feat(core): add service scoped database clients #647

jrschumacher · 2024-04-23T17:10:52Z

This PR introduces a significant change to how we perceive database clients within the platform. The original implementation has a concept of a single database client which services could use. As work was being executed, it became clear that the policy service was one (if not only) service which required a database client.

Recently, we learned that downstream projects that wrap OpenTDF required access to a database client, but this posed a couple concerns:

Downstream clients need the ability to add migrations and have those bound to the migration CLI tool as well as the auto-migration feature
We need to ensure a bad actor cannot poison a PEP and thus have easy access to mutate the policy outside an audited and authenticated flow
We need to ensure PEPs are interacting with services via contracts and not by direct database access, which could slow down development

Supported features

create a new database client for each service / PEP
- this sets us up to support limiting scope in the future by giving theoretical access to managing multiple DB user identities per instance of the platform
scope the database client to a schema scoped to the service namespace
- this will give us theoretical control over limiting the access of the database user
- this might need to change to a database per service depending on the access controls needed
add support for service based migrations
- having all services use the same migrations directory is brittle since clients are scoped to schemas we can support multiple migration directories
- additionally, when deploying a policy service apart from another PEP we don't want to automatically migrate a schema that won't be used
migration commands now support service and/or --all
- this enables developers to migrate up and down as they are exploring the process of supporting a new feature
- this gives us the opportunity to enhance the tool to support migrations for services that are currently "enabled"

Unsupported features

robust support for service auto-migration based on server registration
rigorous performance testing
DX review

…issue559

service/kas/access/accessPdp.go

service/pkg/server/services.go

🤖 I have created a release *beep* *boop* --- ## [0.3.0](service/v0.2.0...service/v0.3.0) (2024-04-29) ### Features * **core:** add service scoped database clients ([#647](#647)) ([019a3bf](019a3bf)) ### Bug Fixes * **config:** update docs for enforce dpop config and clean up markdown tables ([#697](#697)) ([983ce71](983ce71)) * **policy:** normalize FQN lookup to lower case ([#668](#668)) ([cd8a875](cd8a875)), closes [#669](#669) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.3.0](opentdf/platform@service/v0.2.0...service/v0.3.0) (2024-04-29) ### Features * **core:** add service scoped database clients ([#647](opentdf/platform#647)) ([019a3bf](opentdf/platform@019a3bf)) ### Bug Fixes * **config:** update docs for enforce dpop config and clean up markdown tables ([#697](opentdf/platform#697)) ([983ce71](opentdf/platform@983ce71)) * **policy:** normalize FQN lookup to lower case ([#668](opentdf/platform#668)) ([cd8a875](opentdf/platform@cd8a875)), closes [#669](opentdf/platform#669) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

jrschumacher added 4 commits April 19, 2024 09:04

feat(core): enable service db migrations

d2e5510

WIP

fef7b45

WIP

e96df95

Finish implementation

80df9f0

jrschumacher requested review from a team as code owners April 23, 2024 17:10

jrschumacher added 3 commits April 23, 2024 12:14

Fix proto relocation

0e2b319

generate protos

ad16d76

Fix protocol gen locations

fa02327

jrschumacher requested a review from a team as a code owner April 23, 2024 18:51

jrschumacher added 3 commits April 23, 2024 14:17

fix log issues

840fdba

Merge branch 'main' of github.com:opentdf/platform into jrschumacher/…

309c1fe

…issue559

Fix lint issues

194be10

jrschumacher requested a review from a team as a code owner April 24, 2024 00:14

jrschumacher linked an issue Apr 24, 2024 that may be closed by this pull request

ADR: downstream PEP database integration #559

Closed

jrschumacher commented Apr 24, 2024

View reviewed changes

service/kas/access/accessPdp.go Show resolved Hide resolved

jrschumacher added 4 commits April 23, 2024 19:46

fix redefine close builtin

d27e553

fix context use

ad9012c

fix lint issue with registering service

0e64d8c

fix comments

eb14ca1

strantalis reviewed Apr 24, 2024

View reviewed changes

service/pkg/server/services.go Outdated Show resolved Hide resolved

jrschumacher added 7 commits April 26, 2024 07:09

Add tests

a36194e

fix

55e3827

resolve lint errors

6a817f0

fix list issue

70a59cc

fix list issue

2795668

fix cog complexity

bcf8809

fix missing context from commands

8c70380

jakedoublev mentioned this pull request Apr 26, 2024

fix(policy): normalize FQN lookup to lower case #668

Merged

add test suites

b519d67

jrschumacher mentioned this pull request Apr 27, 2024

Reevaluate use of Goose for migrations #675

Open

jrschumacher added 2 commits April 27, 2024 09:36

fix tests

09b28e2

Merge branch 'main' into jrschumacher/issue559

8f7eade

jrschumacher requested review from strantalis and jakedoublev April 28, 2024 23:40

jakedoublev reviewed Apr 29, 2024

View reviewed changes

service/pkg/server/services.go Show resolved Hide resolved

jakedoublev approved these changes Apr 29, 2024

View reviewed changes

jrschumacher mentioned this pull request Apr 29, 2024

Enhance scoped DB logic to ensure that service / PEP developers can have separate or shared pools depending on the client and database connection #681

Open

strantalis approved these changes Apr 29, 2024

View reviewed changes

jrschumacher added this pull request to the merge queue Apr 29, 2024

Merged via the queue into main with commit 019a3bf Apr 29, 2024
16 checks passed

jrschumacher deleted the jrschumacher/issue559 branch April 29, 2024 17:15

opentdf-automation bot mentioned this pull request Apr 29, 2024

chore(main): release service 0.3.0 #687

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(core): add service scoped database clients #647

feat(core): add service scoped database clients #647

jrschumacher commented Apr 23, 2024 •

edited

feat(core): add service scoped database clients #647

feat(core): add service scoped database clients #647

Conversation

jrschumacher commented Apr 23, 2024 • edited

Supported features

Unsupported features

jrschumacher commented Apr 23, 2024 •

edited