fix rbac+purview web app issue (feathr-ai#700)

Resolves feathr-ai#699 Root cause: Purview Registry starts too slow (than SQL registry) while RBAC layer add a dependency to its API in RBAC init which causes the web app crash Trials and Fix Trial: Add a sleep(60) command in start.sh will make the deployment successful Fix: Move the registry api dependency outside of RBAC init; Log the failure as Runtime Exception
hyingyang-linkedin · Oct 25, 2022 · e300c55 · e300c55
1 parent 41bc451
commit e300c55
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 14 deletions.
diff --git a/registry/access_control/rbac/access.py b/registry/access_control/rbac/access.py
@@ -6,6 +6,10 @@
 from rbac.models import AccessType, User, UserAccess,_to_uuid
 from rbac.auth import authorize
 
+import json
+import requests
+from rbac import config
+
 """
 All Access Validation Functions. Used as FastAPI Dependencies.
 """
@@ -68,11 +72,20 @@ def _get_project_name(id_or_name: Union[str, UUID]):
         _to_uuid(id_or_name)
         if id_or_name not in rbac.projects_ids:
             # refresh project id map if id not found
-            rbac.get_projects_ids()
+            _get_projects_ids()
         return rbac.projects_ids[id_or_name]
     except KeyError:
-        raise ForbiddenAccess(f"Project Id {id_or_name} not found in Registry")
+        raise RuntimeError(f"Project Id {id_or_name} not found in Registry {config.RBAC_REGISTRY_URL}")
     except ValueError:
         pass
     # It is a name
-    return id_or_name
+    return id_or_name
+
+
+def _get_projects_ids():
+    """cache all project ids from registry api"""
+    try:
+        response = requests.get(url=f"{config.RBAC_REGISTRY_URL}/projects-ids").content.decode('utf-8')
+        rbac.projects_ids = json.loads(response)
+    except Exception as e:
+        raise RuntimeError(f"Failed to get projects ids from Registry {config.RBAC_REGISTRY_URL}, {e}")
diff --git a/registry/access_control/rbac/db_rbac.py b/registry/access_control/rbac/db_rbac.py
@@ -1,5 +1,3 @@
-import json
-import requests
 from fastapi import HTTPException, status
 from typing import Any
 from rbac import config
@@ -21,7 +19,7 @@ def __init__(self):
             os.environ["RBAC_CONNECTION_STR"] = config.RBAC_CONNECTION_STR
         self.conn = connect()
         self.get_userroles()
-        self.get_projects_ids()
+        self.projects_ids = {}
 
     def get_userroles(self):
         # Cache is not supported in cluster, make sure every operation read from database.
@@ -47,7 +45,7 @@ def get_global_admin_users(self) -> list[str]:
     def validate_project_access_users(self, project: str, user: str, access: str = AccessType.READ) -> bool:
         self.get_userroles()
         for u in self.userroles:
-            if (u.user_name == user and u.project_name in [project, SUPER_ADMIN_SCOPE] and (access in u.access)):
+            if (u.user_name == user.lower() and u.project_name in [project.lower(), SUPER_ADMIN_SCOPE] and (access in u.access)):
                 return True
         return False
 
@@ -101,7 +99,7 @@ def add_userrole(self, project_name: str, user_name: str, role_name: str, create
         # check if record already exist
         self.get_userroles()
         for u in self.userroles:
-            if u.project_name == project_name and u.user_name == user_name and u.role_name == role_name:
+            if u.project_name == project_name.lower() and u.user_name == user_name.lower() and u.role_name == role_name:
                 logging.warning(
                     f"User {user_name} already have {role_name} role of {project_name}.")
                 return True
@@ -162,9 +160,4 @@ def init_project_admin(self, creator_name: str, project_name: str):
             values ('%s','%s','%s','%s','%s', getutcdate())"""
         self.conn.update(query % (project_name.lower(), creator_name.lower(), RoleType.ADMIN.value, create_by, create_reason))
         logging.info(f"Userrole initialized with query: {query%(project_name, creator_name, RoleType.ADMIN.value, create_by, create_reason)}")
-        return self.get_userroles()
-
-    def get_projects_ids(self):
-        """cache all project ids from registry api"""
-        response = requests.get(url=f"{config.RBAC_REGISTRY_URL}/projects-ids").content.decode('utf-8')
-        self.projects_ids =  json.loads(response)
+        return self.get_userroles()