Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: reduce the number of api calls from Workspace Create Modal #9735

Merged
merged 7 commits into from
Jul 29, 2024
Merged

fix: reduce the number of api calls from Workspace Create Modal #9735

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
610c22d
fix: reduce the number of api Calls from Workspace Create Modal
salonig23 Jul 25, 2024
779a5d7
fixed glitch in the modal
salonig23 Jul 26, 2024
6c18698
address comments
salonig23 Jul 26, 2024
d6d8e55
handle closing of edit modal
salonig23 Jul 26, 2024
1dcd22d
improved permission checks
salonig23 Jul 26, 2024
56710bc
final fixes
salonig23 Jul 29, 2024
023f582
fix path for get k8s resource managers And resource quotas APIs
salonig23 Jul 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions harness/determined/common/api/bindings.py
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 0 additions & 11 deletions master/internal/api_master.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -370,16 +370,5 @@ func (a *apiServer) GetKubernetesResourceManagers(
ctx context.Context,
req *apiv1.GetKubernetesResourceManagersRequest,
) (*apiv1.GetKubernetesResourceManagersResponse, error) {
u, _, err := grpcutil.GetUser(ctx)
if err != nil {
return nil, err
}
permErr, err := cluster.AuthZProvider.Get().CanGetMasterConfig(ctx, u)
if err != nil {
return nil, err
} else if permErr != nil {
return nil, permErr
}

return &apiv1.GetKubernetesResourceManagersResponse{ResourceManagers: a.m.config.GetKubernetesClusterNames()}, nil
}
13 changes: 4 additions & 9 deletions master/internal/api_workspace.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -610,17 +610,12 @@ func (a *apiServer) DeleteWorkspaceNamespaceBindings(ctx context.Context,
func (a *apiServer) deleteWorkspaceNamespaceBinding(ctx context.Context,
clusterNames []string, workspaceID int32, curUser *model.User,
) error {
w, err := a.GetWorkspaceByID(ctx, workspaceID, *curUser, true)
if err != nil {
return err
}

if err := workspace.AuthZProvider.Get().
CanSetWorkspaceNamespaceBindings(ctx, *curUser, w); err != nil {
CanSetWorkspaceNamespaceBindings(ctx, *curUser); err != nil {
return status.Error(codes.PermissionDenied, err.Error())
}
if len(clusterNames) > 0 {
err = db.Bun().RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
err := db.Bun().RunInTx(ctx, nil, func(ctx context.Context, tx bun.Tx) error {
deletedBindings, err := workspace.DeleteWorkspaceNamespaceBindings(ctx, int(workspaceID), clusterNames, &tx)
if err != nil {
return err
Expand Down Expand Up @@ -837,7 +832,7 @@ func (a *apiServer) setWorkspaceNamespaceBindings(ctx context.Context,

wkspID := int(w.Id)
if err := workspace.AuthZProvider.Get().
CanSetWorkspaceNamespaceBindings(ctx, *curUser, w); err != nil {
CanSetWorkspaceNamespaceBindings(ctx, *curUser); err != nil {
return nil, status.Error(codes.PermissionDenied, err.Error())
}

Expand Down Expand Up @@ -1012,7 +1007,7 @@ func (a *apiServer) setResourceQuotas(ctx context.Context,
) (*apiv1.SetResourceQuotasResponse, error) {
license.RequireLicense("set resource quota")
if err := workspace.AuthZProvider.Get().
CanSetResourceQuotas(ctx, *curUser, w); err != nil {
CanSetResourceQuotas(ctx, *curUser); err != nil {
return nil, status.Error(codes.PermissionDenied, err.Error())
}

Expand Down
3 changes: 1 addition & 2 deletions master/internal/workspace/authz_basic_impl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,7 +160,7 @@ func (a *WorkspaceAuthZBasic) CanCreateWorkspaceWithCheckpointStorageConfig(

// CanSetWorkspaceNamespaceBindings retruns an error if the user is not a cluster admin.
func (a *WorkspaceAuthZBasic) CanSetWorkspaceNamespaceBindings(
ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
ctx context.Context, curUser model.User,
) error {
if !curUser.Admin {
return fmt.Errorf("only admins may set workspace bindings")
Expand All @@ -170,7 +170,6 @@ func (a *WorkspaceAuthZBasic) CanSetWorkspaceNamespaceBindings(

// CanSetResourceQuotas returns an error if the user is not a cluster admin.
func (a *WorkspaceAuthZBasic) CanSetResourceQuotas(ctx context.Context, curUser model.User,
workspace *workspacev1.Workspace,
) error {
if !curUser.Admin {
return fmt.Errorf("only admins may set resource quotas")
Expand Down
6 changes: 2 additions & 4 deletions master/internal/workspace/authz_iface.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,10 +44,8 @@ type WorkspaceAuthZ interface {
CanCreateWorkspace(ctx context.Context, curUser model.User) error
CanCreateWorkspaceWithAgentUserGroup(ctx context.Context, curUser model.User) error
CanCreateWorkspaceWithCheckpointStorageConfig(ctx context.Context, curUser model.User) error
CanSetWorkspaceNamespaceBindings(ctx context.Context, curUser model.User,
workspace *workspacev1.Workspace) error
CanSetResourceQuotas(ctx context.Context, curUser model.User,
workspace *workspacev1.Workspace) error
CanSetWorkspaceNamespaceBindings(ctx context.Context, curUser model.User) error
CanSetResourceQuotas(ctx context.Context, curUser model.User) error

// PATCH /api/v1/workspaces/:workspace_id
CanSetWorkspacesName(
Expand Down
12 changes: 6 additions & 6 deletions master/internal/workspace/authz_permissive.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,18 +157,18 @@ func (p *WorkspaceAuthZPermissive) CanSetWorkspacesDefaultPools(

// CanSetWorkspaceNamespaceBindings calls RBAC authz but enforces basic authz.
func (p *WorkspaceAuthZPermissive) CanSetWorkspaceNamespaceBindings(
ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
ctx context.Context, curUser model.User,
) error {
_ = (&WorkspaceAuthZRBAC{}).CanSetWorkspaceNamespaceBindings(ctx, curUser, workspace)
return (&WorkspaceAuthZBasic{}).CanSetWorkspaceNamespaceBindings(ctx, curUser, workspace)
_ = (&WorkspaceAuthZRBAC{}).CanSetWorkspaceNamespaceBindings(ctx, curUser)
return (&WorkspaceAuthZBasic{}).CanSetWorkspaceNamespaceBindings(ctx, curUser)
}

// CanSetResourceQuotas calls RBAC authz but enforces basic authz.
func (p *WorkspaceAuthZPermissive) CanSetResourceQuotas(
ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,
ctx context.Context, curUser model.User,
) error {
_ = (&WorkspaceAuthZRBAC{}).CanSetResourceQuotas(ctx, curUser, workspace)
return (&WorkspaceAuthZBasic{}).CanSetResourceQuotas(ctx, curUser, workspace)
_ = (&WorkspaceAuthZRBAC{}).CanSetResourceQuotas(ctx, curUser)
return (&WorkspaceAuthZBasic{}).CanSetResourceQuotas(ctx, curUser)
}

func init() {
Expand Down
8 changes: 4 additions & 4 deletions master/internal/workspace/authz_rbac.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -369,7 +369,7 @@ func (r *WorkspaceAuthZRBAC) CanSetWorkspacesDefaultPools(

// CanSetWorkspaceNamespaceBindings determines whether a user can set a workspace namespace bindng.
func (r *WorkspaceAuthZRBAC) CanSetWorkspaceNamespaceBindings(ctx context.Context,
curUser model.User, workspace *workspacev1.Workspace,
curUser model.User,
) (err error) {
fields := audit.ExtractLogFields(ctx)
addInfoWithoutWorkspace(curUser, fields,
Expand All @@ -378,13 +378,13 @@ func (r *WorkspaceAuthZRBAC) CanSetWorkspaceNamespaceBindings(ctx context.Contex
audit.LogFromErr(fields, err)
}()

return db.DoesPermissionMatch(ctx, curUser.ID, &workspace.Id,
return db.DoesPermissionMatch(ctx, curUser.ID, nil,
rbacv1.PermissionType_PERMISSION_TYPE_SET_WORKSPACE_NAMESPACE_BINDINGS)
}

// CanSetResourceQuotas determines whether a user can set a resource quota on a workspace.
func (r *WorkspaceAuthZRBAC) CanSetResourceQuotas(ctx context.Context,
curUser model.User, workspace *workspacev1.Workspace,
curUser model.User,
) (err error) {
fields := audit.ExtractLogFields(ctx)
addInfoWithoutWorkspace(curUser, fields,
Expand All @@ -393,7 +393,7 @@ func (r *WorkspaceAuthZRBAC) CanSetResourceQuotas(ctx context.Context,
audit.LogFromErr(fields, err)
}()

return db.DoesPermissionMatch(ctx, curUser.ID, &workspace.Id,
return db.DoesPermissionMatch(ctx, curUser.ID, nil,
rbacv1.PermissionType_PERMISSION_TYPE_SET_RESOURCE_QUOTAS)
}

Expand Down
Loading
Loading