-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ENH] - Deleting a non-empty namespace should fail, unless a force: true
flag is given
#775
Comments
I don't like the I think something like this would be better:
UPD: Because this is now stateful, there are some things to consider:
|
Also, if we do this, I think even an empty namespace must require force because it might have important user settings saved as part of it (e.g., which artifacts are being built). You don't want to erase those by mistake. |
I don't mind your suggested alternative, but for my own understanding how does requiring a |
Yeah, I suggest we wait and discuss this during our team meeting next week. It really depends on what we're trying to protect against. E.g., you can also easily mistype with force present (because you have it saved after executing some delete command that you actually wanted to run), but instead of mistyping GET -> DELETE, you mistype the namespace name. |
We've discussed this today during the meeting. The general plan that everyone seems to be happy with:
|
Is there some lightweight action the server could take on deletion to help the user recover, if the user changes their mind afterwards? |
Nope, we need to scope this separately. A proper way to backup/restore was briefly discussed during one of the previous meetings. I agree this would be a desirable feature to have. |
I'm not the biggest fan of carrying around an extra property on the namespace. I can see that it makes it harder to delete non-empty namespaces, but there are also side effects of introducing a new property - for example, we might need to do additional work on the UI side of things to identify namespaces as protected. "Protected" namespaces are another concept for the users to need to understand and for us to document as well. If the motivation for a call-and-response pattern is safety, then is this actually safer than just requiring namespaces to be empty before they can be deleted? This was another alternative suggested by @dcmcand. If the group consensus is that this is the best pattern though, I'm on board. |
I agree with Peyton that it's best to keep our models as minimal as humanly possible. There are two time frames we can think about to help us move forward. Short termWe want to prevent a destructive action without guardrails. It seems to me that the path of least resistance here is to pattern namespace deletion on the Long termIf we want to support deleting a namespace and all of its environments in one go, then I think we should have some kind of recovery mechanism in place. It doesn't need to be great or super user-friendly, but recovery should be possible and not too painful. Once we have some form of recovery in place, then we can scope how we want the API to support a user that wants to delete a namespace with environments. |
TLDR there are two proposals to fix this:
|
Feature description
Currently, it's possible for an admin user to delete namespaces with any number of environments inside them. When that happens, the environments are all deleted as well. This "dangerous-by-default" behavior is probably not what we want. I propose rejecting namespace deletion requests by default, unless
force: true
flag is passed in the request to the conda-store serverValue and/or benefit
This should make it harder for admin users to inadvertently delete an entire namespace's worth of environments in one simple request.
Anything else?
No response
The text was updated successfully, but these errors were encountered: