credentials validation #1156
credentials validation #1156
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
joelddiaz
force-pushed
the
creds-validation
branch
2 times, most recently
from
cc3089f
to
85eb699
Compare
openshift-ci-robot
removed
the
needs-rebase
|
@abhinavdahiya @wking this is the direction i'm heading with this credential validation work. what do you think? |
| // EC2 related perms | ||
| "ec2:AllocateAddress", | ||
| "ec2:AssociateAddress", | ||
| "ec2:AssociateDhcpOptions", |
There was a problem hiding this comment.
Ugh :p. I think annotating our calls with something like 2658145 would be a more sustainable approach towards maintaining this slice. But hard-coding is fine in the short-term.
| logger := logrus.New() | ||
| awsClient, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey)) | ||
| if err != nil { | ||
| return fmt.Errorf("error building aws client to check credentials against: %v", err) |
There was a problem hiding this comment.
nit: we generally use errors.Errorf instead of fmt.Errorf.
| return fmt.Errorf("error checking whether we have enough permissions to install: %v", err) | ||
| } | ||
| if !canInstall { | ||
| return fmt.Errorf("current credentials insufficient for performing cluster installation") |
There was a problem hiding this comment.
nit: this doesn't need string formatting, so it should use errors.New.
| } | ||
|
|
||
| logger := logrus.New() | ||
| awsClient, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey)) |
There was a problem hiding this comment.
nit: client is probably sufficiently unique for validateAWSCreds.
joelddiaz
force-pushed
the
creds-validation
branch
from
85eb699
to
ec37101
Compare
|
@wking broke out the vendor into its own commit, and addressed the feedback |
| @@ -36,6 +36,7 @@ func (a *PlatformCredsCheck) Generate(dependencies asset.Parents) error { | |||
| switch platform { | |||
| case aws.Name: | |||
| _, err = awsconfig.GetSession() | |||
| err = awsconfig.ValidateAWSCreds() | |||
There was a problem hiding this comment.
This will swallow any error from the call to awsconfig.GetSession.
| ) | ||
|
|
||
| var installPermissionsAWS = []string{ |
There was a problem hiding this comment.
The AWS part of installPermissionsAWS is redundant with the package.
| // are sufficient to perform an installation, and that they can be used for cluster runtime | ||
| // as either capable of creating new credentials for components that interact with the cloud or | ||
| // being able to be passed through as-is to the components that need cloud credentials | ||
| func ValidateAWSCreds() error { |
There was a problem hiding this comment.
The AWS part of ValidateAWSCreds is redundant with the package.
| // as either capable of creating new credentials for components that interact with the cloud or | ||
| // being able to be passed through as-is to the components that need cloud credentials | ||
| func ValidateAWSCreds() error { | ||
| ssn, err := GetSession() |
There was a problem hiding this comment.
I think you should pass in the session as a parameter to ValidateAWSCreds. This will (1) fit in better with the long-term plans of getting the session from an asset in the store and (2) consolidate the 2 calls to GetSession in PlatformCredsChecker.Generate into a single call.
joelddiaz
force-pushed
the
creds-validation
branch
from
ec37101
to
1dcddc8
Compare
|
@staebler thanks for the review. i've fixed the swallowing of the err and made the other changes as requested |
|
|
||
| client, err := ccaws.NewClient([]byte(creds.AccessKeyID), []byte(creds.SecretAccessKey)) | ||
| if err != nil { | ||
| return fmt.Errorf("error building aws client to check credentials against: %v", err) |
There was a problem hiding this comment.
This should be errors.Errorf, and once you make that change you can drop the fmt import.
There was a problem hiding this comment.
Actually, no, you're adding context to an existing error. It should be:
return errors.Wrap(err, "initialize cloud-credentials client")The "to check credentials" bit should be addressed at the call-site in platformcredscheck.go, with something like:
ssn, err := awsconfig.GetSession()
if err != nil {
return err
}
err = awsconfig.ValidateCreds(ssn)
if err != nil {
return errors.Wrap(err, "validate AWS credentials")
}
| logger := logrus.New() | ||
| canInstall, err := credvalidator.CheckPermissionsAgainstActions(client, installPermissions, logger) | ||
| if err != nil { | ||
| return errors.Errorf("error checking whether we have enough permissions to install: %v", err) |
There was a problem hiding this comment.
Sorry for my poor earlier advice. When you have an error, you should use errors.Wrap (or Wrapf), not Errorf). See here. This applies to some of your other error-handling blocks as well.
| if err != nil { | ||
| return err | ||
| } | ||
| err = awsconfig.ValidateCreds(ssn) |
There was a problem hiding this comment.
This sets the err variable local to this case and not the err variable that is returned from the Generate function. In other words, errors from awsconfig.ValidateCreds will be ignored.
Personally, I would much rather see each of these cases check err and return when there is an error within the case block rather than fill out a shared err variable that is returned at the end of the function.
joelddiaz
force-pushed
the
creds-validation
branch
from
1dcddc8
to
170d41d
Compare
| func ValidateCreds(ssn *session.Session) error { | ||
| creds, err := ssn.Config.Credentials.Get() | ||
| if err != nil { | ||
| return err |
| _, err = awsconfig.GetSession() | ||
| ssn, err := awsconfig.GetSession() | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Wrap this error, too, while we're here.
joelddiaz
force-pushed
the
creds-validation
branch
2 times, most recently
from
008dc44
to
f80230b
Compare
|
/retest |
|
@joelddiaz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
openshift-ci-robot
added
the
needs-rebase
|
/test e2e-aws |
joelddiaz
force-pushed
the
creds-validation
branch
from
f80230b
to
9635bc6
Compare
openshift-ci-robot
added
needs-rebase
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
will use pieces from the repo for credential validation put some dummy imports in pkg/asset/installconfig/aws/permissions.go then run: dep ensure (version 0.5.0)
do a pre-flight check of permissions using cloud-credentials-operator validation to do a check on the creds being used for installation
the initial list of permissions that gathers the AWS actions needed to perform an installation are taken verbatim from the IAM group permissions the hive team has been using to perform installation/uninstallation with (there absolutely could be some excess actions that used to be needed, but may no longer be needed)
note that the permissions checks are done with the assumption of IAM policies consisting of 'Resource: "*"'. so a list of ["ec2:CreateRoute", "ec2:CreateSubnet"] is evaluated as whether we can peform
`
{
"Statement": [
{
"Action": [
"ec2:CreateRoute",
"ec2:CreateSubnet"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
`
joelddiaz
force-pushed
the
creds-validation
branch
from
9635bc6
to
818b350
Compare
openshift-ci-robot
removed
the
needs-rebase
|
/hold cancel |
openshift-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: joelddiaz, staebler The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
do a pre-flight check of permissions using cloud-credentials-operator validation to do a check on the creds being used for installation
the initial list of permissions that gathers the AWS actions needed to perform an installation are taken verbatim from the IAM group permissions the hive team has been using to perform installation/uninstallation with (there absolutely could be some excess actions that used to be needed, but may no longer be needed)
note that the permissions checks are done with the assumption of IAM policies consisting of 'Resource: "*"'. so a list of ["ec2:CreateRoute", "ec2:CreateSubnet"] is evaluated as whether we can peform