Use userdata uuid instead of user data in global settings

Author: vishesh92

api/src/main/java/org/apache/cloudstack/userdata/UserDataManager.java

@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.userdata;
 
+import com.cloud.template.VirtualMachineTemplate;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
@@ -29,4 +30,5 @@ public interface UserDataManager extends Manager, Configurable {
 
     String concatenateUserData(String userdata1, String userdata2, String userdataProvider);
     String validateUserData(String userData, BaseCmd.HTTPMethod httpmethod);
+    Long validateAndGetUserDataIdForSystemVms(String userDataUuid, VirtualMachineTemplate vmTemplate);
 }

engine/userdata/src/main/java/org/apache/cloudstack/userdata/UserDataManagerImpl.java

@@ -22,6 +22,11 @@
 import java.util.List;
 import java.util.Map;
 
+import com.cloud.domain.Domain;
+import com.cloud.template.VirtualMachineTemplate;
+import com.cloud.user.User;
+import com.cloud.user.UserDataVO;
+import com.cloud.user.dao.UserDataDao;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.commons.codec.binary.Base64;
@@ -31,7 +36,12 @@
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.exception.CloudRuntimeException;
 
+import javax.inject.Inject;
+
 public class UserDataManagerImpl extends ManagerBase implements UserDataManager {
+    @Inject
+    UserDataDao userDataDao;
+
     private static final int MAX_USER_DATA_LENGTH_BYTES = 2048;
     private static final int MAX_HTTP_GET_LENGTH = 2 * MAX_USER_DATA_LENGTH_BYTES; // 4KB
     private static final int NUM_OF_2K_BLOCKS = 512;
@@ -118,6 +128,21 @@ public String validateUserData(String userData, BaseCmd.HTTPMethod httpmethod) {
         return Base64.encodeBase64String(decodedUserData);
     }
 
+    @Override
+    public Long validateAndGetUserDataIdForSystemVms(String userDataUuid, VirtualMachineTemplate vmTemplate) {
+        UserDataVO templateUserDataVo = vmTemplate.getUserDataId() != null ? userDataDao.findById(vmTemplate.getUserDataId()): null;
+        UserDataVO userDataVo = StringUtils.isNotBlank(userDataUuid) ? userDataDao.findByUuid(userDataUuid) : null;
+        if (isUserDataAllowedForSystemVm(templateUserDataVo) &&
+            isUserDataAllowedForSystemVm(userDataVo)) {
+            return userDataVo != null ? userDataVo.getId() : null;
+        }
+        throw new CloudRuntimeException("User data can only be used by system VMs if it belongs to the ROOT domain and ADMIN account.");
+    }
+
+    private boolean isUserDataAllowedForSystemVm(UserDataVO userData) {
+        return userData == null || (userData.getDomainId() == Domain.ROOT_DOMAIN && userData.getAccountId() == User.UID_ADMIN);
+    }
+
     private byte[] validateAndDecodeByHTTPMethod(String userData, int maxHTTPLength, BaseCmd.HTTPMethod httpMethod) {
         byte[] decodedUserData = Base64.decodeBase64(userData.getBytes());
         if (decodedUserData == null || decodedUserData.length < 1) {

framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java

@@ -41,7 +41,6 @@ public class ConfigKey<T> {
     public static final String CATEGORY_ADVANCED = "Advanced";
     public static final String CATEGORY_ALERT = "Alert";
     public static final String CATEGORY_NETWORK = "Network";
-    public static final String CATEGORY_SECURE = "Secure";
     public static final String CATEGORY_SYSTEM = "System";
 
     // Configuration Groups to be used to define group for a config key

plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/ElasticLoadBalancerManagerImpl.java

@@ -31,11 +31,13 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.vm.UserVmManager;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLoadBalancerRuleCmd;
 import org.apache.cloudstack.config.ApiServiceConfiguration;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.userdata.UserDataManager;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Component;
 
@@ -141,6 +143,10 @@ public class ElasticLoadBalancerManagerImpl extends ManagerBase implements Elast
     private ElasticLbVmMapDao _elbVmMapDao;
     @Inject
     private NicDao _nicDao;
+    @Inject
+    private UserDataManager userDataManager;
+    @Inject
+    private UserVmManager userVmManager;
 
     String _instance;
 
@@ -484,10 +490,16 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         buf.append(" authorized_key=").append(VirtualMachineGuru.getEncodedMsPublicKey(msPublicKey));
 
         if (SystemVmEnableUserData.valueIn(dc.getId())) {
-            String userData = RouterUserData.valueIn(dc.getId());
-            if (StringUtils.isNotBlank(userData)) {
-                String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
-                buf.append(" userdata=").append(encodedUserData);
+            String userDataUuid = RouterUserData.valueIn(dc.getId());
+            try {
+                Long userDataId = userDataManager.validateAndGetUserDataIdForSystemVms(userDataUuid, profile.getTemplate());
+                String userData = userVmManager.finalizeUserData(null, userDataId, profile.getTemplate());
+                if (StringUtils.isNotBlank(userData)) {
+                    String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
+                    buf.append(" userdata=").append(encodedUserData);
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to load user data for the elastic lb vm, ignored", e);
             }
         }
 

plugins/network-elements/internal-loadbalancer/src/main/java/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java

@@ -37,11 +37,13 @@
 
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
+import com.cloud.vm.UserVmManager;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
+import org.apache.cloudstack.userdata.UserDataManager;
 import org.apache.commons.collections.CollectionUtils;
 
 import com.cloud.agent.AgentManager;
@@ -179,6 +181,10 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In
     ResourceManager _resourceMgr;
     @Inject
     UserDao _userDao;
+    @Inject
+    private UserDataManager userDataManager;
+    @Inject
+    private UserVmManager userVmManager;
 
     @Override
     public boolean finalizeVirtualMachineProfile(final VirtualMachineProfile profile, final DeployDestination dest, final ReservationContext context) {
@@ -249,10 +255,16 @@ public boolean finalizeVirtualMachineProfile(final VirtualMachineProfile profile
 
         long dcId = profile.getVirtualMachine().getDataCenterId();
         if (SystemVmEnableUserData.valueIn(dcId)) {
-            String userData = RouterUserData.valueIn(dcId);
-            if (StringUtils.isNotBlank(userData)) {
-                String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
-                buf.append(" userdata=").append(encodedUserData);
+            String userDataUuid = RouterUserData.valueIn(dcId);
+            try {
+                Long userDataId = userDataManager.validateAndGetUserDataIdForSystemVms(userDataUuid, profile.getTemplate());
+                String userData = userVmManager.finalizeUserData(null, userDataId, profile.getTemplate());
+                if (StringUtils.isNotBlank(userData)) {
+                    String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
+                    buf.append(" userdata=").append(encodedUserData);
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to load user data for the internal lb vm, ignored", e);
             }
         }
 

server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java

@@ -94,8 +94,8 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
             "last console proxy service management state", false, ConfigKey.Kind.Select, consoleProxyManagementStates);
 
     ConfigKey<String> ConsoleProxyUserData = new ConfigKey<>(String.class, "consoleproxy.userdata",
-            ConfigKey.CATEGORY_SECURE, "",
-            "Default user data for console proxy VMs. This works only when systemvm.userdata.enabled is set to true",
+            ConfigKey.CATEGORY_ADVANCED, "",
+            "UUID for user data for console proxy VMs. This works only when systemvm.userdata.enabled is set to true",
             true, ConfigKey.Scope.Zone, null, "User Data for CPVMs",
             null, ConfigKey.GROUP_SYSTEM_VMS, ConfigKey.SUBGROUP_CONSOLE_PROXY_VM);
 

server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java

@@ -33,6 +33,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.vm.UserVmManager;
 import org.apache.cloudstack.agent.lb.IndirectAgentLB;
 import org.apache.cloudstack.ca.CAManager;
 import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
@@ -49,6 +50,7 @@
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.storage.datastore.db.TemplateDataStoreDao;
+import org.apache.cloudstack.userdata.UserDataManager;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
 
@@ -230,6 +232,10 @@ public class ConsoleProxyManagerImpl extends ManagerBase implements ConsoleProxy
     private CAManager caManager;
     @Inject
     private NetworkOrchestrationService networkMgr;
+    @Inject
+    private UserDataManager userDataManager;
+    @Inject
+    private UserVmManager userVmManager;
 
     private ConsoleProxyListener consoleProxyListener;
 
@@ -1270,10 +1276,16 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         buf.append(" keystore_password=").append(VirtualMachineGuru.getEncodedString(PasswordGenerator.generateRandomPassword(16)));
 
         if (SystemVmEnableUserData.valueIn(dc.getId())) {
-            String userData = ConsoleProxyUserData.valueIn(dc.getId());
-            if (StringUtils.isNotBlank(userData)) {
-                String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
-                buf.append(" userdata=").append(encodedUserData);
+            String userDataUuid = ConsoleProxyUserData.valueIn(dc.getId());
+            try {
+                Long userDataId = userDataManager.validateAndGetUserDataIdForSystemVms(userDataUuid, profile.getTemplate());
+                String userData = userVmManager.finalizeUserData(null, userDataId, profile.getTemplate());
+                if (org.apache.commons.lang3.StringUtils.isNotBlank(userData)) {
+                    String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
+                    buf.append(" userdata=").append(encodedUserData);
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to load user data for the cpvm, ignored", e);
             }
         }
 

server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManager.java

@@ -65,8 +65,8 @@ public interface VirtualNetworkApplianceManager extends Manager, VirtualNetworkA
             "Name of the default router template on Ovm3.", true, ConfigKey.Scope.Zone, null);
 
     ConfigKey<String> RouterUserData = new ConfigKey<>(String.class, "router.userdata",
-            ConfigKey.CATEGORY_SECURE, "",
-            "Default user data for VR, VPC VR, internal LB, and elastic LB. This works only when systemvm.userdata.enabled is set to true",
+            ConfigKey.CATEGORY_ADVANCED, "",
+            "UUID for user data of VR, VPC VR, internal LB, and elastic LB. This works only when systemvm.userdata.enabled is set to true",
             true, ConfigKey.Scope.Zone, null, "User Data for VRs",
             null, ConfigKey.GROUP_SYSTEM_VMS, ConfigKey.SUBGROUP_VIRTUAL_ROUTER);
 

server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java

@@ -49,6 +49,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.vm.UserVmManager;
 import com.google.gson.JsonSyntaxException;
 import com.google.gson.reflect.TypeToken;
 
@@ -73,6 +74,7 @@
 import org.apache.cloudstack.network.RoutedIpv4Manager;
 import org.apache.cloudstack.network.topology.NetworkTopology;
 import org.apache.cloudstack.network.topology.NetworkTopologyContext;
+import org.apache.cloudstack.userdata.UserDataManager;
 import org.apache.cloudstack.utils.CloudStackVersion;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
 import org.apache.cloudstack.utils.usage.UsageUtils;
@@ -354,6 +356,11 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
     @Inject
     BGPService bgpService;
 
+    @Inject
+    private UserDataManager userDataManager;
+    @Inject
+    private UserVmManager userVmManager;
+
     private int _routerStatsInterval = 300;
     private int _routerCheckInterval = 30;
     private int _rvrStatusUpdatePoolSize = 10;
@@ -2099,10 +2106,17 @@ public boolean finalizeVirtualMachineProfile(final VirtualMachineProfile profile
         buf.append(String.format(" logrotatefrequency=%s", routerLogrotateFrequency));
 
         if (SystemVmEnableUserData.valueIn(router.getDataCenterId())) {
-            String userData = RouterUserData.valueIn(router.getDataCenterId());
-            if (StringUtils.isNotBlank(userData)) {
-                String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
-                buf.append(" userdata=").append(encodedUserData);
+            String userDataUuid = RouterUserData.valueIn(dc.getId());
+            try {
+                Long userDataId = userDataManager.validateAndGetUserDataIdForSystemVms(userDataUuid,
+                        profile.getTemplate());
+                String userData = userVmManager.finalizeUserData(null, userDataId, profile.getTemplate());
+                if (StringUtils.isNotBlank(userData)) {
+                    String encodedUserData = Base64.getEncoder().encodeToString(userData.getBytes());
+                    buf.append(" userdata=").append(encodedUserData);
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to load user data for the virtual router, ignored", e);
             }
         }
 

server/src/main/java/com/cloud/storage/secondary/SecondaryStorageVmManager.java

@@ -45,8 +45,8 @@ public interface SecondaryStorageVmManager extends Manager {
             false);
 
     ConfigKey<String> SecondaryStorageUserData = new ConfigKey<>(String.class, "secstorage.userdata",
-            ConfigKey.CATEGORY_SECURE, "",
-            "Default user data for secondary storage VMs. This works only when systemvm.userdata.enabled is set to true",
+            ConfigKey.CATEGORY_ADVANCED, "",
+            "UUID for user data for secondary storage VMs. This works only when systemvm.userdata.enabled is set to true",
             true, ConfigKey.Scope.Zone, null, "User Data for SSVMs",
             null, ConfigKey.GROUP_SYSTEM_VMS, ConfigKey.SUBGROUP_SEC_STORAGE_VM);