ROX-11101: Remove deprecated resources #3036

Merged
rhybrillou merged 15 commits into master from yann/ROX-11101-remove_deprecated_resources on Nov 8, 2022
rhybrillou (Contributor) commented Sep 9, 2022

Description

The set of resources used for access control is being simplified. A number of resources have been deprecated.

The goal here is to get rid of the deprecated resources, both in the database and in the codebase (UI, QA, central, DB). This PR focuses on the database content cleanup. Full PR chain:
#3036
#3115
#3116
#3428

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
  • Evaluated and added CHANGELOG entry if required
    - [ ] Determined and documented upgrade steps
    - [ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

Added automated tests for the migration.

Manual testing

  • Deploy locally a 3.72.0 central in RocksDB mode.
  • Manually create permission sets using the UI.
  • Create permission sets using the API.
    example:
curl --insecure -XPOST -u admin:$admin_password https://localhost:8000/v1/permissionsets \
--data '{"id":"","name":"OneAccessSubAPIPermissionSet", "description":"", "resourceToAccess":{"AuthProvider": "READ_ACCESS"}}'
  • Check in the UI all created permission sets are present and contain the expected resource access.
  • Check using the API that the created permission sets are present and contain the expected resource access.
    example:
curl --insecure -XGET -u admin:$admin_password https://localhost:8000/v1/permissionsets
  • Update the image tag in the deployment to 3.72.x-533-g1614bca3ad.
  • Check the migrator run in the central deployment logs, make sure the migration from sequence number 110 to 111 happened, and that the database sequence number at the end is at least 111.
% kubectl logs -n stackrox deploy/central
No certificates found in /usr/local/share/ca-certificates
No certificates found in /etc/pki/injected-ca-trust
Migrator: 2022/11/07 12:44:40.057224 log.go:13: Info: In migrator.run()
pkg/migrations: 2022/11/07 12:44:40.077194 migration_version.go:58: Info: Migration version of database at /var/lib/stackrox/current: &{/var/lib/stackrox/current 3.72.1 108 0001-01-01 00:00:00 +0000 UTC}
clone/rocksdb: 2022/11/07 12:44:40.077311 db_clone_manager_impl.go:66: Info: Found clone current -> .db-init
clone/rocksdb: 2022/11/07 12:44:40.077364 db_clone_manager_impl.go:124: Info: Database clones:
clone/rocksdb: 2022/11/07 12:44:40.077387 db_clone_manager_impl.go:126: Info: current -> &{/var/lib/stackrox/current 3.72.1 108 0001-01-01 00:00:00 +0000 UTC}
clone/rocksdb: 2022/11/07 12:44:40.077523 db_clone_manager_impl.go:302: Info: Central has space to create backup for rollback: true, required: 39846073, available: 105016770560 with 0.200000 margin
clone/rocksdb: 2022/11/07 12:44:40.077560 db_clone_manager_impl.go:179: Info: Database rollback enabled. Copying database files and migrate it to current version.
pkg/migrations: 2022/11/07 12:44:40.530951 migration_version.go:58: Info: Migration version of database at /var/lib/stackrox/.db-411092ad-89a8-401a-837e-a55584fbcf75: &{/var/lib/stackrox/.db-411092ad-89a8-401a-837e-a55584fbcf75 3.72.1 108 0001-01-01 00:00:00 +0000 UTC}
Migrator: 2022/11/07 12:44:40.531016 log.go:18: Info: Clone to Migrate "temp", ""
Migrator: 2022/11/07 12:44:40.531033 log.go:13: Info: starting DB compaction
Migrator: 2022/11/07 12:44:40.531106 log.go:18: Info: Free fraction of 0.0938 (24576/262144) is < 0.7500. Will not compact
Migrator: 2022/11/07 12:44:41.056613 log.go:18: Info: In runner.Run
Migrator: 2022/11/07 12:44:41.057388 log.go:18: Info: Found DB at version 108, which is less than what we expect (111). Running migrations...
Migrator: 2022/11/07 12:44:41.067179 log.go:18: Info: Successfully updated DB from version 108 to 109
Migrator: 2022/11/07 12:44:41.073678 log.go:18: Info: Successfully updated DB from version 109 to 110
Migrator: 2022/11/07 12:44:41.075925 log.go:18: Info: Successfully updated DB from version 110 to 111
clone/rocksdb: 2022/11/07 12:44:41.076798 db_clone_manager_impl.go:212: Info: Persisting upgraded clone: temp
pkg/mtls/certwatch: 2022/11/07 12:44:41.328036 certwatch.go:61: Info: TLS certificate loaded, using the following cert for HTTPS: (SerialNumber: 424012542049970283456843807461678417531196, Subject: CN=*.demo.stackrox.com, DNSNames, [*.demo.stackrox.com]), watch dir: "/run/secrets/stackrox.io/default-tls-cert"
main: 2022/11/07 12:44:41.391397 main.go:247: Info: Running StackRox Version: 3.72.x-533-g1614bca3ad
version: 2022/11/07 12:44:41.413072 ensure.go:55: Info: Version found in the DB was current. We're good to go!
...

% kubectl exec -n stackrox deploy/central -- cat /var/lib/stackrox/current/migration_version.yaml
image: 3.72.x-533-g1614bca3ad
database: 111
lastpersisted: 0001-01-01T00:00:00Z
  • After the migration, check that all the default and created permission sets still exist.
  • After the migration, check the content of permission sets. The replaced permissions should not be there anymore; the replacing permissions should have the lowest access level across the replaced permissions.
  • After the migration, check that roles can reference the permission sets in the UI.
  • After the migration, check that roles can reference the permission sets using the API.
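
The post-migration check described in the manual steps above (each replacing permission ends up with the lowest access level across the permissions it replaces) can be modelled offline. This is an added example, not code from this PR: `Access`, `Migrate`, `Changes` and the sample permission set are stand-ins assumed here, and the replacement table is copied from the draft CHANGELOG text quoted in this thread.

```go
package main

import (
	"fmt"
	"sort"
)

// Access is a local stand-in for the product's access enum. The numeric order
// is assumed to follow privilege order; the aggregation relies on that.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	ReadWriteAccess
)

func (a Access) String() string {
	names := []string{"NO_ACCESS", "READ_ACCESS", "READ_WRITE_ACCESS"}
	if a < 0 || int(a) >= len(names) {
		return fmt.Sprintf("Access(%d)", int(a))
	}
	return names[a]
}

// replacements maps each replaced resource to the resource that replaces it,
// copied from the draft CHANGELOG text quoted in the review thread.
var replacements = buildReplacements()

func buildReplacements() map[string]string {
	groups := map[string][]string{
		"Access":              {"AuthPlugin", "AuthProvider", "Group", "Licenses", "User"},
		"DeploymentExtension": {"Indicator", "NetworkBaseline", "ProcessWhitelist", "Risk"},
		"Integration":         {"APIToken", "BackupPlugins", "ImageIntegration", "Notifier", "SignatureIntegration"},
		"Image":               {"ImageComponent"},
	}
	out := make(map[string]string)
	for replacement, replaced := range groups {
		for _, r := range replaced {
			out[r] = replacement
		}
	}
	return out
}

// Lowest and Highest are the two aggregation options discussed in the thread.
func Lowest(a, b Access) Access {
	if a < b {
		return a
	}
	return b
}

func Highest(a, b Access) Access {
	if a > b {
		return a
	}
	return b
}

// target returns the resource a grant ends up under after migration.
func target(resource string) string {
	if r, ok := replacements[resource]; ok {
		return r
	}
	return resource
}

// Migrate builds a new permission set in which replaced resources are folded
// into their replacement, combining colliding levels with pick.
func Migrate(ps map[string]Access, pick func(a, b Access) Access) map[string]Access {
	out := make(map[string]Access, len(ps))
	for resource, level := range ps {
		t := target(resource)
		if old, found := out[t]; found {
			level = pick(old, level)
		}
		out[t] = level
	}
	return out
}

// Change records an original grant whose effective level differs after migration.
type Change struct {
	Resource      string
	Before, After Access
}

// Changes lists, sorted by resource, the original grants that Migrate alters.
func Changes(ps map[string]Access, pick func(a, b Access) Access) []Change {
	migrated := Migrate(ps, pick)
	var out []Change
	for resource, before := range ps {
		if after := migrated[target(resource)]; after != before {
			out = append(out, Change{Resource: resource, Before: before, After: after})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource })
	return out
}

func main() {
	// Constructed sample: the case raised in review, plus an unrelated resource.
	ps := map[string]Access{"AuthProvider": ReadWriteAccess, "User": ReadAccess, "Cluster": ReadWriteAccess}
	for _, c := range Changes(ps, Lowest) {
		fmt.Printf("lowest:  %s %v -> %v\n", c.Resource, c.Before, c.After)
	}
	for _, c := range Changes(ps, Highest) {
		fmt.Printf("highest: %s %v -> %v\n", c.Resource, c.Before, c.After)
	}
}
```

With the lowest rule every reported change is a narrowing, and with the highest rule every change is a broadening, which is the trade-off debated in the review.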

openshift-ci bot commented Sep 9, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

)

var (
migration = types.Migration{

Member commented:

You also need to register a migration in init():

func init() {
	migrations.MustRegisterMigration(migration)
}

return errors.Wrap(err, "unable to unmarshal permission set")
}
// Copy the permission set, removing the deprecated resource permissions, and keeping the
// highest access level between that of deprecated resource and their replacement

Member commented:

I think as a security product we should choose lowest (and call this out in the changelog).

Comment on lines +117 to +123
newPermissionSet := &storage.PermissionSet{}
newPermissionSet.Id = permissions.GetId()
newPermissionSet.Name = permissions.GetName()
newPermissionSet.Description = permissions.GetDescription()
if len(permissions.GetResourceToAccess()) > 0 {
newPermissionSet.ResourceToAccess = make(map[string]storage.Access)
}

Member commented:

Suggested change
newPermissionSet := &storage.PermissionSet{}
newPermissionSet.Id = permissions.GetId()
newPermissionSet.Name = permissions.GetName()
newPermissionSet.Description = permissions.GetDescription()
if len(permissions.GetResourceToAccess()) > 0 {
newPermissionSet.ResourceToAccess = make(map[string]storage.Access)
}
newPermissionSet := &storage.PermissionSet{
Id: permissions.GetId(),
Name: permissions.GetName(),
Description: permissions.GetDescription(),
ResourceToAccess: make(map[string]storage.Access, len(permissions.GetResourceToAccess())),
}

writeOpts = gorocksdb.NewDefaultWriteOptions()
)

func propagatePermission(resource string, accessLevel storage.Access, permissions map[string]storage.Access) {

Member commented:

Instead of modifying permissions (side effect), let's return updated storage.Access.

rukletsov requested a review from dhaus67 on September 20, 2022 21:50

rhybrillou (Contributor, Author) commented:

/test all

ghost commented Sep 21, 2022

Images are ready for the commit at efa8528.

To use with deploy scripts, first export MAIN_IMAGE_TAG=3.72.x-534-gefa85282b0.

rhybrillou force-pushed the yann/ROX-11101-remove_deprecated_resources branch from 1c9c4b1 to 908325c on October 17, 2022 07:55

rhybrillou (Contributor, Author) commented:

/test all

rhybrillou requested a review from rukletsov on October 18, 2022 20:17
rhybrillou marked this pull request as ready for review on October 18, 2022 20:17

dhaus67 (Contributor) left a comment:

Since we are adding a migration, please add proper test description for which manual steps you have run to ensure that the migration works as expected on a running system (as a shameless plug, you can see #2066 as an example of what we should have there for the manual test steps of a migration).

CHANGELOG.md Outdated
Comment on lines +41 to +51
### Deprecated Features
- ROX-11101: Similar to what was announced in 3.71.0 for ROX-8520, more permissions for permission sets will be grouped for simplification. As a result, the following permissions will be deprecated in favor of a new permission:
- New permission `Administration` will deprecate the permissions `AllComments, ComplianceRunSchedule, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity`.
- The permission `Compliance` will deprecate the permission `ComplianceRuns`.
### Technical Changes
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permissionsets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest of its defined access level if any and the defined access levels for all the permissions it replaces.
- Permission `Access` deprecates and replaces the permissions `AuthPlugin, AuthProvider, Group, Licenses, User`.
- Permission `DeploymentExtension` deprecates and replaces the permissions `Indicator, NetworkBaseline, ProcessWhitelist, Risk`.
- Permission `Integration` deprecates and replaces the permissions `APIToken, BackupPlugins, ImageIntegration, Notifier, SignatureIntegration`.
- Permission `Image` deprecates and replaces the permission `ImageComponent`.
- Note: the `Role` permission, previously announced as being grouped under `Access` remains a standalone permission.

Contributor commented:

We now have those sections defined, so should merge them with the existing one.

migrations.MustRegisterMigration(migration)
}

func propagatePermission(resource string, accessLevel storage.Access, permissions map[string]storage.Access) storage.Access {

Contributor commented:

nit: The naming of this function is a bit confusing to me, we talk about permission but actually determine the new access. Might be relevant to say propagateAccess the least?

Comment on lines +79 to +82
if _, found := permissions[resource]; !found {
return accessLevel
}
oldLevel := permissions[resource]
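
Review bot: The `!found` early return at the top of this hunk lets only resources that have an entry in the permission set take part in the aggregation, so a replaced resource with no entry never lowers the result. If a missing entry is meant to be no access, a set holding only `AuthProvider` (like the one created in the manual test) would carry that level over to `Access` and with it to the other resources `Access` replaces. State in the function comment which behaviour is intended, and add a test case for a set that contains only one of the replaced resources.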

Contributor commented:

Suggested change
if _, found := permissions[resource]; !found {
return accessLevel
}
oldLevel := permissions[resource]
oldLevel, found := permissions[resource]
if !found {
return accessLevel
}

Comment on lines +83 to +86
if accessLevel > oldLevel {
return oldLevel
}
return accessLevel

Contributor commented:

General question on this: have we decided that this is the way to go? If we keep as-is, this could potentially break existing customer's permission sets after migration.

Say customer has a permission set with write to AuthProvider and read to User, we will have after migration read to Access, which would break his access to AuthProvider (which he seemingly required, since he set it to begin with).

Is this something that we have decided is OK for customers / will there be a special announcement and we expect them to manually change this afterwards?

I might miss context, but haven't found anything in the related slack channel.

Member commented:

We have no clue, including product. Yann tried to ask product but not much luck. Basically, we have two aggregation options:

  • min, which is how it's done now and how I convinced Yann to do it
  • max, what Yann had originally.

My thinking is that for a security product it's easier to explain to angry customers why we narrowed the permissions.

Contributor commented:

Hm, I see.
I would have gone for max due to it probably not resulting in directly visible breaking changes (i.e. receiving a support case due to user X not being able to create image integrations), but min is also fine since it's a breaking change either way.
My point of emphasis would be to specifically highlight this change, in order for us to not get too many support cases beginning with the next release.

Member commented:

> My point of emphasis would be to specifically highlight this change, in order for us to not get too many support cases beginning with the next release.

This is fair, Daniel.

return accessLevel
}

func migatePermissionSets(db *gorocksdb.DB) error {
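
Review bot: `migatePermissionSets` on the last line of this hunk is misspelled (`migrate` is missing its `r`). The typo is harmless at runtime for an unexported function, but it makes the symbol hard to grep for; fix the spelling here and at its call sites.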

Contributor commented:

nit: can we be a bit more explicit regarding what exactly we are migrating here? Something such as migrateReplacedResources.

Comment on lines +109 to +114
newResource := resource
if _, found := replacements[resource]; found {
newResource = replacements[resource]
}
newPermissionSet.ResourceToAccess[newResource] =
propagatePermission(newResource, accessLevel, newPermissionSet.ResourceToAccess)

Contributor commented:

nit: I find the usage of newResource and resource a bit confusing when reading through the function, so maybe reduce the cognitive overhead and just keep resource.

Suggested change
newResource := resource
if _, found := replacements[resource]; found {
newResource = replacements[resource]
}
newPermissionSet.ResourceToAccess[newResource] =
propagatePermission(newResource, accessLevel, newPermissionSet.ResourceToAccess)
if _, found := replacements[resource]; found {
resource = replacements[resource]
}
newPermissionSet.ResourceToAccess[resource] =
propagatePermission(resource, accessLevel, newPermissionSet.ResourceToAccess)

suite.NoError(err)

key := rocksdbmigration.GetPrefixedKey(prefix, []byte(initial.GetId()))
suite.NoError(suite.db.Put(writeOpts, key, data))

Contributor commented:

nit: we might want to stop doing anything afterwards if an error occurred here.

Suggested change
suite.NoError(suite.db.Put(writeOpts, key, data))
suite.Require().NoError(suite.db.Put(writeOpts, key, data))

RocksDB: suite.db.DB,
}

suite.NoError(migration.Run(dbs))

Contributor commented:

nit: we might want to stop doing anything afterwards if an error occurred here.

Suggested change
suite.NoError(migration.Run(dbs))
suite.Require().NoError(migration.Run(dbs))

Comment on lines +530 to +531
var expectedPSsAfterMigration []*storage.PermissionSet
expectedPSsAfterMigration = append(expectedPSsAfterMigration, MigratedPermissionSets...)

Contributor commented:

why not just expectedPSsAfterMigration := MigratedPermissionSets ?

rukletsov (Member) left a comment:

Looks good to me modulo comments from Daniel and a pending manual test.

CHANGELOG.md Outdated
- Permission `DeploymentExtension` deprecates and replaces the permissions `Indicator, NetworkBaseline, ProcessWhitelist, Risk`.
- Permission `Integration` deprecates and replaces the permissions `APIToken, BackupPlugins, ImageIntegration, Notifier, SignatureIntegration`.
- Permission `Image` deprecates and replaces the permission `ImageComponent`.
- Note: the `Role` permission, previously announced as being grouped under `Access` remains a standalone permission.

Member commented:

Suggested change
- Note: the `Role` permission, previously announced as being grouped under `Access` remains a standalone permission.
- Note: the `Role` permission, previously announced as being grouped under `Access` remains a standalone permission for now and will be grouped with `Access` in the future.

CHANGELOG.md Outdated
- The service account "central", which is used by the central deployment, will now include `get and list` access to the pod resource in the namespace
where central is deployed to. This fixes an issue when generating diagnostic bundles to now correctly include all logs within the namespace of central.

### Removed Features

Member commented:

This section should be merged with the same one above.

Contributor commented:

+1

CHANGELOG.md Outdated
- New permission `Administration` will deprecate the permissions `AllComments, ComplianceRunSchedule, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity`.
- The permission `Compliance` will deprecate the permission `ComplianceRuns`.
### Technical Changes
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permissionsets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest of its defined access level if any and the defined access levels for all the permissions it replaces.

Member commented:

Suggested change
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permissionsets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest of its defined access level if any and the defined access levels for all the permissions it replaces.
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.

CHANGELOG.md Outdated

### Removed Features
### Deprecated Features
- ROX-11101: Similar to what was announced in 3.71.0 for ROX-8520, more permissions for permission sets will be grouped for simplification. As a result, the following permissions will be deprecated in favor of a new permission:

Contributor commented:

"Similar to what was announced in 3.71.0 for ROX-8520, more permissions for permission sets will be grouped for simplification." is confusing.
Maybe something like "As first announced in 3.71.0, we continue to simplify access control management by grouping some permissions in permission sets. As a result..."

CHANGELOG.md Outdated
- The permission `Compliance` will deprecate the permission `ComplianceRuns`.
### Technical Changes
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permissionsets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest of its defined access level if any and the defined access levels for all the permissions it replaces.
- Permission `Access` deprecates and replaces the permissions `AuthPlugin, AuthProvider, Group, Licenses, User`.

Contributor commented:

deprecates and replaces seems not right since in the deprecation phase we continue to support the feature that is being deprecated. Although this announcement sounds like a technical change, I feel this should go into Removed Features section since we are removing some permission and adding new ones.

md2119 (Contributor) commented Oct 31, 2022

Are we planning a 1 (shorter) or 2 (standard) release cycle deprecation?

CHANGELOG.md Outdated
- The permission `Compliance` will deprecate the permission `ComplianceRuns`.
### Technical Changes
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permissionsets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest of its defined access level if any and the defined access levels for all the permissions it replaces.
- Permission `Access` deprecates and replaces the permissions `AuthPlugin, AuthProvider, Group, Licenses, User`.

Contributor commented:

Seems like AuthPlugin was already removed in 3.71.0 and is not relevant to this initiative.

Comment on lines +102 to +107
newPermissionSet := &storage.PermissionSet{
Id: permissions.GetId(),
Name: permissions.GetName(),
Description: permissions.GetDescription(),
ResourceToAccess: make(map[string]storage.Access, len(permissions.GetResourceToAccess())),
}

Contributor commented:

Suggested change
newPermissionSet := &storage.PermissionSet{
Id: permissions.GetId(),
Name: permissions.GetName(),
Description: permissions.GetDescription(),
ResourceToAccess: make(map[string]storage.Access, len(permissions.GetResourceToAccess())),
}
newPermissionSet := permissions.Clone()
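
Review bot: `permissions.Clone()` in the suggested line is not equivalent to the struct literal it replaces: the literal starts from an empty `ResourceToAccess` map, whereas a clone (assuming it deep-copies the message) already contains every original entry, deprecated resources included. The loop that writes `newPermissionSet.ResourceToAccess[resource]` would then aggregate against values already in the map and leave the deprecated keys in place. If `Clone()` is used, reset `ResourceToAccess` to an empty map right after cloning.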

rhybrillou force-pushed the yann/ROX-11101-remove_deprecated_resources branch from dd6f645 to 59a9f08 on November 2, 2022 16:06

rhybrillou (Contributor, Author) commented:

/retest

rhybrillou force-pushed the yann/ROX-11101-remove_deprecated_resources branch from 59a9f08 to e0b6d8a on November 7, 2022 09:18
rhybrillou force-pushed the yann/ROX-11101-remove_deprecated_resources branch from e0b6d8a to 4ba8aa3 on November 7, 2022 10:49
rhybrillou requested a review from dhaus67 on November 7, 2022 13:20

rhybrillou (Contributor, Author) commented:

/retest

- ROX-13034: Central reaches out to scanner `scanner.<namespace>.svc` now to respect OpenShift's `NO_PROXY` configuration.

### Deprecated Features
- ROX-11101: As first announced in 3.71.0 for ROX-8250, we continue to simplify access control management by grouping some permissions in permission sets. As a result:
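
Review bot: The ticket cited on the added `ROX-11101` line is `ROX-8250`, while the earlier revisions of this changelog entry reference `ROX-8520` for the 3.71.0 announcement. One of the two looks like a transposition; check the 3.71.0 changelog section and use the same ticket number here.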

Contributor commented:

ClusterCVE

md2119 (Contributor) left a comment:

"Simplicity is a prerequisite for reliability." - Edsger Dijkstra

rhybrillou merged commit 3203e04 into master on Nov 8, 2022
rhybrillou deleted the yann/ROX-11101-remove_deprecated_resources branch on November 8, 2022 09:47
vikin91 added a commit that referenced this pull request on Nov 25, 2022