrite": 0,
    "displayname": "t1",
    "domain": "ROOT",
    "domainid": "b4924318-6146-11eb-9c0f-a0afbd4a2d60",
    "guestosid": "b48662d8-6146-11eb-9c0f-a0afbd4a2d60",
    "haenable": false,
    "hypervisor": "Simulator",
    "id": "527a92ab-f59f-45fc-abc3-abf34ca5cbad",
    "isdynamicallyscalable": false,
    "memory": 512,
    "memoryintfreekbs": 0,
    "memorykbs": 0,
    "memorytargetkbs": 0,
    "name": "t1",
    "networkkbsread": 32768,
    "networkkbswrite": 16384,
    "nic": [
      {
        "extradhcpoption": [],
        "gateway": "10.1.1.1",
        "id": "530b68fb-d15e-43cc-bb52-20b4686251ea",
        "ipaddress": "10.1.1.61",
        "isdefault": true,
        "macaddress": "02:00:67:12:00:01",
        "netmask": "255.255.255.0",
        "networkid": "39d80951-0087-4ab2-9af7-3dc886d04eb2",
        "networkname": "test",
        "secondaryip": [],
        "traffictype": "Guest",
        "type": "Isolated"
      }
    ],
    "osdisplayname": "CentOS 5.6 (64-bit)",
    "ostypeid": "b48662d8-6146-11eb-9c0f-a0afbd4a2d60",
    "passwordenabled": false,
    "readonlyuidetails": "dataDiskController, rootDiskController, newdetail",
    "rootdeviceid": 0,
    "rootdevicetype": "ROOT",
    "securitygroup": [],
    "serviceofferingid": "6338335e-5ee7-4fcc-a0cb-4746ff0d35e3",
    "serviceofferingname": "Small Instance",
    "state": "Stopped",
    "tags": [],
    "templatedisplaytext": "CentOS 5.6 (64-bit) no GUI (Simulator)",
    "templateid": "4a0360b8-6147-11eb-9c0f-a0afbd4a2d60",
    "templatename": "CentOS 5.6 (64-bit) no GUI (Simulator)",
    "userid": "07af36d0-391a-4c56-a85a-ccde0611174b",
    "username": "user",
    "zoneid": "25849759-355c-49be-b004-664f34d77a65",
    "zonename": "Sandbox-simulator"
  }
}

(localcloud) 🐱 >  set username admin
(localcloud) 🐱 > sync
Discovered 587 APIs
(localcloud) 🐱 > list configurations name=user.vm.readonly.ui.details
{
  "configuration": [
    {
      "category": "Advanced",
      "description": "List of UI read-only VM settings/details as comma separated string",
      "isdynamic": true,
      "name": "user.vm.readonly.ui.details",
      "value": "dataDiskController, rootDiskController, newdetail"
    }
  ],
  "count": 1
}
(localcloud) 🐱 > set username user
(localcloud) 🐱 > sync
Discovered 266 APIs
(localcloud) 🐱 > update virtualmachine id=527a92ab-f59f-45fc-abc3-abf34ca5cbad details[0].newdetail=somethingevennew
🙈 Error: (HTTP 431, error code 4350) You're not allowed to add or edit the read-only setting: newdetail
(localcloud) 🐱 > update virtualmachine id=527a92ab-f59f-45fc-abc3-abf34ca5cbad details[0].evennewdetail=somethingevenmorenew
{
  "virtualmachine": {
    "account": "user",
    "affinitygroup": [],
    "cpunumber": 1,
    "cpuspeed": 500,
    "created": "2021-01-28T14:39:08+0530",
    "details": {
      "evennewdetail": "somethingevenmorenew",
      "newdetail": "somethingnew"
    },
    "displayname": "t1",
    "domain": "ROOT",
    "domainid": "b4924318-6146-11eb-9c0f-a0afbd4a2d60",
    "guestosid": "b48662d8-6146-11eb-9c0f-a0afbd4a2d60",
    "haenable": false,
    "hypervisor": "Simulator",
    "id": "527a92ab-f59f-45fc-abc3-abf34ca5cbad",
    "isdynamicallyscalable": false,
    "memory": 512,
    "name": "t1",
    "nic": [
      {
        "extradhcpoption": [],
        "gateway": "10.1.1.1",
        "id": "530b68fb-d15e-43cc-bb52-20b4686251ea",
        "ipaddress": "10.1.1.61",
        "isdefault": true,
        "macaddress": "02:00:67:12:00:01",
        "netmask": "255.255.255.0",
        "networkid": "39d80951-0087-4ab2-9af7-3dc886d04eb2",
        "networkname": "test",
        "secondaryip": [],
        "traffictype": "Guest",
        "type": "Isolated"
      }
    ],
    "osdisplayname": "CentOS 5.6 (64-bit)",
    "ostypeid": "b48662d8-6146-11eb-9c0f-a0afbd4a2d60",
    "passwordenabled": false,
    "readonlyuidetails": "dataDiskController, rootDiskController, newdetail",
    "rootdeviceid": 0,
    "rootdevicetype": "ROOT",
    "securitygroup": [],
    "serviceofferingid": "6338335e-5ee7-4fcc-a0cb-4746ff0d35e3",
    "serviceofferingname": "Small Instance",
    "state": "Stopped",
    "tags": [],
    "templatedisplaytext": "CentOS 5.6 (64-bit) no GUI (Simulator)",
    "templateid": "4a0360b8-6147-11eb-9c0f-a0afbd4a2d60",
    "templatename": "CentOS 5.6 (64-bit) no GUI (Simulator)",
    "userid": "07af36d0-391a-4c56-a85a-ccde0611174b",
    "username": "user",
    "zoneid": "25849759-355c-49be-b004-664f34d77a65",
    "zonename": "Sandbox-simulator"
  }
}

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

blueorangutan · 2021-01-28T10:23:41Z

Packaging result: ✔centos7 ✖centos8 ✔debian. JID-2613

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

shwstppr · 2021-01-29T06:10:11Z

@blueorangutan package

blueorangutan · 2021-01-29T06:11:19Z

@shwstppr a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

blueorangutan · 2021-01-29T06:38:05Z

Packaging result: ✔centos7 ✖centos8 ✔debian. JID-2619

weizhouapache · 2021-01-29T08:46:19Z

@shwstppr good, thanks.
should the detail name be changed from 'user.vm.readonly.ui.details' to 'user.vm.readonly.details' ?

yadvr · 2021-02-01T08:58:02Z

@weizhouapache I think changing global setting name would require DB change and doc changes, the feature/user of the change is only UI so I guess that's why the setting name has ui in it.

shwstppr · 2021-02-01T09:04:23Z

@weizhouapache maybe we can change setting name in master alongwith similar setting changes #4135? cc @rhtyd @DaanHoogland

DaanHoogland · 2021-02-01T09:52:37Z

@shwstppr that PR also needs more attention to updates. I agree with the principle as this is not only UI but also API (which would be a security issue if it wasn't) as is this change lgtm

weizhouapache · 2021-02-01T10:15:06Z

@weizhouapache I think changing global setting name would require DB change and doc changes, the feature/user of the change is only UI so I guess that's why the setting name has ui in it.

@shwstppr that PR also needs more attention to updates. I agree with the principle as this is not only UI but also API (which would be a security issue if it wasn't) as is this change lgtm

@rhtyd @DaanHoogland
let's merge this, and change setting name afterwards as it requires sql change ?

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

shwstppr · 2021-02-01T13:07:29Z

@blueorangutan package

blueorangutan · 2021-02-01T13:08:32Z

@shwstppr a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

blueorangutan · 2021-02-01T13:51:19Z

Packaging result: ✔centos7 ✖centos8 ✔debian. JID-2627

Pearl1594

Verified Behaviour. LGTM

DaanHoogland · 2021-02-01T15:01:15Z

@blueorangutan test

blueorangutan · 2021-02-01T15:02:33Z

@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

blueorangutan · 2021-02-01T23:56:22Z

Trillian test result (tid-3462)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 30225 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr4629-t3462-kvm-centos7.zip
Smoke tests completed. 83 look OK, 0 have error(s)
Only failed tests results shown below:

Test	Result	Time (s)	Test File

* 4.14: server: prevent update vm read-only details (#4629)

PR apache#4629 made changes in updateVirtualMachine behaviour wrt readonly details. This change updates UI wrt new behaviour. Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

PR #4629 made changes in updateVirtualMachine behaviour wrt readonly details. This change updates UI wrt new behaviour. Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

server: prevent update vm read-only details

b268618

Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>

shwstppr added this to the 4.14.1.0 milestone Jan 28, 2021

shwstppr linked an issue Jan 28, 2021 that may be closed by this pull request

User vm details is readonly on UI but still can be changed via api or cloudmonkey/cmk #4514

Closed

shwstppr requested review from weizhouapache and yadvr January 28, 2021 09:41

ui: skip readonly settings while add, edit, delete

b8f5121

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

apache deleted a comment from blueorangutan Jan 29, 2021

shwstppr requested review from DaanHoogland, Pearl1594, Spaceman1984, davidjumani and harikrishna-patnala February 1, 2021 08:08

yadvr approved these changes Feb 1, 2021

View reviewed changes

fix cleaupdetails for readonly details

bd5b60b

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

Pearl1594 approved these changes Feb 1, 2021

View reviewed changes

DaanHoogland merged commit 05301b1 into apache:4.14 Feb 2, 2021

DaanHoogland deleted the fix-api-update-vm-readonly-detail-4514 branch February 2, 2021 08:49

DaanHoogland pushed a commit that referenced this pull request Feb 2, 2021

Merge release branch 4.14 to 4.15

66d49c5

* 4.14: server: prevent update vm read-only details (#4629)

yadvr mentioned this pull request Feb 2, 2021

User vm details is readonly on UI but still can be changed via api or cloudmonkey/cmk #4514

Closed

This was referenced Feb 9, 2021

ui: fix update vm details wrt backend changes #4670

Merged

api,engine/schema,server: vm readonly details rename #4671

Merged

Conversation

shwstppr commented Jan 28, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Types of changes

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

Bug Severity

Screenshots (if appropriate):

How Has This Been Tested?

Uh oh!

blueorangutan commented Jan 28, 2021

Uh oh!

shwstppr commented Jan 29, 2021

Uh oh!

blueorangutan commented Jan 29, 2021

Uh oh!

blueorangutan commented Jan 29, 2021

Uh oh!

weizhouapache commented Jan 29, 2021

Uh oh!

yadvr commented Feb 1, 2021

Uh oh!

shwstppr commented Feb 1, 2021

Uh oh!

DaanHoogland commented Feb 1, 2021

Uh oh!

weizhouapache commented Feb 1, 2021

Uh oh!

shwstppr commented Feb 1, 2021

Uh oh!

blueorangutan commented Feb 1, 2021

Uh oh!

blueorangutan commented Feb 1, 2021

Uh oh!

Pearl1594 left a comment

Choose a reason for hiding this comment

Uh oh!

DaanHoogland commented Feb 1, 2021

Uh oh!

blueorangutan commented Feb 1, 2021

Uh oh!

blueorangutan commented Feb 1, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

shwstppr commented Jan 28, 2021 •

edited

Loading