cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10236) Unable to login to ACS after upgrading 4.5 -> 4.11
Date Wed, 24 Jan 2018 12:12:00 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-10236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16337473#comment-16337473
] 

ASF GitHub Bot commented on CLOUDSTACK-10236:
---------------------------------------------

rhtyd closed pull request #2426: CLOUDSTACK-10236: Enable dynamic roles for missing props
file
URL: https://github.com/apache/cloudstack/pull/2426
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
index 53c2340665f..20294d16518 100644
--- a/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
+++ b/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java
@@ -31,6 +31,7 @@
 import org.apache.log4j.Logger;
 
 import com.cloud.hypervisor.Hypervisor;
+import com.cloud.utils.PropertiesUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 public class Upgrade41000to41100 implements DbUpgrade {
@@ -65,10 +66,27 @@ public boolean supportsRollingUpgrade() {
 
     @Override
     public void performDataMigration(Connection conn) {
+        checkAndEnableDynamicRoles(conn);
         validateUserDataInBase64(conn);
         updateSystemVmTemplates(conn);
     }
 
+    private void checkAndEnableDynamicRoles(final Connection conn) {
+        final Map<String, String> apiMap = PropertiesUtil.processConfigFile(new String[]
{ "commands.properties" });
+        if (apiMap == null || apiMap.isEmpty()) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("No commands.properties file was found, enabling dynamic roles
by setting dynamic.apichecker.enabled to true if not already enabled.");
+            }
+            try (final PreparedStatement updateStatement = conn.prepareStatement("INSERT
INTO cloud.configuration (category, instance, name, default_value, value) VALUES ('Advanced',
'DEFAULT', 'dynamic.apichecker.enabled', 'false', 'true') ON DUPLICATE KEY UPDATE value='true'"))
{
+                updateStatement.executeUpdate();
+            } catch (SQLException e) {
+                LOG.error("Failed to set dynamic.apichecker.enabled to true, please run migrate-dynamicroles.py
script to manually migrate to dynamic roles.", e);
+            }
+        } else {
+            LOG.warn("Old commands.properties static checker is deprecated, please use migrate-dynamicroles.py
to migrate to dynamic roles. Refer http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/accounts.html#using-dynamic-roles");
+        }
+    }
+
     private void validateUserDataInBase64(Connection conn) {
         try (final PreparedStatement selectStatement = conn.prepareStatement("SELECT `id`,
`user_data` FROM `cloud`.`user_vm` WHERE `user_data` IS NOT NULL;");
              final ResultSet selectResultSet = selectStatement.executeQuery()) {
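Review bot: The switch to the dynamic role checker in `checkAndEnableDynamicRoles` is announced only at debug level, so with a default log configuration an upgrade that changes which component authorises API calls leaves no trace in the management log. I would drop the `LOG.isDebugEnabled()` guard and use `LOG.info("No commands.properties file was found, enabling dynamic roles by setting dynamic.apichecker.enabled to true.");`. As far as this hunk shows, the `apiMap == null || apiMap.isEmpty()` test also treats an empty or unreadable file the same as a missing one (`PropertiesUtil.processConfigFile` is not visible here), which deserves a one-line comment above the `if`. The trailing context lines belong to `validateUserDataInBase64`, whose body continues outside the hunk.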
diff --git a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index fc78268fc62..f3dc3a3b8d7 100644
--- a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -39,6 +39,7 @@
 
 // This is the default API access checker that grab's the user's account
 // based on the account type, access is granted
+@Deprecated
 public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
 
     protected static final Logger LOGGER = Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
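Review bot: The `@Deprecated` annotation on `StaticRoleBasedAPIAccessChecker` comes with no explanation, so a reader of this class does not learn what replaces it or how to move off it. The two `//` lines above the class could become a Javadoc block ending in a `@deprecated` tag that points to dynamic roles and the `migrate-dynamicroles.py` script, matching the warning the upgrade path logs. The class body continues outside the hunk.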
diff --git a/scripts/util/migrate-dynamicroles.py b/scripts/util/migrate-dynamicroles.py
index cbb83f91783..35dfe662513 100755
--- a/scripts/util/migrate-dynamicroles.py
+++ b/scripts/util/migrate-dynamicroles.py
@@ -55,6 +55,14 @@ def migrateApiRolePermissions(apis, conn):
             if (octetKey[role] & int(apis[api])) > 0:
                 runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`,
`rule`, `permission`, `sort_order`) values (UUID(), %d, '%s', 'ALLOW', %d);" % (role, api,
sortOrder))
                 sortOrder += 1
+    print("Static role permissions from commands.properties have been migrated into the db")
+
+
+def enableDynamicApiChecker(conn):
+    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'")
+    conn.commit()
+    conn.close()
+    print("Dynamic role based API checker has been enabled!")
 
 
 def main():
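Review bot: `enableDynamicApiChecker` prints "Dynamic role based API checker has been enabled!" unconditionally, but its `UPDATE` changes nothing when `cloud.configuration` has no `dynamic.apichecker.enabled` row, which is the case the Java upgrade in this same commit covers with `INSERT ... ON DUPLICATE KEY UPDATE value='true'`. Using the same upsert here, or checking the affected row count before printing, would keep the script from reporting success while the static checker is still in force; what `runSql` returns is not visible in this hunk. The function also closes a connection it was handed, so it should carry a docstring such as `"""Set dynamic.apichecker.enabled to true, commit, and close conn."""`.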
@@ -71,6 +79,8 @@ def main():
                         help="Host or IP of the MySQL server")
     parser.add_option("-f", "--properties-file", action="store", type="string", dest="commandsfile",
default="/etc/cloudstack/management/commands.properties",
                         help="The commands.properties file")
+    parser.add_option("-D", "--default", action="store_true", dest="defaultRules", default=False,
+                        help="")
     parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun", default=False,
                         help="Dry run and debug operations this tool will perform")
     (options, args) = parser.parse_args()
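Review bot: The new `-D`/`--default` option is registered with `help=""`, so `--help` lists the flag with no explanation even though it skips the commands.properties migration and switches the access checker. Suggest `help="Enable dynamic roles with the default role permissions, ignoring any commands.properties file"`. `main()` starts and ends outside this hunk.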
@@ -89,8 +99,14 @@ def main():
             port=int(options.port),
             db=options.db)
 
+    if options.defaultRules:
+        print("Applying the default role permissions, ignoring any provided properties files(s).")
+        enableDynamicApiChecker(conn)
+        sys.exit(0)
+
     if not os.path.isfile(options.commandsfile):
-        print("Provided commands.properties cannot be accessed or does not exist, please
check check permissions")
+        print("Provided commands.properties cannot be accessed or does not exist.")
+        print("Please check passed options, or run only with --default option to use the
default role permissions.")
         sys.exit(1)
 
     while True:
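Review bot: The `options.defaultRules` branch calls `enableDynamicApiChecker(conn)` and exits without consulting `options.dryrun`, so `--default --dryrun` may still commit the configuration change unless `runSql` itself honours dry-run, which this hunk does not show. An early `if options.dryrun:` inside the branch that prints what would be changed and exits would make the behaviour explicit. The printed text also has a typo: `files(s)` should read `file(s)`. `main()` starts and ends outside this hunk.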
@@ -122,15 +138,8 @@ def main():
 
     # Migrate rules from commands.properties to cloud.role_permissions
     migrateApiRolePermissions(apiMap, conn)
-    print("Static role permissions from commands.properties have been migrated into the db")
-
-    # Enable dynamic role based API checker
-    runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where name='dynamic.apichecker.enabled'")
-    conn.commit()
-    conn.close()
-
-    print("Dynamic role based API checker has been enabled!")
 
+    enableDynamicApiChecker(conn)
 
 if __name__ == '__main__':
     main()


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Unable to login to ACS after upgrading 4.5 -> 4.11 
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-10236
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10236
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.11.0.0
>            Reporter: Boris Stoyanov
>            Assignee: Rohit Yadav
>            Priority: Blocker
>             Fix For: 4.11.0.0
>
>
> I've upgraded my CentOS6 env from 4.5 to 4.11 and ended up not being able to login. I'm
getting 'Session expired' message right after I enter my admin username and password. Here's
the management log output: 
>  
> {code:java}
> 2018-01-17 13:07:47,383 DEBUG [c.c.u.AccountManagerImpl] (qtp1310540333-19:ctx-404c4037)
(logid:2d1dd5ba) Attempting to log in user: admin in domain 1
> 2018-01-17 13:07:47,389 DEBUG [o.a.c.s.a.PBKDF2UserAuthenticator] (qtp1310540333-19:ctx-404c4037)
(logid:2d1dd5ba) Retrieving user: admin
> 2018-01-17 13:07:48,248 DEBUG [c.c.u.AccountManagerImpl] (qtp1310540333-19:ctx-404c4037)
(logid:2d1dd5ba) CIDRs from which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]'
is allowed to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,249 DEBUG [c.c.u.AccountManagerImpl] (qtp1310540333-19:ctx-404c4037)
(logid:2d1dd5ba) User: admin in domain 1 has successfully logged in
> 2018-01-17 13:07:48,260 INFO [c.c.a.ApiServer] (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba)
Current user logged in under UTC timezone
> 2018-01-17 13:07:48,260 INFO [c.c.a.ApiServer] (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba)
Timezone offset from UTC is: 0.0
> 2018-01-17 13:07:48,267 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-404c4037) (logid:2d1dd5ba)
===END=== 10.1.0.1 – POST
> 2018-01-17 13:07:48,340 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-390d3282) (logid:b98a9144)
===START=== 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194514030
> 2018-01-17 13:07:48,349 DEBUG [c.c.a.ApiServer] (qtp1310540333-16:ctx-390d3282 ctx-0509900f)
(logid:b98a9144) CIDRs from which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]'
is allowed to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,372 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-390d3282 ctx-0509900f)
(logid:b98a9144) ===END=== 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194514030
> 2018-01-17 13:07:48,439 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-495f6fd0) (logid:67992211)
===START=== 10.1.0.1 – GET command=listZones&response=json&_=1516194514137
> 2018-01-17 13:07:48,449 DEBUG [c.c.a.ApiServer] (qtp1310540333-19:ctx-495f6fd0 ctx-606dcc84)
(logid:67992211) CIDRs from which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]'
is allowed to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,474 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-495f6fd0 ctx-606dcc84)
(logid:67992211) ===END=== 10.1.0.1 – GET command=listZones&response=json&_=1516194514137
> 2018-01-17 13:07:48,549 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-f2bcf13f) (logid:f73a6f0c)
===START=== 10.1.0.1 – GET command=cloudianIsEnabled&response=json&_=1516194514249
> 2018-01-17 13:07:48,556 DEBUG [c.c.a.ApiServer] (qtp1310540333-16:ctx-f2bcf13f ctx-3e6a3a41)
(logid:f73a6f0c) CIDRs from which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]'
is allowed to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,579 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-f2bcf13f ctx-3e6a3a41)
(logid:f73a6f0c) ===END=== 10.1.0.1 – GET command=cloudianIsEnabled&response=json&_=1516194514249
> 2018-01-17 13:07:48,645 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-560f926e) (logid:62a5cb2f)
===START=== 10.1.0.1 – GET command=quotaIsEnabled&response=json&_=1516194514343
> 2018-01-17 13:07:48,653 DEBUG [c.c.a.ApiServer] (qtp1310540333-19:ctx-560f926e ctx-c9a2914a)
(logid:62a5cb2f) CIDRs from which account 'Acct[3daa963c-fb6a-11e7-ae7e-06efa8010701-admin]'
is allowed to perform API calls: 0.0.0.0/0,::/0
> 2018-01-17 13:07:48,658 DEBUG [c.c.a.ApiServer] (qtp1310540333-19:ctx-560f926e ctx-c9a2914a)
(logid:62a5cb2f) The given command 'quotaIsEnabled' either does not exist, is not available
for user, or not available from ip address '/10.1.0.1'.
> 2018-01-17 13:07:48,660 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-560f926e ctx-c9a2914a)
(logid:62a5cb2f) ===END=== 10.1.0.1 – GET command=quotaIsEnabled&response=json&_=1516194514343
> 2018-01-17 13:07:48,738 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-9b8e4337) (logid:3c2cd5ee)
===START=== 10.1.0.1 – GET command=listProjectInvitations&response=json&state=Pending&_=1516194514436
> 2018-01-17 13:07:48,739 DEBUG [c.c.a.ApiServer] (qtp1310540333-16:ctx-9b8e4337 ctx-9814e0e7)
(logid:3c2cd5ee) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:48,741 DEBUG [c.c.a.ApiServlet] (qtp1310540333-20:ctx-a4668354) (logid:337ae399)
===START=== 10.1.0.1 – GET command=listProjects&response=json&accountId=3daaa51e-fb6a-11e7-ae7e-06efa8010701&listAll=true&page=1&pageSize=500&_=1516194514440
> 2018-01-17 13:07:48,742 DEBUG [c.c.a.ApiServer] (qtp1310540333-20:ctx-a4668354 ctx-b627f275)
(logid:337ae399) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:48,743 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-17bae500) (logid:1e7476c3)
===START=== 10.1.0.1 – GET command=listZones&response=json&_=1516194514435
> 2018-01-17 13:07:48,745 DEBUG [c.c.a.ApiServer] (qtp1310540333-19:ctx-17bae500 ctx-de5c59c7)
(logid:1e7476c3) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:48,745 DEBUG [c.c.a.ApiServlet] (qtp1310540333-20:ctx-a4668354 ctx-b627f275)
(logid:337ae399) ===END=== 10.1.0.1 – GET command=listProjects&response=json&accountId=3daaa51e-fb6a-11e7-ae7e-06efa8010701&listAll=true&page=1&pageSize=500&_=1516194514440
> 2018-01-17 13:07:48,741 DEBUG [c.c.a.ApiServlet] (qtp1310540333-16:ctx-9b8e4337 ctx-9814e0e7)
(logid:3c2cd5ee) ===END=== 10.1.0.1 – GET command=listProjectInvitations&response=json&state=Pending&_=1516194514436
> 2018-01-17 13:07:48,743 DEBUG [c.c.a.ApiServlet] (qtp1310540333-13:ctx-4605c852) (logid:3328fe07)
===START=== 10.1.0.1 – GET command=listRegions&response=json&_=1516194514439
> 2018-01-17 13:07:48,747 DEBUG [c.c.a.ApiServer] (qtp1310540333-13:ctx-4605c852 ctx-31295f73)
(logid:3328fe07) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:48,749 DEBUG [c.c.a.ApiServlet] (qtp1310540333-13:ctx-4605c852 ctx-31295f73)
(logid:3328fe07) ===END=== 10.1.0.1 – GET command=listRegions&response=json&_=1516194514439
> 2018-01-17 13:07:48,752 DEBUG [c.c.a.ApiServlet] (qtp1310540333-19:ctx-17bae500 ctx-de5c59c7)
(logid:1e7476c3) ===END=== 10.1.0.1 – GET command=listZones&response=json&_=1516194514435
> 2018-01-17 13:07:48,826 DEBUG [c.c.a.ApiServlet] (qtp1310540333-14:ctx-eaa9e2e9) (logid:4694b0ed)
===START=== 10.1.0.1 – GET command=listCaCertificate&response=json&_=1516194514527
> 2018-01-17 13:07:48,827 DEBUG [c.c.a.ApiServer] (qtp1310540333-14:ctx-eaa9e2e9 ctx-8ca6348b)
(logid:4694b0ed) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:48,828 DEBUG [c.c.a.ApiServlet] (qtp1310540333-14:ctx-eaa9e2e9 ctx-8ca6348b)
(logid:4694b0ed) ===END=== 10.1.0.1 – GET command=listCaCertificate&response=json&_=1516194514527
> 2018-01-17 13:07:49,451 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-3ae768fb) (logid:f282b164)
===START=== 10.1.0.1 – GET command=logout&response=json&_=1516194515151
> 2018-01-17 13:07:49,458 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-3ae768fb) (logid:f282b164)
===END=== 10.1.0.1 – GET command=logout&response=json&_=1516194515151
> 2018-01-17 13:07:50,152 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-54681ff2) (logid:728ae178)
===START=== 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194515849
> 2018-01-17 13:07:50,154 DEBUG [c.c.a.ApiServer] (qtp1310540333-18:ctx-54681ff2 ctx-1f30d250)
(logid:728ae178) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:50,157 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-54681ff2 ctx-1f30d250)
(logid:728ae178) ===END=== 10.1.0.1 – GET command=listCapabilities&response=json&_=1516194515849
> 2018-01-17 13:07:50,220 DEBUG [c.c.a.ApiServlet] (qtp1310540333-14:ctx-9ac0ae73) (logid:a44d0074)
===START=== 10.1.0.1 – GET command=listConfigurations&response=json&name=default.ui.page.size&_=1516194515919
> 2018-01-17 13:07:50,220 DEBUG [c.c.a.ApiServer] (qtp1310540333-14:ctx-9ac0ae73 ctx-5e4487a3)
(logid:a44d0074) Expired session, missing signature, or missing apiKey – ignoring request.
Signature: null, apiKey: null
> 2018-01-17 13:07:50,222 DEBUG [c.c.a.ApiServlet] (qtp1310540333-14:ctx-9ac0ae73 ctx-5e4487a3)
(logid:a44d0074) ===END=== 10.1.0.1 – GET command=listConfigurations&response=json&name=default.ui.page.size&_=1516194515919
> 2018-01-17 13:07:50,284 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-dcbc8682) (logid:c5813f96)
===START=== 10.1.0.1 – GET command=listIdps&response=json&_=1516194515984
> 2018-01-17 13:07:50,285 DEBUG [c.c.a.ApiServer] (qtp1310540333-18:ctx-dcbc8682 ctx-454308e2)
(logid:c5813f96) The given command listIdps either does not exist, is not available for user,
or not available from ip address '10.1.0.1'.
> 2018-01-17 13:07:50,285 DEBUG [c.c.a.ApiServlet] (qtp1310540333-18:ctx-dcbc8682 ctx-454308e2)
(logid:c5813f96) ===END=== 10.1.0.1 – GET command=listIdps&response=json&_=1516194515984
> 2018-01-17 13:07:50,567 DEBUG [c.c.c.ConsoleProxyManagerImpl] (consoleproxy-1:ctx-bf5139f9)
(logid:9aeed140) Zone 1 is not ready to launch console proxy yet
> 2018-01-17 13:07:50,625 DEBUG [o.a.c.s.SecondaryStorageManagerImpl] (secstorage-1:ctx-cfb5cf98)
(logid:55fc36ee) Zone 1 is not ready to launch secondary storage VM yet
> 2018-01-17 13:07:51,558 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-5:null)
(logid SeqA 2-2139: Processing Seq 2-2139: { Cmd , MgmtId: -1, via: 2, Ver: v1, Flags: 11,
[{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":1,"_loadInfo":"
> {\n \"connections\": []\n}
> ","wait":0}}] }
> 2018-01-17 13:07:51,567 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-5:null)
(logid SeqA 2-2139: Sending Seq 2-2139: { Ans: , MgmtId: 7626385590017, via: 2, Ver: v1, Flags:
100010, [{"com.cloud.agent.api.AgentControlAnswer":{"result":true,"wait":0}}] }{code}
>  
> Some details about the env: 
> Advanced zone 
>  1 kvm host on CentOS 6 
>  NFS storage 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
