
Deprecate & Swap for Auth over DashboardConfig for group configs #3577

Merged

Conversation

andrewballantyne

@andrewballantyne andrewballantyne commented Dec 13, 2024

https://issues.redhat.com/browse/RHOAIENG-16519

Description

A new Auth resource is being added by the Platform team. OdhDashboardConfig's group configurations are no longer needed.

When we go live with the Auth resource, the OdhDashboardConfig groups will become read-only (see #3585), the Operator will copy over the items, and grant permissions to the admin users. This PR uses this functionality of new permissions to check if the admin can modify the Auth resource directly -- if so, pull & update there; if not, fall back on today's logic (aka backwards compatibility). Do note, if the Auth resource cannot be modified by this user AND it exists, we will not be able to update the Groups Config from the UI as it will attempt to update the OdhDashboardConfig while it is read-only; known limitation but should be an untravelled path.

The infrastructure to get isAdmin uses the Auth resource if it exists, SA has been granted permissions to get the resource.

Known Error States

If the CRD or the CR does not exist...
[Screenshot 2024-12-17: the error shown in the UI when the CRD or CR is missing]

How it happens and for whom are noted below:

  • For cluster-admins
    • You'll always succeed the SSAR check
    • CRD not existing or CR not existing breaks the flow
  • For product admins
    • If you don't have directly provided access -- you fall back (you may not be able to update the resource, but you can read it)
    • If you do have direct access (RBAC granted), and the CRD or CR is missing, it breaks the flow

No matter what for the UI admin page, the resource can still be modified up until the CRD is merged with a no change allowed setting (see #3585)
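The selection logic described above (SSAR check first, Auth resource if the user can modify it, OdhDashboardConfig as the backwards-compatible fallback, and a hard error when the SSAR passes but the CRD or CR is missing) can be modelled with an injected client so the decision is testable offline. This is an added illustration, not code from the dashboard repository; the `ClusterClient` interface, `makeFakeClient`, and the group names inside it are constructed stand-ins for the real Kubernetes calls.

```typescript
// Added example: models the Auth-vs-OdhDashboardConfig selection described in the PR.
// Not the dashboard's own code; the client interface below is a hypothetical stand-in
// for SelfSubjectAccessReview + resource GETs against the API server.

type GroupsConfig = { adminGroups: string[]; allowedGroups: string[] };

// Minimal, constructed client surface. Real code would perform these as async API calls.
interface ClusterClient {
  // SelfSubjectAccessReview: may the current user perform `verb` on group/resource?
  canI(verb: 'get' | 'patch', apiGroup: string, resource: string): boolean;
  // The cluster-scoped Auth CR named "auth", or a not-found marker when the CRD/CR is missing.
  getAuth(): GroupsConfig | { notFound: true };
  // Today's source of truth: the groups section of OdhDashboardConfig.
  getDashboardConfigGroups(): GroupsConfig;
}

type Source = 'auth' | 'dashboardConfig';
type Result = { source: Source; config: GroupsConfig } | { error: string };

// API group and resource from the CRD in the PR body.
const AUTH_API_GROUP = 'services.platform.opendatahub.io';
const AUTH_RESOURCE = 'auths';

function resolveGroupsConfig(client: ClusterClient): Result {
  // Step 1: SSAR. "patch" is the verb that matters, since the UI needs to update the resource.
  const canPatchAuth = client.canI('patch', AUTH_API_GROUP, AUTH_RESOURCE);
  if (!canPatchAuth) {
    // No direct RBAC on Auth: fall back to OdhDashboardConfig (backwards compatibility).
    return { source: 'dashboardConfig', config: client.getDashboardConfigGroups() };
  }
  // Step 2: SSAR succeeded, so Auth is authoritative. A missing CRD or CR is surfaced as an
  // error rather than silently falling back; this is the "known error state" from the PR.
  const auth = client.getAuth();
  if ('notFound' in auth) {
    return { error: `Auth resource "auth" (${AUTH_API_GROUP}/${AUTH_RESOURCE}) not found` };
  }
  return { source: 'auth', config: auth };
}

// Convenience for callers and tests: which path was taken, or "error".
function sourceOf(result: Result): Source | 'error' {
  return 'source' in result ? result.source : 'error';
}

// Constructed fake cluster. `clusterAdmin` always passes the SSAR; `roleBound` mimics the
// temp-give-auth-access-role binding from the PR; `authCrExists` toggles the CRD/CR presence.
function makeFakeClient(opts: {
  clusterAdmin?: boolean;
  roleBound?: boolean;
  authCrExists: boolean;
}): ClusterClient {
  const sample: GroupsConfig = {
    adminGroups: ['odh-admins'],            // constructed sample values
    allowedGroups: ['system:authenticated'],
  };
  return {
    canI: (verb, apiGroup, resource) =>
      Boolean(opts.clusterAdmin) ||
      (Boolean(opts.roleBound) &&
        apiGroup === AUTH_API_GROUP &&
        resource === AUTH_RESOURCE &&
        (verb === 'get' || verb === 'patch')),
    getAuth: () => (opts.authCrExists ? { ...sample } : { notFound: true }),
    getDashboardConfigGroups: () => ({ ...sample }),
  };
}

// Walk the four cases from the "Known Error States" list.
function knownErrorStates(): Record<string, Source | 'error'> {
  return {
    productAdminNoRole: sourceOf(resolveGroupsConfig(makeFakeClient({ authCrExists: false }))),
    productAdminWithRoleNoCr: sourceOf(
      resolveGroupsConfig(makeFakeClient({ roleBound: true, authCrExists: false })),
    ),
    productAdminWithRoleAndCr: sourceOf(
      resolveGroupsConfig(makeFakeClient({ roleBound: true, authCrExists: true })),
    ),
    clusterAdminNoCr: sourceOf(
      resolveGroupsConfig(makeFakeClient({ clusterAdmin: true, authCrExists: false })),
    ),
  };
}
```

Keeping the SSAR and the resource lookup behind one small interface is what makes the fallback decision unit-testable without a cluster; the product-admin-without-role case is the only one that should ever reach `getDashboardConfigGroups`, which matches the note that a missing CRD/CR only breaks the flow once direct RBAC has been granted.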

How Has This Been Tested?

Today, the work for the Operator is a WIP. I used a CRD from their code & set up a rolebinding for my user:

CRD

kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: auths.services.platform.opendatahub.io
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.1
spec:
  group: services.platform.opendatahub.io
  names:
    plural: auths
    singular: auth
    kind: Auth
    listKind: AuthList
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          description: Auth is the Schema for the auths API
          type: object
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: AuthSpec defines the desired state of Auth
              type: object
              required:
                - adminGroups
                - allowedGroups
              properties:
                adminGroups:
                  type: array
                  items:
                    type: string
                allowedGroups:
                  type: array
                  items:
                    type: string
            status:
              description: AuthStatus defines the observed state of Auth
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    description: Condition contains details for one aspect of the current state of this API Resource.
                    type: object
                    required:
                      - lastTransitionTime
                      - message
                      - reason
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: |-
                          lastTransitionTime is the last time the condition transitioned from one status to another.
                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                        type: string
                        format: date-time
                      message:
                        description: |-
                          message is a human readable message indicating details about the transition.
                          This may be an empty string.
                        type: string
                        maxLength: 32768
                      observedGeneration:
                        description: |-
                          observedGeneration represents the .metadata.generation that the condition was set based upon.
                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                          with respect to the current state of the instance.
                        type: integer
                        format: int64
                        minimum: 0
                      reason:
                        description: |-
                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
                          Producers of specific condition types may define expected values and meanings for this field,
                          and whether the values are considered a guaranteed API.
                          The value should be a CamelCase string.
                          This field may not be empty.
                        type: string
                        maxLength: 1024
                        minLength: 1
                        pattern: '^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$'
                      status:
                        description: 'status of the condition, one of True, False, Unknown.'
                        type: string
                        enum:
                          - 'True'
                          - 'False'
                          - Unknown
                      type:
                        description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        type: string
                        maxLength: 316
                        pattern: '^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$'
                observedGeneration:
                  type: integer
                  format: int64
                phase:
                  type: string
          x-kubernetes-validations:
            - rule: self.metadata.name == 'auth'
              message: Auth name must be auth
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: Ready
          type: string
          description: Ready
          jsonPath: '.status.conditions[?(@.type=="Ready")].status'
        - name: Reason
          type: string
          description: Reason
          jsonPath: '.status.conditions[?(@.type=="Ready")].reason'
  conversion:
    strategy: None
status:
  conditions:
    - type: NamesAccepted
      status: 'True'
      lastTransitionTime: '2024-12-11T13:05:40Z'
      reason: NoConflicts
      message: no conflicts found
    - type: Established
      status: 'True'
      lastTransitionTime: '2024-12-11T13:05:40Z'
      reason: InitialNamesAccepted
      message: the initial names have been accepted
  acceptedNames:
    plural: auths
    singular: auth
    kind: Auth
    listKind: AuthList
  storedVersions:
    - v1alpha1

Testing roles (will be handled by Platform more directly later):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: temp-give-auth-access-role
rules:
  - verbs:
      - get
      - patch
    apiGroups:
      - services.platform.opendatahub.io
    resources:
      - auths
  - verbs:
      - get
      - list
    apiGroups:
      - user.openshift.io
    resources:
      - groups
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: temp-give-auth-access-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: temp-give-auth-access-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: odh-admins

Test Impact

Updated the unit tests to use the new function and make sure the old one is not called.

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress This PR is in WIP state label Dec 13, 2024
@andrewballantyne andrewballantyne force-pushed the auth-resource-groups branch 2 times, most recently from 70dcf3c to 2a290bf Compare December 13, 2024 17:09
@andrewballantyne andrewballantyne changed the title [WIP] Deprecate & Swap for Auth over DashboardConfig for group configs Deprecate & Swap for Auth over DashboardConfig for group configs Dec 16, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress This PR is in WIP state label Dec 16, 2024
@andrewballantyne andrewballantyne force-pushed the auth-resource-groups branch 2 times, most recently from cf9f9e4 to 1176e18 Compare December 16, 2024 20:18
Copy link

codecov bot commented Dec 16, 2024

Codecov Report

Attention: Patch coverage is 82.35294% with 24 lines in your changes missing coverage. Please review.

Project coverage is 85.14%. Comparing base (167525b) to head (bfce493).
Report is 4 commits behind head on main.

Files with missing lines                               Patch %   Lines
frontend/src/concepts/userConfigs/utils.ts             76.59%    11 Missing ⚠️
...ontend/src/concepts/userConfigs/useWatchGroups.tsx  90.66%    7 Missing ⚠️
frontend/src/api/k8s/auth.ts                           45.45%    6 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3577      +/-   ##
==========================================
- Coverage   85.18%   85.14%   -0.04%     
==========================================
  Files        1393     1395       +2     
  Lines       31908    32034     +126     
  Branches     8940     8973      +33     
==========================================
+ Hits        27181    27276      +95     
- Misses       4727     4758      +31     
Files with missing lines                               Coverage Δ
frontend/src/api/k8s/groups.ts                         100.00% <100.00%> (ø)
frontend/src/api/models/odh.ts                         100.00% <100.00%> (ø)
frontend/src/concepts/userConfigs/groupTypes.ts        100.00% <ø> (ø)
frontend/src/k8sTypes.ts                               100.00% <ø> (ø)
frontend/src/pages/groupSettings/GroupSettings.tsx     93.18% <ø> (ø)
frontend/src/services/groupSettingsService.ts          66.66% <ø> (-16.67%) ⬇️
frontend/src/api/k8s/auth.ts                           45.45% <45.45%> (ø)
...ontend/src/concepts/userConfigs/useWatchGroups.tsx  90.66% <90.66%> (ø)
frontend/src/concepts/userConfigs/utils.ts             76.59% <76.59%> (ø)

... and 23 files with indirect coverage changes

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 167525b...bfce493.

@Gkrumbach07

[Screenshot] error when cr not found for both admin and cluster admin

[Screenshot] when empty lists are in cr

patching works

/lgtm

@andrewballantyne

@Gkrumbach07 I had to rebase, conflict.

Can you also explain this comment more:

error when cr not found for both admin and cluster admin

admin -- when role is applied? Or always... because admins have no permissions today and will not succeed on the RBAC SSAR check.


@Gkrumbach07 Gkrumbach07 left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Dec 19, 2024

openshift-ci bot commented Dec 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gkrumbach07

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm label Dec 19, 2024
@Gkrumbach07

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Dec 19, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 075914a into opendatahub-io:main Dec 19, 2024
6 checks passed