Check the network access when deploying VM in Advanced Security Group.

[sureshanaparti]

Description

This PR checks the network access when deploying VM in Advanced Security Group.

Fixes #6049

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

• Before fix, able to deploy VM with ROOT account, in Domain02 using network on Domain01 (in Advanced Security Group)
• After fix, deploy VM failed with 'Unable to use network with id= 031a45f3-8522-4265-a145-6a647df20d27, permission denied'

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2734

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2735

[nvazquez]

@GabrielBrascher can you please review/test this fix?

[sureshanaparti]

@blueorangutan test

[blueorangutan]

@sureshanaparti a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[weizhouapache]

code lgtm !!

[weizhouapache]

@sureshanaparti
can you also add my suggestion in comment #6049 (comment) to this PR ?

[blueorangutan]

Trillian test result (tid-3451)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 39790 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6050-t3451-kvm-centos7.zip
Smoke tests completed. 83 look OK, 0 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File

[sureshanaparti]

@sureshanaparti
can you also add my suggestion in comment #6049 (comment) to this PR ?

@weizhouapache the access check for VM owner already exists here.

cloudstack/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java

Lines 1312 to 1313 in 85c5997

	Account vmOwner = _accountMgr.getAccount(vmInstance.getAccountId());
	_networkModel.checkNetworkPermissions(vmOwner, network);

so, the check against caller is still required here?

cloudstack/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java

Lines 1339 to 1340 in 85c5997

	// Perform account permission check on network
	_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);

[weizhouapache]

so, the check against caller is still required here?

@sureshanaparti
then the 2nd check can be removed

[sureshanaparti]

@blueorangutan package

[GabrielBrascher]

Thanks for the PR @sureshanaparti!
Is this ready to review or still in Draft?

I did a few tests applying your changes and seems to be working fine.
I will be running a few more tests but wanted to double-check if there is anything left for the PR.

[sureshanaparti]

Thanks for the PR @sureshanaparti! Is this ready to review or still in Draft?

I did a few tests applying your changes and seems to be working fine. I will be running a few more tests but wanted to double-check if there is anything left for the PR.

it is ready for review @GabrielBrascher

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2753

[weizhouapache]

@sureshanaparti
should this target to 4.16 ?

[GabrielBrascher]

@thanks @sureshanaparti, code LGTM.
Tested With Advanced Network + SG and now it is working as expected.

[sureshanaparti]

@thanks @sureshanaparti, code LGTM.
Tested With Advanced Network + SG and now it is working as expected.

great, thanks for testing @GabrielBrascher

[sureshanaparti]

@sureshanaparti
should this target to 4.16 ?

@weizhouapache this is targeted to 4.17

[weizhouapache]

if there is 4.16.2.0 release, we need to backport this, right ?
why not target to 4.16 ?

[sureshanaparti]

if there is 4.16.2.0 release, we need to backport this, right ?
why not target to 4.16 ?

yes, may be when another minor release is needed on 4.16.

[nvazquez]

Agree with @weizhouapache - let's target the fix for branch 4.16 and merge forward to main

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2766

[nvazquez]

@blueorangutan test

[nvazquez]

LGTM

[blueorangutan]

@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

Trillian test result (tid-3496)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 36085 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr6050-t3496-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors
Only failed tests results shown below:

Test	Result	Time (s)	Test File