Fix checkRoleEscalation performance and bugs in access checking

[nvazquez]

Description

This PR fixes performance issues and bugs in AccountManagerImpl.checkRoleEscalation(Account, Account).

Performance problem: The method iterated all ~742 API commands individually, calling checkApiAccess for each command through 2 API checkers. DynamicRoleBasedAPIAccessChecker.checkAccess(Account, String) made a redundant uncached DB call on every invocation, ignoring already-cached data from
getRolePermissionsUsingCache(). Additionally, ProjectRoleBasedApiAccessChecker.checkAccess(Account, String) always returns true but was still called 742 times.

Impact before fix: ~1,484 DB calls per checkRoleEscalation invocation for non-admin roles.
Impact after fix: ~2 DB calls (or 0 with warm cache).

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

❌ Patch coverage is 58.46154% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.61%. Comparing base (4708121) to head (3a3df82).

Files with missing lines	Patch %	Lines
...ain/java/org/apache/cloudstack/acl/APIChecker.java	6.66%	14 Missing ⚠️
...loudstack/acl/StaticRoleBasedAPIAccessChecker.java	0.00%	9 Missing ⚠️
...oudstack/acl/ProjectRoleBasedApiAccessChecker.java	0.00%	3 Missing ⚠️
...oudstack/acl/DynamicRoleBasedAPIAccessChecker.java	94.44%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##               4.22   #12973   +/-   ##
=========================================
  Coverage     17.60%   17.61%           
- Complexity    15677    15691   +14     
=========================================
  Files          5918     5919    +1     
  Lines        531681   531726   +45     
  Branches      65005    65014    +9     
=========================================
+ Hits          93623    93649   +26     
- Misses       427498   427514   +16     
- Partials      10560    10563    +3     

Flag	Coverage Δ
uitests	3.70% <ø> (ø)
unittests	18.68% <58.46%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 17387

[nvazquez]

@blueorangutan test

[blueorangutan]

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15819)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 49520 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12973-t15819-kvm-ol8.zip
Smoke tests completed. 149 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File