Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ec2): Volume grants have an overly complicated API #9115

Merged
merged 2 commits into from
Aug 10, 2020
Merged

fix(ec2): Volume grants have an overly complicated API #9115

merged 2 commits into from
Aug 10, 2020

Conversation

ddneilson
Copy link
Contributor

@ddneilson ddneilson commented Jul 16, 2020
edited by rix0rrr
Loading

I designed & wrote the code for the L2 Volume construct. My design for the grantAttachVolumeByResourceTag() and grantDetachVolumeByResourceTag() is flawed.

Those functions have three design requirements:

  1. To allow an instance to attach a Volume to itself;
  2. To allow an instance to attach multiple, different, volumes; and
  3. To allow the same volume to be attached to different instances via separate grants without clobbering other grants.

Since the implementation mechanism for this is a ResourceTag condition on the policy, the later two requirements mean that we must have both a unique tag key and a unique tag value for each separate permission grant (i.e. separate call to the volume's grant function).

The original design had the tag key being derived from only the volume, the tag value from only the instance(s), and allowed for overriding the tag key via a parameter to allow for the same volume to attach to multiple instances over separate grants.

In hindsight, we should be deriving both the resource tag and value from the combination of the instance(s) and the volume's unique properties. This completely eliminates the need for the tag key override.

The current design results in code like:

    // To be able to mount the *same* volume to multiple instances we must provide a tag suffix to the permission grant
    // that is unique to this particular combination of volume + mount target.
    function hashUniqueIds(resources: IConstruct[]): string {
      const md5 = crypto.createHash('md5');
      resources.forEach(res => md5.update(res.node.uniqueId));
      return md5.digest('hex');
    }
    this.props.blockVolume.grantAttachVolumeByResourceTag(target.grantPrincipal, [target], hashUniqueIds([target, this.props.blockVolume]));

It is much more desirable for this to be simply:

    this.props.blockVolume.grantAttachVolumeByResourceTag(target.grantPrincipal, [target]);

Resolves: #9114

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@ddneilson
Copy link
Contributor Author

Resolves: #9114

@ericzbeard ericzbeard removed their assignment Jul 17, 2020
@ericzbeard ericzbeard requested a review from NetaNir July 17, 2020 22:49
@ericzbeard ericzbeard assigned NetaNir and unassigned ericzbeard Jul 20, 2020
@NetaNir NetaNir requested a review from rix0rrr August 3, 2020 19:47
@rix0rrr rix0rrr changed the title fix(ec2): Fixes design flaw with Volume grant by ResourceTag fix(ec2): Volume grant with ResourceTag have an overly complicated API Aug 10, 2020
@rix0rrr rix0rrr changed the title fix(ec2): Volume grant with ResourceTag have an overly complicated API fix(ec2): Volume grants have an overly complicated API Aug 10, 2020
@mergify
Copy link
Contributor

mergify bot commented Aug 10, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: bdfd60a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Aug 10, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 74e8391 into aws:master Aug 10, 2020
eladb pushed a commit that referenced this pull request Aug 10, 2020
@ddneilson
fix(ec2): Volume grants have an overly complicated API (#9115)
596210f 
I designed & wrote the code for the L2 Volume construct. My design for the `grantAttachVolumeByResourceTag()` and `grantDetachVolumeByResourceTag()` is flawed. 

Those functions have three design requirements:
1) To allow an instance to attach a Volume to itself; 
2) To allow an instance to attach multiple, different, volumes; and
3) To allow the same volume to be attached to different instances via separate grants without clobbering other grants.

Since the implementation mechanism for this is a `ResourceTag` condition on the policy, the later two requirements mean that we must have both a unique tag key and a unique tag value for each separate permission grant (i.e. separate call to the volume's grant function).

The original design had the tag key being derived from only the volume, the tag value from only the instance(s), and allowed for overriding the tag key via a parameter to allow for the same volume to attach to multiple instances over separate grants. 

In hindsight, we should be deriving both the resource tag and value from the combination of the instance(s) and the volume's unique properties. This completely eliminates the need for the tag key override.


The current design results in code like:
```ts
    // To be able to mount the *same* volume to multiple instances we must provide a tag suffix to the permission grant
    // that is unique to this particular combination of volume + mount target.
    function hashUniqueIds(resources: IConstruct[]): string {
      const md5 = crypto.createHash('md5');
      resources.forEach(res => md5.update(res.node.uniqueId));
      return md5.digest('hex');
    }
    this.props.blockVolume.grantAttachVolumeByResourceTag(target.grantPrincipal, [target], hashUniqueIds([target, this.props.blockVolume]));
```

It is much more desirable for this to be simply:
```ts
    this.props.blockVolume.grantAttachVolumeByResourceTag(target.grantPrincipal, [target]);
```

Resolves: #9114

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rix0rrr rix0rrr rix0rrr approved these changes

@NetaNir NetaNir Awaiting requested review from NetaNir

Assignees

@NetaNir NetaNir

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ec2] Fix design flaw in Volume grants by ResourceTag
5 participants
@ddneilson @aws-cdk-automation @rix0rrr @ericzbeard @NetaNir