-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add cross domain scoping #1118
add cross domain scoping #1118
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea and changes 🥇
Please add changelog entry.
Also I think we should add:
- logging in info level that we are using new config.
- logging in warn level when we are using deprecated config.
pkg/objstore/swift/swift.go
Outdated
@@ -12,6 +12,7 @@ import ( | |||
"time" | |||
|
|||
"github.com/improbable-eng/thanos/pkg/objstore" | |||
yaml "gopkg.in/yaml.v2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please remove the blank line after this one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ran goimports
again
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
goimports doesn't solve the blank line issue, please remove the blank line after this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i meant removed blank line and did the goimports again
pkg/objstore/swift/swift.go
Outdated
// Support for cross domain scoping (user in different domain than project) | ||
// If a userDomainName or userDomainID is given, a user is scoped to this domain | ||
// and the tenant (aka project) is expected to be in the domain given by domainName or domainID. | ||
if sc.UserDomainName != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we use switch here instead
switch {
case sc.UserDomaiName != "":
...
case sc.UserDomainID != "":
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right. done
pkg/objstore/swift/swift.go
Outdated
} | ||
} | ||
if authOpts.Scope != nil { | ||
if sc.TenantName != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we use switch here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@auhlig you just commented, but didn't actually push the changes |
@povilasv github was down this morning -.- also extended the get_env part used when testing. tested in our clusters using the configuration:
are you ok with this? |
pkg/objstore/swift/swift.go
Outdated
level.Warn(logger).Log("msg", "usage of tenant_id is deprecated. use project_id instead") | ||
authOpts.TenantID = sc.TenantID | ||
case sc.ProjectName != "" || sc.ProjectID != "": | ||
level.Info(logger).Log("msg", "using project_id or project_name") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should remove this, it isn't a good message and IMO doesn't add any value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right. removed
pkg/objstore/swift/swift.go
Outdated
} | ||
} | ||
if authOpts.Scope != nil { | ||
level.Info(logger).Log("msg", "scoping to domain, project") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here let's not log this message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
pkg/objstore/swift/swift.go
Outdated
|
||
// Allow Gophercloud to re-authenticate automatically. | ||
AllowReauth: true, | ||
} | ||
|
||
// The term `tenant` is used in the deprecated OpenStack Identity v2. | ||
// In Identity v3 the term `project` is used instead. | ||
switch { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you also add a couple of examples how or when to configure project id vs project name in the docs/storage.md
file
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated docs. added link to official documentation with examples
LGTY @povilasv? |
@auhlig Sort of yes. Did you look at the tests? Would be amazing if we could add some proper testing here, so that when we change code we don't break things. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One suggestion - what do you think about using yaml.UnmarshalStrict
in client.go
instead leaving old fields behind? It will simplify flow and documentation (:
After that is addressed LGTM (:
pkg/objstore/swift/swift.go
Outdated
RegionName string `yaml:"region_name"` | ||
ContainerName string `yaml:"container_name"` | ||
|
||
// Deprecated: Please use `project_id` instead. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would maybe kill this and use yaml.UmarshalStrict
instead? (: We already documented the change so let's fail fast on umarshalling! (:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sounds good. done
pkg/objstore/swift/swift.go
Outdated
// The term `tenant` is used in the deprecated OpenStack Identity v2. | ||
// In Identity v3 the term `project` is used instead. | ||
switch { | ||
case sc.TenantName != "": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's use yaml.UnmarshalStrict
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pkg/objstore/swift/swift.go
Outdated
UserDomainName: os.Getenv("OS_USER_DOMAIN_NAME"), | ||
ProjectDomainID: os.Getenv("OS_PROJET_DOMAIN_ID"), | ||
ProjectDomainName: os.Getenv("OS_PROJECT_DOMAIN_NAME"), | ||
TenantID: os.Getenv("OS_TENANT_ID"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kill this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
killed
Netlify doesn't seem to be in the mood to run the tests. CircleCI passed however. |
6253d02
to
a680c93
Compare
squashed into single commit and force pushed. |
Signed-off-by: Arno Uhlig <arno.uhlig@sap.com>
@auhlig so essentially with this PR we are getting rid of the support of the V2 API? I'm a bit anxious about this since, for example, some companies might still be running old versions of that API (cough not gonna point any fingers). Would it be hard to add some kind of backward compatibility? |
@GiedriusS This PR does not drop Identity v2 support. It's still possible to authenticate using |
Ok so this does include a breaking change I think in order not to break users, just fill tenantID to projectID and tenantName to projectName. We try to avoid breaking changes when possible and in this case it's definitely doable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
I think we noted verbosely that those fields changed, and we will fail fast so this is good IMO.
@povilasv I think breaking here is better that having inconsistent configuration -> users will be immdiately notified by verbose error message. |
Waiting for @povilasv final LGTM to merge (: |
Thank you guys 🎉 |
As described in #1117