
add cross domain scoping #1118

Merged
merged 1 commit into from
May 30, 2019

Conversation

auhlig
Contributor

@auhlig auhlig commented May 6, 2019

As described in #1117

Member

@povilasv povilasv left a comment


I like the idea and changes 🥇

Please add changelog entry.

Also I think we should add:

  • logging at info level that we are using the new config.
  • logging at warn level when we are using deprecated config.

@@ -12,6 +12,7 @@ import (
"time"

"github.com/improbable-eng/thanos/pkg/objstore"
yaml "gopkg.in/yaml.v2"
Member

please remove the blank line after this one

Contributor Author

ran goimports again

Member

goimports doesn't solve the blank line issue, please remove the blank line after this

Contributor Author

i meant removed blank line and did the goimports again

// Support for cross domain scoping (user in different domain than project)
// If a userDomainName or userDomainID is given, a user is scoped to this domain
// and the tenant (aka project) is expected to be in the domain given by domainName or domainID.
if sc.UserDomainName != "" {
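Review bot: the comment above `if sc.UserDomainName != "" {` says the user domain may be given by name or by ID, but this branch says nothing about a config that sets both user_domain_name and user_domain_id; with two independent ifs, whichever assignment runs last wins silently, and the token ends up scoped to a domain the operator did not intend. Return an error when both are set, or state the precedence in the comment, so the same-domain and cross-domain cases stay unambiguous.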
Member

could we use switch here instead

switch {
case sc.UserDomainName != "":
...
case sc.UserDomainID != "":

}

Contributor Author

right. done

}
}
if authOpts.Scope != nil {
if sc.TenantName != "" {
Member

could we use switch here.

Contributor Author

done

@povilasv
Member

povilasv commented May 7, 2019

@auhlig you just commented, but didn't actually push the changes

@auhlig
Contributor Author

auhlig commented May 7, 2019

@povilasv github was down this morning -.-
I ran make docs and updated the code slightly: default to project_id|project_name. tenant_id and tenant_name are marked as deprecated but still respected and could be removed easily (if desired at all; even gophercloud still struggles to use the terminology consequently).
Cross-domain authentication is only supported if one provides a project via id or name.

Also extended the get_env part used when testing.

Tested in our clusters using the configuration:

auth_url: ..
username: ..
user_domain_name: ...
password: ...
project_name: ..
project_domain_name: ...
region_name: ...
container_name: ...

Are you ok with this?

level.Warn(logger).Log("msg", "usage of tenant_id is deprecated. use project_id instead")
authOpts.TenantID = sc.TenantID
case sc.ProjectName != "" || sc.ProjectID != "":
level.Info(logger).Log("msg", "using project_id or project_name")
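Review bot: in this switch the deprecated tenant_id case is evaluated before `case sc.ProjectName != "" || sc.ProjectID != "":`, so a config that sets both tenant_id and project_id silently authenticates with the deprecated tenant value and the warn line is the only hint; either reject configs that set both, or put the project case first so the documented key wins. The `using project_id or project_name` info line tells the operator nothing they can act on and can be dropped.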
Member

I think we should remove this, it isn't a good message and IMO doesn't add any value

Contributor Author

right. removed

}
}
if authOpts.Scope != nil {
level.Info(logger).Log("msg", "scoping to domain, project")
Member

same here let's not log this message.

Contributor Author

removed


// Allow Gophercloud to re-authenticate automatically.
AllowReauth: true,
}

// The term `tenant` is used in the deprecated OpenStack Identity v2.
// In Identity v3 the term `project` is used instead.
switch {
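Review bot: the comment on `AllowReauth: true` should say what the flag implies: per Gophercloud's own documentation of the field, it lets the client re-authenticate with the stored username and password when the token expires, so the credentials stay in the provider client for the lifetime of the process. That is the right default for a long-running Thanos component, but it belongs in docs/storage.md next to the project id vs project name examples so operators know the password is kept in memory.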
Member

could you also add a couple of examples how or when to configure project id vs project name in the docs/storage.md file

Contributor Author

updated docs. added link to official documentation with examples

@auhlig
Contributor Author

auhlig commented May 9, 2019

LGTY @povilasv?

@povilasv
Member

@auhlig Sort of yes. Did you look at the tests? Would be amazing if we could add some proper testing here, so that when we change code we don't break things.

Member

@bwplotka bwplotka left a comment


One suggestion - what do you think about using yaml.UnmarshalStrict in client.go instead of leaving old fields behind? It will simplify flow and documentation (:

After that is addressed LGTM (:

RegionName string `yaml:"region_name"`
ContainerName string `yaml:"container_name"`

// Deprecated: Please use `project_id` instead.
Member

I would maybe kill this and use yaml.UnmarshalStrict instead? (: We already documented the change so let's fail fast on unmarshalling! (:

Contributor Author

sounds good. done

// The term `tenant` is used in the deprecated OpenStack Identity v2.
// In Identity v3 the term `project` is used instead.
switch {
case sc.TenantName != "":
Member

let's use yaml.UnmarshalStrict instead?

Contributor Author

done

UserDomainName: os.Getenv("OS_USER_DOMAIN_NAME"),
ProjectDomainID: os.Getenv("OS_PROJET_DOMAIN_ID"),
ProjectDomainName: os.Getenv("OS_PROJECT_DOMAIN_NAME"),
TenantID: os.Getenv("OS_TENANT_ID"),
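Review bot: `os.Getenv("OS_PROJET_DOMAIN_ID")` has a typo in the variable name (PROJET instead of PROJECT), so an exported OS_PROJECT_DOMAIN_ID would never be read by the test setup; rename it to OS_PROJECT_DOMAIN_ID to match the OS_PROJECT_DOMAIN_NAME line right below it and the standard OpenStack client variable.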
Member

Kill this

Contributor Author

killed

@auhlig
Contributor Author

auhlig commented May 13, 2019

Made this a breaking change by dropping tenant_id, tenant_name.
Extracted logic to parseConfig, authOptsFromConfig for easier unit testing.
Added unit tests.

LGTY @povilasv @bwplotka
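The refactoring described in this comment, as an added example that is not the PR's or Thanos's own code: a strict parser that rejects the removed tenant_id/tenant_name keys (standing in for yaml.UnmarshalStrict, using the standard library only so it runs offline) and an authOptsFromConfig that keeps the user's domain separate from the project's domain. The SwiftConfig struct, the simplified AuthOptions/Scope types, the error texts and the precedence rules are assumptions for this example; only the identity-related keys are modelled, and the config document is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SwiftConfig holds the identity keys discussed in the PR (an assumed shape, not the project's struct).
type SwiftConfig struct {
	AuthURL, Username, Password        string
	UserDomainName, UserDomainID       string
	ProjectName, ProjectID             string
	ProjectDomainName, ProjectDomainID string
}

// fields maps every accepted key to its destination. tenant_id and tenant_name are
// deliberately absent, so a stale config fails at parse time instead of being ignored.
func fields(c *SwiftConfig) map[string]*string {
	return map[string]*string{
		"auth_url": &c.AuthURL, "username": &c.Username, "password": &c.Password,
		"user_domain_name": &c.UserDomainName, "user_domain_id": &c.UserDomainID,
		"project_name": &c.ProjectName, "project_id": &c.ProjectID,
		"project_domain_name": &c.ProjectDomainName, "project_domain_id": &c.ProjectDomainID,
	}
}

// parseConfig is a minimal strict parser for a flat "key: value" document, standing
// in for yaml.UnmarshalStrict: an unknown key is an error, never dropped on the floor.
func parseConfig(doc string) (SwiftConfig, error) {
	var c SwiftConfig
	dst := fields(&c)
	for i, line := range strings.Split(doc, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return c, fmt.Errorf("line %d: expected key: value", i+1)
		}
		key := strings.TrimSpace(parts[0])
		p, ok := dst[key]
		if !ok {
			return c, fmt.Errorf("line %d: unknown field %q", i+1, key)
		}
		*p = strings.TrimSpace(parts[1])
	}
	return c, nil
}

// Scope is the project a token is scoped to and the domain that project lives in.
type Scope struct{ ProjectName, ProjectID, DomainName, DomainID string }

// AuthOptions is a simplified stand-in for gophercloud.AuthOptions.
type AuthOptions struct {
	IdentityEndpoint, Username, Password string
	DomainName, DomainID                 string // domain the user account lives in
	AllowReauth                          bool
	Scope                                *Scope
}

// authOptsFromConfig keeps the user's domain and the project's domain apart, so a user in
// domain A can be scoped to a project in domain B. Ambiguous name/id pairs are rejected.
func authOptsFromConfig(c SwiftConfig) (AuthOptions, error) {
	ao := AuthOptions{IdentityEndpoint: c.AuthURL, Username: c.Username, Password: c.Password, AllowReauth: true}
	if (c.UserDomainName != "" && c.UserDomainID != "") || (c.ProjectName != "" && c.ProjectID != "") ||
		(c.ProjectDomainName != "" && c.ProjectDomainID != "") {
		return ao, errors.New("give user domain, project and project domain by name or by id, not both")
	}
	ao.DomainName, ao.DomainID = c.UserDomainName, c.UserDomainID
	crossDomain := c.ProjectDomainName != "" || c.ProjectDomainID != ""
	switch {
	case c.ProjectID != "":
		// A project ID is unique across domains, so no project domain is needed.
		ao.Scope = &Scope{ProjectID: c.ProjectID}
	case c.ProjectName != "":
		// A project name is only unique within a domain: default to the user's own
		// domain unless a project domain was given explicitly (the cross-domain case).
		s := &Scope{ProjectName: c.ProjectName, DomainName: c.UserDomainName, DomainID: c.UserDomainID}
		if crossDomain {
			s.DomainName, s.DomainID = c.ProjectDomainName, c.ProjectDomainID
		}
		ao.Scope = s
	case crossDomain:
		return ao, errors.New("cross-domain scoping requires project_id or project_name")
	}
	return ao, nil
}

func main() {
	// Constructed sample input mirroring the shape of the config tested in the PR.
	const doc = "auth_url: https://keystone.example:5000/v3\nusername: thanos\npassword: secret\n" +
		"user_domain_name: users\nproject_name: observability\nproject_domain_name: infra\n"
	if c, err := parseConfig(doc); err == nil {
		ao, err := authOptsFromConfig(c)
		fmt.Printf("user domain %q scope=%+v err=%v\n", ao.DomainName, ao.Scope, err)
	}
	_, err := parseConfig("tenant_id: abc") // stale pre-PR key is rejected
	fmt.Println("stale key:", err)
}
```

The two error paths are the ones the thread argues about: a stale tenant_* key fails at parse time instead of being silently ignored, and a project domain without a project is refused rather than producing a half-scoped token.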

@auhlig
Contributor Author

auhlig commented May 13, 2019

Netlify doesn't seem to be in the mood to run the tests. CircleCI passed however.

@auhlig auhlig force-pushed the cross-domain branch 2 times, most recently from 6253d02 to a680c93 May 13, 2019 15:52
@auhlig
Contributor Author

auhlig commented May 13, 2019

Squashed into single commit and force pushed.
Giving netlify another chance by closing/re-opening PR

@auhlig auhlig closed this May 13, 2019
@auhlig auhlig reopened this May 13, 2019
Signed-off-by: Arno Uhlig <arno.uhlig@sap.com>
@auhlig
Contributor Author

auhlig commented May 17, 2019

Updated the changelog after some merge conflicts. Can this be merged @povilasv @bwplotka?

@GiedriusS
Member

@auhlig so essentially with this PR we are getting rid of the support of the V2 API? I'm a bit anxious about this since, for example, some companies might still be running old versions of that API (cough not gonna point any fingers). Would it be hard to add some kind of backward compatibility?

@auhlig
Contributor Author

auhlig commented May 18, 2019

@GiedriusS This PR does not drop Identity v2 support. It's still possible to authenticate using project_id or project_name instead of the deprecated (since ~2013) terms tenant_id, tenant_name.
We only fix the terminology (tenant became project with Identity v3) and add support for authentication if a user is in a different domain than the project.
In summary, the only breaking change is the terminology.

@povilasv
Member

Ok so this does include a breaking change
tenantID, tenantName -> projectID, projectName.

I think in order not to break users, just fill tenantID to projectID and tenantName to projectName.

We try to avoid breaking changes when possible and in this case it's definitely doable

Member

@bwplotka bwplotka left a comment


LGTM, thanks!

I think we noted verbosely that those fields changed, and we will fail fast so this is good IMO.

@bwplotka
Member

@povilasv I think breaking here is better than having inconsistent configuration -> users will be immediately notified by verbose error message.

@bwplotka
Member

Waiting for @povilasv final LGTM to merge (:

@bwplotka bwplotka merged commit 69782ff into thanos-io:master May 30, 2019
@auhlig
Contributor Author

auhlig commented Jun 6, 2019

Thank you guys 🎉
