Prevent upgrade failures if there are existing annotations permissions #5846

Merged: 8 commits, Jan 18, 2022

@nvazquez
Contributor

nvazquez commented Jan 10, 2022

Description

This PR prevents upgrade failures in the specific case in which the annotations are allowed as part of the role permissions for some roles.
Fixes: #5617

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

  • Create a vanilla environment
  • Upgrade a 4.15.2 environment without adding any role permission

@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@blueorangutan

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2163

@nvazquez
Contributor Author

@blueorangutan test

@blueorangutan

@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm

Contributor

@GutoVeronezi GutoVeronezi left a comment

CLGTM

@blueorangutan

Trillian test result (tid-2843)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 31597 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr5846-t2843-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors
Only failed tests results shown below:

Test Result Time (s) Test File

@sureshanaparti sureshanaparti self-assigned this Jan 11, 2022
Member

@GabrielBrascher GabrielBrascher left a comment

LGTM

@rohityadavcloud
Member

LGTM - would it make more sense to do via java (to check if these exist?)

@nvazquez
Contributor Author

nvazquez commented Jan 12, 2022

@rohityadavcloud sorry I do not see the benefit of moving it to the java code in this case, do you mean moving the SQL check to the java upgrade code or updating the authorized parameter on the @APICommand annotation for the java classes involved?

@DaanHoogland
Contributor

@nvazquez there is a benefit in what @rohityadavcloud says; we are in a mess with guest OS mappings because of using IDs in schema upgrade scripts. This could happen for roles as well in the long run. So it might be good to devise an upgrade mech that is more robust. This will work for sure, but it is not a mechanism that we should promote.

@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@nvazquez
Contributor Author

@DaanHoogland @rohityadavcloud I see your point, thanks for clarifying. I have updated the PR accordingly, can you please re-review?

nvazquez and others added 2 commits January 13, 2022 07:33
Co-authored-by: sureshanaparti <12028987+sureshanaparti@users.noreply.github.com>
@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@blueorangutan

Packaging result: ✖️ el7 ✖️ el8 ✖️ debian ✖️ suse15. SL-JID 2194

Co-authored-by: sureshanaparti <12028987+sureshanaparti@users.noreply.github.com>
@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Contributor

@sureshanaparti sureshanaparti left a comment

code LGTM

@blueorangutan

Packaging result: ✖️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2198

@nvazquez
Contributor Author

@blueorangutan package

@blueorangutan

@nvazquez a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

@blueorangutan

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 2200

@nvazquez
Contributor Author

@blueorangutan test

@blueorangutan

@nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@blueorangutan

Trillian test result (tid-2871)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 30370 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr5846-t2871-kvm-centos7.zip
Smoke tests completed. 92 look OK, 0 have errors
Only failed tests results shown below:

Test Result Time (s) Test File

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm,
@nvazquez I know you did some upgrade testing, can you describe that, please?

It seems to me we can use a similar mech for the guest os (mapping) upgrades in the future. Do you agree @nvazquez @sureshanaparti ? see #3609, #5685

@sureshanaparti
Contributor

> clgtm, @nvazquez I know you did some upgrade testing, can you describe that, please?
>
> It seems to me we can use a similar mech for the guest os (mapping) upgrades in the future. Do you agree @nvazquez @sureshanaparti ? see #3609, #5685

agree @DaanHoogland

@nvazquez
Contributor Author

@DaanHoogland I have added it to the PR description: tested the vanilla environment creation and also upgrade from a 4.15.2 environment in which I didn't add any additional role permission

@DaanHoogland
Contributor

@nvazquez @sureshanaparti I'd say one more test and we are good to merge:
4.15.2 env with extra roles/permissions defined -> upgrade it.
??

@sureshanaparti
Contributor

> @nvazquez @sureshanaparti I'd say one more test and we are good to merge:
> 4.15.2 env with extra roles/permissions defined -> upgrade it.
> ??

@DaanHoogland I'll perform upgrade test with some rules, and update here.

@DaanHoogland
Contributor

> > @nvazquez @sureshanaparti I'd say one more test and we are good to merge:
> > 4.15.2 env with extra roles/permissions defined -> upgrade it.
> > ??
>
> @DaanHoogland I'll perform upgrade test with some rules, and update here.

thanks @sureshanaparti

@sureshanaparti
Contributor

Verified upgrade from CS 4.15.2 with existing annotations permissions. LGTM.

  • Manually added the following rules to default roles (Resource Admin: 2, Domain Admin: 3, User: 4) in DB, as add/update rules to the default roles is not allowed from 4.15.
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'listAnnotations', 'ALLOW');
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'addAnnotation', 'DENY');
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'removeAnnotation', 'ALLOW');
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'listAnnotations', 'ALLOW');
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'addAnnotation', 'DENY');
INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'removeAnnotation', 'DENY');
  • Upgraded to 4.16, and noticed the missing rules are added. If there are any existing rules, this is the safe mechanism - to check and add the rules while upgrading.
2022-01-17 21:53:59,522 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Generating uuid for existing ssh key-pairs
2022-01-17 21:53:59,523 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Successfully generated uuid for existing ssh key-pairs
2022-01-17 21:53:59,525 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 2
2022-01-17 21:53:59,528 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 2 and rule: listAnnotations
2022-01-17 21:53:59,531 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 2 and rule: listAnnotations, not updating it
2022-01-17 21:53:59,531 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 2 and rule: addAnnotation
2022-01-17 21:53:59,533 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Inserting role permission for role: 2 and rule: addAnnotation
2022-01-17 21:53:59,534 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 2 and rule: removeAnnotation
2022-01-17 21:53:59,534 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Inserting role permission for role: 2 and rule: removeAnnotation
2022-01-17 21:53:59,535 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 3
2022-01-17 21:53:59,535 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 3 and rule: listAnnotations
2022-01-17 21:53:59,535 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Inserting role permission for role: 3 and rule: listAnnotations
2022-01-17 21:53:59,536 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 3 and rule: addAnnotation
2022-01-17 21:53:59,536 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 3 and rule: addAnnotation, not updating it
2022-01-17 21:53:59,536 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 3 and rule: removeAnnotation
2022-01-17 21:53:59,537 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 3 and rule: removeAnnotation, not updating it
2022-01-17 21:53:59,537 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 4
2022-01-17 21:53:59,537 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 4 and rule: listAnnotations
2022-01-17 21:53:59,538 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 4 and rule: listAnnotations, not updating it
2022-01-17 21:53:59,538 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 4 and rule: addAnnotation
2022-01-17 21:53:59,538 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 4 and rule: addAnnotation, not updating it
2022-01-17 21:53:59,538 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Checking the annotation permissions for the role: 4 and rule: removeAnnotation
2022-01-17 21:53:59,539 DEBUG [c.c.u.d.Upgrade41520to41600] (main:null) (logid:) Found existing role permission for role: 4 and rule: removeAnnotation, not updating it
2022-01-17 21:53:59,553 INFO  [c.c.u.DatabaseUpgradeChecker] (main:null) (logid:) Cleanup upgrade Upgrade41520to41600 to upgrade from 4.15.2.0-4.16.0.0 to 4.16.0.0

@sureshanaparti sureshanaparti merged commit e18ff60 into apache:4.16 Jan 18, 2022
@nvazquez nvazquez deleted the fixannotationspermissions branch February 12, 2022 02:37
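
The check-then-insert behaviour recorded in the upgrade log above, as an added Python sketch that is not CloudStack's upgrade code: it seeds the six hand-added rules from the verification comment, inserts only the missing (role, rule) pairs, and leaves every existing ALLOW or DENY untouched. Assumptions: an in-memory SQLite table stands in for `cloud`.`role_permissions`, the UNIQUE constraint on (role_id, rule) and the `ALLOW` default for newly inserted rules are not stated in the thread, and all function names are hypothetical.

```python
import sqlite3
import uuid

ROLE_IDS = (2, 3, 4)  # Resource Admin, Domain Admin, User (ids from the thread)
ANNOTATION_RULES = ("listAnnotations", "addAnnotation", "removeAnnotation")
# Constructed sample: the six rules added by hand before the upgrade test.
EXISTING = [(2, "listAnnotations", "ALLOW"), (3, "addAnnotation", "DENY"),
            (3, "removeAnnotation", "ALLOW"), (4, "listAnnotations", "ALLOW"),
            (4, "addAnnotation", "DENY"), (4, "removeAnnotation", "DENY")]
INSERT = "INSERT INTO role_permissions (uuid, role_id, rule, permission) VALUES (?, ?, ?, ?)"
LOOKUP = "SELECT permission FROM role_permissions WHERE role_id = ? AND rule = ?"

def make_db():
    """In-memory stand-in for cloud.role_permissions (hypothetical, reduced schema)."""
    db = sqlite3.connect(":memory:")
    # The UNIQUE constraint is an assumption of this sketch.
    db.execute("CREATE TABLE role_permissions (uuid TEXT, role_id INTEGER, "
               "rule TEXT, permission TEXT, UNIQUE (role_id, rule))")
    db.executemany(INSERT, [(str(uuid.uuid4()), *row) for row in EXISTING])
    db.commit()
    return db

def permission(db, role_id, rule):
    """Return the stored permission for (role_id, rule), or None if absent."""
    row = db.execute(LOOKUP, (role_id, rule)).fetchone()
    return row[0] if row else None

def ensure_annotation_permissions(db, default_permission="ALLOW"):
    """Insert only the missing (role, rule) pairs and return them.

    default_permission is an assumption; the thread does not state the value.
    Existing rows are never rewritten, so an operator's DENY survives.
    """
    inserted = []
    for role_id in ROLE_IDS:
        for rule in ANNOTATION_RULES:
            if permission(db, role_id, rule) is not None:
                continue  # found existing role permission, not updating it
            db.execute(INSERT, (str(uuid.uuid4()), role_id, rule, default_permission))
            inserted.append((role_id, rule))
    db.commit()
    return inserted

def blind_insert_fails(db):
    """Show the unguarded variant: re-inserting an existing pair is rejected."""
    try:
        db.execute(INSERT, (str(uuid.uuid4()), 4, "addAnnotation", "ALLOW"))
    except sqlite3.IntegrityError:
        return True
    return False
```

Running `ensure_annotation_permissions` a second time inserts nothing, which is the property that makes the upgrade step safe to repeat.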