
server: simplify role change validation

Open shwstppr opened this issue 1 year ago • 26 comments

Description

Fixes #9015

Simplifies role change checks with the following conditions:

  • Caller should not be of Unknown role type
  • New role's type should not be Unknown
  • Caller should not be able to escalate or de-escalate an account's role which is of higher role type
  • New role should not be of type Admin with domain other than ROOT domain

Types of changes

  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] New feature (non-breaking change which adds functionality)
  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] Enhancement (improves an existing feature and functionality)
  • [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
  • [ ] build/CI

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • [ ] Major
  • [ ] Minor

Bug Severity

  • [ ] BLOCKER
  • [ ] Critical
  • [ ] Major
  • [ ] Minor
  • [ ] Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

shwstppr avatar Jun 05 '24 08:06 shwstppr

@blueorangutan package

shwstppr avatar Jun 05 '24 08:06 shwstppr

Codecov Report

Attention: Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.

Project coverage is 15.12%. Comparing base (ef1a58d) to head (690188c). Report is 10 commits behind head on 4.19.

Files with missing lines                                 Patch %   Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java    80.00%    1 Missing and 2 partials
Additional details and impacted files
@@            Coverage Diff            @@
##               4.19    #9173   +/-   ##
=========================================
  Coverage     15.12%   15.12%           
- Complexity    11255    11261    +6     
=========================================
  Files          5408     5408           
  Lines        473838   473844    +6     
  Branches      57770    57774    +4     
=========================================
+ Hits          71676    71687   +11     
+ Misses       394165   394157    -8     
- Partials       7997     8000    +3     
Flag         Coverage Δ
uitests      4.30%  <ø>       (ø)
unittests    15.84% <80.00%>  (+<0.01%)


codecov[bot] avatar Jun 05 '24 08:06 codecov[bot]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Jun 05 '24 08:06 blueorangutan

Packaging result [SF]: ✖️ el7 ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 9789

blueorangutan avatar Jun 05 '24 09:06 blueorangutan

@blueorangutan package

shwstppr avatar Jun 05 '24 09:06 shwstppr

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Jun 05 '24 09:06 blueorangutan

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9790

blueorangutan avatar Jun 05 '24 10:06 blueorangutan

@blueorangutan test

DaanHoogland avatar Jun 06 '24 07:06 DaanHoogland

@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

blueorangutan avatar Jun 06 '24 07:06 blueorangutan

[SF] Trillian test result (tid-10374)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 42525 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9173-t10374-kvm-centos7.zip
Smoke tests completed. 125 look OK, 6 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_DeployVmAntiAffinityGroup_in_project Error 85.90 test_affinity_groups_projects.py
test_DeployVmAntiAffinityGroup Error 35.64 test_affinity_groups.py
test_03_deploy_and_scale_kubernetes_cluster Failure 26.74 test_kubernetes_clusters.py
test_08_upgrade_kubernetes_ha_cluster Failure 0.06 test_kubernetes_clusters.py
test_01_non_strict_host_anti_affinity Failure 116.25 test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity Error 82.31 test_nonstrict_affinity_group.py
test_02_trigger_shutdown Failure 346.80 test_safe_shutdown.py
test_hostha_enable_ha_when_host_in_maintenance Error 302.83 test_hostha_kvm.py

blueorangutan avatar Jun 06 '24 19:06 blueorangutan

@DaanHoogland @rohityadavcloud Thanks for the review, but I'm not sure if we agree on the behaviour, which is why this is still in draft. I will try to summarise the impact of this change:

  • ROOT admin can promote or demote all roles, except when it tries to make a domain-admin from a subdomain an admin; there will be an error
  • Domain-admins (if allowed based on API permission) can promote or demote an account to roles lower than domain-admin level. They won't be able to make a normal user account into a domain-admin or vice-versa.
  • Normal user accounts (if allowed based on API permission) can promote or demote an account to roles lower than normal account level (probably none).

shwstppr avatar Jun 13 '24 07:06 shwstppr

Thanks @shwstppr

  • Domain-admins (if allowed based on API permission) can promote or demote an account to roles lower than domain-admin level. They won't be able to make a normal user account into domain-admin or vice-versa.

I would expect a Domain Admin to promote a user up to their own level.

  • Normal user accounts (if allowed based on API permission) can promote or demote an account to roles lower than normal account level (probably none).

Well, that means they can make other users read-only. I am not sure if this is desired.

DaanHoogland avatar Jun 13 '24 08:06 DaanHoogland

I would expect a Domain Admin to promote a user up to their own level.

I feel this shouldn't be allowed. It should be done by account with higher privileges, ROOT admin here. We can change if others agree on the same.

well, that mean they can make other users read only. I am not sure if this is desired.

No, they won't be able to. Check is based on the RoleType (https://github.com/apache/cloudstack/blob/4.19/api/src/main/java/org/apache/cloudstack/acl/RoleType.java#L30-L34). So, they won't be able to do anything even if API allows unless we add a new RoleType in the code.

shwstppr avatar Jun 13 '24 08:06 shwstppr

@blueorangutan package

shwstppr avatar Jul 22 '24 06:07 shwstppr

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Jul 22 '24 06:07 blueorangutan

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 10430

blueorangutan avatar Jul 22 '24 08:07 blueorangutan

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

github-actions[bot] avatar Aug 06 '24 17:08 github-actions[bot]

I would expect a Domain Admin to promote a user up to their own level.

I feel this shouldn't be allowed. It should be done by account with higher privileges, ROOT admin here. We can change if others agree on the same.

well, that mean they can make other users read only. I am not sure if this is desired.

No, they won't be able to. Check is based on the RoleType (https://github.com/apache/cloudstack/blob/4.19/api/src/main/java/org/apache/cloudstack/acl/RoleType.java#L30-L34). So, they won't be able to do anything even if API allows unless we add a new RoleType in the code.

Changed this to the suggested check, i.e., allow updating to the same level as the caller.

@blueorangutan package

shwstppr avatar Aug 22 '24 11:08 shwstppr
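The checks listed in the PR description, together with the later change to allow a caller to grant a role at its own level, can be modelled as a small standalone validator. The following is an added example written for this page, not CloudStack's AccountManagerImpl: the RoleType names follow RoleType.java, but the numeric privilege ranks (including ResourceAdmin sitting above DomainAdmin), the ROOT domain id, and all accounts and roles are constructed assumptions.

```python
"""
Model of the role-change validation discussed in this PR.
Example code, not CloudStack's own; assumptions are marked in comments.
"""
from dataclasses import dataclass
from enum import Enum


class RoleType(Enum):
    # Names follow RoleType.java. The int is an assumed privilege rank
    # (higher == more privileged), not CloudStack's bitmask values.
    Unknown = 0
    User = 1
    DomainAdmin = 2
    ResourceAdmin = 3  # assumed to rank between DomainAdmin and Admin
    Admin = 4


ROOT_DOMAIN_ID = 1  # assumption: id of the ROOT domain


@dataclass(frozen=True)
class Role:
    name: str
    role_type: RoleType


@dataclass(frozen=True)
class Account:
    name: str
    role: Role
    domain_id: int


class RoleChangeError(Exception):
    """Raised when a role change violates one of the checks."""


def validate_role_change(caller: Account, target: Account, new_role: Role) -> None:
    """Apply the checks from the PR description, with the later change that a
    caller may grant a role of the same type as its own. Raises on violation."""
    caller_type = caller.role.role_type
    if caller_type is RoleType.Unknown:
        raise RoleChangeError("caller's role type is Unknown")
    if new_role.role_type is RoleType.Unknown:
        raise RoleChangeError(f"new role {new_role.name!r} has Unknown role type")
    # The target account's current role must not outrank the caller.
    if target.role.role_type.value > caller_type.value:
        raise RoleChangeError(
            f"{caller.name} ({caller_type.name}) cannot change the role of "
            f"{target.name} ({target.role.role_type.name})")
    # The new role must not outrank the caller; equal rank is allowed.
    if new_role.role_type.value > caller_type.value:
        raise RoleChangeError(
            f"{caller.name} ({caller_type.name}) cannot grant {new_role.role_type.name}")
    # Admin-type roles may only be assigned to accounts in the ROOT domain.
    if new_role.role_type is RoleType.Admin and target.domain_id != ROOT_DOMAIN_ID:
        raise RoleChangeError(
            f"Admin role cannot be assigned in domain {target.domain_id} (not ROOT)")


def can_change_role(caller: Account, target: Account, new_role: Role) -> bool:
    """Boolean wrapper around validate_role_change for the scenarios below."""
    try:
        validate_role_change(caller, target, new_role)
    except RoleChangeError:
        return False
    return True


# Constructed sample roles and accounts (not taken from any CloudStack deployment).
ADMIN_ROLE = Role("Root Admin", RoleType.Admin)
DOMAIN_ADMIN_ROLE = Role("Domain Admin", RoleType.DomainAdmin)
USER_ROLE = Role("User", RoleType.User)
UNKNOWN_ROLE = Role("Legacy", RoleType.Unknown)

SUB_DOMAIN_ID = 42  # assumed id of a child domain
ROOT_ADMIN = Account("root-admin", ADMIN_ROLE, ROOT_DOMAIN_ID)
SUB_DOMAIN_ADMIN = Account("sub-dadmin", DOMAIN_ADMIN_ROLE, SUB_DOMAIN_ID)
SUB_USER = Account("sub-user", USER_ROLE, SUB_DOMAIN_ID)
LEGACY_CALLER = Account("legacy", UNKNOWN_ROLE, SUB_DOMAIN_ID)


def scenarios() -> dict:
    """The cases discussed in the thread, as description -> allowed?"""
    return {
        "root admin demotes sub-domain admin to User":
            can_change_role(ROOT_ADMIN, SUB_DOMAIN_ADMIN, USER_ROLE),
        "root admin makes sub-domain admin an Admin":
            can_change_role(ROOT_ADMIN, SUB_DOMAIN_ADMIN, ADMIN_ROLE),
        "domain admin promotes user to Domain Admin":
            can_change_role(SUB_DOMAIN_ADMIN, SUB_USER, DOMAIN_ADMIN_ROLE),
        "domain admin promotes user to Admin":
            can_change_role(SUB_DOMAIN_ADMIN, SUB_USER, ADMIN_ROLE),
        "domain admin demotes root admin":
            can_change_role(SUB_DOMAIN_ADMIN, ROOT_ADMIN, USER_ROLE),
        "unknown-type caller changes a user":
            can_change_role(LEGACY_CALLER, SUB_USER, USER_ROLE),
    }


if __name__ == "__main__":
    for desc, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {desc}")
```

The type-rank comparison is only the second gate: in CloudStack the API permission of the caller's role decides whether the update call is reachable at all, which is why the thread keeps qualifying each case with "if allowed based on API permission".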

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Aug 22 '24 12:08 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 10752

blueorangutan avatar Aug 22 '24 13:08 blueorangutan

@blueorangutan package

DaanHoogland avatar Sep 18 '24 10:09 DaanHoogland

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Sep 18 '24 10:09 blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11144

blueorangutan avatar Sep 18 '24 11:09 blueorangutan

@blueorangutan test

DaanHoogland avatar Sep 18 '24 12:09 DaanHoogland

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

blueorangutan avatar Sep 18 '24 12:09 blueorangutan

[SF] Trillian test result (tid-11512)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 46532 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9173-t11512-kvm-ol8.zip
Smoke tests completed. 133 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

blueorangutan avatar Sep 19 '24 02:09 blueorangutan

@shwstppr , do we still have functional doubts on the current state of the code? (or can we postpone further discussion to a next issue/PR)

DaanHoogland avatar Nov 08 '24 15:11 DaanHoogland

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

github-actions[bot] avatar Dec 04 '24 07:12 github-actions[bot]

@DaanHoogland I think this is okay from my side, but it will need some testing.

@blueorangutan package

shwstppr avatar Dec 04 '24 07:12 shwstppr

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

blueorangutan avatar Dec 04 '24 07:12 blueorangutan