apache · weizhouapache · Oct 1, 2025 · Sep 15, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java
@@ -46,8 +46,7 @@ public interface AccountService {
     UserAccount createUserAccount(CreateAccountCmd accountCmd);
 
     UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType,
-                                  Long roleId, Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source);
-
+                                  Long roleId, Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source, Account caller);
     /**
      * Locks a user by userId. A locked user cannot access the API, but will still have running VMs/IP addresses
      * allocated/etc.

diff --git a/...etes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/...etes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
@@ -1551,9 +1551,9 @@ protected Account createProjectKubernetesAccount(final Project project, final St
         try {
             Role role = getProjectKubernetesAccountRole();
             UserAccount userAccount = accountService.createUserAccount(accountName,
-                    UuidUtils.first(UUID.randomUUID().toString()), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
+                    UUID.randomUUID().toString(), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
                     PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(),
-                    project.getDomainId(), null, null, null, null, User.Source.NATIVE);
+                    project.getDomainId(), null, null, null, null, User.Source.NATIVE, accountService.getSystemAccount());
             projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular,
                     userAccount.getId(), null);
             Account account = accountService.getAccount(userAccount.getAccountId());

diff --git a/...l/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/...l/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -147,12 +147,12 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) {
                 cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(),
                 cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(),
                 cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(),
-                cmd.getUserUUID(), User.Source.UNKNOWN);
+                cmd.getUserUUID(), User.Source.UNKNOWN, null);
     }
 
     @Override
     public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId,
-                                         Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source) {
+                                         Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source, Account caller) {
         // TODO Auto-generated method stub
         return null;
     }

diff --git a/...enticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java b/...enticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java
@@ -95,7 +95,7 @@ UserAccount createCloudstackUserAccount(final LdapUser user, String accountName,
         Account account = _accountService.getActiveAccountByName(accountName, domainId);
         if (account == null) {
             return _accountService.createUserAccount(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(),
-                    domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP);
+                    domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP, null);
         } else {
             User newUser = _accountService.createUser(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, domainId,
                     userUUID, User.Source.LDAP);

diff --git a/...thenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java b/...thenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java
@@ -108,7 +108,7 @@ private void createCloudstackUserAccount(LdapUser user, String accountName, Doma
         if (account == null) {
             logger.debug("No account exists with name: " + accountName + " creating the account and an user with name: " + user.getUsername() + " in the account");
             _accountService.createUserAccount(user.getUsername(), generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(),
-                    domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                    domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null);
         } else {
 //            check if the user exists. if yes, call update
             UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId());

diff --git a/...enticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java b/...enticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java
@@ -89,7 +89,7 @@ public void execute() throws ServerApiException {
                         try {
                             UserAccount userAccount = _accountService
                                     .createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(),
-                                            UUID.randomUUID().toString(), User.Source.LDAP);
+                                            UUID.randomUUID().toString(), User.Source.LDAP, null);
                             response.setAdminId(String.valueOf(userAccount.getAccountId()));
                             logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId);
                         } catch (Exception e) {

diff --git a/...henticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java b/...henticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java
@@ -105,7 +105,7 @@ public void execute() throws ServerApiException {
                     if (account == null) {
                         try {
                             UserAccount userAccount = _accountService.createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null,
-                                    admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                                    admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null);
                             response.setAdminId(String.valueOf(userAccount.getAccountId()));
                             logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId);
                         } catch (Exception e) {

diff --git a/.../user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java b/.../user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java
@@ -310,7 +310,7 @@ private void createCloudStackUserAccount(LdapUser user, long domainId, Account.T
         String username = user.getUsername();
         _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username,
                                           accountType, RoleType.getByAccountType(accountType).getId(), domainId, null, null,
-                                          UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                                          UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, null);
     }
 
     private void disableUserInCloudStack(UserAccount user) {

diff --git a/...thenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy b/...thenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapAuthenticatorSpec.groovy
@@ -176,7 +176,7 @@ class LdapAuthenticatorSpec extends spock.lang.Specification {
         ldapManager.getUser(username, type.toString(), name) >> new LdapUser(username, "email", "firstname", "lastname", "principal", "domain", false, null)
         ldapManager.canAuthenticate(_, _, _) >> true
         //user should be created in cloudstack
-        accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP) >> Mock(UserAccount)
+        accountManager.createUserAccount(username, "", "firstname", "lastname", "email", null, username, (short) 2, domainId, username, null, _, _, User.Source.LDAP, null) >> Mock(UserAccount)
 
         when:
             Pair<Boolean, UserAuthenticator.ActionOnFailedAuthentication> result = ldapAuthenticator.authenticate(username, "password", domainId, null)

diff --git a/...henticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy b/...henticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapImportUsersCmdSpec.groovy
@@ -213,8 +213,8 @@ class LdapImportUsersCmdSpec extends spock.lang.Specification {
         def accountService = Mock(AccountService)
         1 * accountService.getActiveAccountByName('ACCOUNT', 0) >>  Mock(AccountVO)
 
-        1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', '[email protected]', null, 'ACCOUNT', 0, _, User.Source.LDAP) >> Mock(UserVO)
-        0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', '[email protected]', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP)
+        1 * accountService.createUser('rmurphy', _ , 'Ryan', 'Murphy', '[email protected]', null, 'ACCOUNT', 0, _, User.Source.LDAP, null) >> Mock(UserVO)
+        0 * accountService.createUserAccount('rmurphy', _, 'Ryan', 'Murphy', '[email protected]', null, 'ACCOUNT', 2, 0, 'DOMAIN', null, _, _, User.Source.LDAP, null)
         0 * accountService.updateUser(_,'Ryan', 'Murphy', '[email protected]', null, null, null, null, null);
 
         def ldapImportUsersCmd = new LdapImportUsersCmd(ldapManager, domainService, accountService)

diff --git a/...cators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java b/...cators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java
@@ -88,7 +88,7 @@ public void execute() throws Exception {
         userAccount.setAccountId(24);
         when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("[email protected]"), isNull(String.class),
                 eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
-                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
+                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount);
 
         linkAccountToLdapCmd.execute();
         LinkAccountToLdapResponse result = (LinkAccountToLdapResponse)linkAccountToLdapCmd.getResponseObject();

diff --git a/...icators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java b/...icators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java
@@ -86,7 +86,7 @@ public void execute() throws Exception {
         userAccount.setAccountId(24);
         when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("[email protected]"), isNull(String.class),
                 eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
-                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
+                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP), isNull(Account.class))).thenReturn(userAccount);
 
 
         linkDomainToLdapCmd.execute();

diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1286,7 +1286,7 @@ public UserAccount createUserAccount(CreateAccountCmd accountCmd) {
                 accountCmd.getLastName(), accountCmd.getEmail(), accountCmd.getTimeZone(), accountCmd.getAccountName(),
                 accountCmd.getAccountType(), accountCmd.getRoleId(), accountCmd.getDomainId(),
                 accountCmd.getNetworkDomain(), accountCmd.getDetails(), accountCmd.getAccountUUID(),
-                accountCmd.getUserUUID(), User.Source.UNKNOWN);
+                accountCmd.getUserUUID(), User.Source.UNKNOWN, CallContext.current().getCallingAccount());
     }
 
     // ///////////////////////////////////////////////////
@@ -1301,7 +1301,7 @@ public UserAccount createUserAccount(final String userName, final String passwor
                                          final String lastName, final String email, final String timezone,
                                          String accountName, final Account.Type accountType, final Long roleId, Long domainId,
                                          final String networkDomain, final Map<String, String> details,
-                                         String accountUUID, final String userUUID, final User.Source source) {
+                                         String accountUUID, final String userUUID, final User.Source source, Account caller) {
 
         if (accountName == null) {
             accountName = userName;
@@ -1360,7 +1360,7 @@ public Pair<Long, Account> doInTransaction(TransactionStatus status) {
                 checkRoleEscalation(getCurrentCallingAccount(), account);
 
                 // create the first user for the account
-                UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source);
+                UserVO user = createUser(accountId, userName, password, firstName, lastName, email, timezone, userUUID, source, caller);
 
                 if (accountType == Account.Type.RESOURCE_DOMAIN_ADMIN) {
                     // set registration token
@@ -1530,7 +1530,7 @@ public UserVO createUser(String userName, String password, String firstName, Str
 
         verifyCallerPrivilegeForUserOrAccountOperations(account);
         UserVO user;
-        user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
+        user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source, null);
         return user;
     }
 
@@ -2742,12 +2742,15 @@ public AccountVO doInTransaction(TransactionStatus status) {
         });
     }
 
-    protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID, User.Source source) {
+    protected UserVO createUser(long accountId, String userName, String password, String firstName, String lastName, String email, String timezone, String userUUID,
+                                User.Source source, Account caller) {
         if (logger.isDebugEnabled()) {
             logger.debug("Creating user: " + userName + ", accountId: " + accountId + " timezone:" + timezone);
         }
 
-        passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+        if (caller == null || caller.getId() != Account.ACCOUNT_ID_SYSTEM) {
+            passwordPolicy.verifyIfPasswordCompliesWithPasswordPolicies(password, userName, getAccount(accountId).getDomainId());
+        }
 
         String encodedPassword = null;
         for (UserAuthenticator authenticator : _userPasswordEncoders) {

diff --git a/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java b/server/src/test/java/com/cloud/user/MockAccountManagerImpl.java
@@ -374,13 +374,13 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) {
                 cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(),
                 cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(),
                 cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(),
-                cmd.getUserUUID(), User.Source.UNKNOWN);
+                cmd.getUserUUID(), User.Source.UNKNOWN, null);
     }
 
     @Override
     public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName,
                                          Account.Type accountType, Long roleId, Long domainId, String networkDomain, Map<String, String> details, String accountUUID,
-                                         String userUUID, User.Source source) {
+                                         String userUUID, User.Source source, Account caller) {
         // TODO Auto-generated method stub
         return null;
     }