[part of 832]/add db id to statements #855
Conversation
susanev
added
automate-auth
WIP
auth-team
blakestier
force-pushed
the
blake/a2-865/add_db_id_statements
branch
4 times, most recently
from
aecd43b
to
c5e5c9e
Compare
blakestier
changed the title
blakestier
force-pushed
the
blake/a2-865/add_db_id_statements
branch
from
c5e5c9e
to
0fe7b88
Compare
| @@ -1,7 +1,6 @@ | |||
| BEGIN; | |||
|
|
|||
| SET CONSTRAINTS iam_policy_members_policy_id_fkey DEFERRED; | |||
| SET CONSTRAINTS iam_policy_statements_policy_id_fkey DEFERRED; | |||
There was a problem hiding this comment.
These are from the upgrade migrations-- not to be confused with those with which we cannot tamper
| DROP TABLE iam_policy_statements CASCADE; | ||
| ALTER TABLE iam_statement_projects | ||
| ADD UNIQUE (statement_id, project_id), | ||
| ADD CONSTRAINT iam_statement_projects_statement_id_fkey FOREIGN KEY (statement_id) REFERENCES iam_statements(id) ON DELETE CASCADE DEFERRABLE; |
There was a problem hiding this comment.
Replace constraint until db_id switch is complete to preserve cascade deletes
blakestier
force-pushed
the
blake/a2-865/add_db_id_statements
branch
from
f20073e
to
5e3a041
Compare
| LANGUAGE SQL; | ||
|
|
||
| CREATE OR REPLACE FUNCTION query_policy (_policy_id TEXT, _projects_filter TEXT[]) | ||
| RETURNS json |
There was a problem hiding this comment.
I wanted to go through the exercise of seeing what is involved in converting this style of query we had been using as a team into the newer style that @srenatus started in his recent PR (#878), and also figured I could save you some grunt work, @blakestier. So I tackled query_policy and I believe I've got it working. Can chat about it when you have time.
There was a problem hiding this comment.
I'd propose another round for this. Let's merge this, if we find it OK, instead of letting scope creep...
There was a problem hiding this comment.
@msorens That's awesome. Once we merge this I'll give you a heads up and we can get your change in before doing any more db work! 😅
components/authz-service/storage/postgres/migration/sql/55_add_db_id_statements.up.sql
Outdated
Show resolved
Hide resolved
| iam_policy_statements | ||
| WHERE | ||
| statement_id = iams.id); | ||
| DROP TABLE iam_policy_statements CASCADE; |
| COALESCE(json_agg(proj.id) FILTER (WHERE proj.id IS NOT NULL), | ||
| '[]') | ||
| FROM iam_statement_projects AS stmt_projs | ||
| LEFT OUTER JOIN iam_projects AS proj ON stmt_projs.statement_id = stmt.id WHERE stmt_projs.project_id = proj.id) AS projects |
There was a problem hiding this comment.
[nit] I believe LEFT implies OUTER:
The words INNER and OUTER are optional in all forms. INNER is the default; LEFT, RIGHT, and FULL imply an outer join.
From https://www.postgresql.org/docs/9.2/queries-table-expressions.html
| LEFT OUTER JOIN iam_projects AS proj ON stmt_projs.statement_id = stmt.id WHERE stmt_projs.project_id = proj.id) AS projects | |
| LEFT JOIN iam_projects AS proj ON stmt_projs.statement_id = stmt.id WHERE stmt_projs.project_id = proj.id) AS projects |
But I'm not sure it matters, or if this query in its current form is what we'd want anyways. 🤔 Now that this isn't n:m, I think some of this could perhaps be further simplified...
There was a problem hiding this comment.
....but OTOH this works 😄Not sure there's a simpler way at all...
There was a problem hiding this comment.
We've just been explicit about joins so far . . . 🤷♂ I'll leave this for now in light of Michael's potential clean-up, though. I'd like to believe there's a simpler way 🦄
components/authz-service/storage/postgres/migration/sql/README.md
Outdated
Show resolved
Hide resolved
components/authz-service/storage/postgres/migration/sql/55_add_db_id_statements.up.sql
Outdated
Show resolved
Hide resolved
| LANGUAGE SQL; | ||
|
|
||
| CREATE OR REPLACE FUNCTION query_policy (_policy_id TEXT, _projects_filter TEXT[]) | ||
| RETURNS json |
There was a problem hiding this comment.
I'd propose another round for this. Let's merge this, if we find it OK, instead of letting scope creep...
I'm on it. |
srenatus
force-pushed
the
blake/a2-865/add_db_id_statements
branch
from
5e3a041
to
47e9a01
Compare
|
|
Signed-off-by: Blake Johnson <bstier@chef.io>
Signed-off-by: Blake Johnson <bstier@chef.io>
blakestier
force-pushed
the
blake/a2-865/add_db_id_statements
branch
from
47e9a01
to
1c7c83a
Compare
blakestier
changed the title
🔩 Description
Adds
db_idandpolicy_id(db_id) to iam_statements, allowing the removal of the superfluousiam_policy_statementstable. Given that policy: statement is one: many, we didn't need the associations table.I've left adding the new statement db_id as the new foreign key to
iam_statement_projectsas the PR's tests (and a gnarly, unfortunate rebase) made this PR unwieldy.👍 Definition of Done
Tests pass.
👟 Demo Script / Repro Steps
Bring up hab studio, rebuild
components/authz-service, CURL to create, delete, update, get policies with statements:In ui, create new user coolbean, pw chefautomate
curl -XPOST -d '{"name":"test", "id":"newpolicy", "members":["user:local:coolbean"], "statements":[{"effect":"ALLOW", "actions":["*"] }]}' -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies --insecure(Logged in as coolbean, with legacy polices deleted, should see Users (and be able to create/update/delete them)
curl -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies/newpolicy --insecurecurl -XPUT -d '{"name":"test", "members":["user:local:coolbean"], "statements":[{"effect":"ALLOW", "actions":["*"] }, {"effect":"DENY", "actions":["iam:users:delete"]}]}' -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies --insecurecurl -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies/newpolicy --insecure(Coolbean should now not be able to delete users)
curl -XDELETE -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies/newpolicy --insecurecurl -H "api-token: $TOK" https://a2-dev.test/apis/iam/v2beta/policies/newpolicy --insecure (not found)(Coolbean can't do a darn thing)
⛓️ Related Resources
✅ Checklist