Skip to content
This repository has been archived by the owner on Mar 11, 2021. It is now read-only.

[WIP] permissions API #2246

Open
wants to merge 81 commits into
base: master
Choose a base branch
from
Open

Conversation

stooke
Copy link
Contributor

@stooke stooke commented Aug 17, 2018

This PR is put out for discussion on what the permissions API should be.

Currently permissions checking is only done when a new query parameter "qp=true" is added to the queries below.

This PR implements a new optional section in the JSON returned from /api/deployments/spaces/{spaceId}; a "links" section under the "data" object (this list of permissions is not inclusive as our k8s API doesn't check all of them).

    "links":{  
        "space":{  
            "href":"http://localhost:8080/api/spaces/{spaceId}",
            "meta":{  
                "methods":["GET"]
            }
        }
    },

Also, under each deployment object returned by the same query, in the Links object, added:

    "links":{  
         (old links for logs, console, etc)
        "self":{  
             "href": "http://localhost:8080/api/spaces/{spaceId}/applications/{appId}/deployments/{deploymentId}",
            "meta":{  
                "methods":["DELETE", "PATCH"]
            }
        }
    },

And lastly, from /api/deployments/spaces/{spaceId}, the link to the deployments API is added into the links section returned:

"links":{
   (previous links)
   "deployments" : {
          "href": "http://localhost:8080/api/deployments/spaces/{spaceId}"
          "meta":{
                 "methods": ["GET"]
           }
    }
 }

The intent is that the list of available HTTP methods would change based on accessibility of the given spaceId by the current user.

At this time, new tests have not been added to check this behaviour.

stooke added 30 commits January 26, 2018 11:17
This patch renames some more types that were missed in PR fabric8-services#1868
The /apps API has been replaced by the JSON-API conformant version /deployments.

Fixes fabric8-services#1889
@codecov-io
Copy link

codecov-io commented Sep 12, 2018

Codecov Report

Merging #2246 into master will decrease coverage by 0.63%.
The diff coverage is 18%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2246      +/-   ##
==========================================
- Coverage   70.17%   69.53%   -0.64%     
==========================================
  Files         171      172       +1     
  Lines       16625    16676      +51     
==========================================
- Hits        11666    11596      -70     
- Misses       3829     3946     +117     
- Partials     1130     1134       +4
Impacted Files Coverage Δ
controller/deployments_osioclient.go 90.24% <100%> (ø) ⬆️
controller/deployments.go 46.8% <2%> (-9.05%) ⬇️
controller/space.go 67.21% <32.65%> (-2.43%) ⬇️
workitem/workitem_storage.go 73.07% <0%> (-8.51%) ⬇️
spacetemplate/template.go 93.1% <0%> (-6.9%) ⬇️
space/space.go 64.51% <0%> (-5.14%) ⬇️
workitem/typegroup.go 31.52% <0%> (-4.2%) ⬇️
workitem/board.go 74.46% <0%> (-3.31%) ⬇️
gormsupport/postgres.go 39.28% <0%> (-3.14%) ⬇️
controller/workitem.go 78.27% <0%> (-2.91%) ⬇️
... and 33 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9dc1c08...aa8b1b6. Read the comment docs.

@stooke
Copy link
Contributor Author

stooke commented Sep 13, 2018

@ebaron, @jiekang I've updated the PR; it's basically in its final proposed state (still needs tests). Please take a look when you have time.

Copy link
Contributor

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Simon, looking good so far! Just a few things I'd like to point out.

@@ -64,6 +65,9 @@ func NewSpaceController(
resourceManager: resourceManager,
DeploymentsClient: http.DefaultClient,
CodebaseClient: http.DefaultClient,
ClientGetter: &defaultClientGetter{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DeleteSpace method uses the above DeploymentsClient to call the deployments API via the Goa-generated client. Should we do the same here instead of using the ClientGetter?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it this way because the new CanGet*() API's are internal, and it seemed more efficient to call directly. However, it's messy in several ways: I had to pass in config.Registry instead of SpaceConfiguration, and it uses the internal CanGetSpace() call, which is ... internal. So I felt slightly dirty coding it.

If I understand it, your proposal is to call //deployments/Space/{spaceID}?qp=true under the hood and use the output of that?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh right, I forgot that in order to get the permissions data we have to get all the space data as well. I don't think this would be a good idea, because of the substantial overhead for data we won't use. Perhaps we should stick with your current approach.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could add a parameter to only get the root space object, but maybe I should just leave that in a comment?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or even just skip getting any actual data for the space and only return the permissions. This may be over-complicating one API endpoint though. I'm fine with leaving as a comment for now. I imagine this would need to be addressed when moving deployments out of WIT though.

}
if canGetSpace {
methods = append(methods, "GET")
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CanGetSpace returns whether we can GET /api/deployments/spaces/:spaceID, but this link is for GET /api/spaces/:spaceID.

Copy link
Contributor Author

@stooke stooke Sep 14, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I figured it was moot since they have to to the GET to get there in the first place, and GET is all we allow. But I didn't realize at the time the permissions are different. I have removed this link.

Meta: &app.EndpointAccess{
Methods: methods,
},
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also include links to the stats and statseries endpoints here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea - done.

a.Required("name", "permissions")
})

var internalAccess = a.Type("InternalAccess", func() {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

internalAccess is unused

@DhritiShikhar
Copy link
Contributor

@stooke are you still working on this?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants