list only own zones for resource admin #11087

Merged
DaanHoogland merged 6 commits into apache:4.20 from shapeblue:ghi10906-listZonesForResourceManager
Jul 24, 2025

@DaanHoogland
Contributor

@DaanHoogland DaanHoogland commented Jun 25, 2025

Description

This PR...

Fixes: #10906

By adding a global setting allow.user.view.all.zone, depending on this setting, the resource admin from the issue description will be able to see zones that do not fall within their dedication domain, or not. The default is true, meaning that on listZones all zones are shown. If set to false, the user will only see the zone from their dedication domain.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

Contributor

Copilot AI left a comment

Pull Request Overview

This PR tightens zone-level access for resource managers and applies broad Java refactoring to modernize code style.

  • Enforce per-zone permissions in listDataCentersInternal by renaming id to zoneId and invoking checkAccessAndSpecifyAuthority.
  • Remove unused imports and private methods across QueryManagerImpl, and standardize Java 7+ features (diamond operators, toArray(new T[0])).
  • Simplify API commands by dropping redundant static names/overrides and adopting diamond operators in response list declarations.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| server/src/main/java/com/cloud/api/query/QueryManagerImpl.java | Enforce zone access control, remove unused code, and refactor to use diamond operators and array patterns. |
| api/src/main/java/org/apache/cloudstack/api/command/user/zone/ListZonesCmd.java | Remove obsolete getCommandName() override and static response name. |
| api/src/main/java/org/apache/cloudstack/api/command/admin/pod/ListPodsByCmd.java | Adopt diamond operators in ListResponse and collection initializations. |
| api/src/main/java/org/apache/cloudstack/api/command/admin/cluster/ListClustersCmd.java | Simplify Pair constructions and apply diamond operators to list declarations. |
Comments suppressed due to low confidence (2)

server/src/main/java/com/cloud/api/query/QueryManagerImpl.java:3151

  • The internal method searchForStorageTagsInternal no longer accepts the command parameter, so any filtering based on ListStorageTagsCmd fields may be skipped. Restore or pass the command to preserve expected filtering behavior.
        Pair<List<StoragePoolTagVO>, Integer> result = searchForStorageTagsInternal();

server/src/main/java/com/cloud/api/query/QueryManagerImpl.java:3192

  • The signature for searchForHostTagsInternal was changed to drop the ListHostTagsCmd argument, which likely removes filtering by command parameters. Confirm that host-tag filters are still applied or reintroduce the parameter.
        Pair<List<HostTagVO>, Integer> result = searchForHostTagsInternal();

@DaanHoogland
Contributor Author

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13913

@apache apache deleted a comment from blueorangutan Jul 2, 2025
@apache apache deleted a comment from blueorangutan Jul 2, 2025
@DaanHoogland
Contributor Author

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@codecov

codecov bot commented Jul 2, 2025

Codecov Report

Attention: Patch coverage is 6.89655% with 162 lines in your changes missing coverage. Please review.

Project coverage is 16.16%. Comparing base (8f2735a) to head (fa43e59).
Report is 30 commits behind head on 4.20.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...ain/java/com/cloud/api/query/QueryManagerImpl.java | 4.26% | 154 Missing and 3 partials ⚠️ |
| ...ack/api/command/admin/cluster/ListClustersCmd.java | 0.00% | 3 Missing ⚠️ |
| ...loudstack/api/command/admin/pod/ListPodsByCmd.java | 0.00% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##               4.20   #11087    +/-   ##
==========================================
  Coverage     16.15%   16.16%            
- Complexity    13273    13275     +2     
==========================================
  Files          5657     5656     -1     
  Lines        497898   497767   -131     
  Branches      60374    60363    -11     
==========================================
+ Hits          80435    80443     +8     
+ Misses       408505   408370   -135     
+ Partials       8958     8954     -4     
| Flag | Coverage Δ |
| --- | --- |
| uitests | 4.00% <ø> (-0.01%) ⬇️ |
| unittests | 17.01% <6.89%> (+<0.01%) ⬆️ |

@blueorangutan

[SF] Trillian test result (tid-13660)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 58841 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11087-t13660-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@yadvr
Member

yadvr commented Jul 4, 2025

Few comments;

  • I think you mean 'Resource Admin' and not manager, pl fix that
  • If all users/roles can list zones, then resource admin should be allowed to list all zones and be able to do all actions as allowed by the role (historically) such as VM deployment etc. Alternatively, there could be a global setting to allow toggling the behaviour for the Resource Admin role.
  • But^^, Resource Admin can be restricted & allowed to only administrate the dedicated zone (dedicated to the domain in which they are the resource admins) and allow historic actions (such as managing host, storage pool in such zones). This may need some fact finding as Resource Admins are not maintained/used for quite some time now.

@DaanHoogland DaanHoogland changed the title list only own zones for resource manager list only own zones for resource admin Jul 4, 2025
@DaanHoogland
Contributor Author

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14163

@DaanHoogland
Contributor Author

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@sureshanaparti sureshanaparti added this to the 4.20.2 milestone Jul 14, 2025
@blueorangutan

[SF] Trillian test result (tid-13770)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 52845 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11087-t13770-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland DaanHoogland marked this pull request as ready for review July 15, 2025 10:20
@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 14212

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14233

@blueorangutan

[SF] Trillian test result (tid-13811)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 54606 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11087-t13811-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland
Contributor Author

@nvazquez can you share your results here or on the issue, please? I want to move this forwards.

Contributor

@nvazquez nvazquez left a comment

LGTM - Manually tested:

As an admin:

  • Create domain and zone
  • Dedicate the zone to the domain
  • Create a new Role based on type = Resource Admin and create an account from it
  • Assigned the API rules to the new role according to the issue #10906
  • Changed the value of the setting: allow.user.view.all.zones to false

As the resource admin from the new domain:

  • Listed zones -> verified only the dedicated zone is visible
  • Tested adding a cluster -> verified only the dedicated zone is listed on the Zones dropdown, similar on Pods, Hosts.

Just a small remark:
When the setting allow.user.view.all.zones is true, the resource admin is not able to list Disabled zones. I think this is out of scope from this PR, or perhaps the role needs extra API permissions

@DaanHoogland can you please update the PR description with a functional description?
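
The manual check described in the review above (list zones as the resource admin and confirm only the dedicated zone comes back) can be automated against captured listZones replies. This is an added example, not part of this pull request or of CloudStack's code; the function name `audit_zone_listing`, the assumed JSON envelope and all ids and names are constructed for illustration.

```python
import json

# Constructed listZones JSON replies, as a resource admin might receive them.
# The envelope ("listzonesresponse" -> "zone" -> id/name) is an assumption about
# the API's JSON format; every id and name below is made up.
REPLY_SETTING_FALSE = json.dumps({"listzonesresponse": {"count": 1, "zone": [
    {"id": "zone-dedicated-0001", "name": "dedicated-zone"}]}})
REPLY_SETTING_TRUE = json.dumps({"listzonesresponse": {"count": 3, "zone": [
    {"id": "zone-dedicated-0001", "name": "dedicated-zone"},
    {"id": "zone-shared-0002", "name": "shared-zone"},
    {"id": "zone-other-0003", "name": "other-domain-zone"}]}})
# Assumed shape of a reply that returns no zones: the "zone" key is absent.
REPLY_EMPTY = json.dumps({"listzonesresponse": {}})


def audit_zone_listing(raw_reply, dedicated_zone_ids):
    """Compare a listZones reply with the zone ids dedicated to the caller's domain.

    Returns a dict with:
      unexpected - names of listed zones outside the dedication (over-exposure)
      missing    - dedicated zone ids absent from the reply (over-restriction)
      ok         - True only when both lists are empty
    """
    body = json.loads(raw_reply).get("listzonesresponse", {})
    zones = body.get("zone", [])
    allowed = set(dedicated_zone_ids)
    seen = {z["id"] for z in zones}
    unexpected = sorted(z.get("name", z["id"]) for z in zones if z["id"] not in allowed)
    missing = sorted(allowed - seen)
    return {"unexpected": unexpected, "missing": missing,
            "ok": not unexpected and not missing}


if __name__ == "__main__":
    dedicated = ["zone-dedicated-0001"]
    for label, reply in [("setting=false", REPLY_SETTING_FALSE),
                         ("setting=true", REPLY_SETTING_TRUE),
                         ("empty reply", REPLY_EMPTY)]:
        print(label, audit_zone_listing(reply, dedicated))
```

With the setting at its default of true, the non-empty `unexpected` list is the documented behaviour rather than a failure; the `ok` flag is only meaningful for deployments that set it to false.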

Co-authored-by: Suresh Kumar Anaparti <sureshkumar.anaparti@gmail.com>
@DaanHoogland
Contributor Author

@blueorangutan package

@blueorangutan

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14298

@DaanHoogland
Contributor Author

@blueorangutan test

@blueorangutan

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

Contributor

@sureshanaparti sureshanaparti left a comment

clgtm

@blueorangutan

[SF] Trillian test result (tid-13851)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 55841 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11087-t13851-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@DaanHoogland DaanHoogland merged commit 4111061 into apache:4.20 Jul 24, 2025
25 of 26 checks passed
@DaanHoogland DaanHoogland deleted the ghi10906-listZonesForResourceManager branch July 24, 2025 07:27
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Aug 6, 2025
Co-authored-by: Suresh Kumar Anaparti <sureshkumar.anaparti@gmail.com>
Development

Successfully merging this pull request may close these issues.

Zones listing filtering is not being applied for dedicated domains

6 participants