OLS-546: Use cluster id as user id #882
@onmete: This pull request references OLS-546 which is a valid jira issue. In response to this:
cc97e3b to 29b61dd
29b61dd to a38961b
mocked_call = MagicMock() | ||
mocked_call.get_cluster_custom_object.return_value = cluster_id | ||
mock_get_custom_objects_api.return_value = mocked_call | ||
assert get_cluster_id() == "some-cluster-id" |
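Review bot: the only assertion in this test is the success case, `assert get_cluster_id() == "some-cluster-id"`. Add a case where the mocked `get_cluster_custom_object` raises or returns an object without an id, and assert what `get_cluster_id()` returns or raises then, since that value is what ends up as the user id.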
prob. use real UUID? will it be tested in the code btw?
Do you mean ensuring what we get from the cluster as id is really uuid? That seems like an overkill to me, but I can add it if you think it is reasonable.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #882 +/- ##
==========================================
- Coverage 95.34% 95.24% -0.10%
==========================================
Files 54 54
Lines 2211 2252 +41
==========================================
+ Hits 2108 2145 +37
- Misses 103 107 +4
76d88b2 to c124563
@bparees @xrajesh The user id in the e2e CI is "system:serviceaccount:openshift-lightspeed:test-user". In order to have the feature in the PR covered by e2e test, I need to hit the /authorized endpoint as the "kube:admin". Would you know an easy way how to do it besides updating the request model of that endpoint to allow post user (which I'm not sure if we want to do)? Another option would be to remove the e2e test.
@onmete The tests are using the test-user's token. here. You can make an API call as kubeadmin by getting the kubeadmin's token. I am thinking we are logging in as the kubeadmin. Hence
1dca8fc to 21c3045
ols/utils/auth_dependency.py
Outdated
@@ -206,7 +238,7 @@ async def __call__(self, request: Request) -> tuple[str, str]: | |||
status_code=403, detail="Forbidden: Invalid or expired token" | |||
) | |||
if user_info.user.username == "kube:admin": | |||
user_info.user.uid = DEFAULT_KUBEADMIN_UID | |||
user_info.user.uid = get_cluster_id() |
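Review bot: at `user_info.user.uid = get_cluster_id()` the helper's result is assigned without a check, while `__call__` is annotated `-> tuple[str, str]`. If the helper can come back empty, a kube:admin request carries an empty uid downstream; check the value at this point and reject the request, or fail earlier, rather than assigning it.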
the cluster id isn't going to change between user queries, so we should just fetch it once during OLS startup and then use that value every time we get a request from kubeadmin.
this will also help avoid another issue you're not handling here, which is what happens if getting the cluster id fails? you log the errors in the helper, but ultimately return None to the caller.
if you fetch it during startup you can retry + refuse to start until we successfully get the cluster id.
it also removes the extra/repeated api calls.
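The startup-time fetch suggested in the comment above, as an added example that is not part of this PR or the project's code. `load_cluster_id`, `cached_cluster_id`, `ClusterIDUnavailableError`, the injected `fetch` callable and the UUID check are assumptions made for illustration.

```python
import time
import uuid
from typing import Callable, Optional


class ClusterIDUnavailableError(RuntimeError):
    """No valid cluster id could be obtained."""


_cluster_id: Optional[str] = None  # filled once at startup, read on every request


def load_cluster_id(
    fetch: Callable[[], Optional[str]],  # hypothetical: wraps the cluster API call
    attempts: int = 5,
    delay: float = 2.0,
    sleep: Callable[[float], None] = time.sleep,
) -> str:
    """Fetch the cluster id at startup, retrying; raise if it never arrives."""
    global _cluster_id
    last_error: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            # uuid.UUID rejects None, "" and malformed strings, so a failed
            # lookup can never be stored as a user id (UUID format is assumed).
            _cluster_id = str(uuid.UUID(fetch()))
            return _cluster_id
        except Exception as exc:  # API error or invalid value: retry
            last_error = exc
        if attempt < attempts:
            sleep(delay)
    raise ClusterIDUnavailableError(
        f"no valid cluster id after {attempts} attempts"
    ) from last_error


def cached_cluster_id() -> str:
    """Request-time accessor: no API call, and never returns None."""
    if _cluster_id is None:
        raise ClusterIDUnavailableError("cluster id was not loaded at startup")
    return _cluster_id
```

Calling `load_cluster_id` from the service's startup path and letting the exception propagate keeps the process from serving requests without an id.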
tests/e2e/test_api.py
Outdated
@@ -728,6 +728,29 @@ def test_forbidden_user(): | |||
assert response.status_code == requests.codes.forbidden | |||
|
|||
|
|||
# TODO: disabled until we figure out how to get the token that returns | |||
# user kube:admin in the CI |
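Review bot: the `# TODO: disabled until ...` comment has no tracking reference, so nothing ties the disabled kube:admin test to the work that would re-enable it. Add the issue key to the comment, and if the test is commented out rather than skipped, use a skip marker with a reason so it still shows up in test reports.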
we can at least have a legitimate test of the get_cluster_id helper, right? (not really an e2e test since you won't be going through the OLS server, but since we have a cluster stood up, you can test that the get_cluster_id helper gets the right value.)
Yes, I was thinking about it too as a backup when we can't do e2e.
5d5bb47 to 445f994
445f994 to b383fd8
/retest
c0114a4 to e6b1429
@onmete minor change proposed - otherwise - this LGTM.
271d4ca to a089664
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tisnik The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest
Service hiccup - {'errors': [{'status': 500, 'detail': 'Could not get the SSO public key', 'meta': {'response_by': 'gateway'}}]} /retest
/retest
a089664 to 573addf
/lgtm
/retest
/retest
/lgtm
@onmete: all tests passed!
Description
Use cluster id as user id
Type of change