-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(neptune): introduce cluster grant method for granular actions #21926
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good for the most part. I'd like to see the new grant functions used in integration tests somewhere.
c954ae6
to
6fddb0c
Compare
Pull request has been modified.
Let's do that after the other PR is merged to avoid conflicts in integ tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just two very minor things inline.
if (this.enableIamAuthentication === false) { | ||
throw new Error('Cannot grant connect when IAM authentication is disabled'); | ||
throw new Error('Cannot grant actions as IAM authentication is not enabled'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
throw new Error('Cannot grant actions as IAM authentication is not enabled'); | |
throw new Error('Cannot grant permissions when IAM authentication is not enabled'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quick question here, the README says:
const cluster = new neptune.DatabaseCluster(this, 'Cluster', {
vpc,
instanceType: neptune.InstanceType.R5_LARGE,
iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().
});
It seems that this sort of contradicts that. Can you add a clarifying line that explicitly setting this to false and trying to grant permissions will throw an error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tbh, I found the existing implementation of grantConnect
and its side effect of possibly enabling iam auth, and how enabling iamAuth is handled a bit surprising!
In terms of the error message, now that I look at it, I think the older version that uses "disabled" actually makes more sense and is more consistent with the implemented behaviour which
- Defaults to disabled (I think a cloudformation default rather than a cdk default)
- Requires one to explicitly disable iam auth if they don't want it and want grant methods to throw such exceptions
I get that grant
enabling iam auth might be a convenience, but it's a bit twisted IMHO!
So, for this PR, how about
- change the error message to
Cannot grant permissions when IAM authentication is disabled
- update the README to say
// Optional - will be automatically set if you call grant() or grantConnect()
Pull request has been modified.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
…ws#21926) - neptune engine version 1.2.0.0 introduced more granular access control https://docs.aws.amazon.com/neptune/latest/userguide/iam-dp-actions.html - introduce grant method to facilitate working with different actions aws#21877 ---- This PR is split from aws#21908 as per the discussion with @TheRealAmazonKendra ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#21877
This PR is split from #21908 as per the discussion with @TheRealAmazonKendra
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integ
to deploy the infrastructure and generate the snapshot (i.e.yarn integ
without--dry-run
)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license