@bernardodemarco
Member

Description

Currently, if an account with network permissions for guest networks is deleted, CloudStack does not automatically delete these permissions, and operators cannot delete them later through the APIs. The workaround for this scenario is to manually remove the permissions entries from the cloud.network_permissions table. Therefore, this PR proposes to clean up the network permissions of an account when it is deleted.

Additionally, when attempting to delete an account that is a project administrator, an error message is returned. This error message has been enhanced to include instructions on the next steps the operator should perform to properly delete the given account.


Fixes #10103

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Screenshots (if appropriate):

How Has This Been Tested?

First, I created a domain ROOT/d1, a domain admin (d1) and two regular users within it (u1 and u2). With the d1 account, I created a project and added the u1 account as a project administrator.

When attempting to delete the u1 account, an error message was returned, indicating that the account was a project administrator.

After demoting the account to a regular project role, I created two guest networks and granted permission to both u1 and u2 accounts.

MariaDB [cloud]> select * from network_permissions;
+----+------------+------------+
| id | network_id | account_id |
+----+------------+------------+
|  8 |        209 |         14 |
|  9 |        209 |         16 |
| 10 |        210 |         16 |
| 11 |        210 |         14 |
+----+------------+------------+
4 rows in set (0.001 sec)

Then, I deleted the u1 account, which has a serial ID equal to 16, and verified that the network permissions were correctly expunged:

MariaDB [cloud]> select * from network_permissions;
+----+------------+------------+
| id | network_id | account_id |
+----+------------+------------+
|  8 |        209 |         14 |
| 11 |        210 |         14 |
+----+------------+------------+
2 rows in set (0.001 sec)

I reproduced these same steps with the u2 account and verified that the network permissions were also correctly deleted.
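
An added example, not part of the PR or of CloudStack's code: a sketch of the audit an operator could run to find the stale network_permissions rows described above before removing them by hand. It uses an in-memory SQLite database as a stand-in for the cloud database; the account table's columns (id, account_name, removed) and the sample rows are assumptions constructed from the output above.

```python
import sqlite3

# Rows of network_permissions whose account no longer exists or is soft-deleted.
ORPHANS_SQL = """
SELECT np.id, np.network_id, np.account_id
FROM network_permissions np
LEFT JOIN account a ON a.id = np.account_id
WHERE a.id IS NULL OR a.removed IS NOT NULL
ORDER BY np.id
"""

def build_sample_db():
    """Constructed sample data: the four permission rows shown above, with
    account 16 marked as removed. The account columns are an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE account (id INTEGER PRIMARY KEY, account_name TEXT, removed TEXT);
        CREATE TABLE network_permissions (
            id INTEGER PRIMARY KEY, network_id INTEGER, account_id INTEGER);
        INSERT INTO account VALUES (14, 'u2', NULL), (16, 'u1', '2025-01-11 00:00:00');
        INSERT INTO network_permissions VALUES
            (8, 209, 14), (9, 209, 16), (10, 210, 16), (11, 210, 14);
    """)
    return db

def find_orphaned_permissions(db):
    return db.execute(ORPHANS_SQL).fetchall()

def purge_orphaned_permissions(db, dry_run=True):
    """Return the orphaned rows; delete them in one transaction unless dry_run."""
    orphans = find_orphaned_permissions(db)
    if orphans and not dry_run:
        with db:  # commits on success, rolls back on error
            db.executemany("DELETE FROM network_permissions WHERE id = ?",
                           [(row[0],) for row in orphans])
    return orphans

def remaining_permissions(db):
    return db.execute(
        "SELECT id, network_id, account_id FROM network_permissions ORDER BY id"
    ).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print("orphaned:", purge_orphaned_permissions(db, dry_run=True))
    purge_orphaned_permissions(db, dry_run=False)
    print("remaining:", remaining_permissions(db))
```

The dry run lists what would be deleted without touching the table, which gives a reviewable record before the cleanup is committed.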

@bernardodemarco
Member Author

@blueorangutan package

@blueorangutan

@bernardodemarco a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@codecov

codecov bot commented Jan 11, 2025

Codecov Report

Attention: Patch coverage is 42.10526% with 11 lines in your changes missing coverage. Please review.

Project coverage is 15.13%. Comparing base (afc95f1) to head (e63e07a).
Report is 6 commits behind head on 4.19.

Files with missing lines Patch % Lines
...oudstack/network/dao/NetworkPermissionDaoImpl.java 0.00% 10 Missing ⚠️
...c/main/java/com/cloud/user/AccountManagerImpl.java 88.88% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##               4.19   #10176   +/-   ##
=========================================
  Coverage     15.12%   15.13%           
- Complexity    11268    11270    +2     
=========================================
  Files          5408     5408           
  Lines        473954   473965   +11     
  Branches      57810    57810           
=========================================
+ Hits          71709    71716    +7     
- Misses       394231   394236    +5     
+ Partials       8014     8013    -1     
Flag Coverage Δ
uitests 4.30% <ø> (ø)
unittests 15.85% <42.10%> (+<0.01%) ⬆️


@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 12059

@DaanHoogland
Contributor

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm

Member

@weizhouapache weizhouapache left a comment

code lgtm

@blueorangutan

[SF] Trillian test result (tid-12095)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 52455 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10176-t12095-kvm-ol8.zip
Smoke tests completed. 132 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_02_list_cpvm_vm Failure 0.05 test_ssvm.py
test_04_cpvm_internals Failure 0.05 test_ssvm.py

@DaanHoogland
Contributor

verified in lab env

@DaanHoogland DaanHoogland merged commit 796bd4f into apache:4.19 Jan 15, 2025
25 checks passed
DaanHoogland added a commit that referenced this pull request Jan 20, 2025
* 4.20:
  Maintenance mode: Add host to deployment planner avoid list to fix local storage vm migration (#9892)
  Add project-user association normalization script to 4.20.1 upgrade (#10116)
  fix slider component for global settings of the range type (#10187)
  Clean up network permissions on account deletion (#10176)
rg9975 pushed a commit to rg9975/cloudstack that referenced this pull request Jan 31, 2025