Check to make sure only one AWX token exists #331
Conversation
…n we ware all set. We only grab the first one.
|
@Alex-Izquierdo I think we should also fix this related issue eda-server/src/aap_eda/wsapi/consumers.py Line 113 in ed74136 Since it blindly assumes that there is a token available when the ansible-rulebook comes back on the websocket channel looking for parameters and the missing token causes an exception to be thrown. For now I think the assumption is you always need a token as we make more changes we can parse the rulebook and see if it has run_job_template action and then prompt for a token but even in that case we need this code path should be protected. There is a stack trace for this code in many JIRA tickets, the server dying ends up closing the websocket connection and the ansible rulebook ends saying error exchanging web socket data. https://issues.redhat.com/browse/AAP-11677 https://issues.redhat.com/browse/AAP-11681 Since we have the activation instance here we should mark it as broken from the server side itself if the token is missing. The server provides the token to ansible-rulebook. eda-server/src/aap_eda/wsapi/consumers.py Line 102 in ed74136 Since we have the activation id we should be able to set it to Failure from the server side itself instead of having the ansible-rulebook say that web socket connection closed. |
|
@Alex-Izquierdo There needs to be another check here for the token eda-server/src/aap_eda/tasks/ruleset.py Line 44 in ed74136 I think we need to figure out the token based on the user_id that created the activation since if multiple users create the activations we need to find on whose behalf the worker is running the activation. eda-server/src/aap_eda/wsapi/consumers.py Line 316 in ed74136 Maybe this function eda-server/src/aap_eda/wsapi/consumers.py Line 308 in ed74136 I think there are at least 3 places we need to block it
I think the UI also has code to ensure that only 1 token is created I think this PR is guarding on the backend so that a REST API call doesn't end up adding an extra token. |
|
Hi @mkanoor I totally agree with all that you say, we must fix the usage of the token. But it looks like that is out of the scope of this PR which its goal is to prevent to have more than one token. I propose to create a new issue or update some existing one (like this one ) and address all these issues in a different PR. |
| @@ -70,7 +71,7 @@ class NoControllerToken(APIException): | |||
| class TooManyControllerTokens(APIException): | |||
| status_code = 422 | |||
There was a problem hiding this comment.
Should we use this status.HTTP_422_UNPROCESSABLE_ENTITY instead of just hard-coded integer? Or we could inherit from Unprocessable class on line 48 and customize detail field since they fall under the same error code. Thoughts?
| @@ -109,7 +94,7 @@ def test_create_token_missing_field(client: APIClient, user: models.User): | |||
|
|
|||
|
|
|||
| @pytest.mark.django_db(transaction=True) | |||
| def test_create_token_duplicate_name(client: APIClient, user: models.User): | |||
| def test_create_token_to_many_tokens(client: APIClient, user: models.User): | |||
There was a problem hiding this comment.
Possibly a typo: _to_many_token ?
|
Except for the above minor comments, LGTM. Works as expected. |
|
This PR is on hold until a final decision is made on how to address this issue. |
Recreates the original PR #280, which for some reason it can not be reopened after the migration to a public repo.
Only grab the first token. So checking to make sure we have at least one token makes sense.
Jira: https://issues.redhat.com/browse/AAP-12376