[server] Read blocked repositories from database #11036
Add the new BlockedRepository entity and its interface and implementation.
This was auto-generated by running: `docker run --rm --name some-mysql -e MYSQL_ROOT_PASSWORD=test -e MYSQL_DATABASE=gitpod -e MYSQL_USER=gitpod -e MYSQL_PASSWORD=test -p 3306:3306 -d mysql:5.7` `yarn typeorm migration:generate -n New` from the `gitpod-db` directory. And then removing everything but the new table. We should document a better way of doing this.
// TODO: not sure if we need this? | ||
// TODO: should have a default value of false? | ||
// This column triggers the db-sync deletion mechanism. It's not intended for public consumption. | ||
@Column() | ||
deleted: boolean; |
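Review bot: the two TODO comments above `deleted: boolean;` leave open whether this column is needed and whether it should default to false, and both should be settled before merge. If the column stays because the db-sync deletion mechanism needs it, replace the TODOs with a comment that says so and notes how the default is determined; if it is not needed, drop the `@Column()` and the field.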
As the comment suggests, I'm not sure if we need this field on the new table.
boolean is mapped to tinyint, which defaults to '0'. That's why we do not have explicit defaults throughout the code base. 👍
> TODO: not sure if we need this?
If we want to be able to remove this entry from the DB cross-region then yes, we should have it. 👍
@andrew-farries For this DB table to be synced we also need an entry in `tables.ts`. Happy to chat about how that needs to look like.
I've added an entry to `tables.ts` in c4aebe3
To be able to land this, we also need to update all the runbooks and point to how to establish a DB connection so that on-call engineers can block dynamically. To make this less one-shot-change, can we first merge the config and the DB results when checking to enable gradual migration away? This would give us time to stage the change and communicate it.
My plan (as described in #11030) was to allow the two mechanisms (reading from db and from config) to exist in parallel until we add the API and UI to interact with blocked repositories in the db. At that point we copy the blocked repos from config into the db. Until that point the blocked repository db table remains empty. This PR isn't intended to replace the mechanism we currently use to block repos, just be a step towards that. So we don't need to update any runbooks etc.
Nice, sorry didn't click through into the parent issue.
components/gitpod-protocol/src/blocked-repositories-protocol.ts
Answered by code review.
components/gitpod-db/src/typeorm/entity/db-blocked-repository.ts
Testing...
Awesome, looking forward to have this! 🚀
/hold We should remove this unused DB field.
/werft run with-clean-slate-deployment=true
👍 started the job as gitpod-build-af-admin-block-users.36
/unhold
Description
Add a `d_b_blocked_repository` table to the application database and use it at workspace startup to check whether a workspace should be blocked. Also checks if the user should be blocked for attempting to start such a workspace and blocks the user as necessary.

Related Issue(s)
Part of #11030

How to test
1. Get a kube context for the preview environment for this branch:
2. Port forward to the database (username and password is in the `server` environment):
3. Using `mysql` client or `mycli` (needs `brew install mycli` first) add an entry to the `d_b_blocked_repository` table.
4. Attempt to start a workspace from a github repository under your user.
5. Observe that the workspace fails to start.
6. Try to open another workspace and see that you are now blocked.
7. Unblock yourself by updating your entry in the `d_b_users` table:
8. Experiment by inserting/deleting other combinations of `urlRegexp` and `blockUser` in the `d_b_blocked_repository` table.

Release Notes
Werft options
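
The startup check from the PR description, with config and database entries evaluated together as discussed in the thread, sketched as an added example that is not code from this PR or from Gitpod. Only `urlRegexp` and `blockUser` come from the page; `checkRepository`, `BlockDecision`, `compile`, the `invalid` list and the sample data are assumptions made for illustration.

```typescript
// Added example, not Gitpod's code. Only urlRegexp and blockUser come from the
// page; every other name here is hypothetical.
interface BlockedRepository {
    urlRegexp: string;
    blockUser: boolean;
}

interface BlockDecision {
    blocked: boolean;   // refuse to start the workspace
    blockUser: boolean; // also block the user who tried
    matched: string[];  // patterns that matched, for the audit log
    invalid: string[];  // patterns that failed to compile
}

function compile(source: string): RegExp | undefined {
    try { return new RegExp(source); } catch { return undefined; }
}

// Entries from static config and from the database are checked together, so
// both mechanisms keep working while entries migrate from one to the other.
function checkRepository(contextUrl: string, fromConfig: BlockedRepository[],
                         fromDb: BlockedRepository[]): BlockDecision {
    const decision: BlockDecision = { blocked: false, blockUser: false, matched: [], invalid: [] };
    for (const entry of [...fromConfig, ...fromDb]) {
        const pattern = compile(entry.urlRegexp);
        if (!pattern) {
            // A malformed row must not break workspace startup or hide other
            // entries: record it for operators and keep checking.
            decision.invalid.push(entry.urlRegexp);
            continue;
        }
        if (pattern.test(contextUrl)) {
            decision.blocked = true;
            // The strictest matching entry wins.
            decision.blockUser = decision.blockUser || entry.blockUser;
            decision.matched.push(entry.urlRegexp);
        }
    }
    return decision;
}

// Constructed sample data (not real entries).
const sampleConfig: BlockedRepository[] = [
    { urlRegexp: "^https://github\\.com/example-org/miner(\\.git)?$", blockUser: false },
];
const sampleDb: BlockedRepository[] = [
    { urlRegexp: "^https://github\\.com/example-abuser/", blockUser: true },
    { urlRegexp: "(unclosed", blockUser: true },
];
```

Anchoring each pattern with `^` and escaping the dots keeps an entry from matching look-alike hosts; an unanchored `github.com/example-org` would also match a URL that merely contains that string.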