Migrations: Revert remove ACL migration #5942
Conversation
N-o-Z
added
include-changelog
pkg/kv/migrations/migrations_test.go
Outdated
| ctx := context.Background() | ||
|
|
||
| mig := migrations.NewACLsMigrator(nil, false) | ||
|
|
||
| for _, tt := range tests { |
There was a problem hiding this comment.
| ctx := context.Background() | |
| mig := migrations.NewACLsMigrator(nil, false) | |
| for _, tt := range tests { | |
| ctx := context.Background() | |
| mig := migrations.NewACLsMigrator(nil, false) | |
| for _, tt := range tests { |
pkg/kv/migrations/migrations_test.go
Outdated
| permission, err := mig.ComputePermission(ctx, tt.Actions) | ||
|
|
||
| if permission != tt.Permission { |
There was a problem hiding this comment.
| permission, err := mig.ComputePermission(ctx, tt.Actions) | |
| if permission != tt.Permission { | |
| permission, err := mig.ComputePermission(ctx, tt.Actions) | |
| if permission != tt.Permission { |
pkg/kv/migrations/migrations_test.go
Outdated
| permission, err := mig.ComputePermission(ctx, tt.Actions) | ||
|
|
||
| if permission != tt.Permission { | ||
| t.Errorf("Got permission %s when expecting %s", permission, tt.Permission) | ||
| } | ||
|
|
||
| if !errors.Is(err, tt.Err) { | ||
| t.Errorf("Got error %s but expected %s", err, tt.Err) | ||
| } |
There was a problem hiding this comment.
- Need to verify expected error first
- In case there is an err we need to skip permissions check
pkg/kv/migrations/migrations_test.go
Outdated
| // ##################################################################################### | ||
| // # | ||
| // rbac_to_acl # | ||
| // # |
There was a problem hiding this comment.
Can we replace these headers with function doc or package level docs.
There are some examples (https://tip.golang.org/doc/comment)
pkg/kv/migrations/migrations_test.go
Outdated
| for i, a := range perms { | ||
| for j, b := range perms { | ||
| t.Run(fmt.Sprintf("%s:%s", a, b), func(t *testing.T) { |
There was a problem hiding this comment.
Suggest not to create a subtest for each check - just print the combination in the error.
|
|
||
| // handle migrate within ACLs | ||
| if version == kv.ACLMigrateVersion { | ||
| if force { |
There was a problem hiding this comment.
Update using force flag should be handled by migrate level, not on a specific migrate to acl, as it is relevant no matter to which level you like to force the update - the level just have to be less or equal to the latest compiled with the binary.
There was a problem hiding this comment.
It's more complicated then that. The force was designed specifically for ACLMigrationVersion (blocking migration). It was not designed for a rolling upgrade. I suggest to use the force flag per migration
| func updateKVSchemaVersion(ctx context.Context, kvStore kv.Store, version uint) error { | ||
| err := kv.SetDBSchemaVersion(ctx, kvStore, version) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to upgrade version, to fix this re-run migration: %w", err) | ||
| } | ||
| return nil | ||
| } |
There was a problem hiding this comment.
Would keep this one as part of rbac_to_acl as it looks like another helper for the specific code
There was a problem hiding this comment.
This is being used in both import_premissions.py and rbac_to_acl.py.
pkg/kv/migrations/rbac_to_acl.go
Outdated
| return addedActionsSlice | ||
| } | ||
|
|
||
| // BroaderPermission returns true if a offers strictly more permissions that b. |
There was a problem hiding this comment.
| // BroaderPermission returns true if a offers strictly more permissions that b. | |
| // BroaderPermission returns true if a offers strictly more permissions that b. Unknown ACLPermission will panic. |
| addedActions := make(map[string]struct{}, len(allAllowedActions)) | ||
| for _, action := range permissions.Actions { | ||
| if someActionMatches(action, allAllowedActions) && !someActionMatches(action, alreadyAllowedActions) { | ||
| addedActions[action] = struct{}{} | ||
| } | ||
| } | ||
| addedActionsSlice := make([]string, 0, len(addedActions)) | ||
| for action := range addedActions { | ||
| addedActionsSlice = append(addedActionsSlice, action) | ||
| } | ||
| return addedActionsSlice |
There was a problem hiding this comment.
If we are going over a unique array of actions, to verify someActionMatches - why do we need a map (like we need to make sure to have unique keys) and transform it to a slice at the end.
Looks like we just need to add the relevant actions to a slice and return.
There was a problem hiding this comment.
I'd rather not touch this code. It was written by @guy-har and already been battle tested.
There was a problem hiding this comment.
Thanks - will look into it in a different PR.
pkg/kv/migrations/rbac_to_acl.go
Outdated
| var ( | ||
| allAllowedActions map[string]struct{} | ||
| ) |
There was a problem hiding this comment.
| var ( | |
| allAllowedActions map[string]struct{} | |
| ) | |
| var allAllowedActions map[string]struct{} |
pkg/kv/migrations/migrations_test.go
Outdated
| // rbac_to_acl # | ||
| // # | ||
| // ##################################################################################### | ||
| // # rbac_to_acl test code |
There was a problem hiding this comment.
| // # rbac_to_acl test code | |
| // TestGetMinPermission - rbac_to_acl test code |
pkg/kv/migrations/migrations_test.go
Outdated
| // # import_permissions test code | ||
|
|
There was a problem hiding this comment.
| // # import_permissions test code | |
| // TestMigrateImportPermissions - import_permissions test code |
| addedActions := make(map[string]struct{}, len(allAllowedActions)) | ||
| for _, action := range permissions.Actions { | ||
| if someActionMatches(action, allAllowedActions) && !someActionMatches(action, alreadyAllowedActions) { | ||
| addedActions[action] = struct{}{} | ||
| } | ||
| } | ||
| addedActionsSlice := make([]string, 0, len(addedActions)) | ||
| for action := range addedActions { | ||
| addedActionsSlice = append(addedActionsSlice, action) | ||
| } | ||
| return addedActionsSlice |
There was a problem hiding this comment.
Thanks - will look into it in a different PR.
| _, err = rbacToACL(ctx, authService, true, updateTime, func(groupID string, acl model.ACL, warn error) { | ||
| groupReports = append(groupReports, Warning{GroupID: groupID, ACL: acl, Warn: warn}) | ||
| }) |
There was a problem hiding this comment.
IIUC you are forcing it even if you have errors.
AFAIK this is not the expected behavior, it might perform unwanted changes (such as upgrading users to admin)
Linked Issue
Closes #5941
Change Description
Introduce ACL migration as part of a rolling upgrade