server: optimize account creation by pre-loading the role permissions

[weizhouapache]

Description

This PR optimizes the process of #5879

prior to this PR

2025-07-03 13:14:34,940 DEBUG [c.c.a.ApiServlet] (qtp1390913202-23:[ctx-8349b2ec]) (logid:9c370102) ===START===  10.0.112.203 -- GET  accounttype=0&email=test%40test.com&firstname=Test&lastname=User&username=test-TestInternalLb-ZS4QJR&command=createAccount&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=kOcCU%2FcXP5NU8GEb6i0L%2FifXfu0%3D

2025-07-03 13:14:41,506 DEBUG [c.c.a.ApiServlet] (qtp1390913202-23:[ctx-8349b2ec, ctx-0b145e08, ctx-bf249291]) (logid:9c370102) ===END===  10.0.112.203 -- GET  accounttype=0&email=test%40test.com&firstname=Test&lastname=User&username=test-TestInternalLb-ZS4QJR&command=createAccount&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=kOcCU%2FcXP5NU8GEb6i0L%2FifXfu0%3D

with this PR, it is reduced to less than 1 second

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

❌ Patch coverage is 6.45161% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.25%. Comparing base (1a251c8) to head (37fe152).
⚠️ Report is 297 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...c/main/java/com/cloud/user/AccountManagerImpl.java	0.00%	16 Missing ⚠️
...oudstack/acl/DynamicRoleBasedAPIAccessChecker.java	15.38%	11 Missing ⚠️
...ain/java/org/apache/cloudstack/acl/APIChecker.java	0.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #11137      +/-   ##
============================================
+ Coverage     16.15%   16.25%   +0.09%     
- Complexity    13276    13425     +149     
============================================
  Files          5657     5663       +6     
  Lines        497969   500212    +2243     
  Branches      60389    60744     +355     
============================================
+ Hits          80463    81311     +848     
- Misses       408542   409816    +1274     
- Partials       8964     9085     +121     

Flag	Coverage Δ
uitests	4.15% <ø> (+0.15%)	⬆️
unittests	17.10% <6.45%> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

minor nit, clgtm

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14033

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13682)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 56085 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11137-t13682-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

clgtm

[DaanHoogland]

@weizhouapache , what do we need still to get this merged?

[sureshanaparti]

@weizhouapache is this relevant for 4.20.3, and what tests to be covered for this?

[weizhouapache]

@DaanHoogland @sureshanaparti
this is an optimization to reduce the db queries. there is not a real issue reported.

if you want to test, maybe check if there is a regression (for example, #5781 should not happen)

[RosiKyu]

Test Results

Test Case	Result
TC1: Role Escalation Prevention	FAILED
TC2: Performance Optimization	PASSED

Issue Found

Role escalation prevention (#5879) is broken. A user with a restricted Domain Admin role (with createServiceOffering denied) was able to successfully create an account with the unrestricted default Domain Admin role.

Root Cause: The checkRoleEscalation method appears to be using the wrong caller account. Server logs show:

12:57:40 CIDRs from which account 'Account [{"accountName":"restrictedadmin"...
12:57:46 Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account...

@weizhouapache The request was authenticated as restrictedadmin (role-id 11), but the escalation check used admin (role-id 1 - Root Admin), which has all permissions and thus the check passes incorrectly.

TC1: Role Escalation Prevention (Regression Test for #5781)

Objective
Verify that a user with a restricted Domain Admin role (with createServiceOffering denied) cannot create an account with the unrestricted default Domain Admin role.

Test Steps

1. Created role "Domain Admin Restricted" by cloning default Domain Admin role (ID: 81466765-10a5-4aba-bf55-ed25f6c994c5)
2. Updated createServiceOffering permission from allow to deny for the restricted role
3. Created domain "TestDomain" (ID: 2bfa0be4-7d8e-4859-b40c-ad205f64b89b)
4. Created account "restrictedadmin" with the restricted role (ID: cece4a85-fba7-4780-8269-69cb1771bc1e)
5. Registered API keys for restrictedadmin user
6. Switched to restrictedadmin user profile (verified via list accounts showing only own account with 408 APIs available)
7. Attempted to create account "escalateduser" with unrestricted Domain Admin role (ID: 51d853ed-fa97-11f0-877d-1e009d0003da)

Expected Result:
The createAccount command should fail with a permission denied error, preventing role escalation.

Actual Result:
The account "escalateduser" was successfully created with the unrestricted Domain Admin role. Role escalation prevention is NOT working.

Root Cause Analysis:
Server log at 12:57:46 shows:

Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account of type escalateduser

The escalation check is incorrectly using the admin account (role-id 1) instead of the actual caller restrictedadmin (role-id 11).

Test Evidence:

1. Restricted role created and permission denied:

{
  "role": {
    "description": "Restricted Domain Admin for testing",
    "id": "81466765-10a5-4aba-bf55-ed25f6c994c5",
    "name": "Domain Admin Restricted",
    "type": "DomainAdmin"
  }
}

2. createServiceOffering permission set to deny:

{
  "id": "69374f83-ddfc-4a7a-8658-054e5b3d389f",
  "permission": "deny",
  "rule": "createServiceOffering"
}

3. Verified restrictedadmin context (408 APIs, only own account visible):

{
  "account": [
    {
      "name": "restrictedadmin",
      "roleid": "81466765-10a5-4aba-bf55-ed25f6c994c5",
      "rolename": "Domain Admin Restricted"
    }
  ],
  "count": 1
}

4. Escalation succeeded (BUG):

{
  "account": {
    "name": "escalateduser",
    "roleid": "51d853ed-fa97-11f0-877d-1e009d0003da",
    "rolename": "Domain Admin",
    "created": "2026-01-26T12:57:46+0000"
  }
}

5. Server log showing wrong caller used in escalation check:

2026-01-26 12:57:40,709 DEBUG CIDRs from which account 'Account [{"accountName":"restrictedadmin"...
2026-01-26 12:57:46,013 DEBUG Checking if user of account admin [75685252-fa97-11f0-877d-1e009d0003da] with role-id [1] can create an account of type escalateduser

Status: FAILED - Role escalation prevention regression

TC2: Performance Optimization for createAccount API

Objective
Verify that the createAccount API completes in less than 1 second after the optimization (previously took ~6.5 seconds).

Test Steps

1. Switched to admin profile
2. Executed createAccount command to create user "perftest" with User role
3. Checked management server logs for API timing (START to END timestamps)

Expected Result:
The createAccount API should complete in less than 1 second.

Actual Result:
The API completed in approximately 659 milliseconds.

Test Evidence:

1. Account creation command output:

{
  "account": {
    "name": "perftest",
    "roleid": "51d8639c-fa97-11f0-877d-1e009d0003da",
    "rolename": "User",
    "created": "2026-01-26T12:59:37+0000"
  }
}

2. Server log timing:

2026-01-26 12:59:37,015 DEBUG ===START===  10.0.35.71 -- POST  
2026-01-26 12:59:37,674 DEBUG ===END===  10.0.35.71 -- POST  

Duration: 659ms (12:59:37,674 - 12:59:37,015)

Status: PASSED - Performance optimization working as expected

[weizhouapache]

thanks @RosiKyu for the testing
I moved this to draft, will have a look later

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16893

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15505)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 51897 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11137-t15505-kvm-ol8.zip
Smoke tests completed. 140 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_LoginApiDomain	Error	2.95	test_accounts.py