Add RBAC schema implementation #9829
Conversation
|
👋 Hello! Thanks for contributing to our project. You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9829/checks If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code. Reference tests: KNOWN ISSUES Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience. For more tips on troubleshooting, see the troubleshooting guide. Happy hacking! |
wweellddeerr
requested review from
cbbayburt
and removed request for
rjmateus
wweellddeerr
force-pushed
the
rbac-base-schema
branch
from
9aef9be to
46a5977
Compare
cbbayburt
force-pushed
the
rbac-base-schema
branch
5 times, most recently
from
0a3e5f9 to
293d8f8
Compare
| -- userAccessTable view | ||
| -- User access rules on endpoints either permitted directly or through an access group | ||
| CREATE VIEW access.userAccessTable AS | ||
| WITH endpoints AS ( |
There was a problem hiding this comment.
I'm not sure if we need this initial query. We should test it in terms of performance when we have all the endpoints and see if it has any performance impact.
There was a problem hiding this comment.
This one used to be for my own convenience, but I changed this view completely with the latest commit. This view is now queried from the Java filters and is an integral part of the feature, so its performance is critical and I optimized it with proper indexes and planning.
So far I tested it with what data I have, and it's running in microseconds (with about half of the predicted endpoint data).
| http_method VARCHAR NOT NULL, | ||
| scope CHAR(1) NOT NULL | ||
| CHECK (scope in ('A', 'W')), | ||
| authorized BOOLEAN NOT NULL DEFAULT true, |
There was a problem hiding this comment.
I would make it with a more explicit name, like auth_required, as proposed in the RFC.
Rename 'authorized' to 'auth_required'
cbbayburt
force-pushed
the
rbac-base-schema
branch
from
293d8f8 to
600d1b4
Compare
Checkstyle fixes
| ) | ||
| @NamedNativeQuery(name = "WebEndpoint_get_unauthenticated_webui", | ||
| // Get unauthenticated Web UI endpoints | ||
| query = "SELECT endpoint FROM access.endpoint WHERE auth_required = false" |
There was a problem hiding this comment.
The next query is filtering by API, this one is only filtering by auth_required false. Do we need the two methods? Is this needed because the default handler for the XML-RPC API?
There was a problem hiding this comment.
This one is actually used with HTTP API routes as well (works the same way as a web UI endpoint). I'll fix the naming to reflect that.
| } | ||
|
|
||
| /** | ||
| * Get all unauthorized web UI endpoints |
There was a problem hiding this comment.
| * Get all unauthorized web UI endpoints | |
| * Get all web UI endpoints that don't require authorization check |
There was a problem hiding this comment.
I had a long argument with ChatGPT about this 🤣
Apparently, "unauthorized" means both "not authorized" and "doesn't require authorization"
But since you are also confused, I think it's better to change it like this
There was a problem hiding this comment.
I not a native speaker, and even in my main language I not really good with "wording" so I would not argue on this regard :)
| } | ||
|
|
||
| /** | ||
| * Get all unauthorized API methods |
There was a problem hiding this comment.
| * Get all unauthorized API methods | |
| * Get all API methods that don't require authorization check |
|
|
||
| /** | ||
| * Get all unauthorized API methods | ||
| * @return the set of unauthorized API methods as a string of qualified class name & method |
There was a problem hiding this comment.
| * @return the set of unauthorized API methods as a string of qualified class name & method | |
| * @return the set of API methods, that doesn't need authentication, as a string of qualified class name & method |
|
|
||
| /** | ||
| * Get all unauthorized web UI endpoints | ||
| * @return the set of unauthorized web endpoints |
There was a problem hiding this comment.
| * @return the set of unauthorized web endpoints | |
| * @return the set of web endpoints that doesn't need authorization check |
Address review issues
Fix schema idempotency issue
cbbayburt
force-pushed
the
rbac-base-schema
branch
from
d636e17 to
6540ae8
Compare
What does this PR change?
It is a port of #9802 containing the schema migration and the ORM implementation.
GUI diff
No difference.
Documentation
No documentation needed: only internal and user invisible changes
DONE
Test coverage
ℹ️ If a major new functionality is added, it is strongly recommended that tests for the new functionality are added to the Cucumber test suite
Links
https://github.com/SUSE/spacewalk/issues/26409
Changelogs
Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository
If you don't need a changelog check, please mark this checkbox:
If you uncheck the checkbox after the PR is created, you will need to re-run
changelog_test(see below)Re-run a test
If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:
Before you merge
Check How to branch and merge properly!