Hi Daan.
Thanks.
I tried the -d option (dryrun). Seems like it don't accept my "y"...(?)
I get the same error when running without -d
:~# python /usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py -u
cloud -p * -H * -P * -f /etc/cloudstack/management/commands.properties -d
Apache CloudStack Role Permission Migration Tool
(c) Apache CloudStack Authors and the ASF, under the Apache License, Version 2.0
Running this migration tool will remove any default-role permissions from
cloud.role_permissions. Do you want to continue? [y/N]y
Traceback (most recent call last):
File "/usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py",
line 145, in <module>
main()
File "/usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py",
line 115, in main
"Do you want to continue? [y/N]").lower()
File "<string>", line 1, in <module>
NameError: name 'y' is not defined
:~#
This is migrate-dynamicroles.py file:
Line 115: "Do you want to continue? [y/N]").lower()
Line 145: main()
#############################
cat /usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import os
import sys
import uuid
from contextlib import closing
from optparse import OptionParser
try:
import mysql.connector
except ImportError:
print("mysql.connector cannot be imported, please install
mysql-connector-python")
sys.exit(1)
dryrun = False
def runSql(conn, query):
if dryrun:
print("Running SQL query: " + query)
return
with closing(conn.cursor()) as cursor:
cursor.execute(query)
def migrateApiRolePermissions(apis, conn):
# All allow for root admin role Admin(id:1)
runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`, `role_id`,
`rule`, `permission`, `sort_order`) values (UUID(), 1, '*', 'ALLOW', 0);")
# Migrate rules based on commands.properties rule for ResourceAdmin(id:2),
DomainAdmin(id:3), User(id:4)
octetKey = {2:2, 3:4, 4:8}
for role in [2, 3, 4]:
sortOrder = 0
for api in sorted(apis.keys()):
# Ignore auth commands
if api in ['login', 'logout', 'samlSso', 'samlSlo', 'listIdps',
'listAndSwitchSamlAccount', 'getSPMetadata']:
continue
if (octetKey[role] & int(apis[api])) > 0:
runSql(conn, "INSERT INTO `cloud`.`role_permissions` (`uuid`,
`role_id`, `rule`, `permission`, `sort_order`) values (UUID(), %d, '%s',
'ALLOW', %d);" % (role, api, sortOrder))
sortOrder += 1
print("Static role permissions from commands.properties have been migrated
into the db")
def enableDynamicApiChecker(conn):
runSql(conn, "UPDATE `cloud`.`configuration` SET value='true' where
name='dynamic.apichecker.enabled'")
conn.commit()
conn.close()
print("Dynamic role based API checker has been enabled!")
def main():
parser = OptionParser()
parser.add_option("-b", "--db", action="store", type="string", dest="db",
default="cloud",
help="The name of the database, default: cloud")
parser.add_option("-u", "--user", action="store", type="string",
dest="user", default="cloud",
help="User name a MySQL user with privileges on cloud
database")
parser.add_option("-p", "--password", action="store", type="string",
dest="password", default="cloud",
help="Password of a MySQL user with privileges on cloud
database")
parser.add_option("-H", "--host", action="store", type="string",
dest="host", default="127.0.0.1",
help="Host or IP of the MySQL server")
parser.add_option("-P", "--port", action="store", type="int", dest="port",
default=3306,
help="Host or IP of the MySQL server")
parser.add_option("-f", "--properties-file", action="store", type="string",
dest="commandsfile", default="/etc/cloudstack/management/commands.properties",
help="The commands.properties file")
parser.add_option("-D", "--default", action="store_true",
dest="defaultRules", default=False,
help="")
parser.add_option("-d", "--dryrun", action="store_true", dest="dryrun",
default=False,
help="Dry run and debug operations this tool will
perform")
(options, args) = parser.parse_args()
print("Apache CloudStack Role Permission Migration Tool")
print("(c) Apache CloudStack Authors and the ASF, under the Apache License,
Version 2.0\n")
global dryrun
if options.dryrun:
dryrun = True
conn = mysql.connector.connect(
host=options.host,
user=options.user,
passwd=options.password,
port=int(options.port),
db=options.db)
if options.defaultRules:
print("Applying the default role permissions, ignoring any provided
properties files(s).")
enableDynamicApiChecker(conn)
sys.exit(0)
if not os.path.isfile(options.commandsfile):
print("Provided commands.properties cannot be accessed or does not
exist.")
print("Please check passed options, or run only with --default option
to use the default role permissions.")
sys.exit(1)
while True:
choice = input("Running this migration tool will remove any " +
"default-role permissions from
cloud.role_permissions. " +
"Do you want to continue? [y/N]").lower()
if choice == 'y':
break
else:
print("Aborting!")
sys.exit(1)
# Generate API to permission octet map
apiMap = {}
with open(options.commandsfile) as f:
for line in f.readlines():
if not line or line == '' or line == '\n' or line == '\r\n' or
line.startswith('#'):
continue
name, value = line.split('=')
apiMap[name.strip()] = value.strip().split(';')[-1]
# Rename and deprecate old commands.properties file
if not dryrun:
os.rename(options.commandsfile, options.commandsfile + '.deprecated')
print("The commands.properties file has been deprecated and moved at: " +
options.commandsfile + '.deprecated')
# Truncate any rules in cloud.role_permissions table
runSql(conn, "DELETE FROM `cloud`.`role_permissions` WHERE `role_id` in
(1,2,3,4);")
# Migrate rules from commands.properties to cloud.role_permissions
migrateApiRolePermissions(apiMap, conn)
enableDynamicApiChecker(conn)
if __name__ == '__main__':
main()
David Larsen
-----Opprinnelig melding-----
Fra: Daan Hoogland <[email protected]>
Sendt: onsdag 6. oktober 2021 10.29
Til: users <[email protected]>
Emne: Re: Dynamic Roles and user roles in command.properties
David,
Only createSnapshotFromVMSnapshot and moveNetworkAclItem, does explain that
users can not log in, after logging in a lot of list* APIs are executed.
The roles you have, are the default set of roles and the "User" should contain
all that is needed to have a normal log on working.
I have no idea why and how the conversion failed, but at least all entries with
=15 should be in that role and then probably some new APIs as well.
I didn't quite get if "root admin" can log in fine, for them there should be an
entry * - allow.
I think you have three options:
- 1. debug the conversion script
- 2. install a clean sheet ACS in a test env and copy the roles data from that
- 3. do the thing you so dread (sorry) and fill the entries in the DB
maybe a combination of the three will work as well.
regards,
On Wed, Oct 6, 2021 at 9:46 AM David Larsen <[email protected]> wrote:
> Hi Daan.
>
> Our complete commands.properties are listed below. I have never
> changed it.
>
> When I tried the migrate script with the -D option, no user can log in
> completely. After they log in, it shows "Discovering features..." or
> something like that... Don't remember the exact words.
> Global Admin users have full access.
>
> When I look into the Roles section in Cloudstack, user role has two
> rules:
> createSnapshotFromVMSnapshot - allow
> moveNetworkAclItem - allow
>
>
> If the migrate script don't work, what are my options?
> Do I have to go through the commands.properties file and add every
> dynamic roles manually?
> Hope not...
>
> From the roles section in Cloudstack, I have these roles:
> Root Admin
> Resource Admin
> Domain Admin
> User
> Read-Only Admin - Default
> Read-Only User - Default
> Support Admin - Default
> Support User - Default
>
> Any default ruleset available for the different roles
>
> ###########################
>
> cat /etc/cloudstack/management/commands.properties
> # Licensed to the Apache Software Foundation (ASF) under one # or more
> contributor license agreements. See the NOTICE file # distributed
> with this work for additional information # regarding copyright
> ownership. The ASF licenses this file # to you under the Apache
> License, Version 2.0 (the # "License"); you may not use this file
> except in compliance # with the License. You may obtain a copy of the
> License at #
> #
> https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.apache.org%2Flicenses%2FLICENSE-2.0&data=04%7C01%7C%7C5077f4bdb3b044a75c0508d988a36a5b%7C1dd023eed2894f208926463c9b991b5f%7C1%7C1%7C637691057723071240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=38BYAOTCdzqPv5DE93kYCY7dvd5s1m2WgP0WJqnPaDc%3D&reserved=0
> #
> # Unless required by applicable law or agreed to in writing, #
> software distributed under the License is distributed on an # "AS IS"
> BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express
> or implied. See the License for the # specific language governing
> permissions and limitations # under the License.
>
> ### bitmap of permissions at the end of each classname, 1 = ADMIN, 2 =
> RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER ### Please
> standardize naming conventions to camel-case (even for acronyms).
>
> ### CloudStack authentication commands
> login=15
> logout=15
>
> ### SAML SSO/SLO commands
> samlSso=15
> samlSlo=15
> getSPMetadata=15
> listIdps=15
> authorizeSamlSso=7
> listSamlAuthorization=7
> listAndSwitchSamlAccount=15
>
> ### Account commands
> createAccount=7
> deleteAccount=7
> updateAccount=7
> disableAccount=7
> enableAccount=7
> lockAccount=7
> listAccounts=15
> markDefaultZoneForAccount=1
>
> #### User commands
> createUser=7
> deleteUser=7
> updateUser=15
> listUsers=15
> lockUser=7
> disableUser=7
> enableUser=7
> getUser=1
>
> #### Domain commands
> createDomain=1
> updateDomain=1
> deleteDomain=1
> listDomains=7
> listDomainChildren=7
>
> ####Cloud Identifier commands
> getCloudIdentifier=15
>
> #### Limit commands
> updateResourceLimit=7
> updateResourceCount=7
> listResourceLimits=15
>
> #### VM commands
> deployVirtualMachine=15
> destroyVirtualMachine=15
> rebootVirtualMachine=15
> startVirtualMachine=15
> stopVirtualMachine=15
> resetPasswordForVirtualMachine=15
> resetSSHKeyForVirtualMachine=15
> updateVirtualMachine=15
> listVirtualMachines=15
> getVMPassword=15
> restoreVirtualMachine=15
> changeServiceForVirtualMachine=15
> scaleVirtualMachine=15
> assignVirtualMachine=7
> migrateVirtualMachine=1
> migrateVirtualMachineWithVolume=1
> recoverVirtualMachine=15
> expungeVirtualMachine=15
> getVirtualMachineUserData=15
>
> #### snapshot commands
> createSnapshot=15
> listSnapshots=15
> deleteSnapshot=15
> createSnapshotPolicy=15
> updateSnapshotPolicy=15
> deleteSnapshotPolicies=15
> listSnapshotPolicies=15
> revertSnapshot=15
>
> #### template commands
> createTemplate=15
> registerTemplate=15
> updateTemplate=15
> copyTemplate=15
> deleteTemplate=15
> listTemplates=15
> updateTemplatePermissions=15
> listTemplatePermissions=15
> extractTemplate=15
> prepareTemplate=1
>
> #### iso commands
> attachIso=15
> detachIso=15
> listIsos=15
> registerIso=15
> updateIso=15
> deleteIso=15
> copyIso=15
> updateIsoPermissions=15
> listIsoPermissions=15
> extractIso=15
>
> #### guest OS commands
> listOsTypes=15
> listOsCategories=15
> addGuestOs=1
> updateGuestOs=1
> removeGuestOs=1
>
> #### guest OS mapping commands
> listGuestOsMapping=1
> addGuestOsMapping=1
> updateGuestOsMapping=1
> removeGuestOsMapping=1
>
> #### service offering commands
> createServiceOffering=7
> deleteServiceOffering=7
> updateServiceOffering=7
> listServiceOfferings=15
>
> #### disk offering commands
> createDiskOffering=7
> updateDiskOffering=7
> deleteDiskOffering=7
> listDiskOfferings=15
>
> #### vlan commands
> createVlanIpRange=1
> deleteVlanIpRange=1
> listVlanIpRanges=1
> dedicatePublicIpRange=1
> releasePublicIpRange=1
> dedicateGuestVlanRange=1
> releaseDedicatedGuestVlanRange=1
> listDedicatedGuestVlanRanges=1
>
> #### address commands
> associateIpAddress=15
> disassociateIpAddress=15
> listPublicIpAddresses=15
> updateIpAddress=15
>
> #### firewall commands
> listPortForwardingRules=15
> createPortForwardingRule=15
> deletePortForwardingRule=15
> updatePortForwardingRule=15
>
> #### NAT commands
> enableStaticNat=15
> createIpForwardingRule=15
> deleteIpForwardingRule=15
> listIpForwardingRules=15
> disableStaticNat=15
>
> #### load balancer commands
> createLoadBalancerRule=15
> deleteLoadBalancerRule=15
> removeFromLoadBalancerRule=15
> assignToLoadBalancerRule=15
> createLBStickinessPolicy=15
> updateLBStickinessPolicy=15
> deleteLBStickinessPolicy=15
> listLoadBalancerRules=15
> listLBStickinessPolicies=15
> listLBHealthCheckPolicies=15
> createLBHealthCheckPolicy=15
> updateLBHealthCheckPolicy=15
> deleteLBHealthCheckPolicy=15
> listLoadBalancerRuleInstances=15
> updateLoadBalancerRule=15
>
> ##### SSL offload commands
>
> uploadSslCert=15
> deleteSslCert=15
> listSslCerts=15
> assignCertToLoadBalancer=15
> removeCertFromLoadBalancer=15
>
> #### autoscale commands
> createCounter=1
> createCondition=15
> createAutoScalePolicy=15
> createAutoScaleVmProfile=15
> createAutoScaleVmGroup=15
> deleteCounter=1
> deleteCondition=15
> deleteAutoScalePolicy=15
> deleteAutoScaleVmProfile=15
> deleteAutoScaleVmGroup=15
> listCounters=15
> listConditions=15
> listAutoScalePolicies=15
> listAutoScaleVmProfiles=15
> listAutoScaleVmGroups=15
> enableAutoScaleVmGroup=15
> disableAutoScaleVmGroup=15
> updateAutoScalePolicy=15
> updateAutoScaleVmProfile=15
> updateAutoScaleVmGroup=15
>
> #### router commands
> startRouter=7
> rebootRouter=7
> stopRouter=7
> destroyRouter=7
> changeServiceForRouter=7
> listRouters=7
> listVirtualRouterElements=7
> configureVirtualRouterElement=7
> createVirtualRouterElement=7
> upgradeRouterTemplate=1
>
> #### system vm commands
> startSystemVm=1
> rebootSystemVm=1
> stopSystemVm=1
> destroySystemVm=1
> listSystemVms=3
> migrateSystemVm=1
> changeServiceForSystemVm=1
> scaleSystemVm=1
>
> #### configuration commands
> updateConfiguration=1
> listConfigurations=1
> listCapabilities=15
> listDeploymentPlanners=1
> cleanVMReservations=1
>
> #### pod commands
> createPod=1
> updatePod=1
> deletePod=1
> listPods=3
>
> #### zone commands
> createZone=1
> updateZone=1
> deleteZone=1
> listZones=15
>
> #### events commands
> listEvents=15
> listEventTypes=15
> archiveEvents=15
> deleteEvents=15
>
> #### alerts commands
> listAlerts=3
> archiveAlerts=1
> deleteAlerts=1
> generateAlert=1
>
> #### system capacity commands
> listCapacity=3
>
> #### swift commands
> addSwift=1
> listSwifts=1
>
> #### image store commands
> addImageStore=1
> addImageStoreS3=1
> listImageStores=1
> deleteImageStore=1
> createSecondaryStagingStore=1
> listSecondaryStagingStores=1
> deleteSecondaryStagingStore=1
> updateCloudToUseObjectStore=1
>
> #### host commands
> addHost=3
> addCluster=1
> deleteCluster=1
> updateCluster=1
> reconnectHost=1
> updateHost=1
> deleteHost=3
> prepareHostForMaintenance=1
> cancelHostMaintenance=1
> listHosts=3
> listHostTags=7
> findHostsForMigration=1
> addSecondaryStorage=1
> updateHostPassword=1
> releaseHostReservation=1
>
> #### VmWare DC
> addVmwareDc=1
> removeVmwareDc=1
> listVmwareDcs=1
>
> #### volume commands
> attachVolume=15
> uploadVolume=15
> detachVolume=15
> createVolume=15
> deleteVolume=15
> listVolumes=15
> extractVolume=15
> migrateVolume=15
> resizeVolume=15
> updateVolume=1
>
> #### registration command: FIXME -- this really should be something
> in management server that
> #### generates a new key for the user and
> they just have to
> #### use that key...the key is stored in
> the db associated w/
> #### the userId...every request to the
> developer API should be
> #### checked against the key
> registerUserKeys=15
>
> ### async-query command
> queryAsyncJobResult=15
> listAsyncJobs=15
>
> #### storage pools commands
> listStoragePools=3
> listStorageProviders=3
> listStorageTags=7
> createStoragePool=1
> updateStoragePool=1
> deleteStoragePool=1
> listClusters=3
> enableStorageMaintenance=1
> cancelStorageMaintenance=1
> findStoragePoolsForMigration=1
>
> #### security group commands
> createSecurityGroup=15
> deleteSecurityGroup=15
> authorizeSecurityGroupIngress=15
> revokeSecurityGroupIngress=15
> authorizeSecurityGroupEgress=15
> revokeSecurityGroupEgress=15
> listSecurityGroups=15
>
> #### vm group commands
> createInstanceGroup=15
> deleteInstanceGroup=15
> updateInstanceGroup=15
> listInstanceGroups=15
>
> ### Certificate commands
> uploadCustomCertificate=1
>
> ### other commands
> listHypervisors=15
>
> ### VPN
> createRemoteAccessVpn=15
> deleteRemoteAccessVpn=15
> listRemoteAccessVpns=15
> updateRemoteAccessVpn=15
>
>
> addVpnUser=15
> removeVpnUser=15
> listVpnUsers=15
>
> #### network offering commands
> createNetworkOffering=1
> updateNetworkOffering=1
> deleteNetworkOffering=1
> listNetworkOfferings=15
>
> #### network commands
> createNetwork=15
> deleteNetwork=15
> listNetworks=15
> restartNetwork=15
> updateNetwork=15
>
> #### nic commands ####
> addNicToVirtualMachine=15
> removeNicFromVirtualMachine=15
> updateDefaultNicForVirtualMachine=15
>
> ####
> addIpToNic=15
> removeIpFromNic=15
> updateVmNicIp=15
> listNics=15
>
> #### SSH key pair commands
> registerSSHKeyPair=15
> createSSHKeyPair=15
> deleteSSHKeyPair=15
> listSSHKeyPairs=15
>
> #### Projects commands
> createProject=15
> deleteProject=15
> updateProject=15
> activateProject=15
> suspendProject=15
> listProjects=15
> addAccountToProject=15
> deleteAccountFromProject=15
> listProjectAccounts=15
> listProjectInvitations=15
> updateProjectInvitation=15
> deleteProjectInvitation=15
>
> ####
> createFirewallRule=15
> deleteFirewallRule=15
> listFirewallRules=15
> updateFirewallRule=15
>
> ####
> createEgressFirewallRule=15
> deleteEgressFirewallRule=15
> listEgressFirewallRules=15
> updateEgressFirewallRule=15
>
> #### hypervisor capabilities commands
> updateHypervisorCapabilities=1
> listHypervisorCapabilities=1
>
> #### Physical Network commands
> createPhysicalNetwork=1
> deletePhysicalNetwork=1
> listPhysicalNetworks=1
> updatePhysicalNetwork=1
>
> #### Physical Network Service Provider commands
> listSupportedNetworkServices=1
> addNetworkServiceProvider=1
> deleteNetworkServiceProvider=1
> listNetworkServiceProviders=1
> updateNetworkServiceProvider=1
>
> #### Physical Network Traffic Type commands
> addTrafficType=1
> deleteTrafficType=1
> listTrafficTypes=1
> updateTrafficType=1
> listTrafficTypeImplementors=1
>
> #### Storage Network commands
> createStorageNetworkIpRange=1
> deleteStorageNetworkIpRange=1
> listStorageNetworkIpRange=1
> updateStorageNetworkIpRange=1
>
> ### Network Devices commands
> addNetworkDevice=1
> listNetworkDevice=1
> deleteNetworkDevice=1
>
> ### VPC commands
> createVPC=15
> listVPCs=15
> deleteVPC=15
> updateVPC=15
> restartVPC=15
>
> #### VPC offering commands
> createVPCOffering=1
> updateVPCOffering=1
> deleteVPCOffering=1
> listVPCOfferings=15
>
> #### Private gateway commands
> createPrivateGateway=1
> listPrivateGateways=15
> deletePrivateGateway=1
>
> #### Network ACL commands
> createNetworkACL=15
> updateNetworkACLItem=15
> deleteNetworkACL=15
> listNetworkACLs=15
> createNetworkACLList=15
> deleteNetworkACLList=15
> replaceNetworkACLList=15
> listNetworkACLLists=15
> updateNetworkACLList=15
>
>
> #### Static route commands
> createStaticRoute=15
> deleteStaticRoute=15
> listStaticRoutes=15
>
> #### Tags commands
> createTags=15
> deleteTags=15
> listTags=15
>
> #### Meta Data commands
> addResourceDetail=1
> removeResourceDetail=1
> listResourceDetails=15
>
> ### Site-to-site VPN commands
> createVpnCustomerGateway=15
> createVpnGateway=15
> createVpnConnection=15
> deleteVpnCustomerGateway=15
> deleteVpnGateway=15
> deleteVpnConnection=15
> updateVpnCustomerGateway=15
> resetVpnConnection=15
> listVpnCustomerGateways=15
> listVpnGateways=15
> listVpnConnections=15
> updateVpnConnection=15
> updateVpnGateway=15
>
> #### router commands
> createVirtualRouterElement=7
> configureVirtualRouterElement=7
> listVirtualRouterElements=7
>
> #### ovs commands
> createOvsElement=7
> configureOvsElement=7
> listOvsElements=7
>
> #### usage commands
> generateUsageRecords=1
> listUsageRecords=7
> listUsageTypes=1
> removeRawUsageRecords=1
>
> #### traffic monitor commands
> addTrafficMonitor=1
> deleteTrafficMonitor=1
> listTrafficMonitors=1
>
> #### Cisco Nexus 1000v Virtual Supervisor Module (VSM) commands
> deleteCiscoNexusVSM=1
> enableCiscoNexusVSM=1
> disableCiscoNexusVSM=1
> listCiscoNexusVSMs=1
>
> #### f5 big ip load balancer commands
>
> #Deprecated commands
> addExternalLoadBalancer=1
> deleteExternalLoadBalancer=1
> listExternalLoadBalancers=1
>
> addF5LoadBalancer=1
> configureF5LoadBalancer=1
> deleteF5LoadBalancer=1
> listF5LoadBalancers=1
> listF5LoadBalancerNetworks=1
>
> #### juniper srx firewall commands
> addExternalFirewall=1
> deleteExternalFirewall=1
> listExternalFirewalls=1
>
> addSrxFirewall=1
> deleteSrxFirewall=1
> configureSrxFirewall=1
> listSrxFirewalls=1
> listSrxFirewallNetworks=1
>
> #### Palo Alto firewall commands
> addPaloAltoFirewall=1
> deletePaloAltoFirewall=1
> configurePaloAltoFirewall=1
> listPaloAltoFirewalls=1
> listPaloAltoFirewallNetworks=1
>
> ####Netapp integration commands
> createVolumeOnFiler=15
> destroyVolumeOnFiler=15
> listVolumesOnFiler=15
> createLunOnFiler=15
> destroyLunOnFiler=15
> listLunsOnFiler=15
> associateLun=15
> dissociateLun=15
> createPool=15
> deletePool=15
> modifyPool=15
> listPools=15
>
> #### netscaler load balancer commands
> addNetscalerLoadBalancer=1
> deleteNetscalerLoadBalancer=1
> configureNetscalerLoadBalancer=1
> listNetscalerLoadBalancers=1
> listNetscalerLoadBalancerNetworks=1
>
> #### nicira nvp commands
>
> addNiciraNvpDevice=1
> deleteNiciraNvpDevice=1
> listNiciraNvpDevices=1
> listNiciraNvpDeviceNetworks=1
>
> # Not implemented (yet)
> #configureNiciraNvpDevice=1
>
> #### brocade vcs commands
>
> addBrocadeVcsDevice=1
> deleteBrocadeVcsDevice=1
> listBrocadeVcsDevices=1
> listBrocadeVcsDeviceNetworks=1
>
> #### bigswitch bcf commands
>
> addBigSwitchBcfDevice=1
> deleteBigSwitchBcfDevice=1
> listBigSwitchBcfDevices=1
>
> #### stratosphere ssp commands
>
> addStratosphereSsp=1
> deleteStratoshereSsp=1
>
> #### nuage vsp commands
>
> addNuageVspDevice=1
> updateNuageVspDevice=1
> deleteNuageVspDevice=1
> listNuageVspDevices=1
> issueNuageVspResourceRequest=15
>
> #### host simulator commands
>
> configureSimulator=1
> querySimulatorMock=1
> cleanupSimulatorMock=1
>
> #### api discovery commands
>
> listApis=15
>
> #### API Rate Limit service command
>
> getApiLimit=15
> resetApiLimit=1
>
> #### API SolidFire Service Command
> getSolidFireAccountId=15
> getSolidFireVolumeSize=15
> getSolidFireVolumeAccessGroupId=15
> getSolidFireVolumeIscsiName=15
>
> #### Region commands
> addRegion=1
> updateRegion=1
> removeRegion=1
> listRegions=15
>
> #### GSLB (Global Server Load Balancing) commands
> createGlobalLoadBalancerRule=15
> deleteGlobalLoadBalancerRule=15
> updateGlobalLoadBalancerRule=15
> listGlobalLoadBalancerRules=15
> assignToGlobalLoadBalancerRule=15
> removeFromGlobalLoadBalancerRule=15
>
> ### VM Snapshot commands
> listVMSnapshot=15
> createVMSnapshot=15
> deleteVMSnapshot=15
> revertToVMSnapshot=15
>
> #### Baremetal commands
> addBaremetalHost=1
> addBaremetalPxeKickStartServer=1
> addBaremetalPxePingServer=1
> addBaremetalDhcp=1
> listBaremetalDhcp=1
> listBaremetalPxeServers=1
> addBaremetalRct=1
> deleteBaremetalRct=1
> listBaremetalRct=1
>
> #### UCS commands
> addUcsManager=1
> listUcsManagers=1
> listUcsProfiles=1
> listUcsBlades=1
> associateUcsProfileToBlade=1
> removedeleteUcsManager=1
>
> #### New Load Balancer commands
> createLoadBalancer=15
> listLoadBalancers=15
> deleteLoadBalancer=15
> updateLoadBalancer=15
>
> #Internal Load Balancer Element commands
> configureInternalLoadBalancerElement=7
> createInternalLoadBalancerElement=7
> listInternalLoadBalancerElements=7
>
>
> #### Affinity group commands
> createAffinityGroup=15
> deleteAffinityGroup=15
> listAffinityGroups=15
> updateVMAffinityGroup=15
> listAffinityGroupTypes=15
>
> #### Cisco Vnmc commands
> addCiscoVnmcResource=1
> deleteCiscoVnmcResource=1
> listCiscoVnmcResources=1
>
> #### Cisco Asa1000v commands
> addCiscoAsa1000vResource=1
> deleteCiscoAsa1000vResource=1
> listCiscoAsa1000vResources=1
>
> #### portable public IP commands
> createPortableIpRange=1
> deletePortableIpRange=1
> listPortableIpRanges=1
>
> #### Internal LB VM commands
> stopInternalLoadBalancerVM=1
> startInternalLoadBalancerVM=1
> listInternalLoadBalancerVMs=1
>
> ### Network Isolation methods listing
> listNetworkIsolationMethods=1
>
> #### Dedicated Resource commands
> dedicateZone=1
> dedicatePod=1
> dedicateCluster=1
> dedicateHost=1
> releaseDedicatedZone=1
> releaseDedicatedPod=1
> releaseDedicatedCluster=1
> releaseDedicatedHost=1
> listDedicatedZones=1
> listDedicatedPods=1
> listDedicatedClusters=1
> listDedicatedHosts=1
>
> ### LDAP
> listLdapConfigurations=15
> addLdapConfiguration=3
> deleteLdapConfiguration=3
> listLdapUsers=3
> ldapCreateAccount=3
> importLdapUsers=3
> linkDomainToLdap=3
>
>
> #### juniper-contrail commands
> createServiceInstance=1
>
> ### OpenDaylight plugin commands
> addOpenDaylightController=1
> deleteOpenDaylightController=1
> listOpenDaylightControllers=1
>
> ### GloboDNS commands
> addGloboDnsHost=1
>
> ### volume/template post upload
> getUploadParamsForVolume=15
> getUploadParamsForTemplate=15
>
> ### Quota Service
> quotaStatement=15
> quotaBalance=15
> quotaSummary=15
> quotaUpdate=1
> quotaTariffList=15
> quotaTariffUpdate=1
> quotaCredits=1
> quotaEmailTemplateList=1
> quotaEmailTemplateUpdate=1
> quotaIsEnabled=15
>
>
> 😊
>
> David Larsen
>
> -----Opprinnelig melding-----
> Fra: David Larsen <[email protected]>
> Sendt: mandag 4. oktober 2021 17.46
> Til: [email protected]
> Emne: SV: Dynamic Roles and user roles in command.properties
>
> Hi Daan.
>
> Thanks for your quick reply.
> I see.., 15 is user allowed. didn't read the description good enough
> 😊
> I have never created any roles. I tried the -D option with
> migrate-dynamicroles.py
>
> Med vennlig hilsen
>
> David Larsen
>
> -----Opprinnelig melding-----
> Fra: Daan Hoogland <[email protected]>
> Sendt: mandag 4. oktober 2021 16:59
> Til: users <[email protected]>
> Emne: Re: Dynamic Roles and user roles in command.properties
>
> David,
> The '=15's mean user is allowed, as 15 = 8+4=2=1 (it is a decimal
> description of a bit-field) Have you created any roles along the way?
>
> On Mon, Oct 4, 2021 at 4:51 PM David Larsen <[email protected]> wrote:
>
> > Hi
> >
> > I have tried to migrate our Cloudstack (4.15) to use dynamic roles.
> > The migrate process went ok, but users can't log in afterwards...(?).
> > When they log in, the only response they get is "discovering..."
> > I had to go back to commands.properties.
> >
> > What are the default user roles when using dynamic roles?
> >
> > Which roles are migrated from commands.properties when using
> > migrate-dynamicroles.py?
> >
> > I have never changed anything in the commands.properties file while
> > upgrading from version 4.2->................4.15 through the years.
> >
> > When I look in the commands.properties file, I see in the
> > description 8=user.... I can't fint any line in this file with =8
> >
> > Parts of our commands.properties file:
> >
> > :/etc/cloudstack/management# cat commands.properties # Licensed to
> > the Apache Software Foundation (ASF) under one # or more contributor
> > license agreements. See the NOTICE file # distributed with this
> > work for additional information # regarding copyright ownership.
> > The ASF licenses this file # to you under the Apache License,
> > Version 2.0 (the # "License"); you may not use this file except in
> > compliance # with the License. You may obtain a copy of the License
> > at # #
> https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.a
> pache.org%2Flicenses%2FLICENSE-2.0&data=04%7C01%7C%7C5077f4bdb3b04
> 4a75c0508d988a36a5b%7C1dd023eed2894f208926463c9b991b5f%7C1%7C1%7C63769
> 1057723071240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2lu
> MzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=38BYAOTCdzqPv5DE93
> kYCY7dvd5s1m2WgP0WJqnPaDc%3D&reserved=0
> > #
> > # Unless required by applicable law or agreed to in writing, #
> > software distributed under the License is distributed on an # "AS IS"
> > BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either
> > express or implied. See the License for the # specific language
> > governing permissions and limitations # under the License.
> >
> > ### bitmap of permissions at the end of each classname, 1 = ADMIN, 2
> > = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER ### Please
> > standardize naming conventions to camel-case (even for acronyms).
> >
> > ### CloudStack authentication commands
> > login=15
> > logout=15
> >
> > ### SAML SSO/SLO commands
> > samlSso=15
> > samlSlo=15
> > getSPMetadata=15
> > listIdps=15
> > authorizeSamlSso=7
> > listSamlAuthorization=7
> > listAndSwitchSamlAccount=15
> >
> > ### Account commands
> > createAccount=7
> > deleteAccount=7
> > updateAccount=7
> > disableAccount=7
> > enableAccount=7
> > lockAccount=7
> > listAccounts=15
> > markDefaultZoneForAccount=1
> >
> > #### User commands
> > createUser=7
> > deleteUser=7
> > updateUser=15
> > listUsers=15
> > lockUser=7
> > disableUser=7
> > enableUser=7
> > getUser=1
> >
> > #### Domain commands
> > createDomain=1
> > updateDomain=1
> > deleteDomain=1
> > listDomains=7
> > listDomainChildren=7
> >
> > ####Cloud Identifier commands
> > getCloudIdentifier=15
> >
> > #### Limit commands
> > updateResourceLimit=7
> > updateResourceCount=7
> > listResourceLimits=15
> >
> > #### VM commands
> > deployVirtualMachine=15
> > destroyVirtualMachine=15
> > rebootVirtualMachine=15
> > startVirtualMachine=15
> > stopVirtualMachine=15
> > resetPasswordForVirtualMachine=15
> > resetSSHKeyForVirtualMachine=15
> > updateVirtualMachine=15
> > listVirtualMachines=15
> > getVMPassword=15
> > restoreVirtualMachine=15
> > changeServiceForVirtualMachine=15
> > scaleVirtualMachine=15
> > assignVirtualMachine=7
> > migrateVirtualMachine=1
> > migrateVirtualMachineWithVolume=1
> > recoverVirtualMachine=15
> > expungeVirtualMachine=15
> > getVirtualMachineUserData=15
> >
> > #### snapshot commands
> > createSnapshot=15
> > listSnapshots=15
> > deleteSnapshot=15
> > createSnapshotPolicy=15
> > updateSnapshotPolicy=15
> > deleteSnapshotPolicies=15
> > listSnapshotPolicies=15
> > revertSnapshot=15
> >
> > #### template commands
> > createTemplate=15
> > registerTemplate=15
> > updateTemplate=15
> > copyTemplate=15
> > deleteTemplate=15
> > listTemplates=15
> > .....................
> >
> > Med vennlig hilsen
> >
> > David Larsen
> > Senior systemkonsulent
> >
> >
> >
>
> --
> Daan
>
--
Daan
