add ability to create domain-scoped API keys #28493
Conversation
czue
added
the
product/all-users-all-environments
|
cc @dimagi/product |
czue
added
the
reindex/migration
Yep this was planned. I was imagining a second dropdown, and then when you choose a domain you can also (optionally) choose a role, where the roles are dynamically pulled based the domain. But to do that in the UI was more than I could bite off before disappearing. Then I was thinking of adding an assertion in the model that if the role is set then the domain must match the role (or we could require only one is set if that seems preferable - though setting the domain makes it a bit easier in the django admin and other places) |
| @@ -3022,4 +3023,6 @@ def role(self): | |||
| return UserRole.get(self.role_id) | |||
| except ResourceNotFound: | |||
| logging.exception('no role with id %s found in domain %s' % (self.role_id, self.domain)) | |||
| elif self.domain: | |||
| return CouchUser.from_django_user(self.user).get_domain_membership(self.domain).role | |||
There was a problem hiding this comment.
When enterprise permissions are on, this will grant access to both their domain and any controlled domain (so, COVID state-level users will have access to all county domains). That's probably what you want, just wanted to confirm.
There was a problem hiding this comment.
I didn't consider this use case and don't know much about how the enterprise permissions work to have an opinion. Do you think it's the right behavior given the expectations of those roles as they're being used by the team?
There was a problem hiding this comment.
Yes, I think the current behavior matches what the team will expect.
There was a problem hiding this comment.
Having said that, I might as well verify that assumption. I'll report back if the current behavior is not what they expect.
There was a problem hiding this comment.
Can you report back either way? Would feel better about having the loop closed.
There was a problem hiding this comment.
The current code is the correct behavior.
corehq/apps/settings/forms.py
Outdated
| super().__init__(*args, **kwargs) | ||
|
|
||
| user_domains = self.couch_user.get_domains() | ||
| all_domains = (self.ALL_DOMAINS, _('All Domains')) |
There was a problem hiding this comment.
Minor: user-facing content usually says "project" or "project space" instead of "domain."
corehq/apps/settings/forms.py
Outdated
| if self.cleaned_data['domain'] and self.cleaned_data['domain'] != self.ALL_DOMAINS: | ||
| domain = self.cleaned_data['domain'] | ||
| else: | ||
| domain = '' | ||
| new_key = HQApiKey.objects.create( | ||
| name=self.cleaned_data['name'], | ||
| ip_allowlist=self.cleaned_data['ip_allowlist'], | ||
| user=user, | ||
| domain=domain, |
There was a problem hiding this comment.
Nit: if line 266 was changed to ALL_DOMAINS = '' could this be changed to
| if self.cleaned_data['domain'] and self.cleaned_data['domain'] != self.ALL_DOMAINS: | |
| domain = self.cleaned_data['domain'] | |
| else: | |
| domain = '' | |
| new_key = HQApiKey.objects.create( | |
| name=self.cleaned_data['name'], | |
| ip_allowlist=self.cleaned_data['ip_allowlist'], | |
| user=user, | |
| domain=domain, | |
| new_key = HQApiKey.objects.create( | |
| name=self.cleaned_data['name'], | |
| ip_allowlist=self.cleaned_data['ip_allowlist'], | |
| user=user, | |
| domain=self.cleaned_data['domain'] or '', |
|
Is this going through QA? I'm nervous about our COVID projects being affected if this should go wrong given they all rely heavily on API integrations that cut across multiple domains. Is there a way we can confirm this won't break existing integrations and can we have a plan that when this is deployed we are able to actively monitor APIs in COVID domains to ensure nothing has gone wrong? |
I'm seconding this. I think we should be careful around APIs given recent issues |
If we want to put this through QA, someone else will need to run that process as I'm on leave.
I have high confidence in the test coverage to catch any issues at the API access level. Monitoring on deploy sounds good as an extra precaution. My opinion is that this change is quite low risk (but happy for others to make the call to do more work to get more confidence) |
|
@czue will a quick and easy rollback be possible if things go badly? Maybe it would make sense to split out the db migration into a separate PR (having ~no risk) from the API behavior change to make a rollback less risky? |
|
@millerdev you're saying we merge and deploy the migration first, then deploy the UI and api changes separately so the latter can be rolled back if there are issues? That sounds fine to me, though in a separate offline thread it sounds like the US team wants a more formal QA process to be run. Hopefully someone will be able to pick that up in my absence, else this PR might just get closed till I'm back in a few months. 😞 |
|
Apologies all! My Github login is my personal gmail and I wasn't on the lookout for work related items with this email address. I'll update this so that going forward, these kind of messages will be in my work email. Acknowledging that Cory will not be able to be the POC for any formal testing, I'd still be happy to take a pass on APIs on staging prior to release. We did something similar when Farid first unveiled the IP whitelist feature a few months back. When this is on staging, could someone please submit the QA request form (linked) and we can perform a review. Thanks all! https://docs.google.com/forms/d/e/1FAIpQLSdSNi4r1UAenewXBvhL6qcDOfR9KnYYzFJBQd8uz6LOHW6ptg/viewform |
#28388
Had this almost done prior to 👶 and wanted to get it out before the 🕸️ get too dusty...
SUMMARY
This adds a new "domain" option to API keys to scope the key to only have permission for that domain. All existing keys will be assigned to the "all domains" scope.
Here's the UI:
FEATURE FLAG
RISK ASSESSMENT / QA PLAN
I feel good about test coverage and local testing, though it could make sense to do a dry run on staging. I may ask to hand that off if someone wants to make the case for it given life circumstance.
There is also a minor, innocuous DB migration.
PRODUCT DESCRIPTION
See screenshot.