Skip to content

ROX-13326: Use UUID columns for roles, permissionsets and simpleaccessscopes (PermissionSet and SimpleAccessScope identifiers) in postgres mode.#3725

Merged
rhybrillou merged 10 commits intoyann/ROX-13326-use_uuids_for_role_internalsfrom
yann/ROX-13326-role_ids_as_uuids
Nov 17, 2022
Merged

ROX-13326: Use UUID columns for roles, permissionsets and simpleaccessscopes (PermissionSet and SimpleAccessScope identifiers) in postgres mode.#3725
rhybrillou merged 10 commits intoyann/ROX-13326-use_uuids_for_role_internalsfrom
yann/ROX-13326-role_ids_as_uuids

Conversation

@rhybrillou
Copy link
Contributor

@rhybrillou rhybrillou commented Nov 7, 2022
edited
Loading

Description

The relation between roles and the associated permission sets as well as access scopes used to be done relying on decorated UUIDs (generated UUIDs prefixed with human-readable strings).
These object are candidate to conversion to UUIDs.

Some of the UUID base work is needed for this change to work (PRs #3679 and #3681 ).

PR stack:
#3802 (server support code)
+- #3725 (data migration)
... +- #3818 (UI code)

Checklist

  • Investigated and inspected CI test results
  • Unit test and regression tests added
    - [ ] Evaluated and added CHANGELOG entry if required
    - [ ] Determined and documented upgrade steps
    - [ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

CI is a good first step.

Manual testing performed:

  • deploy central in non-postgres mode.
  • check the existing roles, permission sets and access scopes.
  • create a sample permission set, a sample access scopes, and roles covering the possible combinations of default and created permission sets and access scopes.
  • open the existing roles, permission sets and access scopes and keep trace of their identifiers.
  • deploy postgres central-db.
  • switch central to postgres mode.
  • monitor for migration steps. These should include migration 148 to 149, 157 to 158 and 163 to 164 (currently latest rocks migration sequence number is 111, and the altered migrations are postgres 37 to 38, 46 to 47 and 52 to 53).
  • open the UI
  • check the new identifiers. They should all be UUIDs. The identifiers that were prefixed UUIDs before the migration should be the same UUID without prefix.
  • check that the inter-object relations are kept (roles referencing permission sets and access scopes as well as referenced permission sets and access scopes).
  • connect to the postgres DB
  • check the table datamodel (id columns for permission_sets and simple_access_scopes should be UUIDs).

One observation during the manual test was that the Unrestricted access scope page failed to open. A pull request has been opened in order to fix the UI part as a consequence (#3818).

@rhybrillou rhybrillou requested a review from a team November 7, 2022 16:37
@openshift-ci
Copy link

openshift-ci bot commented Nov 7, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch from c696624 to caab356 Compare November 7, 2022 16:40
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 7, 2022

/test all

@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 7, 2022

/test all

@ghost
Copy link

ghost commented Nov 7, 2022
edited by ghost
Loading

Images are ready for the commit at 1d580ea.

To use with deploy scripts, first export MAIN_IMAGE_TAG=3.72.x-621-g1d580ea402.

@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch from 5e750b0 to ce4d71b Compare November 7, 2022 17:51
@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch from ce4d71b to 51d2029 Compare November 7, 2022 17:53
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 7, 2022

/test all

@dhaus67 dhaus67 self-requested a review November 7, 2022 18:05
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 7, 2022

/test all

dhaus67
dhaus67 reviewed Nov 7, 2022
View reviewed changes
pkg/search/postgres/common.go
for _, pk := range q.Schema.PrimaryKeys() {
primaryKeyPaths = append(primaryKeyPaths, qualifyColumn(pk.Schema.Table, pk.ColumnName))
var cast string
if pk.SQLType == "uuid" {
Copy link
Contributor

@dhaus67 dhaus67 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about re-using postgres/walker/types.go here instead of using the string representation?
I haven't looked too deep into it, but I saw that you already import postgres/walker, so I would assume that we do not end up in a circular dependency.
However, if it's not possible, we should create an unexported const for this within this file.

pkg/search/postgres/common.go
switch subBQ := q.GetBaseQuery().Query.(type) {
case *v1.BaseQuery_DocIdQuery:
cast := "::text[]"
if schema.ID().SQLType == "uuid" {
Copy link
Contributor

@dhaus67 dhaus67 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we not mapping it to text[] here in case of uuid?

pkg/search/postgres/query/uuid_query.go
Comment on lines +51 to +53
if queryModifiers[0] == pkgSearch.AtLeastOne {
panic("I dont think this is used")
}
Copy link
Contributor

@dhaus67 dhaus67 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we handle this more graceful instead of this panic and return an error here?

I'm not sure whether this is a pattern within the postgres code, I certainly know it's not for the rest of the stackrox code 😛

pkg/search/postgres/query/uuid_query.go
Comment on lines +105 to +102
err := fmt.Errorf("unknown query modifier: %s", queryModifiers[0])
utils.Should(err)
Copy link
Contributor

@dhaus67 dhaus67 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we already use the switch case, let's use this within a default case.

Suggested change
err := fmt.Errorf("unknown query modifier: %s", queryModifiers[0])
utils.Should(err)
default:
err := fmt.Errorf("unknown query modifier: %s", queryModifiers[0])
utils.Should(err)
return WhereClause{}, err

Copy link
Contributor

@dhaus67 dhaus67 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recently learned that we should use utils.Should only in case or programatic errors that are not tied to user input. In this case, I'm not sure we should use it (since its bound on the query modifier parameter from the consumer of the function) - so it might be just sufficient enough to log within the default case and return an error here instead of using utils.Should.

@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch from f025c70 to 05cff82 Compare November 8, 2022 08:57
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 8, 2022

/test all

1 similar comment
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 8, 2022

/test all

@rhybrillou rhybrillou marked this pull request as ready for review November 8, 2022 13:38
@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch 4 times, most recently from 6a1cbb9 to 1da346c Compare November 14, 2022 23:32
@rhybrillou rhybrillou force-pushed the yann/ROX-13326-role_ids_as_uuids branch from 534473b to 85c6d50 Compare November 15, 2022 01:16
@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 15, 2022

/retest

@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 15, 2022

/test gke-postgres-nongroovy-e2e-tests

@rhybrillou
Copy link
Contributor Author

rhybrillou commented Nov 15, 2022

/test gke-postgres-qa-e2e-tests

@rhybrillou rhybrillou changed the base branch from master to yann/ROX-13326-use_uuids_for_role_internals November 16, 2022 08:49
@rhybrillou rhybrillou mentioned this pull request Nov 16, 2022
Merged
1 task
@rhybrillou rhybrillou requested a review from janisz November 17, 2022 14:31
dashrews78
dashrews78 reviewed Nov 17, 2022
View reviewed changes
central/role/accessscope_ids.go Outdated
// The values are UUIDs taken in descending order from ffffffff-ffff-fff4-f5ff-ffffffffffff
// Next ID: ffffffff-ffff-fff4-f5ff-fffffffffffd
const (
denyAllAccessScopeID = "ffffffff-ffff-fff4-f5ff-fffffffffffe"
Copy link
Contributor

@dashrews78 dashrews78 Nov 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: would it make sense to order these in descending order like was done with permission sets?

@rhybrillou rhybrillou merged commit 4bcd8f0 into yann/ROX-13326-use_uuids_for_role_internals Nov 17, 2022
@rhybrillou rhybrillou deleted the yann/ROX-13326-role_ids_as_uuids branch November 17, 2022 17:08
rhybrillou added a commit that referenced this pull request Nov 18, 2022
@rhybrillou
ROX-13326: Use UUID columns for roles, permissionsets and simpleacces…
500a3c9 
…sscopes (PermissionSet and SimpleAccessScope identifiers) in postgres mode. (#3725)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janisz janisz janisz approved these changes

@c-du c-du c-du approved these changes

@dashrews78 dashrews78 dashrews78 approved these changes

@mtodor mtodor Awaiting requested review from mtodor

@dhaus67 dhaus67 Awaiting requested review from dhaus67

Assignees

No one assigned

Labels

area/auth area/central area/helm area/operator area/postgres area/roxctl area/sensor area/ui ci-all-qa-tests Tells CI to run all API tests (not just BAT).

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rhybrillou @janisz @mtodor @c-du @dhaus67 @dashrews78