api,server: allow project role-based api access

[shwstppr]

Description

Fixes #9071

Allows API access when the API is called with a project and ProjectRoleBasedApiAccessChecker allows it.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

With cmk,

(localcloud) 🐱 > set username admin
(localcloud) 🐱 > list projectroles projectid=b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270 
{
  "count": 1,
  "projectrole": [
    {
      "id": "3f79738e-d279-415d-8e08-655d714de4ef",
      "ispublic": true,
      "name": "TestRole",
      "projectid": "b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270"
    }
  ]
}
(localcloud) 🐱 > list projectrolepermissions projectroleid=3f79738e-d279-415d-8e08-655d714de4ef projectid=b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270 
{
  "count": 1,
  "projectrolepermission": [
    {
      "description": "",
      "id": "9406a1d9-28a5-40bb-84e4-cb14c7b995be",
      "permission": "allow",
      "projectid": "b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270",
      "projectroleid": "3f79738e-d279-415d-8e08-655d714de4ef",
      "projectrolename": "TestRole",
      "rule": "listRouters"
    }
  ]
}
(localcloud) 🐱 > list projectaccounts projectid=b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270 
{
  "count": 2,
  "projectaccount": [
    {
      "account": "user",
      "accountid": "d5a668bc-24d0-4b2b-ad3e-b76d33bfb8ad",
      "accounttype": 0,
      "domain": "ROOT",
      "domainid": "f5fbb046-168b-11ef-b711-a02942fcdd70",
      "project": "test",
      "projectid": "b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270",
      "projectroleid": "3f79738e-d279-415d-8e08-655d714de4ef",
      "role": "Regular",
      "user": [
        {
          "account": "user",
          "accountid": "d5a668bc-24d0-4b2b-ad3e-b76d33bfb8ad",
          "accounttype": 0,
          "created": "2024-05-20T15:53:48+0530",
          "domain": "ROOT",
          "domainid": "f5fbb046-168b-11ef-b711-a02942fcdd70",
          "email": "[email protected]",
          "firstname": "User",
          "id": "736c21b2-26ec-4286-ae5b-820a1162063b",
          "is2faenabled": false,
          "is2famandated": false,
          "iscallerchilddomain": false,
          "isdefault": false,
          "lastname": "User",
          "roleid": "02579f2d-168c-11ef-b711-a02942fcdd70",
          "rolename": "User",
          "roletype": "User",
          "state": "enabled",
          "username": "user",
          "usersource": "native"
        }
      ]
    },
    {
      "account": "admin",
      "accountid": "f5fc3642-168b-11ef-b711-a02942fcdd70",
      "accounttype": 1,
      "domain": "ROOT",
      "domainid": "f5fbb046-168b-11ef-b711-a02942fcdd70",
      "project": "test",
      "projectid": "b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270",
      "role": "Admin",
      "user": [
        {
          "account": "admin",
          "accountid": "f5fc3642-168b-11ef-b711-a02942fcdd70",
          "accounttype": 1,
          "apikey": "mvD2LzAcCAu8PeSv_JZ4EGWqF0yIM_OD6RAMyiuImQdDhKjSfMfR18RQeVaRvCEUBiflGFnLC5Z7Mqxt2Bu7uw",
          "created": "2024-05-20T20:33:05+0530",
          "domain": "ROOT",
          "domainid": "f5fbb046-168b-11ef-b711-a02942fcdd70",
          "email": "[email protected]",
          "firstname": "Admin",
          "id": "f5fcab99-168b-11ef-b711-a02942fcdd70",
          "is2faenabled": false,
          "is2famandated": false,
          "iscallerchilddomain": false,
          "isdefault": true,
          "lastname": "User",
          "roleid": "025770df-168c-11ef-b711-a02942fcdd70",
          "rolename": "Root Admin",
          "roletype": "Admin",
          "state": "enabled",
          "username": "admin",
          "usersource": "native"
        }
      ]
    }
  ]
}
(localcloud) 🐱 > set username user
(localcloud) 🐱 > list routers projectid=b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270 
{
  "count": 1,
  "router": [
    {
      "created": "2024-05-20T17:20:57+0530",
      "dns1": "10.147.28.6",
      "domain": "ROOT",
      "domainid": "f5fbb046-168b-11ef-b711-a02942fcdd70",
      "gateway": "192.168.2.1",
      "hasannotations": false,
      "healthchecksfailed": false,
      "hypervisor": "Simulator",
      "id": "81bf48cb-207b-440b-8eb1-ba369be5f4c3",
      "isredundantrouter": false,
      "linklocalip": "169.254.128.149",
      "linklocalmacaddress": "0e:00:a9:fe:80:95",
      "linklocalnetmask": "255.255.0.0",
      "linklocalnetworkid": "263e8962-4d06-49e8-8c4e-fba43795ce55",
      "name": "r-4-QA",
      "nic": [
        {
          "gateway": "169.254.0.1",
          "id": "b627bc47-a302-4604-be6c-ec01119fc28b",
          "ipaddress": "169.254.128.149",
          "isdefault": false,
          "macaddress": "0e:00:a9:fe:80:95",
          "netmask": "255.255.0.0",
          "networkid": "263e8962-4d06-49e8-8c4e-fba43795ce55",
          "traffictype": "Control"
        },
        {
          "broadcasturi": "vlan://50",
          "gateway": "192.168.2.1",
          "id": "0f4909b9-e8f8-4d3b-b41b-28c947bc4ced",
          "ipaddress": "192.168.2.4",
          "isdefault": true,
          "isolationuri": "vlan://50",
          "macaddress": "1e:00:40:00:00:ca",
          "mtu": 1500,
          "netmask": "255.255.255.0",
          "networkid": "279c5f4e-7751-4189-9e6f-681293ccf448",
          "traffictype": "Public"
        }
      ],
      "project": "test",
      "projectid": "b0e2ec2f-cd50-4c95-8f7a-6ccc3d828270",
      "publicip": "192.168.2.4",
      "publicmacaddress": "1e:00:40:00:00:ca",
      "publicnetmask": "255.255.255.0",
      "publicnetworkid": "279c5f4e-7751-4189-9e6f-681293ccf448",
      "redundantstate": "UNKNOWN",
      "requiresupgrade": false,
      "role": "VIRTUAL_ROUTER",
      "scriptsversion": "2e3cc644-1f77-48a1-8a71-d93ca4fa2b2a",
      "serviceofferingid": "a3813a41-847b-41da-8014-6d1ed82a5961",
      "serviceofferingname": "System Offering For Software Router",
      "softwareversion": "4.19.1.0",
      "state": "Running",
      "templateid": "50b16e30-1691-11ef-b711-a02942fcdd70",
      "templatename": "SystemVM Template (simulator)",
      "version": "4.10.0",
      "zoneid": "d6974a22-cfc5-4e25-b580-eb843fbc90b3",
      "zonename": "Sandbox-simulator"
    }
  ]
}

[codecov]

Codecov Report

Attention: Patch coverage is 65.21739% with 8 lines in your changes are missing coverage. Please review.

Project coverage is 14.96%. Comparing base (87e7c57) to head (91baba1).
Report is 5 commits behind head on 4.19.

Files	Patch %	Lines
...ain/java/org/apache/cloudstack/acl/APIChecker.java	0.00%	3 Missing ⚠️
...oudstack/acl/ProjectRoleBasedApiAccessChecker.java	0.00%	3 Missing ⚠️
server/src/main/java/com/cloud/api/ApiServer.java	88.23%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.19    #9090      +/-   ##
============================================
- Coverage     14.96%   14.96%   -0.01%     
+ Complexity    10995    10991       -4     
============================================
  Files          5373     5374       +1     
  Lines        469005   469045      +40     
  Branches      58953    60633    +1680     
============================================
- Hits          70198    70191       -7     
- Misses       391036   391086      +50     
+ Partials       7771     7768       -3     

Flag	Coverage Δ
uitests	4.31% <ø> (ø)
unittests	15.67% <65.21%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[shwstppr]

@rajujith @andrijapanicsb I've created this PR to allow API access for accounts within the project irrespective of their account role.
Though this would give them access to info which is otherwise not accessible to them.
The other option could be disallowing adding accounts to project with a projectrole which has higher access than their account role. (ie, testrole is a ProjectRole inside project which has listRouters API access. ACS will throw an error when project admin tries to add an account which has a role which doesn't have listRouters API access).

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9658

[DaanHoogland]

clgtm, nice unit-test but I think manual testing is needed anyway.

[DaanHoogland]

@blueorangutan test alma9 kvm-alma9 keepEnv

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (alma9 mgmt + kvm-alma9) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-10252)
Environment: kvm-alma9 (x2), Advanced Networking with Mgmt server a9
Total time taken: 50449 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9090-t10252-kvm-alma9.zip
Smoke tests completed. 129 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_events_resource	Error	428.95	test_events_resource.py
test_02_trigger_shutdown	Failure	341.41	test_safe_shutdown.py

[shwstppr]

This would need some discussions so moving to draft for now.

To support the use-case of elevating account privileges we may need to:

• either implement changes from this PR with restrictions on normal user/domain-admin account elevating privileges for another user/domain-admin account
• or allow changing role of an account admin should be allowed to elevate user from role User to Domain Admin #9015

cc @rajujith @andrijapanicsb @Pearl1594 @rohityadavcloud @DaanHoogland

[shwstppr]

This would need some discussions so moving to draft for now.

To support the use-case of elevating account privileges we may need to:

* either implement changes from this PR with restrictions on normal user/domain-admin account elevating privileges for another user/domain-admin account

* or allow changing role of an account [admin should be allowed to elevate user from role `User` to `Domain Admin` #9015](https://github.com/apache/cloudstack/issues/9015)

cc @rajujith @andrijapanicsb @Pearl1594 @rohityadavcloud @DaanHoogland

Based on the discussions, closing this and the behaviour will be documented

[sureshanaparti]

Doc PR: apache/cloudstack-documentation#403