Fix TO Go DSS GET endpoints to check tenancy

[rob05c]

What does this PR do?

Fixes #2978

Which TC components are affected by this PR?

• Documentation
• Grove
• Traffic Analytics
• Traffic Monitor
• Traffic Ops
• Traffic Ops ORT
• Traffic Portal
• Traffic Router
• Traffic Stats
• Traffic Vault
• Other _________

What is the best way to verify this PR?

With a Traffic Ops system and database set up with many delivery services, servers, and deliveryservice-server assignments:

Change your user's tenant to a tenant with fewer delivery services assigned, query the DSS read endpoints (deliveryservices/{xml_id}/servers and /deliveryserviceserver, verify only the DSes assigned to your user are returned.

Create a new tenant, with no delivery services assigned, change your user to that tenant, verify no DSes are returned.

Change your user to the root tenant, verify all delivery service server mappings are returned.

Check all that apply

• This PR includes tests
• This PR includes documentation updates
• This PR includes an update to CHANGELOG.md
• This PR includes all required license headers
• This PR includes a database migration (ensure that migration sequence is correct)
• This PR fixes a serious security flaw. Read more: www.apache.org/security

[rob05c]

I'm labelling this bug, because it didn't replicate Perl, and it's the intuitively expected behavior. But, I honestly don't think it ever makes sense for a user or script to use this endpoint, without being the root tenant. Which is to say, I don't think it's ever useful to use Tenancy to manage this endpoint, rather than Capabilities. See my comments on #2978. Nevertheless, it's easier to mimic Perl than rethink the design at the moment.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/2701/
Test PASSed.

[rob05c]

This was fixed in #3081 - closing.

[rob05c]

Ah, no it wasn't, my mistake. That PR fixed one endpoint, but not the other.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3136/
Test PASSed.

[mitchell852]

@ocket8888 is going to review this PR

[ocket8888]

Seems to work perfectly

[rawlinp]

late to the party, but tenancy is always enabled by default now so this check is unnecessary

[ocket8888]

But can it be turned off?

[rob05c]

I think we decided to do that, but I don't think we actually did. The code still checks use_tenancy everywhere, and I think it's considered false if it doesn't exist.

I think this because the API Tests until recently broke horribly if you created that Parameter, suggesting Tenancy is disabled by default.

Also, I'm not opposed to making Tenancy "always on," but I do kind of think we should enable Capabilities at the same time (#2791). Tenancy isn't really useful without Capabilities to limit what users can do, and it could be deceptive, a CDN operator might think tenancy limits an admin/ops user, when it doesn't.

[ocket8888]

This has been my understanding, that tenancy is enabled by default, but still optional - though I have heard that the decision to make it not optional has been made (and not actually done yet).

[rawlinp]

It can be "turned off" by setting the parameter to false or deleting the parameter, but it is not really "turned off" at that point because we already have various places in the code that assume tenancy is always enabled (so they don't check the parameter). So "turning it off" doesn't completely turn it off, which is why we should really be preventing the deletion/update of the use_tenancy parameter to "turn off tenancy", since that really just leaves the system in an inconsistent state. Some things will check the tenancy parameter, whereas others already assume tenancy is always enabled.

We attempted to delete the use_tenancy parameter from the system but realized that there is too much existing code that depends on that parameter being there. The plan was to "fix" the existing code that checks the parameter by removing the parameter check and just assume that tenancy is always enabled. This was all discussed on the mailing list already; the decision to have it always enabled has already been made. Steps have already been made to enable it by default, but the existing code that checks the use_tenancy parameter has not been cleaned up yet.

tldr; tenancy should always be considered enabled, and existing code that checks the use_tenancy parameter needs to be fixed. Once all existing tenancy checks have been "fixed", the parameter can be deleted.

[ocket8888]

I definitely agree that should all be done, and the sooner the better. But until the use_tenancy parameter can actually be removed so that tenancy is a hard requirement of ATC it just seems safer to keep checking.

[rawlinp]

But until the use_tenancy parameter can actually be removed so that tenancy is a hard requirement of ATC it just seems safer to keep checking.

Then we should do our best to remove all the usages of the use_tenancy parameter from the codebase. I think the usage is fairly self-contained within helper functions, so maybe we can just change the helper functions to just return true. Then we can remove all the usages of the now-useless helper functions to clean up the code.