Do not list Quota API's to accounts with Quota disabled

[JoaoJandre]

Description

Currently, even if an account has the Quota plugin disabled, they may still list and use the Quota APIs. This PR fixes this behavior, making the quota.account.enabled be respected when listing APIs and calling APIs.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

A new role was created and granted permission to call all Quota APIs, then a new account was created from that role.
With the plugin enabled for this account, all Quota APIs were called and worked as expected. Then the plugin was disabled for the account and all the APIs were called again, all the calls got a permission denied error, except the quotaIsEnable API, which continued to work (as expected).
Finally, still with quota disabled for the account, a sync was done using CloudMonkey to verify that the quota APIs would not be discovered, and only quotaIsEnable was discovered for that account (as expected).

[DaanHoogland]

clgtm, but can you extract the new blocks in ApiDiscoveryServiceImpl , please?
also there is a license header missing

[codecov]

Codecov Report

Merging #7599 (741abeb) into main (b2e9993) will increase coverage by 16.07%.
Report is 485 commits behind head on main.
The diff coverage is 42.13%.

@@              Coverage Diff              @@
##               main    #7599       +/-   ##
=============================================
+ Coverage     12.97%   29.05%   +16.07%     
- Complexity     8978    30906    +21928     
=============================================
  Files          2716     5189     +2473     
  Lines        256309   365814   +109505     
  Branches      39968    53493    +13525     
=============================================
+ Hits          33268   106293    +73025     
- Misses       218880   244954    +26074     
- Partials       4161    14567    +10406     

Flag	Coverage Δ
simulator-marvin-tests	24.98% <41.01%> (?)
uitests	4.50% <ø> (?)
unit-tests	14.79% <7.92%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...com/cloud/agent/dhcp/DhcpProtocolParserServer.java	0.00% <ø> (ø)
api/src/main/java/com/cloud/agent/api/Answer.java	42.30% <ø> (ø)
...c/main/java/com/cloud/agent/api/to/DatadiskTO.java	0.00% <ø> (ø)
...i/src/main/java/com/cloud/agent/api/to/DpdkTO.java	0.00% <ø> (ø)
...ud/agent/api/to/deployasis/OVFConfigurationTO.java	0.00% <ø> (ø)
...om/cloud/agent/api/to/deployasis/OVFNetworkTO.java	0.00% <ø> (ø)
...nt/api/to/deployasis/OVFVirtualHardwareItemTO.java	0.00% <ø> (ø)
...api/to/deployasis/OVFVirtualHardwareSectionTO.java	0.00% <ø> (ø)
...main/java/com/cloud/offering/DiskOfferingInfo.java	76.47% <ø> (ø)
.../com/cloud/resource/RollingMaintenanceManager.java	7.31% <ø> (ø)
... and 178 more

... and 3654 files with indirect coverage changes

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

[JoaoJandre]

@blueorangutan package

[blueorangutan]

@JoaoJandre a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 6726

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-7375)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 47511 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7599-t7375-kvm-centos7.zip
Smoke tests completed. 112 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_migrate_VM_and_root_volume	Error	78.82	test_vm_life_cycle.py
test_02_migrate_VM_with_two_data_disks	Error	52.43	test_vm_life_cycle.py

[DaanHoogland]

clgtm

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SF] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 7271

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SF] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-7877)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 41501 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7599-t7877-kvm-centos7.zip
Smoke tests completed. 113 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

@JoaoJandre , can you look at @GutoVeronezi 's comments/suggestions?

[JoaoJandre]

@blueorangutan package

[blueorangutan]

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 7729

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-8314)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 53832 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7599-t8314-kvm-centos7.zip
Smoke tests completed. 115 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_01_invalid_upgrade_kubernetes_cluster	Failure	3606.69	test_kubernetes_clusters.py
test_02_upgrade_kubernetes_cluster	Failure	3616.32	test_kubernetes_clusters.py
test_03_deploy_and_scale_kubernetes_cluster	Failure	0.05	test_kubernetes_clusters.py
test_04_autoscale_kubernetes_cluster	Failure	0.04	test_kubernetes_clusters.py
test_05_basic_lifecycle_kubernetes_cluster	Failure	0.04	test_kubernetes_clusters.py
test_06_delete_kubernetes_cluster	Failure	0.06	test_kubernetes_clusters.py
test_07_deploy_kubernetes_ha_cluster	Failure	0.05	test_kubernetes_clusters.py
test_08_upgrade_kubernetes_ha_cluster	Failure	0.05	test_kubernetes_clusters.py
test_09_delete_kubernetes_ha_cluster	Failure	0.04	test_kubernetes_clusters.py
test_10_vpc_tier_kubernetes_cluster	Failure	42.79	test_kubernetes_clusters.py
test_11_test_unmanaged_cluster_lifecycle	Error	1.29	test_kubernetes_clusters.py
ContextSuite context=TestKubernetesCluster>:teardown	Error	53.69	test_kubernetes_clusters.py
test_08_migrate_vm	Error	0.06	test_vm_life_cycle.py

[DaanHoogland]

@kishankavala @GutoVeronezi can you approve?

[GutoVeronezi]

@kishankavala @GutoVeronezi can you approve?

@DaanHoogland
I was thinking about this one, perhaps it does not make sense to not list the APIs if the Quota for the account is disabled. For instance, we could have an account that would visualize the Quota (like a manager) but would not be accounted for; therefore, the Quota would be disabled for the account, but the account would still be able to request the Quota APIs. For denying access to the APIs, we could create different roles.

cc: @JoaoJandre

[DaanHoogland]

@kishankavala @GutoVeronezi can you approve?

@DaanHoogland I was thinking about this one, perhaps it does not make sense to not list the APIs if the Quota for the account is disabled. For instance, we could have an account that would visualize the Quota (like a manager) but would not be accounted for; therefore, the Quota would be disabled for the account, but the account would still be able to request the Quota APIs. For denying access to the APIs, we could create different roles.

cc: @JoaoJandre

make functional sense @GutoVeronezi , let me know what/when... moving this out of 4.19 for now

[JoaoJandre]

@kishankavala @GutoVeronezi can you approve?

@DaanHoogland I was thinking about this one, perhaps it does not make sense to not list the APIs if the Quota for the account is disabled. For instance, we could have an account that would visualize the Quota (like a manager) but would not be accounted for; therefore, the Quota would be disabled for the account, but the account would still be able to request the Quota APIs. For denying access to the APIs, we could create different roles.

cc: @JoaoJandre

@DaanHoogland @GutoVeronezi Looking at it this way, I believe that this PR is not really relevant anymore. As this functionality can be achieved using different roles to block the wanted APIs. I'll be closing the PR.