Changes to the error message displayed during the removal of public templates that are used

[erikbocks]

Description

During the removal of public templates, if it is being used by VMs, an error message is displayed informing that the removal could not proceed because it is being used by VMs, and the list of VMs using it is returned. However, sometimes the user that is trying to remove the template does not have access to these resources. Thus, the error message was changed, in order to return the list of VMs only to users with RootAdmin accounts and for the others users, the message only states that the template is being used by VMs.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Screenshots (if appropriate):

Exception message for User type accounts

Exception message for Root Admin type accounts

How Has This Been Tested?

First, two User type accounts were created: templateAcc and instanceAcc. The templateAcc account was accessed and a public template was registered. After that, the instanceAcc was accessed and a VM was deployed using the template registered by templateAcc.

Logged in as templateAcc again, I tried to remove the registered template, and it was possible to validate that the error message was displayed without the VMs list. By logging in with a Root Admin account, it was possible to validate that the error message contained the VMs lists. Through the Management Server's logs it was also possible to validate that the log message displayed the VMs list:

Updated log message

2025-12-17 12:58:08,815 [management] WARN  [c.c.t.TemplateManagerImpl:1360] (API-Job-Executor-1:[ctx-106b8b79, job-448, ctx-e8ca5865]) (logid:c41a7e6a) Unable to delete template with ID 210, because there are VM instances using it. Instances list: [VM instance {"id":33,"instanceName":"i-13-33-VM","type":"User","uuid":"a15065e6-5422-4eca-ae8a-e4f0d8887a99"}].

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.25%. Comparing base (ce42ce5) to head (dfc69f3).
⚠️ Report is 19 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
...n/java/com/cloud/template/TemplateManagerImpl.java	66.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               4.20   #12373      +/-   ##
============================================
- Coverage     16.26%   16.25%   -0.02%     
+ Complexity    13428    13418      -10     
============================================
  Files          5660     5662       +2     
  Lines        499959   500164     +205     
  Branches      60707    60731      +24     
============================================
- Hits          81326    81279      -47     
- Misses       409560   409801     +241     
- Partials       9073     9084      +11     

Flag	Coverage Δ
uitests	4.15% <ø> (-0.01%)	⬇️
unittests	17.10% <66.66%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[winterhazel]

@erikbocks could you target 4.20 as this is a simple enhancement?

[github-actions]

This pull request has merge conflicts. Dear author, please fix the conflicts and sync your branch with the base branch.

[DaanHoogland]

clgtm

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16840

[sureshanaparti]

@blueorangutan test

[blueorangutan]

@sureshanaparti a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[Copilot]

Pull request overview

This PR updates the exception message thrown when deleting a template that is still in use by VM instances, limiting the VM instance list exposure to RootAdmin callers while keeping detailed information in management server logs.

Changes:

• Replace the previous error message that always included the full VM instance list with a generic message for non-RootAdmin users.
• Append the VM instances list to the thrown exception only when the caller is a RootAdmin.
• Remove the Guava Joiner usage/import and build the instances list string using StringUtils.join.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[abh1sar]

Code LGTM

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16873

[RosiKyu]

LGTM

Tested the error message differentiation between regular User and RootAdmin accounts via both CLI and UI; the VM instances list is correctly hidden from non-admin users and always present in management server logs.

#	Test Case	Method	Status
TC1	Regular user deletes public template in use — error shows VM count only, no VM list	CLI + UI	PASS
TC2	RootAdmin deletes public template in use — error shows VM count + full VM instances list	CLI + UI	PASS
TC3	Management server logs always contain full VM instances list regardless of caller	CLI (log grep)	PASS

Result: 3/3 PASS

TC1: Regular user deletes public template in use: generic error without VM list

Objective
Verify that a non-RootAdmin user attempting to delete a public template that is in use by VMs belonging to another account receives an error message with only the VM count, without exposing the list of VM instances.

Test Steps

1. As RootAdmin, create two User accounts: templateacc and instanceacc
2. Register a public template (pr12373-public-tmpl) owned by templateacc
3. Deploy a VM (pr12373-test-vm) using that template under instanceacc
4. Register API keys for templateacc and configure a cmk profile
5. As templateacc, attempt to delete the template: delete template id=b84d638a-42fe-4da5-8de2-ae2f1f7f9de1

Expected Result:
The delete operation should fail with an error message stating the template is in use by N VM instances, without listing the actual VM instance details.

Actual Result:
The delete operation failed with error code 431 and the message:
"Unable to delete template [Template {...}] because there are [1] VM instances using it."
The VM instances list was not included in the error message.

Test Evidence:

(templateacc) 🐱 > delete template id=b84d638a-42fe-4da5-8de2-ae2f1f7f9de1
{
  "jobresult": {
    "errorcode": 431,
    "errortext": "Unable to delete template [Template {\"format\":\"QCOW2\",\"id\":202,\"name\":\"pr12373-public-tmpl\",\"uniqueName\":\"202-5-d5dcffa6-38d4-3d3b-bf67-ec85ca2f1008\",\"uuid\":\"b84d638a-42fe-4da5-8de2-ae2f1f7f9de1\"}] because there are [1] VM instances using it."
  },
  "jobresultcode": 431,
  "jobstatus": 2
}

UI test:

TC2: RootAdmin deletes public template in use - detailed error with VM list

Objective
Verify that a RootAdmin user attempting to delete a public template that is in use by VMs receives an error message that includes both the VM count AND the full list of VM instances using the template.

Test Steps

1. Using the same setup from TC1 (template pr12373-public-tmpl owned by templateacc, VM pr12373-test-vm deployed under instanceacc)
2. Switch to RootAdmin cmk profile: set profile localcloud
3. As RootAdmin, attempt to delete the template: delete template id=b84d638a-42fe-4da5-8de2-ae2f1f7f9de1

Expected Result:
The delete operation should fail with an error message stating the template is in use, including the full list of VM instances (id, instanceName, state, type, uuid).

Actual Result:
The delete operation failed with error code 431 and the message:
"Unable to delete template [...] because there are [1] VM instances using it. Instances list: [VM instance {"id":3,"instanceName":"i-6-3-VM","state":"Running","type":"User","uuid":"e5a80723-59a2-48cf-9e52-6dc008472056"}]."
The VM instances list was included in the error message for RootAdmin.

Test Evidence:

(localcloud) 🐱 > delete template id=b84d638a-42fe-4da5-8de2-ae2f1f7f9de1
{
  "jobresult": {
    "errorcode": 431,
    "errortext": "Unable to delete template [Template {\"format\":\"QCOW2\",\"id\":202,\"name\":\"pr12373-public-tmpl\",\"uniqueName\":\"202-5-d5dcffa6-38d4-3d3b-bf67-ec85ca2f1008\",\"uuid\":\"b84d638a-42fe-4da5-8de2-ae2f1f7f9de1\"}] because there are [1] VM instances using it. Instances list: [VM instance {\"id\":3,\"instanceName\":\"i-6-3-VM\",\"state\":\"Running\",\"type\":\"User\",\"uuid\":\"e5a80723-59a2-48cf-9e52-6dc008472056\"}]."
  },
  "jobresultcode": 431,
  "jobstatus": 2
}

UI test

TC3: Management server logs always contain full VM instances list

Objective
Verify that the management server logs always record the complete VM instances list in the WARN message, regardless of whether the caller is a regular User or a RootAdmin.

Test Steps

1. Using the same setup from TC1/TC2
2. On the management server, run: grep "Unable to delete template" /var/log/cloudstack/management/management-server.log
3. Verify that all WARN entries include the full Instances list

Expected Result:
All WARN log entries should contain the full Instances list: [...] with VM details, regardless of the caller's account type. The API response (DEBUG lines) should differ: no Instances list for regular users, full list for RootAdmin.

Actual Result:
All 5 WARN entries (from both templateAcc and admin attempts via CLI and UI) contain the full Instances list: Instances list: [VM instance {"id":3,"instanceName":"i-6-3-VM","state":"Running","type":"User","uuid":"e5a80723-59a2-48cf-9e52-6dc008472056"}].

Additionally, the DEBUG lines confirm the API response behavior:

• templateAcc (job-38): errortext ends with "...VM instances using it." - NO Instances list
• admin (job-41): errortext ends with "...Instances list: [...]." - WITH Instances list

Test Evidence:

# templateAcc attempt (job-38) - WARN has full list, API response does not:
2026-02-23 09:32:14,844 WARN  [c.c.t.TemplateManagerImpl] (API-Job-Executor-30:[ctx-78d721b9, job-38, ctx-1e1e02a4]) (logid:695f59a2) Unable to delete template [...] because there are [1] VM instances using it. Instances list: [VM instance {"id":3,"instanceName":"i-6-3-VM","state":"Running","type":"User","uuid":"e5a80723-59a2-48cf-9e52-6dc008472056"}].
2026-02-23 09:32:14,852 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-30:[ctx-78d721b9, job-38]) (logid:695f59a2) Complete async job-38, jobStatus: FAILED, resultCode: 431, result: ...errortext":"Unable to delete template [...] because there are [1] VM instances using it."}

# admin attempt (job-41) - WARN has full list, API response also has it:
2026-02-23 09:34:48,143 WARN  [c.c.t.TemplateManagerImpl] (API-Job-Executor-33:[ctx-b3a256cf, job-41, ctx-bbf0c04f]) (logid:dff3d2f7) Unable to delete template [...] because there are [1] VM instances using it. Instances list: [VM instance {"id":3,"instanceName":"i-6-3-VM","state":"Running","type":"User","uuid":"e5a80723-59a2-48cf-9e52-6dc008472056"}].
2026-02-23 09:34:48,147 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-33:[ctx-b3a256cf, job-41]) (logid:dff3d2f7) Complete async job-41, jobStatus: FAILED, resultCode: 431, result: ...errortext":"Unable to delete template [...] because there are [1] VM instances using it. Instances list: [VM instance {"id":3,"instanceName":"i-6-3-VM","state":"Running","type":"User","uuid":"e5a80723-59a2-48cf-9e52-6dc008472056"}]."}