From 1c0182ff0c9d704f92f6ed3d5002e580395914b1 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Mon, 15 Sep 2025 13:49:01 +0200
Subject: [PATCH 1/4] CKS: generate a UUID for CKS user in project

---
 .../cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
index 9b3e487680d4..5a1712968266 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
@@ -1551,7 +1551,7 @@ protected Account createProjectKubernetesAccount(final Project project, final St
 try {
 Role role = getProjectKubernetesAccountRole();
 UserAccount userAccount = accountService.createUserAccount(accountName,
- UuidUtils.first(UUID.randomUUID().toString()), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
+ UUID.randomUUID().toString(), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
 PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(),
 project.getDomainId(), null, null, null, null, User.Source.NATIVE);
 projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular,

From 2493a598e33f899a7c61c74005fadf3443b7c599 Mon Sep 17 00:00:00 2001
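Review bot: The password generated on the `+` line, `UUID.randomUUID().toString()`, is a 36-character string of lowercase hex digits and hyphens, and `createUserAccount` still sends it through the domain password policy (patch 2/4 of this series shows `passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies` in `createUser`), so a domain policy that demands an uppercase letter or a special character would reject it and make project account creation fail; either build the generated value to satisfy the configured policy or knowingly exempt this system-generated secret. The entropy itself is fine — `UUID.randomUUID()` is backed by a cryptographically strong generator — and it is an improvement over the shortened value `UuidUtils.first(...)` removed here. Nothing in the hunk records that this password is a throw-away secret no person is expected to type; a comment such as `// random throw-away password; the project CKS account is not meant for interactive login — TODO confirm` would help the next reader. `createProjectKubernetesAccount` starts before the hunk and its body continues after it.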
From: Wei Zhou
Date: Fri, 26 Sep 2025 08:49:38 +0200
Subject: [PATCH 2/4] server,cks: skip password policy if create account and user by system account

---
 .../main/java/com/cloud/user/AccountService.java | 3 +--
 .../cluster/KubernetesClusterManagerImpl.java | 2 +-
 .../contrail/management/MockAccountManager.java | 4 ++--
 .../api/command/LdapCreateAccountCmd.java | 2 +-
 .../api/command/LdapImportUsersCmd.java | 2 +-
 .../api/command/LinkAccountToLdapCmd.java | 2 +-
 .../api/command/LinkDomainToLdapCmd.java | 2 +-
 .../apache/cloudstack/ldap/LdapAuthenticator.java | 2 +-
 .../cloudstack/ldap/LdapAuthenticatorSpec.groovy | 2 +-
 .../cloudstack/ldap/LdapImportUsersCmdSpec.groovy | 4 ++--
 .../api/command/LinkAccountToLdapCmdTest.java | 2 +-
 .../api/command/LinkDomainToLdapCmdTest.java | 2 +-
 .../java/com/cloud/user/AccountManagerImpl.java | 15 +++++++++------
 .../com/cloud/user/MockAccountManagerImpl.java | 4 ++--
 14 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java
index c0ebcf09f59b..1a3fbae72949 100644
--- a/api/src/main/java/com/cloud/user/AccountService.java
+++ b/api/src/main/java/com/cloud/user/AccountService.java
@@ -46,8 +46,7 @@ public interface AccountService {
 UserAccount createUserAccount(CreateAccountCmd accountCmd);
 UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType,
- Long roleId, Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source);
-
+ Long roleId, Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source, Account caller);
 /**
 * Locks a user by userId. A locked user cannot access the API, but will still have running VMs/IP addresses
 * allocated/etc.
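Review bot: The new `Account caller` parameter on the `+` line is added to a public service interface without any Javadoc, and nothing in the hunk says what `null` means or what passing a particular account changes; the call sites in this series hand in `null`, the current calling account, or the system account, so the contract is not guessable from the signature alone. Please document it above the method, e.g. `@param caller account on whose behalf the user is created; {@code null} means the current API caller and the password policy is always applied` — the last clause adjusted to whatever the implementation finally does, since a later patch in this series reverts it. The removed blank line between this method and the following Javadoc block also looks accidental.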
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
index 5a1712968266..6d890c8ac083 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
@@ -1553,7 +1553,7 @@ protected Account createProjectKubernetesAccount(final Project project, final St
 UserAccount userAccount = accountService.createUserAccount(accountName,
 UUID.randomUUID().toString(), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
 PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(),
- project.getDomainId(), null, null, null, null, User.Source.NATIVE);
+ project.getDomainId(), null, null, null, null, User.Source.NATIVE, accountService.getSystemAccount());
 projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular,
 userAccount.getId(), null);
 Account account = accountService.getAccount(userAccount.getAccountId());
diff --git a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index bc9dbfa7b436..465ea2ffe544 100644
--- a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -147,12 +147,12 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) { cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(), cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(), cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(), - cmd.getUserUUID(), User.Source.UNKNOWN); + cmd.getUserUUID(), User.Source.UNKNOWN, null); } @Override public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId, - Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source) { + Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source, Account caller) { // TODO Auto-generated method stub return null; } diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java index 880ecea4d13c..87cda3da4e16 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java 
@@ -95,7 +95,7 @@ UserAccount createCloudstackUserAccount(final LdapUser user, String accountName, Account account = _accountService.getActiveAccountByName(accountName, domainId); if (account == null) { return _accountService.createUserAccount(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(), - domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP); + domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP, null); } else { User newUser = _accountService.createUser(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, domainId, userUUID, User.Source.LDAP); diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java index eada5f6df39b..1e9e3810bfe4 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java 
@@ -108,7 +108,7 @@ private void createCloudstackUserAccount(LdapUser user, String accountName, Doma if (account == null) { logger.debug("No account exists with name: " + accountName + " creating the account and an user with name: " + user.getUsername() + " in the account"); _accountService.createUserAccount(user.getUsername(), generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(), - domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); + domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); } else { // check if the user exists. if yes, call update UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId()); diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java index 52ece5c44f43..5af5a4b35117 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java 
@@ -89,7 +89,7 @@ public void execute() throws ServerApiException { try { UserAccount userAccount = _accountService .createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), - UUID.randomUUID().toString(), User.Source.LDAP); + UUID.randomUUID().toString(), User.Source.LDAP, null); response.setAdminId(String.valueOf(userAccount.getAccountId())); logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId); } catch (Exception e) { diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java index c351924de6de..6f4ec3d643bd 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java @@ -105,7 +105,7 @@ public void execute() throws ServerApiException { if (account == null) { try { UserAccount userAccount = _accountService.createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, - admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); + admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); response.setAdminId(String.valueOf(userAccount.getAccountId())); logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId); } catch (Exception e) { 
diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java index 36c663566cb9..bad65eebcc6d 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java @@ -310,7 +310,7 @@ private void createCloudStackUserAccount(LdapUser user, long domainId, Account.T String username = user.getUsername(); _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, RoleType.getByAccountType(accountType).getId(), domainId, null, null, - UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); + UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); } private void disableUserInCloudStack(UserAccount user) { diff --git a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy index 8fa7f3ee2e89..21ace3f5b3be 100644 --- a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy +++ b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy 
@@ -176,7 +176,7 @@ class LdapAuthenticatorSpec extends spock.lang.Specification { ldapManager.getUser(username, type.toString(), name) >> new LdapUser(username, "email", "firstname", "lastname", "principal", "domain", false, null) ldapManager.canAuthenticate(_, _, _) >> true //user should be created in cloudstack - accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP) >> Mock(UserAccount) + accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP, null) >> Mock(UserAccount) when: Pair result = ldapAuthenticator.authenticate(username, "password", domainId, null) diff --git a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy index 68b910811c79..92b8ef8a3a8e 100644 --- a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy +++ b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy 
@@ -213,8 +213,8 @@ class LdapImportUsersCmdSpec extends spock.lang.Specification { def accountService = Mock(AccountService) 1 * accountService.getActiveAccountByName('ACCOUNT', 0) >> Mock(AccountVO) - 1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 0, _, User.Source.LDAP) >> Mock(UserVO) - 0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP) + 1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 0, _, User.Source.LDAP, null) >> Mock(UserVO) + 0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP, null) 0 * accountService.updateUser(_,'Ryan', 'Murphy', 'rmurphy@test.com', null, null, null, null, null); def ldapImportUsersCmd = new LdapImportUsersCmd(ldapManager, domainService, accountService) diff --git a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java index adf0f98f2943..3d5668396faf 100644 --- a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java +++ b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java 
@@ -88,7 +88,7 @@ public void execute() throws Exception { userAccount.setAccountId(24); when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class), eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class), - (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount); + (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount); linkAccountToLdapCmd.execute(); LinkAccountToLdapResponse result = (LinkAccountToLdapResponse)linkAccountToLdapCmd.getResponseObject(); diff --git a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java index 080347fefd32..77aa20eb2bd0 100644 --- a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java +++ b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java @@ -86,7 +86,7 @@ public void execute() throws Exception { userAccount.setAccountId(24); when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class), eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class), - (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount); + (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount); linkDomainToLdapCmd.execute(); diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index 04a64fbfc8c9..97d5343c3155 100644 
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1286,7 +1286,7 @@ public UserAccount createUserAccount(CreateAccountCmd accountCmd) {
 accountCmd.getLastName(), accountCmd.getEmail(), accountCmd.getTimeZone(), accountCmd.getAccountName(), accountCmd.getAccountType(), accountCmd.getRoleId(), accountCmd.getDomainId(), accountCmd.getNetworkDomain(), accountCmd.getDetails(), accountCmd.getAccountUUID(),
- accountCmd.getUserUUID(), User.Source.UNKNOWN);
+ accountCmd.getUserUUID(), User.Source.UNKNOWN, CallContext.current().getCallingAccount());
 }
 // ///////////////////////////////////////////////////
@@ -1301,7 +1301,7 @@ public UserAccount createUserAccount(final String userName, final String passwor
 final String lastName, final String email, final String timezone, String accountName, final Account.Type accountType, final Long roleId, Long domainId, final String networkDomain, final Map details,
- String accountUUID, final String userUUID, final User.Source source) {
+ String accountUUID, final String userUUID, final User.Source source, Account caller) {
 if (accountName == null) {
 accountName = userName;
@@ -1360,7 +1360,7 @@ public Pair doInTransaction(TransactionStatus status) {
 checkRoleEscalation(getCurrentCallingAccount(), account);
 // create the first user for the account
- UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source);
+ UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source, caller);
 if (accountType == Account.Type.RESOURCE_DOMAIN_ADMIN) { // set registration token
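Review bot: In the `@@ -1360` hunk the method now mixes two sources of truth for who is acting: the unchanged `checkRoleEscalation(getCurrentCallingAccount(), account);` reads the caller from the thread's call context, while the new `createUser(..., source, caller)` forwards the `caller` argument supplied by whichever code invoked `createUserAccount`. The `@@ -1286` hunk fills it with `CallContext.current().getCallingAccount()`, but the other call sites in this series pass `null` or a hard-coded `accountService.getSystemAccount()`, so the two values can disagree and the downstream password-policy exemption ends up keyed on a caller-chosen argument rather than on the authenticated context. Either resolve the actor once (`Account caller = getCurrentCallingAccount();`) and use it for both checks, or make the exemption an explicit flag whose meaning does not depend on an identity the call site asserts about itself. The signature of `createUserAccount` sits just above the `@@ -1301` hunk and its body continues past the `@@ -1360` hunk.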
@@ -1530,7 +1530,7 @@ public UserVO createUser(String userName, String password, String firstName, Str
 verifyCallerPrivilegeForUserOrAccountOperations(account);
 UserVO user;
- user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
+ user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source, null);
 return user;
 }
@@ -2742,12 +2742,15 @@ public AccountVO doInTransaction(TransactionStatus status) {
 });
 }
- protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, User.Source source) {
+ protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID,
+ User.Source source, Account caller) {
 if (logger.isDebugEnabled()) {
 logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
 }
- passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+ if (caller == null || caller.getId() != Account.ACCOUNT_ID_SYSTEM) {
+ passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+ }
 String encodedPassword = null;
 for (UserAuthenticator authenticator : _userPasswordEncoders) {
diff --git a/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java b/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
index a84f02755c7c..0a121ebce066 100644
--- a/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
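Review bot: The new guard `if (caller == null || caller.getId() != Account.ACCOUNT_ID_SYSTEM)` in the `@@ -2742` hunk turns the password policy into something any internal caller can switch off by handing in the system account object, rather than a decision tied to the actual execution context; deriving the exemption inside `createUser` from `CallContext.current()` (or keying it on a dedicated "generated credential" flag rather than on identity) would stop a future call site from bypassing the policy for a human-facing account by accident or design. When the check is skipped it happens silently — an `else` branch with `logger.debug("Skipping password policy check for user {}: created by the system account", userName);` would make the exemption visible in logs and audits, using the `{}` placeholder style the LDAP code in this series already uses. Patch 3/4 in this series reverts this commit, so the remark applies to whichever form is reintroduced. `createUser` at `@@ -2742` continues past the end of the hunk.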
@@ -374,13 +374,13 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) {
 cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(), cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(), cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(),
- cmd.getUserUUID(), User.Source.UNKNOWN);
+ cmd.getUserUUID(), User.Source.UNKNOWN, null);
 }
 @Override
 public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId, Long domainId, String networkDomain, Map details, String accountUUID,
- String userUUID, User.Source source) {
+ String userUUID, User.Source source, Account caller) {
 // TODO Auto-generated method stub
 return null;
 }

From 0878f0f53283b27b34e82ce3ce105435a190f956 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Fri, 26 Sep 2025 14:20:42 +0200
Subject: [PATCH 3/4] Revert "server,cks: skip password policy if create account and user by system account"

This reverts commit 2493a598e33f899a7c61c74005fadf3443b7c599.
---
 .../main/java/com/cloud/user/AccountService.java | 3 ++-
 .../cluster/KubernetesClusterManagerImpl.java | 2 +-
 .../contrail/management/MockAccountManager.java | 4 ++--
 .../api/command/LdapCreateAccountCmd.java | 2 +-
 .../api/command/LdapImportUsersCmd.java | 2 +-
 .../api/command/LinkAccountToLdapCmd.java | 2 +-
 .../api/command/LinkDomainToLdapCmd.java | 2 +-
 .../apache/cloudstack/ldap/LdapAuthenticator.java | 2 +-
 .../cloudstack/ldap/LdapAuthenticatorSpec.groovy | 2 +-
 .../cloudstack/ldap/LdapImportUsersCmdSpec.groovy | 4 ++--
 .../api/command/LinkAccountToLdapCmdTest.java | 2 +-
 .../api/command/LinkDomainToLdapCmdTest.java | 2 +-
 .../java/com/cloud/user/AccountManagerImpl.java | 15 ++++++---------
 .../com/cloud/user/MockAccountManagerImpl.java | 4 ++--
 14 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java index 1a3fbae72949..c0ebcf09f59b 100644 --- a/api/src/main/java/com/cloud/user/AccountService.java +++ b/api/src/main/java/com/cloud/user/AccountService.java @@ -46,7 +46,8 @@ public interface AccountService { UserAccount createUserAccount(CreateAccountCmd accountCmd); UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, - Long roleId, Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source, Account caller); + Long roleId, Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source); + /** * Locks a user by userId. A locked user cannot access the API, but will still have running VMs/IP addresses * allocated/etc. diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java index 6d890c8ac083..5a1712968266 100644 --- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java +++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java 
@@ -1553,7 +1553,7 @@ protected Account createProjectKubernetesAccount(final Project project, final St UserAccount userAccount = accountService.createUserAccount(accountName, UUID.randomUUID().toString(), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME, PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(), - project.getDomainId(), null, null, null, null, User.Source.NATIVE, accountService.getSystemAccount()); + project.getDomainId(), null, null, null, null, User.Source.NATIVE); projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular, userAccount.getId(), null); Account account = accountService.getAccount(userAccount.getAccountId()); diff --git a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index 465ea2ffe544..bc9dbfa7b436 100644 --- a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java 
@@ -147,12 +147,12 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) { cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(), cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(), cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(), - cmd.getUserUUID(), User.Source.UNKNOWN, null); + cmd.getUserUUID(), User.Source.UNKNOWN); } @Override public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId, - Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source, Account caller) { + Long domainId, String networkDomain, Map details, String accountUUID, String userUUID, User.Source source) { // TODO Auto-generated method stub return null; } diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java index 87cda3da4e16..880ecea4d13c 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java 
@@ -95,7 +95,7 @@ UserAccount createCloudstackUserAccount(final LdapUser user, String accountName, Account account = _accountService.getActiveAccountByName(accountName, domainId); if (account == null) { return _accountService.createUserAccount(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(), - domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP, null); + domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP); } else { User newUser = _accountService.createUser(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, domainId, userUUID, User.Source.LDAP); diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java index 1e9e3810bfe4..eada5f6df39b 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java 
@@ -108,7 +108,7 @@ private void createCloudstackUserAccount(LdapUser user, String accountName, Doma if (account == null) { logger.debug("No account exists with name: " + accountName + " creating the account and an user with name: " + user.getUsername() + " in the account"); _accountService.createUserAccount(user.getUsername(), generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(), - domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); + domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); } else { // check if the user exists. if yes, call update UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId()); diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java index 5af5a4b35117..52ece5c44f43 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java 
@@ -89,7 +89,7 @@ public void execute() throws ServerApiException { try { UserAccount userAccount = _accountService .createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), - UUID.randomUUID().toString(), User.Source.LDAP, null); + UUID.randomUUID().toString(), User.Source.LDAP); response.setAdminId(String.valueOf(userAccount.getAccountId())); logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId); } catch (Exception e) { diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java index 6f4ec3d643bd..c351924de6de 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java @@ -105,7 +105,7 @@ public void execute() throws ServerApiException { if (account == null) { try { UserAccount userAccount = _accountService.createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, - admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); + admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); response.setAdminId(String.valueOf(userAccount.getAccountId())); logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId); } catch (Exception e) { 
diff --git a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java index bad65eebcc6d..36c663566cb9 100644 --- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java +++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java @@ -310,7 +310,7 @@ private void createCloudStackUserAccount(LdapUser user, long domainId, Account.T String username = user.getUsername(); _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username, accountType, RoleType.getByAccountType(accountType).getId(), domainId, null, null, - UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null); + UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP); } private void disableUserInCloudStack(UserAccount user) { diff --git a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy index 21ace3f5b3be..8fa7f3ee2e89 100644 --- a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy +++ b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy 
@@ -176,7 +176,7 @@ class LdapAuthenticatorSpec extends spock.lang.Specification {
 ldapManager.getUser(username, type.toString(), name) >> new LdapUser(username, "email", "firstname", "lastname", "principal", "domain", false, null)
 ldapManager.canAuthenticate(_, _, _) >> true //user should be created in cloudstack
- accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP, null) >> Mock(UserAccount)
+ accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP) >> Mock(UserAccount)
 when:
 Pair result = ldapAuthenticator.authenticate(username, "password", domainId, null)
diff --git a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy
index 92b8ef8a3a8e..68b910811c79 100644
--- a/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy
+++ b/plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy
@@ -213,8 +213,8 @@ class LdapImportUsersCmdSpec extends spock.lang.Specification {
 def accountService = Mock(AccountService)
 1 * accountService.getActiveAccountByName('ACCOUNT', 0) >> Mock(AccountVO)
- 1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 0, _, User.Source.LDAP, null) >> Mock(UserVO)
- 0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP, null)
+ 1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 0, _, User.Source.LDAP) >> Mock(UserVO)
+ 0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', 'rmurphy@test.com', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP)
 0 * accountService.updateUser(_,'Ryan', 'Murphy', 'rmurphy@test.com', null, null, null, null, null);
 def ldapImportUsersCmd = new LdapImportUsersCmd(ldapManager, domainService, accountService)
diff --git a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java
index 3d5668396faf..adf0f98f2943 100644
--- a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java
+++ b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java
@@ -88,7 +88,7 @@ public void execute() throws Exception {
 userAccount.setAccountId(24);
 when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class), eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
- (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount);
+ (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
 linkAccountToLdapCmd.execute();
 LinkAccountToLdapResponse result = (LinkAccountToLdapResponse)linkAccountToLdapCmd.getResponseObject();
diff --git a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java
index 77aa20eb2bd0..080347fefd32 100644
--- a/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java
+++ b/plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java
@@ -86,7 +86,7 @@ public void execute() throws Exception {
 userAccount.setAccountId(24);
 when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class), eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
- (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount);
+ (java.util.Map)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
 linkDomainToLdapCmd.execute();
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 97d5343c3155..04a64fbfc8c9 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1286,7 +1286,7 @@ public UserAccount createUserAccount(CreateAccountCmd accountCmd) {
 accountCmd.getLastName(), accountCmd.getEmail(), accountCmd.getTimeZone(), accountCmd.getAccountName(), accountCmd.getAccountType(), accountCmd.getRoleId(), accountCmd.getDomainId(), accountCmd.getNetworkDomain(), accountCmd.getDetails(), accountCmd.getAccountUUID(),
- accountCmd.getUserUUID(), User.Source.UNKNOWN, CallContext.current().getCallingAccount());
+ accountCmd.getUserUUID(), User.Source.UNKNOWN);
 }
 // ///////////////////////////////////////////////////
@@ -1301,7 +1301,7 @@ public UserAccount createUserAccount(final String userName, final String passwor
 final String lastName, final String email, final String timezone, String accountName, final Account.Type accountType, final Long roleId, Long domainId, final String networkDomain, final Map details,
- String accountUUID, final String userUUID, final User.Source source, Account caller) {
+ String accountUUID, final String userUUID, final User.Source source) {
 if (accountName == null) {
 accountName = userName;
@@ -1360,7 +1360,7 @@ public Pair doInTransaction(TransactionStatus status) {
 checkRoleEscalation(getCurrentCallingAccount(), account);
 // create the first user for the account
- UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source, caller);
+ UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source);
 if (accountType == Account.Type.RESOURCE_DOMAIN_ADMIN) {
 // set registration token
@@ -1530,7 +1530,7 @@ public UserVO createUser(String userName, String password, String firstName, Str
 verifyCallerPrivilegeForUserOrAccountOperations(account);
 UserVO user;
- user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source, null);
+ user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
 return user;
 }
@@ -2742,15 +2742,12 @@ public AccountVO doInTransaction(TransactionStatus status) {
 });
 }
- protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID,
- User.Source source, Account caller) {
+ protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, User.Source source) {
 if (logger.isDebugEnabled()) {
 logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
 }
- if (caller == null || caller.getId() != Account.ACCOUNT_ID_SYSTEM) {
- passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
- }
+ passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
 String encodedPassword = null;
 for (UserAuthenticator authenticator : _userPasswordEncoders) {
diff --git a/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java b/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
index 0a121ebce066..a84f02755c7c 100644
--- a/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
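Review bot: The rewritten `createUser` signature on the `+` line of the `@@ -2742` hunk is packed onto a single line of roughly 190 columns, whereas the two lines it replaces wrapped after `String userUUID,`; keeping that wrap, i.e. `protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID,` followed by `User.Source source) {`, stays within the width the rest of the file appears to use. The method body continues past the end of the hunk.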
@@ -374,13 +374,13 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) {
 cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(), cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(), cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(),
- cmd.getUserUUID(), User.Source.UNKNOWN, null);
+ cmd.getUserUUID(), User.Source.UNKNOWN);
 }
 @Override
 public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId, Long domainId, String networkDomain, Map details, String accountUUID,
- String userUUID, User.Source source, Account caller) {
+ String userUUID, User.Source source) {
 // TODO Auto-generated method stub
 return null;
 }
From 0727b7bc0b79f44285b0e5df69765e005e7a4946 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Fri, 26 Sep 2025 14:20:53 +0200
Subject: [PATCH 4/4] CKS: skip password policy check for cks user in project
---
 server/src/main/java/com/cloud/user/AccountManagerImpl.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 04a64fbfc8c9..2f6392ffaad2 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -2747,7 +2747,10 @@ protected UserVO createUser(long accountId, String userName, String password, St
 logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
 }
- passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+ Account callingAccount = getCurrentCallingAccount();
+ if (callingAccount.getId() != Account.ACCOUNT_ID_SYSTEM) {
+ passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+ }
 String encodedPassword = null;
 for (UserAuthenticator authenticator : _userPasswordEncoders) {
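Review bot: The new `if` line keys the bypass on the calling account being the system account rather than on the user being a CKS project user, so the CKS path and any other code path that creates a user while running under the system call context now skip the password policy, which is wider than the commit subject states. If that breadth is intended, record it next to the check, e.g. `// Password policy applies to user-chosen passwords only; system-context callers (CKS project users) are exempt`, and make the skip visible in logs with `logger.debug("Skipping password policy check for user " + userName + " created by the system account");` so an auditor can see which users were created without the check. `callingAccount.getId()` is dereferenced without a null check on the following line; if `getCurrentCallingAccount()` can return null when no call context is registered, this throws before any policy decision, whereas the caller-based form this replaces guarded `caller == null`, so confirm whether that case is reachable. The signature of `createUser` and the remainder of its body lie outside the hunk.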