Invalid V1 Local Team IDs

[tylercloke]

Problem

Note: The below only applies to LOCAL teams and not ldap or saml teams.

In IAM V1, team IDs did not conform to our alphaneumeric restrictions, so teams that are migrated will have some problems if they contain spaces or special characters.

Problems arise in both the API in the UI for teams that were migrated from V1 with characters that are now invalid.

curl -k -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2/teams/unique team name! | jq 
<curl errors>
{
  "error": "no team found with id \"unique\"",
  "code": 5,
  "message": "no team found with id \"unique\"",
  "details": []
}

In the UI:

Solutions

This is a bit tricky to fix because if we want to completely automate fixing this issue for customers, we need to update invalid IDs in the policies as well. This would involve multiple services and cereal which is always a non-trivial amount of engineering effort.

Solution 1: Do nothing

This issue only affects local teams which are in general not very utilized compared to ldap and saml teams by customers (outside of the admins team which is not affected).

We could just note this issue in the changelog and move on, helping any customers that might encounter it fix their teams up. This issue will not affect new teams, but only existing v1 teams that have invalid characters.

Solution 2: Note the brokenness

If a user does have invalid teams, we could do a few things to let the user know with varying degrees of effort.

a. Low effort: Log the broken teams (either on migration or periodically). This will be not the most ideal UX but easy to implement.

b. Fairly low effort: Add a warning in the list view of the UI for affected teams. They would have to re-create the teams and the policies but that would be a higher visibility place to note what is up to the end users.

Solution 3: Partial Fix

Medium effort: Fix the team's IDs but not update the policies. We'd still want to note to them somehow that they need to go fix their policies. Just fixing up the IDs would be non-trivial but not a huge amount of work.

Solution 4: Automated Fix

Large effort: Update IDs to be valid and resolve any resulting name conflicts. We'd also need to then update the policies via cereal with the new IDs with logic for conflicting IDs. This would present a few challenges and would need to be maintained long term. This would be a pretty significant amount of engineering effort and some decent testing to get correct.

[susanev]

i support solution 1, or solution 2 a. considering time and priority of other work.
im pretty worried about the ux of solution 2 b. and 3.

[susanev]

we have decided on solution 1: do nothing.