Deck: Optionally allow to make the rerun button create a new Job #12827
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/L
alvaroaleman
force-pushed
the
ui-restart
branch
2 times, most recently
from
002cb98
to
4ad9c05
Compare
There was a problem hiding this comment.
This can be very useful for private prow instances!
Question I have in mind:
- Do we want to add job-level blacklist/whitelist rerun?
- I think we want to log who triggered this rerun, or else it's hard to audit, even for private instances
- This can work with public Prow as well, if we want to introduce github auth :-)
prow/cmd/deck/static/prow/prow.ts
Outdated
| var i; | ||
| if (rerunCreatesJob) { | ||
| i = icon.create("refresh", "Rerun this job"); | ||
| i.href = `${url}`; |
There was a problem hiding this comment.
would like to see a pop up like created prowjob $prowjobID, or even a confirm page can help?
There was a problem hiding this comment.
Yeah, had that thought as well. Will ask one of our frontend devs for help on Monday.
|
cc @cjwagner @stevekuznetsov @fejta for thoughts ^^ |
If we do that should be a generic thing and not specific to triggering them via Deck.
Well, that is not possible because the auth for Deck is not integrated in Deck but instead done by some proxy that is put in front of it. If someone wants audit here, they should IMHO gather the relevant data from the proxy.
Yes, but that is far beyond my frontend skills :P |
|
The ability to see the actual config used is pretty handy, as is the ability to see the prowjob ID (which is the UUID in that URL). I think that enabling this options completely removes the ability to do that. I am in favour of the functionality existing, but it would be nice to do something about the prior functionality, which went beyond a straight rerun (which is in practice almost none of my use of this button — I mostly just want a quick way to see what the job was). It might also be worth somehow being clear about what "rerun" means — it uses the job configuration as of when that job was originally run (which may not be up to date), but re-resolves refs and so uses whatever the latest versions of those refs is. This may or may not be what people meant when they clicked it. |
prow/cmd/deck/static/prow/prow.ts
Outdated
| let i; | ||
| if (rerunCreatesJob) { | ||
| i = icon.create("refresh", "Rerun this job"); | ||
| i.href = `${url}`; |
There was a problem hiding this comment.
I'd prefer to see this as an asynchronous call rather than a page reload.
There was a problem hiding this comment.
But the page has to be reloaded anyways to see the new job or is there some other way? (Feel free to point my some doc, this is far from my area of expertise)
This is something @mirandachrist will likely be working on very soon. Lets sync first thing next week and get a design doc for this so that we can implement this in an extensible way.
+100 It would be great if we exposed the ProwJob yaml via a dedicated button instead of providing that info indirectly and non-obviously with the rerun button.
Also a great point. It would be nice to provide both options with a UI switch. It would also be nice to have an option that runs the job newest configuration for the job instead of the spec that ran previously (we could add that in a follow up PR). |
|
I think a form fill guarded by GitHub Auth would be a much more forward-looking approach to this. +1 to Cole's comments |
Woho, I didn't realize. I was actually thinking about filing an issue so
That does match with at least what I expected, although not sure if it also matches general expectations.
Completely agree. But I would like to have this in the meantime as an intermediate solution. Currently the only way to restart periodics or postsubmits is by using what yaml from Deck and I would like to make this a bit better. |
I think we would want to make this an active choice from the user.
While I appreciate that I do want to make sure we take the time to make this clean and not err too much on the side of quick, organic changes that complicate our landscape. |
|
For presubmits we need to validate that the requesting user has the ability to call |
|
Yeah, and all of those questions are much more easily solved with a web page behind github auth. I think Alva means for this PR to be an admin-level flag on less locked-down Prow instances? |
|
I'm working on adding a button that links to the prowjob YAML, so the config will still be viewable after the rerun button is changed. |
Yes, exactly that, this should never get activated on a public Prow instance and that is also what the description of the flag says. Discussed this with @cjwagner and @mirandachrist . Miranda will add another button for showing the yaml and improve what I added here by adding authorization and the possibility to change the refs. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
So the "job config cant be displayed anymore" is not valid anymore, thanks to the dedicated button @mirandachrist added in 26eecf9. @Katharine @cjwagner @stevekuznetsov Is there currently still something open you want to see as part of this PR? While the functionality is not really usable for public prow instances right now, its feature gated and shouldn't be too hard to extend with authn and/or authz. |
|
So I have one major concern about this - there is no CSRF (Cross-Site Request Forgery) protection present. The upshot is that a malicious user can get an authorised user to rerun a job by convincing them to follow a link. In theory, this is even a problem for an internal instance - in practice, given that you need a valid prowjob UUID to do anything, for a truly internal instance the risk is probably minimal. Externally, though, this would be a non-starter without additional CSRF protection, even once authorisation was added. The general approach to CSRF protection is to issue users with a token on page load which is then validated when a protected action is taken. Usually this involves maintaining state, but if you can manage user/session identifiers somehow then you can pull it off using crypto instead. Given the context of this PR, I'm not going to block on this - as long as only authorised users can discover valid prowjob UUIDs, I think the risk is pretty minimal. However, we must not blindly add authentication to this and open it up more broadly. I would like to see a comment somewhere pertinent in the code reminding people of this. I also have a second concern: the request to |
alvaroaleman
force-pushed
the
ui-restart
branch
2 times, most recently
from
c21f094
to
4218197
Compare
|
@Katharine This now does a POST request and has a warning regarding the CSRF |
| let i; | ||
| if (rerunCreatesJob) { | ||
| i = icon.create("refresh", "Rerun this job"); | ||
| i.onclick = () => { |
There was a problem hiding this comment.
Just a heads up - some people have said they'd still like to see the "kubectl create ..." popup, even if directly triggering the rerun is enabled. In my PR, I'm adding a "run" button within that popup that will actually rerun the job, so it's still displayed:
There was a problem hiding this comment.
@mirandachrist If you just hadn't explained that, I wouldn't have derived from the view on the screenshot that the run button runs the job tbh (But that discussion is probably better put on your PR)
|
This looks almost good to me, but I would like to see I'd ideally also like to see it take the prowjob name from a POSTed form rather than from the query string, but I'm not going to be picky about that one this time around. |
Anyone can discover valid ProwJob UUIDs if they can access the front end. The |
Correct. We cannot use this as part of the OAuth-ed rerun setup without further work (and there is now a comment in the relevant code reminding us of this). |
@Katharine done |
|
Or did you mean for it to always check for POST, not only in the case where the rerun is actually executed? |
Only in the case where the rerun is actually executed. |
Co-Authored-By: Katharine Berry <ktbry@google.com>
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 93f1314bac35c12f14d1dfac772c58d91452b111
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alvaroaleman, Katharine The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
With this change it is possible to set a
--rerun-creates-jobflag in Deck, it defaults tofalse. If it is set totrueand the Deck RBAC role is extended to allowCREATEforprowjobs, thererunbutton in Deck will actually create a new ProwJob instead of showing instructions on how to create one (Which is only helpful to someone who has access to the Prow cluster).I've tested manually that this works, but this is is the second time I've done something with TypeScript, so it is possible that that part looks weird to someone who knows how to do it properly 😬
/assign @Katharine