server: optimize account creation by pre-loading the role permissions

[weizhouapache]

Description

This PR optimizes the process of #5879

prior to this PR

2025-07-03 13:14:34,940 DEBUG [c.c.a.ApiServlet] (qtp1390913202-23:[ctx-8349b2ec]) (logid:9c370102) ===START===  10.0.112.203 -- GET  accounttype=0&email=test%40test.com&firstname=Test&lastname=User&username=test-TestInternalLb-ZS4QJR&command=createAccount&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=kOcCU%2FcXP5NU8GEb6i0L%2FifXfu0%3D

2025-07-03 13:14:41,506 DEBUG [c.c.a.ApiServlet] (qtp1390913202-23:[ctx-8349b2ec, ctx-0b145e08, ctx-bf249291]) (logid:9c370102) ===END===  10.0.112.203 -- GET  accounttype=0&email=test%40test.com&firstname=Test&lastname=User&username=test-TestInternalLb-ZS4QJR&command=createAccount&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=kOcCU%2FcXP5NU8GEb6i0L%2FifXfu0%3D

with this PR, it is reduced to less than 1 second

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

❌ Patch coverage is 6.45161% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.25%. Comparing base (1a251c8) to head (37fe152).
⚠️ Report is 333 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java	0.00%	16 Missing ⚠️
...oudstack/acl/DynamicRoleBasedAPIAccessChecker.java	15.38%	11 Missing ⚠️
...ain/java/org/apache/cloudstack/acl/APIChecker.java	0.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #11137      +/-   ##
============================================
+ Coverage     16.15%   16.25%   +0.09%     
- Complexity    13276    13425     +149     
============================================
  Files          5657     5663       +6     
  Lines        497969   500212    +2243     
  Branches      60389    60744     +355     
============================================
+ Hits          80463    81311     +848     
- Misses       408542   409816    +1274     
- Partials       8964     9085     +121     

Flag	Coverage Δ
uitests	4.15% <ø> (+0.15%)	⬆️
unittests	17.10% <6.45%> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

minor nit, clgtm

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14033

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13682)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 56085 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11137-t13682-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

clgtm

[DaanHoogland]

@weizhouapache , what do we need still to get this merged?

[sureshanaparti]

@weizhouapache is this relevant for 4.20.3, and what tests to be covered for this?

[weizhouapache]

@DaanHoogland @sureshanaparti
this is an optimization to reduce the db queries. there is not a real issue reported.

if you want to test, maybe check if there is a regression (for example, #5781 should not happen)

[RosiKyu]

Test Results

Test Case	Result
TC1: Role Escalation Prevention	FAILED
TC2: Performance Optimization	PASSED

Issue Found

Role escalation prevention (#5879) is broken. A user with a restricted Domain Admin role (with createServiceOffering denied) was able to successfully create an account with the unrestricted default Domain Admin role.

Root Cause: The checkRoleEscalation method appears to be using the wrong caller account. Server logs show:

12:57:40 CIDRs from which account 'Account [{"accountName":"restrictedadmin"...
12:57:46 Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account...

@weizhouapache The request was authenticated as restrictedadmin (role-id 11), but the escalation check used admin (role-id 1 - Root Admin), which has all permissions and thus the check passes incorrectly.

TC1: Role Escalation Prevention (Regression Test for #5781)

Objective
Verify that a user with a restricted Domain Admin role (with createServiceOffering denied) cannot create an account with the unrestricted default Domain Admin role.

Test Steps

1. Created role "Domain Admin Restricted" by cloning default Domain Admin role (ID: 81466765-10a5-4aba-bf55-ed25f6c994c5)
2. Updated createServiceOffering permission from allow to deny for the restricted role
3. Created domain "TestDomain" (ID: 2bfa0be4-7d8e-4859-b40c-ad205f64b89b)
4. Created account "restrictedadmin" with the restricted role (ID: cece4a85-fba7-4780-8269-69cb1771bc1e)
5. Registered API keys for restrictedadmin user
6. Switched to restrictedadmin user profile (verified via list accounts showing only own account with 408 APIs available)
7. Attempted to create account "escalateduser" with unrestricted Domain Admin role (ID: 51d853ed-fa97-11f0-877d-1e009d0003da)

Expected Result:
The createAccount command should fail with a permission denied error, preventing role escalation.

Actual Result:
The account "escalateduser" was successfully created with the unrestricted Domain Admin role. Role escalation prevention is NOT working.

Root Cause Analysis:
Server log at 12:57:46 shows:

Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account of type escalateduser

The escalation check is incorrectly using the admin account (role-id 1) instead of the actual caller restrictedadmin (role-id 11).

Test Evidence:

1. Restricted role created and permission denied:

{
  "role": {
    "description": "Restricted Domain Admin for testing",
    "id": "81466765-10a5-4aba-bf55-ed25f6c994c5",
    "name": "Domain Admin Restricted",
    "type": "DomainAdmin"
  }
}

2. createServiceOffering permission set to deny:

{
  "id": "69374f83-ddfc-4a7a-8658-054e5b3d389f",
  "permission": "deny",
  "rule": "createServiceOffering"
}

3. Verified restrictedadmin context (408 APIs, only own account visible):

{
  "account": [
    {
      "name": "restrictedadmin",
      "roleid": "81466765-10a5-4aba-bf55-ed25f6c994c5",
      "rolename": "Domain Admin Restricted"
    }
  ],
  "count": 1
}

4. Escalation succeeded (BUG):

{
  "account": {
    "name": "escalateduser",
    "roleid": "51d853ed-fa97-11f0-877d-1e009d0003da",
    "rolename": "Domain Admin",
    "created": "2026-01-26T12:57:46+0000"
  }
}

5. Server log showing wrong caller used in escalation check:

2026-01-26 12:57:40,709 DEBUG CIDRs from which account 'Account [{"accountName":"restrictedadmin"...
2026-01-26 12:57:46,013 DEBUG Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account of type escalateduser

Status: FAILED - Role escalation prevention regression

TC2: Performance Optimization for createAccount API

Objective
Verify that the createAccount API completes in less than 1 second after the optimization (previously took ~6.5 seconds).

Test Steps

1. Switched to admin profile
2. Executed createAccount command to create user "perftest" with User role
3. Checked management server logs for API timing (START to END timestamps)

Expected Result:
The createAccount API should complete in less than 1 second.

Actual Result:
The API completed in approximately 659 milliseconds.

Test Evidence:

1. Account creation command output:

{
  "account": {
    "name": "perftest",
    "roleid": "51d8639c-fa97-11f0-877d-1e009d0003da",
    "rolename": "User",
    "created": "2026-01-26T12:59:37+0000"
  }
}

2. Server log timing:

2026-01-26 12:59:37,015 DEBUG ===START===  10.0.35.71 -- POST  
2026-01-26 12:59:37,674 DEBUG ===END===  10.0.35.71 -- POST  

Duration: 659ms (12:59:37,674 - 12:59:37,015)

Status: PASSED - Performance optimization working as expected

[weizhouapache]

thanks @RosiKyu for the testing
I moved this to draft, will have a look later

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16893

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15505)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 51897 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11137-t15505-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_LoginApiDomain	Error	2.95	test_accounts.py

[weizhouapache]

@RosiKyu
I've applied your suggestions. can you retest it ? thanks

[Copilot]

Pull request overview

This PR optimizes the role-escalation prevention path during account creation (introduced in/related to #5879) by pre-loading role permissions once per role, avoiding repeated permission lookups while iterating over API names.

Changes:

• Refactors AccountManagerImpl.checkRoleEscalation to prefetch role/permission data per checker and reuse it while evaluating API access.
• Extends the APIChecker interface with optional hooks to fetch role permissions and to check access using preloaded permissions.
• Updates DynamicRoleBasedAPIAccessChecker to expose role permissions and to support the new “preloaded permissions” access-check overload.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
server/src/main/java/com/cloud/user/AccountManagerImpl.java	Uses per-role preloaded permissions in role escalation checks, calling into new APIChecker hooks.
plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java	Implements the new hooks to return role+permissions and perform access checks without re-querying permissions.
api/src/main/java/org/apache/cloudstack/acl/APIChecker.java	Adds default methods for role-permission preloading and an overload for permission checks using preloaded data.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

APIChecker.checkAccess(Account, String, Role, List<RolePermission>) has a default implementation that returns false. In AccountManagerImpl.checkApiAccess(...) the return value is ignored and only exceptions deny access, so a false default will effectively behave like “allowed” if any implementation ever returns a non-null value from getRolePermissions(...) but forgets to override this new checkAccess(...) overload. Consider changing the default implementation to delegate to the existing checkAccess(Account, String) (or throw an UnsupportedOperationException) so the safe/legacy behavior is preserved by default.

Suggested change

	default boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) { return false; }
	default boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
	return checkAccess(account, commandName);
	}

[Copilot]

The new checkAccess(Account, String, Role, List<RolePermission>) overload and getRolePermissions(long) are role/ACL-specific, but they were added to the base APIChecker interface (which is also used by non-ACL checkers like rate limiting). To avoid coupling unrelated checkers to role permission concepts, consider moving these new methods to APIAclChecker (or another ACL-specific interface) instead of APIChecker.

Suggested change

	default Pair<Role, List<RolePermission>> getRolePermissions(long roleId) { return null; }
	default boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) { return false; }
	/**
	* ACL-specific extension for API checkers that work with roles and role permissions.
	*/
	interface APIAclChecker extends APIChecker {
	default Pair<Role, List<RolePermission>> getRolePermissions(long roleId) { return null; }
	default boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) { return false; }
	}

[Copilot]

DynamicRoleBasedAPIAccessChecker adds a new checkAccess(Account, String, Role, List<RolePermission>) path, but the existing unit tests in this module only cover checkAccess(User, String) / checkAccess(Account, String). Adding tests for the new overload (allow/deny and root-admin cases) would help prevent regressions in the new preloaded-permissions flow used during account creation.

[Copilot]

checkRoleEscalation iterates over every enabled APIChecker. This includes non-ACL checkers like ApiRateLimitServiceImpl which increments per-account counters in checkAccess(Account, String) (and may throw RequestLimitException). That means creating an account can unexpectedly consume/trigger API rate limits and also interfere with the “requested can access” probing (exceptions are treated as “irrelevant”). Consider filtering the checkers used here to APIAclChecker only (or otherwise excluding rate limiting and other non-ACL checkers) so role escalation validation only evaluates permissions.

[nvazquez]

Hi @weizhouapache @RosiKyu please check #12973 for similar optimizations