make username available for APB in the serviceInstance #832
Conversation
openshift-ci-robot
added
the
size/M
|
I think that if we are planning on passing this down to the APB we should pass it down for all methods, not just provision IMO. |
|
@shawn-hurley ok, I will update. I wasn't sure if it was necessary to do so for all methods, but I can make the changes. |
There was a problem hiding this comment.
I have one question for @eriknelson and @shawn-hurley , the rest looks goods.
pkg/handler/handler.go
Outdated
| @@ -274,6 +274,7 @@ func (h handler) provision(w http.ResponseWriter, r *http.Request, params map[st | |||
| return | |||
| } | |||
|
|
|||
| var username = "default" | |||
There was a problem hiding this comment.
this is a little weird. I would've left it empty and if it is still empty when we call the apb, we don't pass anything to the apb.
There was a problem hiding this comment.
I can update this...
pkg/apb/types.go
Outdated
| @@ -224,6 +224,8 @@ const ( | |||
| ClusterKey = "cluster" | |||
| // NamespaceKey parameter name passed to APBs | |||
| NamespaceKey = "namespace" | |||
| // UsernameKey parameter name passed to APBs | |||
| UsernameKey = "username" | |||
There was a problem hiding this comment.
@eriknelson @shawn-hurley is this supposed to be _apb_username or is username okay?
There was a problem hiding this comment.
@johnkim76 I think it's okay on the ServiceInstance, Since an instance should never have multiple users requesting it.
There was a problem hiding this comment.
Consider the scenario where the broker is set to auto_esclate UserA and UserB have enough access in the target namespace. UserA creates a service postgresql and then UserB creates a binding for that service. That would be two users requesting the same service instance.
I agree @johnkim76 that this key should be _apb_requesting_user and should behave similarly those that you posted above.
|
pkg/apb/types.go
Outdated
| @@ -224,6 +224,8 @@ const ( | |||
| ClusterKey = "cluster" | |||
| // NamespaceKey parameter name passed to APBs | |||
| NamespaceKey = "namespace" | |||
| // UsernameKey parameter name passed to APBs | |||
| UsernameKey = "username" | |||
There was a problem hiding this comment.
Consider the scenario where the broker is set to auto_esclate UserA and UserB have enough access in the target namespace. UserA creates a service postgresql and then UserB creates a binding for that service. That would be two users requesting the same service instance.
I agree @johnkim76 that this key should be _apb_requesting_user and should behave similarly those that you posted above.
pkg/broker/broker.go
Outdated
| @@ -485,7 +485,7 @@ func (a AnsibleBroker) Catalog() (*CatalogResponse, error) { | |||
| } | |||
|
|
|||
| // Provision - will provision a service | |||
| func (a AnsibleBroker) Provision(instanceUUID uuid.UUID, req *ProvisionRequest, async bool, | |||
| func (a AnsibleBroker) Provision(instanceUUID uuid.UUID, req *ProvisionRequest, async bool, username string, | |||
There was a problem hiding this comment.
You will need to do the same for all the other actions to truely pass this for every method.
@eriknelson @jmrodri What do you guys think of having him add the requesting user UserInfo to the provision request?
There was a problem hiding this comment.
@shawn-hurley ProvisionRequest sounds better, but it usually maps to the OSB ProvisionRequest. Unless we add it as part of the parameters, then I'd be okay with that.
pkg/handler/handler.go
Outdated
| @@ -289,11 +290,13 @@ func (h handler) provision(w http.ResponseWriter, r *http.Request, params map[st | |||
| writeResponse(w, status, broker.ErrorResponse{Description: err.Error()}) | |||
| return | |||
| } | |||
|
|
|||
| username = userInfo.Username | |||
There was a problem hiding this comment.
I would suggest that you may need to add logic because it could be the case that we do not have Username but UID from the UserInfo of the requesting user.
There was a problem hiding this comment.
I was just posting about how Username feels shoehorned into a ServiceInstance because it's really the only way to pass the data through to something like a ProvisionJob: https://github.com/openshift/ansible-service-broker/blob/master/pkg/broker/broker.go#L636
when I re-read the discussion and saw @shawn-hurley advocating for the _apb_requesting_user. I think that's the right way to go. I'm concerned about continuing to add fields to the ServiceInstance proper that maybe don't belong there, especially in light of bundle-lib when we are expecting these types to be generically used by bundle-lib consumers.
johnkim76
force-pushed
the
provide_apb_info
branch
from
d88f8e5
to
e89d5b7
Compare
johnkim76
force-pushed
the
provide_apb_info
branch
from
e89d5b7
to
5d6e261
Compare
| @@ -660,7 +663,7 @@ func (a AnsibleBroker) Provision(instanceUUID uuid.UUID, req *ProvisionRequest, | |||
|
|
|||
| // Deprovision - will deprovision a service. | |||
| func (a AnsibleBroker) Deprovision( | |||
| instance apb.ServiceInstance, planID string, skipApbExecution bool, async bool, | |||
| instance apb.ServiceInstance, planID string, skipApbExecution bool, async bool, userInfo UserInfo, | |||
There was a problem hiding this comment.
I don't see the update of the parameters[requestingUserKey] = getRequestingUser(userInfo) for Deprovision or Unbind or Update.
I think we need to do this be a separate user could request those actions and if we want to alert the APBs of the users that are interacting with them, I think that we should update it. I wonder if we should re-name this field then to _apb_last_requesting_user?
There was a problem hiding this comment.
I have updated as you advised, to override the userInfo in the Deprovision, Unbind, and Update
| @@ -646,8 +646,8 @@ func (h handler) unbind(w http.ResponseWriter, r *http.Request, params map[strin | |||
| return | |||
| } | |||
|
|
|||
| userInfo, ok := r.Context().Value(UserInfoContext).(broker.UserInfo) | |||
There was a problem hiding this comment.
We need to make sure it is clear that this could be empty. If the service catalog does not have the correct feature gate on we will not get this header. I think this should be fine but is a documentation on the service bundle contract.
openshift-ci-robot
added
size/L
johnkim76
force-pushed
the
provide_apb_info
branch
from
1ce8d65
to
d560b2c
Compare
docs/service-bundle.md
Outdated
|
|
||
| The requesting username of the [actions](#actions) _provision_, _deprovision_, _bind_, _unbind_, and _update_ will available in the `_apb_last_requesting_user` parameter. The parameter value will be the `UID` of the requesting user if the `username` is not available (e.g. auto escalation). Also, the user info of the latest request will always overwrite the existing value. | ||
|
|
||
| This feature will be available in v3.10 |
There was a problem hiding this comment.
I think this should be a broker version, right?
There was a problem hiding this comment.
As a nit-pick, I think it makes sense for these to be present-tense. "This field is new in version X.Y." Or even past tense: "This field was introduced in version X.Y."
Users aren't likely to care about this field or read about it until after its release.
There was a problem hiding this comment.
oh, ok, so I'll make those updates
There was a problem hiding this comment.
I think I'd go with just the version number rather than a branch name, but either way I think that's the best number to convey.
pkg/broker/broker.go
Outdated
| @@ -708,6 +711,13 @@ func (a AnsibleBroker) Deprovision( | |||
| instance.Parameters = ¶ms | |||
| } | |||
|
|
|||
| // Override the lastRequestingUserKey value in the instance.Parameters | |||
| if instance.Parameters != nil { | |||
| params := *instance.Parameters | |||
There was a problem hiding this comment.
So Parameters here is already a reference type, you don't have to deref and then copy the address back to Parameters. I'd update these on each to just be a one liner:
(*instance.Parameters)[lastRequestingUserKey] = getLastRequestingUser(userInfo)
https://play.golang.org/p/wG6632X68h7
There was a problem hiding this comment.
thanks, I will update
openshift-ci-robot
added
size/M
override userInfo for Deprovision, Update, Unbind
johnkim76
force-pushed
the
provide_apb_info
branch
from
92e3234
to
8d1f842
Compare
docs/service-bundle.md
Outdated
| @@ -127,12 +129,18 @@ Example of JSON document passed to __bind__: | |||
| provision action for this service instance. Details are below in the Output | |||
| section. | |||
|
|
|||
| #### Last Request User | |||
|
|
|||
| The requesting username of the [actions](#actions) _provision_, _deprovision_, _bind_, _unbind_, and _update_ is available in the `_apb_last_requesting_user` parameter. The parameter is set to the `UID` if the requesting `username` is empty (e.g. auto escalation). Also, the user info of the latest request will always overwrite the existing value. | |||
There was a problem hiding this comment.
I think we should note that this could be completely empty as it is not a requirement to send the requesting user.
Sorry @johnkim76 one more change?
There was a problem hiding this comment.
thanks, will update
There was a problem hiding this comment.
@johnkim76 Ah, I see why you were updating the params that way, we were just doing in other places as well.
Ack, looks good 👍
Describe what this PR does and why we need it:
username information was requested to be available for APBs
Changes proposed in this pull request
Addresses the following Issue