Deprecate some policy commands #18102

Merged: 4 commits merged on Feb 5, 2018

Contributor

@simo5 simo5 commented Jan 12, 2018

Fixes: #18096

@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jan 12, 2018
@simo5
Contributor Author

simo5 commented Jan 12, 2018

@enj @bparees PTAL

@bparees
Contributor

bparees commented Jan 12, 2018

fox is guarding the hen house on this one, but needs @openshift/cli-review

@@ -71,6 +71,7 @@ func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cob
os.Exit(2)
}
},
Deprecated: fmt.Sprintf("Use oc auth can-i"),
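
Review bot: fmt.Sprintf on the added Deprecated line is called with a constant string and no format verbs, so the call adds nothing and would misformat the text if a literal % were ever added to it; assign the string literal directly. As noted later in this thread, the text is appended to "Command xyz is deprecated, ", so it should also start lowercase and quote the replacement, for example "use 'oc auth can-i'".
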
Contributor

@simo5 Mind adding single quotes around the new oc command?

Contributor

Can you also use the moved function where these commands are specified, similarly to this? This way, when you invoke oc policy, these deprecated commands will be appropriately marked as well.

Contributor

> @simo5 Mind adding single quotes around the new oc command?

@juanvallejo why? I don't recall seeing oc in quotes anywhere

Contributor

One more thing, use lowercase, since this gets appended to the following sentence: Command xyz is deprecated, <here goes your string>

Contributor

I looked into cobra (see here) and that's why it does make sense for it to be lowercase.

@juanvallejo
Contributor

One comment, but otherwise, merge at will after it's addressed

@simo5
Contributor Author

simo5 commented Jan 12, 2018

/hold
@bparees @juanvallejo please take a look at the comments I added on the issue.

@simo5 simo5 closed this Jan 12, 2018
@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 12, 2018
@simo5 simo5 reopened this Jan 12, 2018
@@ -80,6 +80,7 @@ func NewCmdAddRoleToGroup(name, fullName string, f *clientcmd.Factory, out io.Wr
printSuccessForCommand(options.RoleName, true, "group", options.Targets, true, options.DryRun, out)
}
},
Deprecated: fmt.Sprintf("Use oc edit rolebinding"),
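
Review bot: the replacement named on the added Deprecated line, oc edit rolebinding, opens the object in an editor, so scripts that call add-role-to-group are given no non-interactive command to move to. Either name a scriptable replacement in the message or keep the command and correct its rolebinding selection instead of deprecating it.
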
Contributor

Why all the unnecessary calls to fmt.Sprintf?

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 20, 2018
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 26, 2018
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 26, 2018
@openshift-ci-robot openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 26, 2018
@simo5
Contributor Author

simo5 commented Jan 27, 2018

/retest

@simo5
Contributor Author

simo5 commented Jan 30, 2018

/hold cancel
/retest
@enj @soltysh @juanvallejo PTAL

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 30, 2018
@simo5
Contributor Author

simo5 commented Jan 31, 2018

/retest

Contributor

@soltysh soltysh left a comment

A few nits and one question.

@@ -71,6 +71,7 @@ func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cob
os.Exit(2)
}
},
Deprecated: fmt.Sprintf("use 'oc auth can-i'"),
Contributor

No need for fmt.Sprintf

Contributor Author

right, forgot, will rebase and fix this

@@ -104,6 +104,7 @@ func NewCmdReconcileClusterRoleBindings(name, fullName string, f *clientcmd.Fact
kcmdutil.CheckErr(err)
}
},
Deprecated: fmt.Sprintf("use 'oc auth reconcile'"),
Contributor

Ditto.

@@ -50,22 +50,21 @@ os::cmd::expect_failure_and_text 'oc policy add-role-to-user' 'you must specify
os::cmd::expect_failure_and_text 'oc policy add-role-to-user -z NamespaceWithoutRole' 'you must specify a role'
os::cmd::expect_failure_and_text 'oc policy add-role-to-user view' 'you must specify at least one user or service account'

os::cmd::expect_success_and_text 'oc policy add-role-to-group cluster-admin system:unauthenticated' 'role "cluster-admin" added: "system:unauthenticated"'
os::cmd::expect_success_and_text 'oc policy add-role-to-user cluster-admin system:no-user' 'role "cluster-admin" added: "system:no-user"'
os::cmd::expect_success_and_text 'oc policy add-role-to-group cluster-admin --rolebinding-name cluster-admin system:unauthenticated' 'role "cluster-admin" added: "system:unauthenticated"'
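
Review bot: the expect_success_and_text lines for cluster-admin assert only on the printed 'role "cluster-admin" added' text, so they pass regardless of which rolebinding actually received system:unauthenticated or system:no-user. Since the --rolebinding-name cluster-admin variant exists to pin the target, follow it with an assertion that the rolebinding named cluster-admin now lists the subject, and add a case where no name is given that checks a new rolebinding was created.
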
Contributor

Are there any backwards-compatibility implications in changing this, or is this just cosmetics for stability of tests?

Contributor Author

No real backwards incompatibility, just tests were making assumptions that are not true "in real life" about which rolebindings were going to be used by the test.

Because the command was picking the first rolebinding it would find, you can never be certain of what rolebinding was used. By changing the command to always pick a new rolebinding we may cause some incorrect expectations to "fail early", so that people will end up fixing latent bugs that were always there.

As you can see by tests being all green, luckily this faulty assumption seems to not have been relied upon anywhere in our code base except for the tests testing the feature itself.

Push people to use native RBAC commands where reasonable
equivalents exist, or where the replacement command will
lead to better practices.

Signed-off-by: Simo Sorce <[email protected]>

Instead of deprecating add/remove-role commands, change them to
behave better.
On add: do not add to a random rolebinding, always create a new
rolebinding if none was specified explicitly.
On Remove: if a rolebinding name is specified remove only from it.

Signed-off-by: Simo Sorce <[email protected]>
Contributor

@soltysh soltysh left a comment

/lgtm
/approve

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2018
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: simo5, soltysh

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 5, 2018
@openshift-merge-robot
Contributor

Automatic merge from submit-queue (batch tested with PRs 18415, 18419, 18268, 18102, 18440).

@openshift-merge-robot
Contributor

/test all [submit-queue is verifying that this PR is safe to merge]

@openshift-merge-robot openshift-merge-robot merged commit dc275c5 into openshift:master Feb 5, 2018
simo5 added a commit to simo5/origin that referenced this pull request Feb 9, 2018
var roleBindings []*authorizationapi.RoleBinding
var err error
if len(o.RoleBindingName) > 0 {
existingRoleBinding, err := o.RoleBindingAccessor.GetRoleBinding(o.RoleBindingName)
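
Review bot: existingRoleBinding, err := ... inside the if block declares a new err that shadows the var err error declared two lines above, so a failure from GetRoleBinding is invisible to any check of the outer err after the block. Declare existingRoleBinding beforehand and use a plain = assignment, or handle the error before leaving the block.
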
Contributor

This is missing the role check like getUserSpecifiedBinding:

// Check that we update the rolebinding for the intended role.
if roleBinding.RoleRef.Name != o.RoleName || roleBinding.RoleRef.Namespace != o.RoleNamespace {
	return nil, false, fmt.Errorf("rolebinding %s found for role %s, not %s", roleBinding.Name, roleBinding.RoleRef.Name, o.RoleName)
}

This should error instead of doing the wrong thing:

$ oc new-project lol3
Now using project "lol3" on server "https://10.10.10.35:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.


$ oc policy add-role-to-user edit foo
role "edit" added: "foo"


$ oc policy add-role-to-user admin foo
role "admin" added: "foo"


$ oc get rolebinding
NAME                    ROLE                    USERS          GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  system:admin                                                    
admin-0                 /admin                  foo                                                             
edit                    /edit                   foo                                                             
system:deployers        /system:deployer                                                     deployer           
system:image-builders   /system:image-builder                                                builder            
system:image-pullers    /system:image-puller                   system:serviceaccounts:lol3                      


$ oc policy remove-role-from-user admin foo --rolebinding-name=edit
role "admin" removed: "foo"


$ oc get rolebinding
NAME                    ROLE                    USERS          GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  system:admin                                                    
admin-0                 /admin                  foo                                                             
system:deployers        /system:deployer                                                     deployer           
system:image-builders   /system:image-builder                                                builder            
system:image-pullers    /system:image-puller                   system:serviceaccounts:lol3                      
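
The role check requested in the comment above, as an added Go example that is not code from this PR or from origin. The types, removeFromNamedBinding and sampleBindings are hypothetical simplifications, and the sample data is reconstructed from the lol3 session.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the origin rolebinding types.
type RoleRef struct{ Namespace, Name string }

type RoleBinding struct {
	Name     string
	RoleRef  RoleRef
	Subjects []string
}

// removeFromNamedBinding removes subject from the named binding only if that binding grants role.
func removeFromNamedBinding(bindings map[string]*RoleBinding, bindingName string, role RoleRef, subject string) error {
	rb, ok := bindings[bindingName]
	if !ok {
		return fmt.Errorf("rolebinding %s not found", bindingName)
	}
	// The check the comment asks for: refuse to touch a binding that is for another role.
	if rb.RoleRef != role {
		return fmt.Errorf("rolebinding %s found for role %s, not %s", rb.Name, rb.RoleRef.Name, role.Name)
	}
	kept := make([]string, 0, len(rb.Subjects))
	for _, s := range rb.Subjects {
		if s != subject {
			kept = append(kept, s)
		}
	}
	if len(kept) == len(rb.Subjects) {
		return fmt.Errorf("subject %s not found in rolebinding %s", subject, rb.Name)
	}
	rb.Subjects = kept
	return nil
}

// sampleBindings is constructed data mirroring project lol3 after both add-role-to-user calls.
func sampleBindings() map[string]*RoleBinding {
	return map[string]*RoleBinding{
		"admin":   {Name: "admin", RoleRef: RoleRef{Name: "admin"}, Subjects: []string{"system:admin"}},
		"admin-0": {Name: "admin-0", RoleRef: RoleRef{Name: "admin"}, Subjects: []string{"foo"}},
		"edit":    {Name: "edit", RoleRef: RoleRef{Name: "edit"}, Subjects: []string{"foo"}},
	}
}

func main() {
	b := sampleBindings()
	fmt.Println(removeFromNamedBinding(b, "edit", RoleRef{Name: "admin"}, "foo"))    // role mismatch error
	fmt.Println(removeFromNamedBinding(b, "admin-0", RoleRef{Name: "admin"}, "foo")) // <nil>
}
```

With the check in place, the request from the session (role admin, --rolebinding-name=edit) is rejected and foo keeps the edit binding.
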

simo5 added a commit to simo5/origin that referenced this pull request Feb 12, 2018
luksa pushed a commit to luksa/openshift-origin that referenced this pull request Feb 14, 2018