cloudstack-dev mailing list archives

From rhtyd <...@git.apache.org>
Subject [GitHub] cloudstack pull request: CLOUDSTACK-8562: Dynamic Role-Based API C...
Date Mon, 25 Apr 2016 11:38:04 GMT
Github user rhtyd commented on the pull request:

    https://github.com/apache/cloudstack/pull/1489#issuecomment-214276787
  
    @koushik-das Yes, all tests run as a regular user too. See the integration test, we're
using user api clients (search self.getUserApiClient) to perform tests -- i.e. tests are not
run all as root admin only. What you're asking is already covered, they are also run by Travis.
    
    I'm sorry if the discussion confused you, please re-read FS again but let me try to explain
below as well;
    
    By default, we don't want to encourage new users to use static checker which is why dynamic-checker
is enabled for developers/new-users. For this reason the commands.properties.in file in codebase
has been deprecated. In packaging too, we're not including commands.properties file.
    
    For existing deployments, we are *NOT* forcing users to migrate to the dynamic roles feature
and their existing commands.properties file won't be renamed or removed during upgrade. Though,
the upgrade path will add dynamic-role specific tables/schema and default roles. There is
an upgrade/migrate script for such users who can migrate in future at their wish, the script
will read rules from commands.properties file and put them in DB.
    
    Please read the admin docs too if they help you understand the process:
    https://github.com/apache/cloudstack-docs-admin/pull/37
    
    
    Now, once a user is already using dynamic checker (fresh or migrated at a later stage),
we don't want them to be easily able to migrate back to static checker as allowing admin to
do that with a global setting switch is a security issue (sorry being pessimistic here). Therefore,
we do two checks to evaluate if dynamic roles is allowed:
    - check if the global setting says that dynamic roles is enabled
    - check that commands.properties does not exist
    The reverse is true for static checker, see the isEnabled()/isDisabled method in the checker
implementation.

