-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RHCLOUD-37152] Add locks on Roles, CAR and groups in migrator #1441
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
9d30518
Lock group and cross account objects in migrator
lpichler 0366538
Use dual write handler for role in role migrator
lpichler 0840105
Extend scope for transaction for groups in migration and lock groups
lpichler 8ce5533
Add prepare prepare_for_update for role migration
lpichler ef37429
Don't require to run this in maintenance mode
lpichler 1190a98
Extend scope for transaction in group principal removals
lpichler 96f1562
Remove unnecessary condition
lpichler 1bcb905
Use primary keys for role and group queries
lpichler File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
""" | ||
Copyright 2019 Red Hat, Inc. | ||
|
||
This program is free software: you can redistribute it and/or modify | ||
it under the terms of the GNU Affero General Public License as | ||
published by the Free Software Foundation, either version 3 of the | ||
License, or (at your option) any later version. | ||
|
||
This program is distributed in the hope that it will be useful, | ||
but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
GNU Affero General Public License for more details. | ||
|
||
You should have received a copy of the GNU Affero General Public License | ||
along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
""" | ||
|
||
from typing import Iterable | ||
|
||
from kessel.relations.v1beta1 import common_pb2 | ||
from management.role.model import BindingMapping, Role | ||
from management.workspace.model import Workspace | ||
from migration_tool.models import V2rolebinding | ||
from migration_tool.sharedSystemRolesReplicatedRoleBindings import v1_role_to_v2_bindings | ||
from migration_tool.utils import create_relationship | ||
|
||
|
||
def get_kessel_relation_tuples( | ||
v2_role_bindings: Iterable[V2rolebinding], | ||
default_workspace: Workspace, | ||
) -> list[common_pb2.Relationship]: | ||
"""Generate a set of relationships and BindingMappings for the given set of v2 role bindings.""" | ||
relationships: list[common_pb2.Relationship] = list() | ||
|
||
for v2_role_binding in v2_role_bindings: | ||
relationships.extend(v2_role_binding.as_tuples()) | ||
|
||
bound_resource = v2_role_binding.resource | ||
|
||
# Is this a workspace binding, but not to the root workspace? | ||
# If so, ensure this workspace is a child of the root workspace. | ||
# All other resource-resource or resource-workspace relations | ||
# which may be implied or necessary are intentionally ignored. | ||
# These should come from the apps that own the resource. | ||
if bound_resource.resource_type == ("rbac", "workspace") and not bound_resource.resource_id == str( | ||
default_workspace.id | ||
): | ||
# This is not strictly necessary here and the relation may be a duplicate. | ||
# Once we have more Workspace API / Inventory Group migration progress, | ||
# this block can and probably should be removed. | ||
# One of those APIs will add it themselves. | ||
relationships.append( | ||
create_relationship( | ||
bound_resource.resource_type, | ||
bound_resource.resource_id, | ||
("rbac", "workspace"), | ||
str(default_workspace.id), | ||
"parent", | ||
) | ||
) | ||
|
||
return relationships | ||
|
||
|
||
def migrate_role( | ||
role: Role, | ||
default_workspace: Workspace, | ||
current_bindings: Iterable[BindingMapping] = [], | ||
) -> tuple[list[common_pb2.Relationship], list[BindingMapping]]: | ||
""" | ||
Migrate a role from v1 to v2, returning the tuples and mappings. | ||
|
||
The mappings are returned so that we can reconstitute the corresponding tuples for a given role. | ||
This is needed so we can remove those tuples when the role changes if needed. | ||
""" | ||
v2_role_bindings = v1_role_to_v2_bindings(role, default_workspace, current_bindings) | ||
relationships = get_kessel_relation_tuples([m.get_role_binding() for m in v2_role_bindings], default_workspace) | ||
return relationships, v2_role_bindings |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is good I think. I can't think of a situation where this has a problem. When any CAR attribute changes (role, status, etc) it is locked, so those changes can't happen concurrently. The CAR used for replication is always the one queried with the lock, as is done here, so by the time a select returns, it will always be the latest state. So if dual write and migrator interleave, I don't think there should be a problem.
Looks good!