Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add migrations for new permissions structure #21945

Merged
merged 24 commits into from
Apr 11, 2024
Merged

Add migrations for new permissions structure #21945

merged 24 commits into from
Apr 11, 2024

Conversation

rijkvanzanten
Copy link
Member

@rijkvanzanten rijkvanzanten commented Mar 21, 2024
edited

Scope

What's changed:

  • Adds new directus_policies table that's a 1-1 copy of the former directus_roles
  • Removes the access control fields from directus_roles
  • Updates directus_permissions to:
    • Be attached to policies instead of roles
    • Split up permissions/fields/validation/presets into individual rows based on a new type column

Potential Risks / Drawbacks

  • This will most likely not work during zero-downtime deployments, as we're changing the data model for permissions heavily. The old version can't run on the new structure and vice versa.

Review Notes / Questions

  • Wondering if there's a cleverer way to replace the previous permissions than a full truncate + insert
  • Todo's left are:
    • Heavy testing

@changeset-bot changeset-bot

This comment was marked as off-topic.

Sign in to view
@rijkvanzanten rijkvanzanten self-assigned this Mar 21, 2024
@km1230 km1230 mentioned this pull request Mar 24, 2024
Closed
@alexchopin alexchopin linked an issue Mar 25, 2024 that may be closed by this pull request
Roles data model #21760
Open
paescuj

This comment was marked as outdated.

Sign in to view

@rijkvanzanten

This comment was marked as outdated.

Sign in to view
This was linked to issues Mar 25, 2024
Write migrations to convert roles/permissions to policies #21774
Open
Many to many field for policies <-> users #21777
Open
Policy data model #21761
Open
Many to many field for policies <-> roles #21762
Open
@paescuj

This comment was marked as outdated.

Sign in to view
@rijkvanzanten rijkvanzanten marked this pull request as ready for review March 26, 2024 21:28
@rijkvanzanten rijkvanzanten added this to the Auditus milestone Mar 26, 2024
@rijkvanzanten

This comment was marked as outdated.

Sign in to view
This was unlinked from issues Mar 26, 2024
Many to many field for policies <-> roles #21762
Open
Many to many field for policies <-> users #21777
Open
@rijkvanzanten rijkvanzanten changed the title [WIP] Add migrations for new permissions structure Add migrations for new permissions structure Mar 29, 2024
paescuj
paescuj reviewed Apr 1, 2024
View reviewed changes
Copy link
Member

@paescuj paescuj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Getting the following error at the moment (same with other DB vendors):

[Error: INSERT INTO "_knex_temp_alter254" SELECT * FROM "directus_permissions"; - SQLITE_CONSTRAINT: NOT NULL constraint failed: _knex_temp_alter254.policy] {
  errno: 19,
  code: 'SQLITE_CONSTRAINT'
}

@rijkvanzanten
Copy link
Member Author

@paescuj Oh no here come the database specific bugs :| _knex_temp_alter254.policy sounds like the temporary copy of the table that knex generates during alter statements

@paescuj
Copy link
Member

paescuj commented Apr 1, 2024

@paescuj Oh no here come the database specific bugs :| _knex_temp_alter254.policy sounds like the temporary copy of the table that knex generates during alter statements

Oh yeah, how we love those 😅
Fortunately, it doesn't seem to be one of that kind in this case 😌

It happens for permissions assigned to the "Public" role (a.k.a. null role), which conflicts with

directus/api/src/database/migrations/20240328A-permissions-policies.ts

Line 60 in f1b4257

table.uuid('policy').notNullable().alter();

Not sure how we want to handle the "Public" role in the new policy system, so depending on that we either need to transform null values to something else in the migration or need to remove the NOT NULL constraint.

Example permission causing the issue (before ALTER statement):

  {
    id: 30,
    role: null,
    collection: 'test',
    action: 'create',
    permissions: null,
    validation: '{"_and":[{"id":{"_eq":"1"}}]}',
    presets: '{"id":1}',
    fields: 'id',
    policy: null
  }

@alexchopin alexchopin linked an issue Apr 2, 2024 that may be closed by this pull request
Many to many field for policies <-> roles #21762
Open
@DanielBiegler DanielBiegler self-requested a review April 10, 2024 16:02
@DanielBiegler DanielBiegler marked this pull request as draft April 10, 2024 16:41
rijkvanzanten and others added 5 commits April 10, 2024 12:53
@rijkvanzanten @DanielBiegler
Update packages/system-data/src/fields/index.ts
4c7d828 
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
@rijkvanzanten @DanielBiegler
Update packages/system-data/src/fields/policies.yaml
93efe32 
Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com>
@rijkvanzanten
Add nested roles
9f20d13
@rijkvanzanten
Remove unused step
ab7b03c
@rijkvanzanten
Use two o2ms instead of m2a for attachments
a3bdef0
@rijkvanzanten rijkvanzanten marked this pull request as ready for review April 10, 2024 17:49
@rijkvanzanten
Copy link
Member Author

Please use Rebase and merge instead of Squash and merge below ⭐

DanielBiegler
DanielBiegler requested changes Apr 10, 2024
View reviewed changes
Copy link
Contributor

@DanielBiegler DanielBiegler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After running the migration I'm stuck when trying to open the app. Still gotta figure out why exactly but thought to comment here just in case. Will update when I find more.

api dev: [20:50:24.361] ERROR: select `ip_access` from `directus_roles` where `id` is null limit 1 - SQLITE_ERROR: no such column: ip_access
api dev:     err: {
api dev:       "type": "Error",
api dev:       "message": "select `ip_access` from `directus_roles` where `id` is null limit 1 - SQLITE_ERROR: no such column: ip_access",
api dev:       "stack":
api dev:           Error: select `ip_access` from `directus_roles` where `id` is null limit 1 - SQLITE_ERROR: no such column: ip_access
api dev:       "errno": 1,
api dev:       "code": "SQLITE_ERROR",
api dev:       "extensions": {
api dev:         "stack":
api dev:             Error: select `ip_access` from `directus_roles` where `id` is null limit 1 - SQLITE_ERROR: no such column: ip_access
api dev:       }
api dev:     }

@rijkvanzanten
Copy link
Member Author

@DanielBiegler That's fully expected! This PR is only the migrations for the database, but doesn't update anything else yet in the API or app 🙂

That's also why we're rebasing this into the auditus branch rather than the main branch 👍🏻

Just doing it in smaller PRs on top of auditus to make the review cycle easier as we can review each step of the way in isolation, which should hopefully mean that the final review of the whole project branch is going to go way smoother as every individual piece has already been reviewed 🚀

@DanielBiegler
Copy link
Contributor

That's fully expected!

Oh whoops sry @rijkvanzanten . I assumed it would work because I saw the merge commits from auditus into this branch by you and Pascal and thought those would include some fixes but alrighty then. 🤔

@rijkvanzanten
Copy link
Member Author

All good! Those updates are all to keep auditus up to date with the upstream main.

@DanielBiegler DanielBiegler merged commit 82102fd into auditus Apr 11, 2024
1 check passed
@DanielBiegler DanielBiegler deleted the auditus-21760 branch April 11, 2024 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paescuj paescuj paescuj left review comments

@licitdev licitdev licitdev left review comments

@DanielBiegler DanielBiegler DanielBiegler approved these changes

Assignees

@rijkvanzanten rijkvanzanten

Labels
🍰 Feature 📁 Access Control
Projects
Software Roadmap
Archived in project
Milestone
Project Auditus
4 participants
@rijkvanzanten @paescuj @DanielBiegler @licitdev