Github user rhtyd commented on the pull request:
https://github.com/apache/cloudstack/pull/1489#issuecomment-214276787
@koushik-das Yes, all tests run as a regular user too. See the integration
test, we're using user api clients (search self.getUserApiClient) to perform
tests -- i.e. tests are not run all as root admin only. What you're asking is
already covered, they are also run by Travis.
I'm sorry if the discussion confused you, please re-read FS again but let
me try to explain below as well;
By default, we don't want to encourage new users to use static checker
which is why dynamic-checker is enabled for developers/new-users. For this
reason the commands.properties.in file in codebase has been deprecated. In
packaging too, we're not including commands.properties file.
For existing deployments, we are *NOT* forcing users to migrate to the
dynamic roles feature and their existing commands.properties file won't be
renamed or removed during upgrade. Though, the upgrade path will add
dynamic-role specific tables/schema and default roles. There is an
upgrade/migrate script for such users who can migrate in future at their wish,
the script will read rules from commands.properties file and put them in DB.
Please read the admin docs too if they help you understand the process:
https://github.com/apache/cloudstack-docs-admin/pull/37
Now, once a users is already using dynamic checker (fresh or migrated at a
later stage), we don't want them to be easily able to migrate back to static
checker as allowing admin to do that with a global setting switch is a security
issue (sorry being pessimistic here). Therefore, we do two checks to evaluate
if dynamic roles is allowed:
- check if the global setting says that dynamic roles is enabled
- check that commands.properties does not exist
The reverse is true for static checker, see the isEnabled()/isDisabled
method in the checker implementation.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
