-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix cloudstack-ui package: bad directory permissions and missing WEB-INF #8568
Conversation
Updated the spec file such that directories are chmod 0755 rather than 0644 which would prevent the cloud user from reading their contents.
The cloudstack-ui package should have the same files as the bundled webapp in the management package.
Add the missing WEB-INF directory and do not set directories to 0755.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## 4.18 #8568 +/- ##
=========================================
Coverage 13.16% 13.16%
- Complexity 9201 9203 +2
=========================================
Files 2724 2724
Lines 258077 258077
Branches 40224 40224
=========================================
+ Hits 33981 33986 +5
+ Misses 219790 219784 -6
- Partials 4306 4307 +1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
clgtm, it seems that the ui can now be deployed as any user (something outside the diff may force user 'cloud', not sure). is that right @kohrar ?
Out of the box, CloudStack serves the UI (via the cloudstack-management service) as the 'cloud' user, as defined by the cloudstack-management service file. An operator could in theory change the daemon user to something other than cloud. I don't see anything in the CloudStack documentation about changing this. Regardless of what user cloudstack-management runs as (cloud or otherwise), this PR will fix the case where the UI and API breaks if a CloudStack operator tries to install the cloudstack-ui package and configures the CloudStack management service to use that webapp directory with |
@kohrar the cloudstack-ui package is for advanced user wherein we assume it's not being served from the cloudstack management server host. The cloudstack-management already bundles the UI. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - I've added my comments, however, we don't assume for using cloudstack-ui pkg that the cloud user must exists or have access/ACLs according to it.
@DaanHoogland a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress. |
UI build: ✔️ |
it seems to have installed correctly in qa, so I think this is ready for merge. Not sure if I miss some corner case there that should be covered as well. |
@blueorangutan package |
@rohityadavcloud a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 8522 |
…INF (#8568) * Fix bad perms on sub directories for webapp asset files Updated the spec file such that directories are chmod 0755 rather than 0644 which would prevent the cloud user from reading their contents. * Fix bad permissions for centos8 UI files, missing WEB-INF The cloudstack-ui package should have the same files as the bundled webapp in the management package. * Fix bad perms and missing WEB-INF for centos7 ui rpm Add the missing WEB-INF directory and do not set directories to 0755. * Fix missing WEB-INF on CentOS 8 cloudstack-ui rpm * Fix missing WEB-INF on CentOS 7 cloudstack-ui rpm
…INF (apache#8568) * Fix bad perms on sub directories for webapp asset files Updated the spec file such that directories are chmod 0755 rather than 0644 which would prevent the cloud user from reading their contents. * Fix bad permissions for centos8 UI files, missing WEB-INF The cloudstack-ui package should have the same files as the bundled webapp in the management package. * Fix bad perms and missing WEB-INF for centos7 ui rpm Add the missing WEB-INF directory and do not set directories to 0755. * Fix missing WEB-INF on CentOS 8 cloudstack-ui rpm * Fix missing WEB-INF on CentOS 7 cloudstack-ui rpm
…INF (apache#8568) * Fix bad perms on sub directories for webapp asset files Updated the spec file such that directories are chmod 0755 rather than 0644 which would prevent the cloud user from reading their contents. * Fix bad permissions for centos8 UI files, missing WEB-INF The cloudstack-ui package should have the same files as the bundled webapp in the management package. * Fix bad perms and missing WEB-INF for centos7 ui rpm Add the missing WEB-INF directory and do not set directories to 0755. * Fix missing WEB-INF on CentOS 8 cloudstack-ui rpm * Fix missing WEB-INF on CentOS 7 cloudstack-ui rpm
Description
The cloudstack-ui package contains a copy of the webapp. However, the package (for both CentOS 7 and CentOS 8) have two issues:
Fixes #8558
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
Rebuilt the RPM packages under Rocky Linux 8 / CentOS 8 using Docker.
New cloudstack-ui packages now have the proper permissions:
How did you try to break this feature and the system with this change?
Affects only rpmbuild for the cloudstack-ui package. Extracted RPM package to verify change.