CKS: generate a random UUID as password of CKS user in project

[weizhouapache]

Description

This PR fixes the password CKS user in project

UuidUtils.first returns only the first part of UUID , which contains 8 letters/digits in total.
If the min length is set to a value more than 8, the CKS cluster cannot be created in project

To be consistent with CKS user in non-project, use UUID instead of first 8 chars of UUID as password of CKS user in project

This fixes #11626

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[weizhouapache]

@blueorangutan package

[sureshanaparti]

clgtm

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[DaanHoogland]

lgtm, but how about when the min pw length is set beyond a UUID length?

[codecov]

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.17%. Comparing base (1948f90) to head (0727b7b).
⚠️ Report is 17 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java	0.00%	3 Missing ⚠️
...bernetes/cluster/KubernetesClusterManagerImpl.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #11639      +/-   ##
============================================
- Coverage     16.17%   16.17%   -0.01%     
+ Complexity    13298    13297       -1     
============================================
  Files          5656     5656              
  Lines        498151   498221      +70     
  Branches      60441    60452      +11     
============================================
- Hits          80589    80581       -8     
- Misses       408591   408671      +80     
+ Partials       8971     8969       -2     

Flag	Coverage Δ
uitests	4.00% <ø> (ø)
unittests	17.02% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

lgtm, but how about when the min pw length is set beyond a UUID length?

then #11626 appears 😆

this is just a quick workaround.
If user enables password policy, update the number of uppercase letters and number of special chars to a non-zero value, CKS will not work. so we need to find a ideal solution later.

generate a more strong password matching the policy, or ignore the password policy for CKS users
refer to #11637 (comment)

[DaanHoogland]

clgtm ( but a real solution should be created in a call that generates a password from a password policy in the end )

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15014

[shwstppr]

change looks good but maybe for a complete solution we can bypass PasswordPolicy here. Kubernetes project account is created with System account call context so maybe we can bypass policy validations when System is creating accounts

[weizhouapache]

change looks good but maybe for a complete solution we can bypass PasswordPolicy here. Kubernetes project account is created with System account call context so maybe we can bypass policy validations when System is creating accounts

thanks @shwstppr
if I understand correctly, you prefer to the PR #11637 ?

[shwstppr]

@weizhouapache best case would have been creating a password compliant to the password policy. But because of regex config it would be difficult and error-prone. Next best is bypassing policy and creating a stronger password (which would never be used though). So I think maybe we keep this usage of complete UUID and then bypass the policy for system created account (which I feel would be more generic than adding a User.Source.CKS)

[weizhouapache]

@weizhouapache best case would have been creating a password compliant to the password policy. But because of regex config it would be difficult and error-prone. Next best is bypassing policy and creating a stronger password (which would never be used though). So I think maybe we keep this usage of complete UUID and then bypass the policy for system created account (which I feel would be more generic than adding a User.Source.CKS)

thanks @shwstppr
agree that complete UUID should be secure enough.
User.Source.CKS in #11637 is used to bypass the policy. but you are right, we could just bypass the password policy of all users created by system account. let me see if it is possible

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15179

[shwstppr]

@weizhouapache I've not tested but I guess we didn't need all the changes to pass the caller.
We could use CallContext.getCallingAccount(). KubernetesClusterManager was already using the system callcontext at line 1550

[weizhouapache]

@weizhouapache I've not tested but I guess we didn't need all the changes to pass the caller. We could use CallContext.getCallingAccount(). KubernetesClusterManager was already using the system callcontext at line 1550

thanks @shwstppr , good point
let me double check and test it

[weizhouapache]

@weizhouapache I've not tested but I guess we didn't need all the changes to pass the caller. We could use CallContext.getCallingAccount(). KubernetesClusterManager was already using the system callcontext at line 1550

reverted the last commit, added a simple check on the caller

tested ok

• updated password.policy lengths from 0 to 1
• without this PR, when created a CKS cluster in a new project, got an error "User password should contain at least [1] special characters."
• with this PR, CKS cluster in project has been created successfully

thanks @shwstppr , good advise

[shwstppr]

LGTM

[shwstppr]

LGTM. Tested before and after changes.

Before changes

Changed values for password configs

k8s cluster creation failed

After changes

Account created successfully

k8s cluster created

Tested password restrictions still applied when creating as admin

[weizhouapache]

cool, thanks for the testing @shwstppr

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15234

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-14487)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 56881 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11639-t14487-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_deployVMInSharedNetwork	Failure	426.81	test_network.py

[weizhouapache]

merging based on approvals and manua test, thanks @shwstppr