<fix>[compute]: fix VM clone quota check fail

[zstack-robot-1]

1.Clone a tenant VM using admin account, quota check
didn't base on current role.
2.quota error is overwritten during exception handling.
http://jira.zstack.io/browse/ZSTAC-83646

Resolves: ZSTAC-83646

Change-Id: I776c6b7a786d79746f616b716f736f646e686868

sync from gitlab !9480

[coderabbitai]

Walkthrough

本次变更引入了基于会话账户UUID的管理员权限检查机制，并重构了配额验证流程，使其支持返回错误代码而非直接抛出异常。同时增强了主机分配消息和规范，使会话账户信息能够在分配流程中流转。

Changes

Cohort / File(s)	Summary
配额分配流程主逻辑 compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java	修改allocate()方法以支持会话账户UUID的管理员权限检查；为管理员添加条件跳过配额容量和实例检查；非管理员调用改为返回ErrorCode的方法，并捕获错误后手动抛出异常。
配额检查方法重构 identity/src/main/java/org/zstack/identity/QuotaUtil.java, compute/src/main/java/org/zstack/compute/vm/VmQuotaOperator.java	引入新的WithResult方法系列返回ErrorCode而非直接抛异常；保留原有公共方法并委托给新方法以维持向后兼容性；将直接异常抛出替换为条件性异常处理。
分配消息和规范扩展 header/src/main/java/org/zstack/header/allocator/AllocateHostMsg.java, header/src/main/java/org/zstack/header/allocator/HostAllocatorSpec.java	添加sessionAccountUuid字段和相应的getter/setter；工厂方法fromAllocationMsg()更新以传播会话账户UUID值。

Sequence Diagram

sequenceDiagram
    participant QAF as QuotaAllocatorFlow
    participant VMQ as VmQuotaOperator
    participant QU as QuotaUtil
    
    alt 管理员权限
        QAF->>QAF: 检查sessionAccountUuid和管理员权限
        QAF->>QAF: 直接跳过配额检查
        QAF->>QAF: next(candidates)<br/>继续流程
    else 非管理员权限
        QAF->>VMQ: checkVmCupAndMemoryCapacityWithResult()
        VMQ->>QU: checkQuotaAndReturn()
        QU-->>VMQ: 返回 ErrorCode|null
        VMQ-->>QAF: 返回 ErrorCode|null
        alt 配额检查失败
            QAF->>QAF: throw OperationFailureException(error)
        else 配额检查成功
            QAF->>VMQ: checkVmInstanceQuotaWithResult()
            VMQ->>QU: checkQuotaAndReturn()
            QU-->>VMQ: 返回 ErrorCode|null
            VMQ-->>QAF: 返回 ErrorCode|null
            alt 实例配额检查失败
                QAF->>QAF: throw OperationFailureException(error)
            else 实例配额检查成功
                QAF->>QAF: next(candidates)<br/>继续流程
            end
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰✨ 配额流水新妙法，
管理员权限轻轻划，
错误代码悄悄传，
向后兼容心不乱，
会话账户处处见，
分配体系更完善！

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR标题完全符合要求的格式[scope]: ，长度45字符，在72字符限制内，并准确总结了主要变更：修复VM克隆时的配额检查问题。
Description check	✅ Passed	PR描述清晰说明了解决的两个问题：配额检查未基于当前角色和异常处理中配额错误被覆盖，并关联了JIRA票据ZSTAC-83646，与变更集内容相关。

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sync/tian.huang/huangtian-ZSTAC-83646@@2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

identity/src/main/java/org/zstack/identity/QuotaUtil.java (1)

35-35: ⚠️ Potential issue | 🟡 Minor

导入语句格式异常。

这一行的格式看起来有问题，/** 紧跟在分号后面，可能是合并冲突或编辑错误导致的。

🐛 建议修复

-import static org.zstack.utils.clouderrorcode.CloudOperationsErrorCode.*;/**
+import static org.zstack.utils.clouderrorcode.CloudOperationsErrorCode.*;
+
+/**

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@identity/src/main/java/org/zstack/identity/QuotaUtil.java` at line 35, The
import line in QuotaUtil.java is malformed because a stray "/**" is appended to
the end of the import statement; edit the import statement that references
org.zstack.utils.clouderrorcode.CloudOperationsErrorCode (the static import
line) to remove the trailing "/**" and ensure the line ends with a semicolon and
nothing else so the file compiles and imports correctly.

🧹 Nitpick comments (2)

header/src/main/java/org/zstack/header/allocator/AllocateHostMsg.java (1)

34-34: 新增字段及其访问器的实现是正确的。

该字段用于在主机分配流程中传递会话账户 UUID，以便在配额检查时区分操作者身份。

一个小建议：getter 和 setter 的格式（单行书写）与文件中其他方法风格不一致，建议调整为多行格式以保持一致性。

♻️ 可选的格式调整

-    public String getSessionAccountUuid() { return sessionAccountUuid; }
-
-    public void setSessionAccountUuid(String sessionAccountUuid) { this.sessionAccountUuid = sessionAccountUuid; }
+    public String getSessionAccountUuid() {
+        return sessionAccountUuid;
+    }
+
+    public void setSessionAccountUuid(String sessionAccountUuid) {
+        this.sessionAccountUuid = sessionAccountUuid;
+    }

Also applies to: 215-218

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@header/src/main/java/org/zstack/header/allocator/AllocateHostMsg.java` at
line 34, 新增的字段 sessionAccountUuid 与其访问器 getSessionAccountUuid 和
setSessionAccountUuid 已实现正确，但访问器采用单行写法与文件其余方法风格不一致；请将 getSessionAccountUuid 和
setSessionAccountUuid 改为标准多行 getter/setter 格式（每个方法各占多行，带花括号和
return/this.assignment 行），并同时修正文件中另一处相同问题的访问器（提到的 215-218 位置的同名或类似方法）以保持风格一致性。

header/src/main/java/org/zstack/header/allocator/HostAllocatorSpec.java (1)

165-171: getter/setter 的位置破坏了相关方法的分组。

getSessionAccountUuid() 和 setSessionAccountUuid() 被放置在 getL3NetworkUuids() 和 setL3NetworkUuids() 之间，导致 L3NetworkUuids 的 getter/setter 被分隔开。建议将 sessionAccountUuid 的访问器移至字段声明附近的其他 getter/setter 区域，以保持代码组织的一致性。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@header/src/main/java/org/zstack/header/allocator/HostAllocatorSpec.java`
around lines 165 - 171, The two accessors getSessionAccountUuid() and
setSessionAccountUuid() are misplaced between getL3NetworkUuids() and
setL3NetworkUuids(), splitting that pair; move getSessionAccountUuid() and
setSessionAccountUuid() out of the middle and place them adjacent to the other
sessionAccountUuid accessors (near the field declaration or the other related
getters/setters) so that getL3NetworkUuids() and setL3NetworkUuids() remain
contiguous in class HostAllocatorSpec.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java`:
- Around line 56-61: The admin-check currently in QuotaAllocatorFlow uses
AccountConstant.isAdminPermission(sessionAccountUuid) to skip quota checks;
change it to use QuotaUtil's account-type check so it matches other quota logic:
replace the AccountConstant.isAdminPermission(...) checks around
spec.getSessionAccountUuid() in QuotaAllocatorFlow with a call to new
QuotaUtil().isAdminAccount(...) (or the equivalent QuotaUtil.isAdminAccount
usage) so the flow treats all SystemAdmin accounts as admins consistent with
QuotaChecker and VmQuotaOperator.

---

Outside diff comments:
In `@identity/src/main/java/org/zstack/identity/QuotaUtil.java`:
- Line 35: The import line in QuotaUtil.java is malformed because a stray "/**"
is appended to the end of the import statement; edit the import statement that
references org.zstack.utils.clouderrorcode.CloudOperationsErrorCode (the static
import line) to remove the trailing "/**" and ensure the line ends with a
semicolon and nothing else so the file compiles and imports correctly.

---

Nitpick comments:
In `@header/src/main/java/org/zstack/header/allocator/AllocateHostMsg.java`:
- Line 34: 新增的字段 sessionAccountUuid 与其访问器 getSessionAccountUuid 和
setSessionAccountUuid 已实现正确，但访问器采用单行写法与文件其余方法风格不一致；请将 getSessionAccountUuid 和
setSessionAccountUuid 改为标准多行 getter/setter 格式（每个方法各占多行，带花括号和
return/this.assignment 行），并同时修正文件中另一处相同问题的访问器（提到的 215-218 位置的同名或类似方法）以保持风格一致性。

In `@header/src/main/java/org/zstack/header/allocator/HostAllocatorSpec.java`:
- Around line 165-171: The two accessors getSessionAccountUuid() and
setSessionAccountUuid() are misplaced between getL3NetworkUuids() and
setL3NetworkUuids(), splitting that pair; move getSessionAccountUuid() and
setSessionAccountUuid() out of the middle and place them adjacent to the other
sessionAccountUuid accessors (near the field declaration or the other related
getters/setters) so that getL3NetworkUuids() and setL3NetworkUuids() remain
contiguous in class HostAllocatorSpec.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: http://open.zstack.ai:20001/code-reviews/zstack-cloud.yaml (via .coderabbit.yaml)

Review profile: CHILL

Plan: Pro

Run ID: 488d71f8-befd-414f-99bc-e337a0fb6044

📥 Commits

Reviewing files that changed from the base of the PR and between c4c23a6 and c0bceed.

📒 Files selected for processing (5)

• compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java
• compute/src/main/java/org/zstack/compute/vm/VmQuotaOperator.java
• header/src/main/java/org/zstack/header/allocator/AllocateHostMsg.java
• header/src/main/java/org/zstack/header/allocator/HostAllocatorSpec.java
• identity/src/main/java/org/zstack/identity/QuotaUtil.java

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 检查 AccountConstant.isAdminPermission 的所有使用场景，以及是否有其他管理员检查方式
echo "=== AccountConstant.isAdminPermission 的实现 ==="
ast-grep --pattern 'static boolean isAdminPermission($$$) {
  $$$
}'

echo ""
echo "=== QuotaUtil.isAdminAccount 的使用 ==="
rg -n "isAdminAccount" --type java -C 2

Repository: MatheMatrix/zstack

Length of output: 8656

---

🏁 Script executed:

# View the relevant lines in QuotaAllocatorFlow.java to confirm the usage
echo "=== QuotaAllocatorFlow.java lines 56-65 ==="
sed -n '56,65p' compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java

echo ""
echo "=== Search for AccountConstant.isAdminPermission usage in quota-related code ==="
rg -n "isAdminPermission.*skip|skip.*isAdminPermission" --type java

echo ""
echo "=== Check other quota flow or allocator files for comparison ==="
fd ".*Allocator.*\.java$|.*Quota.*\.java$" compute/src/main/java --exec grep -l "isAdminPermission\|isAdminAccount" {} \;

Repository: MatheMatrix/zstack

Length of output: 911

---

🏁 Script executed:

# Check how QuotaChecker.java and VmQuotaOperator.java handle the resource owner admin check
echo "=== QuotaChecker.java quota skip logic ==="
sed -n '35,50p' identity/src/main/java/org/zstack/identity/QuotaChecker.java

echo ""
echo "=== VmQuotaOperator.java quota check for resource owner ==="
sed -n '400,415p' compute/src/main/java/org/zstack/compute/vm/VmQuotaOperator.java

echo ""
echo "=== Check if there are existing quota checks in compute module ==="
rg -A 5 -B 5 "skip.*checkquota\|checkquota.*skip" compute/ --type java

Repository: MatheMatrix/zstack

Length of output: 1623

---

🏁 Script executed:

# Get the complete method context to understand the full quota check flow
echo "=== Full QuotaAllocatorFlow.java method context ==="
sed -n '50,100p' compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java

echo ""
echo "=== Check QuotaUtil to understand when isAdminPermission vs isAdminAccount should be used ==="
sed -n '155,175p' identity/src/main/java/org/zstack/identity/QuotaUtil.java

Repository: MatheMatrix/zstack

Length of output: 2828

---

建议将管理员权限检查改为与其他配额检查保持一致。

在 QuotaAllocatorFlow.java 中，第 58 行和第 65 行使用 AccountConstant.isAdminPermission() 来跳过配额检查，但该方法仅检查账户 UUID 是否等于 INITIAL_SYSTEM_ADMIN_UUID（初始系统管理员）。

根据代码库中其他配额检查的实现模式，应该使用 QuotaUtil.isAdminAccount() 来检查，该方法会判断账户类型是否为 SystemAdmin（覆盖所有系统管理员账户）。具体体现在：

• QuotaChecker.java 第 41 行使用 isAdminAccount()
• VmQuotaOperator.java 第 408 行使用 isAdminAccount()
• QuotaUtil.java 第 166 行采用组合检查：(isAdminPermission() || isAdminAccount())

建议将第 58 行和第 65 行改为使用 new QuotaUtil().isAdminAccount() 以保持配额检查逻辑的一致性。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@compute/src/main/java/org/zstack/compute/allocator/QuotaAllocatorFlow.java`
around lines 56 - 61, The admin-check currently in QuotaAllocatorFlow uses
AccountConstant.isAdminPermission(sessionAccountUuid) to skip quota checks;
change it to use QuotaUtil's account-type check so it matches other quota logic:
replace the AccountConstant.isAdminPermission(...) checks around
spec.getSessionAccountUuid() in QuotaAllocatorFlow with a call to new
QuotaUtil().isAdminAccount(...) (or the equivalent QuotaUtil.isAdminAccount
usage) so the flow treats all SystemAdmin accounts as admins consistent with
QuotaChecker and VmQuotaOperator.

[ZStack-Robot]

Comment from yaohua.wu:

Review: MR !9480 — ZSTAC-83646 fix VM clone quota check fail

关联 MR: premium !13346
Jira: ZSTAC-83646 — admin clone 租户 VM 时 quota 校验基于租户而非操作者 + quota 报错被覆盖为 unhandled exception

变更概述

本 MR 修复两个问题：

1. admin bypass：在 AllocateHostMsg / HostAllocatorSpec 中新增 sessionAccountUuid 字段透传操作者身份，QuotaAllocatorFlow 据此跳过 admin 的 quota 校验。
2. 错误传播：QuotaUtil.CheckQuota() 抛出的 ApiMessageInterceptionException 在 host allocator chain 中被吞掉覆盖为 "unhandled exception"。新增 checkQuotaAndReturn() 返回 ErrorCode，由 QuotaAllocatorFlow 包装为 OperationFailureException（框架正确处理），保留原始 quota 错误信息。

架构上设计合理：WithResult 变体返回 ErrorCode，旧方法保留为 wrapper 抛 ApiMessageInterceptionException，向后兼容无回归风险。

Warning

1. 🟡 [QuotaAllocatorFlow.java] 遗忘路径风险 — sessionAccountUuid 依赖调用方逐一设置

   当前 sessionAccountUuid 仅在 MevocoVmInstanceBase 的 clone dryRun 路径中设置。但 DesignatedAllocateHostMsg 在代码库中还有 8+ 处构造（VmInstanceBase.getStartingCandidateHosts L919、getMigrationTargetHosts L2002、VmAllocateHostFlow、VmAllocateHostForStoppedVmFlow 等），均未设置此字段。

   虽然这些路径的 admin 操作通常在 API interceptor 层已通过 AccountType.SystemAdmin 跳过了 quota 检查，但 QuotaAllocatorFlow 仍会对 admin 操作租户 VM 执行额外的 quota 校验。clone 之所以触发 bug 是因为 dryRun 路径绕过了 API interceptor。

   风险：未来新增 dryRun 路径时，如果忘记设置 sessionAccountUuid，同样的问题会复现。当前修复依赖"每个调用点都记得传 sessionAccountUuid"的隐式约定。

   建议：考虑在 QuotaAllocatorFlow.allocate() 内部直接从操作上下文获取 session 信息（如通过 ThreadContext 或 spec 中已有的其他字段），而非依赖调用方显式传递。如果当前方案作为 hotfix 可接受，建议在代码中添加注释说明设计决策和 TODO。

2. 🟡 [HostAllocatorSpec.java:165-169] getter/setter 打断现有代码对 — getSessionAccountUuid() / setSessionAccountUuid() 插入在 getL3NetworkUuids() 和 setL3NetworkUuids() 之间，打断了 L3NetworkUuids 的 getter-setter 配对。建议移到文件末尾或其他 getter-setter 对之间。

3. 🟡 [AllocateHostMsg.java:215-217] 格式不一致 — 新增的 getter/setter 使用单行格式 { return sessionAccountUuid; }，文件中其他所有方法均使用多行格式。建议统一为多行格式。

Suggestion

1. 🟢 [VmQuotaOperator.java] 方法命名 typo — checkVmCupAndMemoryCapacityWithResult 延续了已有的 "Cup" 拼写错误（应为 "Cpu"）。新增方法是修正命名的好时机。

2. 🟢 [VmQuotaOperator.java] wrapper 方法丢失 @Transactional 注解 — 重构后的 wrapper checkVmInstanceQuota() 和 checkVmCupAndMemoryCapacity() 不再有 @Transactional(readOnly = true) 注解（原方法有）。虽然 @Configurable + AspectJ weaving 下内部方法调用的 @Transactional 仍生效，但建议在 wrapper 上也保留注解以明确事务语义。

3. 🟢 [QuotaAllocatorFlow.java:56] 注释改进 — // skip checkquota if the operator is admin 中 "checkquota" 建议改为 "quota check" 以提升可读性。

Verdict: ✅ APPROVED

修复正确解决了 Jira 中描述的两个问题：admin clone 租户 VM 的 quota 绕过 + 错误信息保留。WithResult 模式的重构向后兼容，OperationFailureException 替代 ApiMessageInterceptionException 在 allocator flow 中是正确选择。遗忘路径风险作为 hotfix 可接受，建议后续优化集中 admin bypass 逻辑。

---

🤖 Robot Reviewer