New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow role resolution errors in RARs #4809
Conversation
// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned. | ||
// It is entirely possible to get an error and be able to continue determine authorization status in spite of it. This is | ||
// most common when a bound role is missing, but enough roles are still present and bound to reason about the request. | ||
EvaluationError string `json:"evalutionError" description:"error occurred during resolution, but partial results can still be returned"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to define partial. Is partial "if I called this and I expected to get the full list, but I didn't, I can safely continue?" Or is partial "here's as much of the results as we can show"? If it's the latter, this needs to be a struct or something that conveys more data about it being a partial response (for one thing, people shouldn't be doing if len(e.EvaluationError) == 0 { // happy path }
)
The choice of what to do belongs to the caller. In some cases, the caller may decide that incomplete results are worthless and their work should fail. In other cases (project cache as a for instance), the caller may decide that partial results are better than no results and use them. |
What use case for partial can you describe that needs this? I don't like On Sep 26, 2015, at 8:16 AM, David Eads notifications@github.com wrote: You need to define partial. Is partial "if I called this and I expected to The choice of what to do belongs to the caller. In some cases, the caller — |
I think when determining which subjects have access to a project, if there is a role binding to an invalid role, we currently return an error rather than the subjects we could resolve. That makes project acl vulnerable to getting overly restrictive if a single role binding is invalid |
Ok, that's an excellent reason. So the next question is - if multiple On Sat, Sep 26, 2015 at 11:31 AM, Jordan Liggitt notifications@github.com
|
This is an RAR (SAR is a clearer answer: "you can or can't"). I don't think that the structure of a |
So you're building a UI that lets someone change roles. You make a rar as This is an unusual enough concept to be adding to the API (which we have no On Sep 27, 2015, at 11:15 AM, David Eads notifications@github.com wrote: Ok, that's an excellent reason. So the next question is - if multiple This is an RAR (SAR is a clearer answer: "you can or can't"). I don't think — |
At a certain point you're arguing for markers. I'd claim that markers more appropriately belong in some sort of |
I'm in favor of tolerating lookup errors and returning a (potentially) partial list… the trouble is, the lookup has no way of knowing if the list is actually partial or not. Not sure that a field on the RAR is the right place to surface that info |
Explain why it's improper to return structured errors? I'm not necessarily On Sep 28, 2015, at 1:16 AM, David Eads notifications@github.com wrote: At a certain point you're arguing for markers. I'd claim that markers more — |
// GetAllowedSubjects returns the subjects it knows can perform the action. | ||
// If we got an error, then the list of subjects may not be complete, but it does not contain any incorrect names. | ||
// This is done because policy rules are purely additive and policy determinations | ||
// can be made on the basis of those rules that are found. | ||
func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (util.StringSet, util.StringSet, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that this code here should return back a []StatusError
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that this code here should return back a []StatusError.
Would []error
be enough structure for you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it should just return error. But it should return an error that either satisfies Aggregate interface (sufficient for now) or we create a specific type of error that callers can check against. Returning an aggregate and not changing the signature is fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it should just return error. But it should return an error that either satisfies Aggregate interface (sufficient for now) or we create a specific type of error that callers can check against. Returning an aggregate and not changing the signature is fine.
Ok, I think that's what I did: https://github.com/openshift/origin/pull/4809/files#diff-5654e020d459e05c8fcca57d5675ece4R87 .
I'm fine with everything except the evaluation error field on the response |
Ok. How would you indicate the partial failure to clients? I'd consider the string to be better than a bool. |
we don't know whether it's a partial failure... that's the point. the roles that couldn't be resolved may have nothing to do with the resource in question. flagging role binding reference errors doesn't feel like it should be part of this response |
if you're expecting a particular user/group to come back in that list, and they don't, I think there should be a more focused way to look at the rolebindings for that user/group, at which point any unresolved references would make more sense |
I don't disagree that should exist (probably oc status if you have view rights to the necessary resources), but given that these evaluation errors might have affected your results (we can't know for sure) and almost certainly indicate a failure of intent, it seems like a good idea to indicate that. I'll split into a separate pull to at least make us more tolerant for now. |
8aeb26c
to
abccdb9
Compare
Split #4847 to allow progress to be made while we decide what is and isn't user intent. |
LGTM |
abccdb9
to
accfd4a
Compare
[merge] |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/3430/) (Image: devenv-fedora_2427) |
[Test]ing while waiting on the merge queue |
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/5248/) |
accfd4a
to
e5214ae
Compare
Evaluated for origin test up to e5214ae |
Evaluated for origin merge up to e5214ae |
Merged by openshift-bot
Bug https://bugzilla.redhat.com/show_bug.cgi?id=1192310.
This allows role and rolebinding resolution problems during an RAR without failures. This is ok because we never return too broad a list.