RBAC: Enable the role store to survive a controller snapshot #17562
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea170-f5b9-4602-aefa-32803461f2db:
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea170-f5b0-40c5-91f0-510401a699b0:
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea177-5fec-46b5-8e89-d46c63b91ce8:
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea177-5ff4-4c27-bf95-e18fb54c6341:
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea177-5ff1-4485-a228-2c99e985aee3:
new failures in https://buildkite.com/redpanda/redpanda/builds/47252#018ea177-5fef-468c-9d8f-e57ae1dd174d:
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/47252#018ea170-f5b0-40c5-91f0-510401a699b0
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/47323#018ea56c-6f5a-4162-ab20-9a183dfbc662
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/47323#018ea56c-6f55-424d-b117-9e437d4d639e
d8092e7 to 6c69046
force push for
6c69046 to 22cccb1
force push improve test
@@ -166,6 +189,10 @@ security_t::serde_async_read(iobuf_parser& in, serde::header const h) { | |||
in, h._bytes_left_limit); | |||
acls = co_await read_vector_async_nested<decltype(acls)>( | |||
in, h._bytes_left_limit); | |||
if (h._version > 0) { |
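Review bot: the `if (h._version > 0)` gate on the last line of this hunk decides whether anything after `acls` is read at all, but nothing here says which field it guards or which release introduced it. Add a short comment naming the field that arrived with version 1, and cover the skip path with a test that decodes a version 0 payload and checks that the new field is left empty, so both branches of the gate are exercised.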
Nice
tag_t<write_tag>, | ||
iobuf& out, | ||
cluster::controller_snapshot_parts::security_t::named_role t) { | ||
write(out, std::move(t.name)); |
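Review bot: this `write` overload emits `t.name` straight into `out` with no header of its own, so the matching read has to consume the fields of `named_role` in exactly this order and cannot tell an old layout from a new one. A comment above `write(out, std::move(t.name));` stating that any change to `named_role` needs a version bump on the enclosing `security_t` would make that constraint visible to the next person who touches it.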
note: I figured it wasn't worth versioning the key by making named_role an envelope.
yeah, this seems sensible to me.
Well, when you put it that way...may as well just knock it out while we still can
for (const auto& role : roles) { | ||
security::role_name name{role}; | ||
snapshot.roles.emplace_back(name, *_roles.local().get(name)); | ||
} |
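Review bot: `*_roles.local().get(name)` on the third line dereferences the lookup result unchecked, so if a name in `roles` were no longer present in the store, an empty result would be dereferenced while building the snapshot. If the loop relies on there being no scheduling point between obtaining `roles` and this lookup, say so in a comment at the loop, or assert on the result of `get(name)` before dereferencing it.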
note: Intentionally without ss::maybe_yield, roles is a view.
Incidentally, I did recently make role_store::range return a full container (frag vec) to clean up the header, but the items are string_views.
tests/rptest/tests/rbac_test.py
Outdated
@@ -907,6 +927,8 @@ def test_role_survives_restart(self): | |||
|
|||
assert r.name == rand_role | |||
|
|||
self._wait_for_everything_snapshotted(self.redpanda.nodes, admin) |
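Review bot: the `self._wait_for_everything_snapshotted(self.redpanda.nodes, admin)` call added after `assert r.name == rand_role` does not, in the visible lines, tie the snapshot to the role commands issued earlier in the test. If the helper returns as soon as any controller snapshot exists, the test can pass with a snapshot that predates the role; consider asserting that the snapshot covers the offset of the last role command, or checking after the restart that the role came back from the snapshot and not from log replay.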
I wonder if it's possible for the snapshot to sneak in between the last command update_role_members and this line. Maybe this should go above the wait on 922?
hmm, yeah I'll play with it a bit locally
/ci-repeat 3

Signed-off-by: Ben Pope <ben@redpanda.com>
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>

As a spot check that the role store has been properly integrated into controller snapshot machinery.
Signed-off-by: Oren Leiman <oren.leiman@redpanda.com>
22cccb1 to 11627d3
force push to tweak the test slightly
Snapshot machinery for roles was missing previously.
Updates a ducktape test to ensure that a controller snapshot occurs before restarting the cluster.
Validator (test should fail absent these changes): #17560
Backports Required
Release Notes