Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(acl) exposing an API to access ACL groups globally #2371

Closed
wants to merge 7 commits into from
Closed

feat(acl) exposing an API to access ACL groups globally #2371

wants to merge 7 commits into from

Conversation

subnetmarco
Copy link
Member

@subnetmarco subnetmarco commented Apr 11, 2017
edited

Full changelog

  • Exposing the /acls endpoint to globally access ACL groups

Issues resolved

Fix #2188

TODO: requires documentation

p0pr0ck5
p0pr0ck5 reviewed Apr 17, 2017
View reviewed changes
kong/plugins/acl/api.lua Outdated
id = self.params.id,
consumer_id = self.params.consumer_id,
}
self.params.group_or_id = nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

slightly confused, where is group_or_id populated?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch - it's a leftover from a first implementation when I had :group_or_id in the URL.

spec/03-plugins/19-acl/01-api_spec.lua Outdated
}
})
local body = assert.res_status(400, res)
assert.equal([[{"consumer_id":"consumer_id is required","group":"group is required"}]], body)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it might make more sense to test table equality directly, by decoding body, rather than a string representation of the JSON? table keys are not encoded deterministically (in our environment, to my knowledge), so this test can fail at random.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@p0pr0ck5 in the past tests we have been comparing the string directly. Maybe @thibaultcha has an opinion on this?

spec/03-plugins/19-acl/01-api_spec.lua Outdated
}
})
local body = assert.res_status(400, res)
assert.equal([[{"consumer_id":"consumer_id is required","group":"group is required"}]], body)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idem

spec/03-plugins/19-acl/01-api_spec.lua Outdated
}
})
local body = assert.res_status(400, res)
assert.equal([[{"group":"group is required"}]], body)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idem

kong/plugins/acl/api.lua Outdated
local acls, err = dao_factory.acls:find_all(filter_keys)
if err then
return helpers.yield_error(err)
elseif next(acls) == nil then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be elseif #acls == 0, to match existing style, and as a more performant/idiomatic approach?

@thibaultcha
Copy link
Member

Yes, better to decode too I think, since those tests have indeed proven themselves to occasionally fail on different platforms due to the behavior @p0pr0ck5 described

@p0pr0ck5 p0pr0ck5 added pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. and removed pr/status/please review labels Apr 17, 2017
@subnetmarco
Copy link
Member Author

The last commit addresses the review.

@subnetmarco subnetmarco added pr/status/please review and removed pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. labels Apr 18, 2017
@thibaultcha
Copy link
Member

Would have been better to amend previous commits to keep the history clean. Will fixup during merge

@subnetmarco
Copy link
Member Author

I kept the history in the PR so that reviews can be tracked, but the idea is to squash and merge once everything is ready.

p0pr0ck5
p0pr0ck5 reviewed Apr 18, 2017
View reviewed changes
spec/03-plugins/19-acl/01-api_spec.lua Outdated
@@ -51,7 +51,9 @@ describe("Plugin: acl (API)", function()
}
})
local body = assert.res_status(400, res)
assert.equal([[{"group":"group is required"}]], body)
assert.are.same({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these JSON encoding changes are being handled in #2402; it's not necessary here i dont think, and it's also out of scope for this commit

p0pr0ck5
p0pr0ck5 reviewed May 1, 2017
View reviewed changes
Copy link
Contributor

@p0pr0ck5 p0pr0ck5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also implement an endpoint /acls/:consumer_id that shows all the groups a user is associated with?

kong/plugins/acl/api.lua
before = function(self, dao_factory, helpers)
local filter_keys = {
id = self.params.id,
consumer_id = self.params.consumer_id,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since id is the PK on acls, searching by consumer_id seems unnecessary?

spec/03-plugins/19-acl/01-api_spec.lua
end)
end)

describe("GET", function()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test nesting feels really awkward. We have

/acls GET

and then

/acls GET /acls/:id GET
/acls GET /acls/:id PATCH
/acls GET /acls/:id DELETE

Can we (should we?) clean this up?

spec/03-plugins/19-acl/01-api_spec.lua
end)

describe("GET", function()
it("retrieves ACL group by id", function()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to expand this test to see the route in question filter out some unrelated entries (e.g. add some ACL entries that are not associated with this consumer)

CHANGELOG.md Outdated
@@ -46,6 +46,9 @@
- file-log: New `config.reopen` property to close and reopen the log file on
every request, in otder to effectively rotate the logs.
[#2348](https://github.com/Mashape/kong/pull/2348)
- acl: a new `/acls` endpoint has been exposed in the Admin API to globally
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think this isnt going to make it into 0.10.2, so this will need to be moved elsewhere?

spec/03-plugins/19-acl/01-api_spec.lua
["Content-Type"] = "application/json"
}
})
local body = cjson.decode(assert.res_status(201, res))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in some cases this is wrapping cjson.decode around res_status, and in other cases the decoding is being done as part of the body check assertion (as in the next test below). can we keep this behavior consistent?

@p0pr0ck5 p0pr0ck5 added pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. and removed pr/status/please review labels May 1, 2017
@p0pr0ck5
Copy link
Contributor

@thefosk any update?

@hbagdi
Copy link
Member

hbagdi commented Oct 19, 2017

@thefosk any update?
@thibaultcha this is similar to #2955 we're working on.

@hbagdi hbagdi mentioned this pull request Oct 31, 2017
Merged
@thibaultcha thibaultcha mentioned this pull request Nov 1, 2017
Closed
@hbagdi
Copy link
Member

hbagdi commented Nov 8, 2017
edited

@thefosk @thibaultcha @p0pr0ck5
I'm working on an enhanced version of this PR.

I feel having an endpoint GET /aclgroups to return all the group names would be pretty helpful.
And then the above endpoint will instead be GET /aclgroups/:groupname/consumers.

The problem I'm facing, it seems there is no straightforward way of doing:

select distinct group from acls;

Is there away around of doing this, or we will need to update the core DB logic? I could take a stab at it if there is another use case for such a query.

IMHO, this would be pretty useful for admin purposes.

@hbagdi hbagdi mentioned this pull request Nov 18, 2017
Closed
@thibaultcha
Copy link
Member

#3039 has just been merged and includes such an /acls endpoint for browsing the ACLs, with plans to add additional sugar endpoints around ACLs and Consumers in the future. We wil be releasing it in 0.11.2 later this week.

Closing this then!

@thibaultcha thibaultcha deleted the feat/acls-api branch November 27, 2017 19:09
thibaultcha pushed a commit that referenced this pull request Nov 27, 2017
@hbagdi @thibaultcha
feat(acl) add admin endpoints to interact with acls
a069fc3 
* `/acls/` to paginate through all acls for all consumers
* `/acls/:acl_id/consumer` to retrieve the Consumer
  associated with an acl

From #3039
Fix #2188
Supersedes #2371

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p0pr0ck5 p0pr0ck5 p0pr0ck5 left review comments

Assignees
No one assigned
Labels
pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Question: How to access all consumers plugins
4 participants
@subnetmarco @thibaultcha @p0pr0ck5 @hbagdi