server: control honouring internal IDs by old APIs

shwstppr · shwstppr · commit 77edb373a0d1 · 2025-11-04T17:52:30.000+05:30
Fixes #9684 Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java
@@ -348,6 +348,19 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
             , ConfigKey.Scope.Global, null, null, null, null, null, ConfigKey.Kind.Select,
             EnumSet.allOf(ApiSessionKeyCheckOption.class).stream().map(Enum::toString).collect(Collectors.joining(", ")));
 
+    public static final ConfigKey<Boolean> ApiDisallowInternalIds = new ConfigKey<>(
+            ConfigKey.CATEGORY_ADVANCED,
+            Boolean.class,
+            "api.disallow.internal.ids",
+            "false",
+            "When enabled, APIs will not honour requests containing internal database IDs. "
+                    + "Only UUIDs will be accepted as entity identifiers. "
+                    + "By default, internal IDs are still accepted for backward compatibility with pre-3.x APIs.",
+            true,
+            ConfigKey.Scope.Global
+    );
+
+
     @Override
     public boolean configure(final String name, final Map<String, Object> params) throws ConfigurationException {
         messageBus.subscribe(AsyncJob.Topics.JOB_EVENT_PUBLISH, MessageDispatcher.getDispatcher(this));
@@ -1685,7 +1698,8 @@ public ConfigKey<?>[] getConfigKeys() {
                 useForwardHeader,
                 listOfForwardHeaders,
                 ApiSessionKeyCookieSameSiteSetting,
-                ApiSessionKeyCheckLocations
+                ApiSessionKeyCheckLocations,
+                ApiDisallowInternalIds
         };
     }
 }
diff --git a/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/main/java/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -51,6 +51,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 
+import com.cloud.api.ApiServer;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
@@ -510,7 +511,7 @@ private Long translateUuidToInternalId(final String uuid, final Parameter annota
         }
         Long internalId = null;
         // If annotation's empty, the cmd existed before 3.x try conversion to long
-        final boolean isPre3x = annotation.since().isEmpty();
+        final boolean isPre3x = annotation.since().isEmpty() && !ApiServer.ApiDisallowInternalIds.value();
         // Match against Java's UUID regex to check if input is uuid string
         final boolean isUuid = UuidUtils.isUuid(uuid);
         // Enforce that it's uuid for newly added apis from version 3.x
