navigator supports user management

[adriaanm-da]

Add basic support for user management to navigator: log in as a user, act/read as its primary party.

When user management is supported & enabled, you can only log in as a user (and that user must have a primary party, which is what you'll actually be acting/reading as).

This behavior is enabled by default, but there's a feature flag you can use to disable it (--feature-user-management).

See #12020

Pull Request Checklist

• Read and understand the contribution guidelines
• Include appropriate tests
• Set a descriptive title and thorough description
• Add a reference to the issue this PR will solve, if appropriate
• Include changelog additions in one or more commit message bodies between the CHANGELOG_BEGIN and CHANGELOG_END tags
• Normal production system change, include purpose of change in description
• If you mean to change the status of a component, please make sure you keep the Component Status page up to date.

NOTE: CI is not automatically run on non-members pull-requests for security
reasons. The reviewer will have to comment with /AzurePipelines run to
trigger the build.

[cocreature]

Looks very plausible. Have you considered how this interacts with the Navigator config? Do we just stick to not handling user management there and only support party ids & human readable names?

As for tests, you could add some integration tests in https://github.com/digital-asset/daml/blob/main/navigator/backend/src/test/scala/com/digitalasset/navigator/backend/IntegrationTest.scala

[adriaanm-da]

I think this is now mostly complete. I need to factor out a few changes from this PR, but I think it's worth taking a look -- @stefanobaghino-da?

One thing I can offer for bikeshedding is "--disable-user-management" (this PR) vs. "--feature-user-management" (#12420)

[adriaanm-da]

The test I added is failing on CI, while it passes on my mac. It's a connection error, and it looks like it's not retrying. I'll try to debug tomorrow.

[cocreature]

The test I added is failing on CI, while it passes on my mac. It's a connection error, and it looks like it's not retrying. I'll try to debug tomorrow.

You can use --runs_per_test=10 or something like that as an argument to bazel test which is usually good enough to reprodue flakes locally.

The test here seems just racy, there is no fundamental reason why we should instantly connect to the ledger. Just wrapping it in an eventually with a reasonable timeout fixes the flakes for me locally.

[stefanobaghino-da]

Looks good so far. 🙇🏻‍♂️

[adriaanm-da]

I've factored out the underlying refactorings to separate PRs (#12724, #12725). Once those are merged, I'll rebase this PR.

For now, I've only roughly squashed commits in this PR to simplify potential re-reviews. Eventually, they will all be squashed together anyway.

[adriaanm-da]

Windows test failure seems unrelated. Linux passes.

//daml-lf/engine:test-min-version                                        FAILED in 131.9s
  C:/users/u/_bazel_u/vvgx3zjt/execroot/com_github_digital_asset_daml/bazel-out/x64_windows-opt/testlogs/daml-lf/engine/test-min-version/test.log

Executed 35 out of 598 tests: 597 tests pass and 1 fails locally.

[cocreature]

Windows test failure seems unrelated. Linux passes.

thx we’ll take a look.

[adriaanm-da]

Added a commit to catch up with #12610. TODO: actually deal with user pagination...

[stefanobaghino-da]

Looks good. Unfortunately at the moment we don't have full UI tests (with Selenium or something along those lines). Have you been able to test the UI manually?

[stefanobaghino-da]

Perhaps @rautenrieth-da (who will have a chance to have a look at this on Tuesday, so not urgent) can provide some historical context.

[rautenrieth-da]

In Navigator config, you can assign "roles" to use "users" (see example below). The role is an arbitrary string chosen by the Navigator user. It can be used by the frontend config to customize the theme or custom views depending on the "role" (see here). There might have been other uses in the past, this is the one I know of.

Keep in mind that Navigator user handling was implemented long before we added authentication to the ledger API, which in turn was long before we started to think about the current ledger API user management.

users {
    OPERATOR {          // display name in Navigator
        party=OPERATOR  // Daml party for the ledger API
        role=operator   // metadata for Navigator frontend
    }
    BANK1 {
        party=BANK1
        role=bank
    }
    BANK2 {
        party=BANK2
        role=bank
    }
}

[adriaanm-da]

Thanks, Robert!

[adriaanm-da]

Have you been able to test the UI manually?

Yes, I could log in as Alice, Charlie and Bob, and saw User:User and User:Alias templates floating about, but I'm not sure how to test more fully in the UI -- the integration tests do mimic pretty closely what happens in the back-end during normal UI actions, AFAICT.

Happy to do more manual testing, but perhaps this is enough to get this into the hands of actual testers?

[stefanobaghino-da]

Have you been able to test the UI manually?

Yes, I could log in as Alice, Charlie and Bob, and saw User:User and User:Alias templates floating about, but I'm not sure how to test more fully in the UI -- the integration tests do mimic pretty closely what happens in the back-end during normal UI actions, AFAICT.

Happy to do more manual testing, but perhaps this is enough to get this into the hands of actual testers?

I think so, yes, thanks, that level of manual testing is good enough for now and we can put it in the hand of users I believe.

[rautenrieth-da]

Unfortunately at the moment we don't have full UI tests (with Selenium or something along those lines)

Some more historical context, we have Selenium based tests here, but they haven't been built or run in ages. I suspect we'd have to rewrite large parts of it to get it to run again. They also depend on the BrowserStack service, which we do not use anymore.

One idea that we had in the past was to replace BrowserStack by a headless chrome browser, so that these tests can easily run locally and in CI. This would not catch regressions on non-Chrome browsers (e.g., if you broke the CSS on Firefox), but it would catch functional regressions (e.g., if you broke the GraphQL API such that the frontend doesn't display any data).

[rautenrieth-da]

This is not new behavior, but mentioning it nevertheless: This starts an actor for each discovered party. Each actor uses its own in-memory database to store a complete copy of the whole transaction stream from ledger begin. This means Navigator backend will blow up unless the ledger is "small".

[adriaanm-da]

Thanks again, this is super helpful!