Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH public keys #954

Merged
merged 17 commits into from
Apr 22, 2022
Merged

SSH public keys #954

merged 17 commits into from
Apr 22, 2022

Conversation

plotnick
Copy link
Contributor

@plotnick plotnick commented Apr 20, 2022
edited
Loading

Add SSH public keys as a new resource type under SiloUser.

The HTTP endpoint paths differ from those specified by RFD 44: the base path is /session/me/sshkeys, and specific keys are accessed by name rather than ID. The latter could be addressed as a follow-up by making the unauthorized test runner record IDs of created objects so they can be subsequently deleted.

Outstanding issues:

  • Some tests failing authz, probably because of improper Polar rules for SiloUser
  • Need more integration tests
  • Sync with RFD 44

@david-crespo
Copy link
Contributor

david-crespo commented Apr 20, 2022
edited
Loading

Yeah, I feel like neither /users/{userId}/sshkeys or /session/me/sshkeys is quite right. Session is the only auth method right now where you can auth as a particular user, but that probably won't be true forever, in which case maybe we'd want to change /session/me to /me or /users/me or something. /users/me/sshkeys + /users/{userId}/sshkeys has the advantage of a single pattern for getting it by user ID and for "me" (the latter I guess would 401 if the user is coming in with an auth method that isn't user-scoped).

@plotnick
Integration test for SSH public keys
9809417 
Also change pagination from by-ID to by-name.
davepacheco
davepacheco reviewed Apr 20, 2022
View reviewed changes
Copy link
Collaborator

@davepacheco davepacheco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Some misc thoughts below.

nexus/src/authz/omicron.polar Outdated Show resolved Hide resolved
nexus/src/authz/omicron.polar Outdated Show resolved Hide resolved
nexus/src/authz/omicron.polar Outdated Show resolved Hide resolved
nexus/src/db/datastore.rs Show resolved Hide resolved
nexus/src/db/datastore.rs Outdated Show resolved Hide resolved
nexus/src/db/datastore.rs Show resolved Hide resolved
nexus/src/db/lookup.rs Show resolved Hide resolved
nexus/src/db/lookup.rs Outdated Show resolved Hide resolved
nexus/src/nexus.rs Outdated Show resolved Hide resolved
nexus/tests/integration_tests/endpoints.rs Outdated Show resolved Hide resolved
jmpesp
jmpesp reviewed Apr 21, 2022
View reviewed changes
Copy link
Contributor

@jmpesp jmpesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! A few comments, none blocking.

nexus/src/db/schema.rs Show resolved Hide resolved
nexus/src/nexus.rs Outdated Show resolved Hide resolved
nexus/src/external_api/params.rs Outdated Show resolved Hide resolved
davepacheco
davepacheco reviewed Apr 22, 2022
View reviewed changes
nexus/src/db/db-macros/src/lookup.rs Show resolved Hide resolved
nexus/tests/integration_tests/endpoints.rs Outdated Show resolved Hide resolved
nexus/src/authz/omicron.polar Outdated Show resolved Hide resolved
nexus/src/nexus.rs Outdated Show resolved Hide resolved
nexus/src/nexus.rs Outdated Show resolved Hide resolved
@plotnick plotnick marked this pull request as ready for review April 22, 2022 20:03
davepacheco
davepacheco approved these changes Apr 22, 2022
View reviewed changes
Copy link
Collaborator

@davepacheco davepacheco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Thanks for making all those changes.

Regarding the endpoints: I think @david-crespo is right that we will want to reconsider this at some point, maybe soonish. But I think that's somewhat dependent on what the URLs look like after we add Silo users (see #849). Rather than block this now on that work, I think we should go ahead and land this, knowing that we might move the endpoints around a bit. I'm hopeful that it won't be too much work to adjust move them under "/users" or something (but it's not as simple as "/users/me", because "me" is a valid username and we don't control those).

@plotnick plotnick merged commit d4c11d2 into main Apr 22, 2022
@plotnick plotnick deleted the ssh-keys branch April 22, 2022 22:09
@davepacheco davepacheco mentioned this pull request May 5, 2022
Closed
69 tasks
@plotnick plotnick mentioned this pull request Jun 23, 2022
Closed
leftwo pushed a commit that referenced this pull request Oct 4, 2023
Update Propolis and Crucible to latest
096873a 
Crucible updates
    all Crucible connections should set TCP_NODELAY (#983)
    Use a fixed size for tag and nonce (#957)
    Log crucible opts on start, order crutest options (#974)
    Lock the Downstairs less (#966)
    Cache dirty flag locally, reducing SQLite operations (#970)
    Make stats mutex synchronous (#961)
    Optimize requeue during flow control conditions (#962)
    Update Rust crate base64 to 0.21.4 (#950)
    Do less in control (#949)
    Fix --flush-per-blocks (#959)
    Fast dependency checking (#916)
    Update actions/checkout action to v4 (#960)
    Use `cargo hakari` for better workspace deps (#956)
    Update actions/checkout digest to 8ade135 (#939)
    Cache block size in Guest (#947)
    Update Rust crate ringbuffer to 0.15.0 (#954)
    Update Rust crate toml to 0.8 (#955)
    Update Rust crate reedline to 0.24.0 (#953)
    Update Rust crate libc to 0.2.148 (#952)
    Update Rust crate indicatif to 0.17.7 (#951)
    Remove unused async (#943)
    Use a synchronous mutex for bw/iop_tokens (#946)
    Make flush ID non-locking (#945)
    Use `oneshot` channels instead of `mpsc` for notification (#918)
    Use a strong type for upstairs negotiation (#941)
    Add a "dynamometer" option to crucible-downstairs (#931)
    Get new work and active count in one lock (#938)
    A bunch of misc test cleanup stuff (#937)
    Wait for a snapshot to finish on all downstairs (#920)
    dsc and clippy cleanup. (#935)
    No need to sort ackable_work (#934)
    Use a strong type for repair ID (#928)
    Keep new jobs sorted (#929)
    Remove state_count function on Downstairs (#927)
    Small cleanup to IOStateCount (#932)
    let cmon and IOStateCount use ClientId (#930)
    Fast return for zero length IOs (#926)
    Use a strong type for client ID (#925)
    A few Crucible Agent fixes (#922)
    Use a newtype for `JobId` (#919)
    Don't pass MutexGuard into functions (#917)
    Crutest updates, rename tests, new options (#911)

Propolis updates
    Update tungstenite crates to 0.20
    Use `strum` crate for enum-related utilities
    Wire up bits for CPUID customization
    PHD: improve artifact store (#529)
    Revert abort-on-panic in 'dev' cargo profile
@leftwo leftwo mentioned this pull request Oct 4, 2023
Merged
leftwo added a commit that referenced this pull request Oct 5, 2023
@leftwo
Update Propolis and Crucible to latest (#4195)
bb4e0cc 
Crucible updates
    all Crucible connections should set TCP_NODELAY (#983)
    Use a fixed size for tag and nonce (#957)
    Log crucible opts on start, order crutest options (#974)
    Lock the Downstairs less (#966)
    Cache dirty flag locally, reducing SQLite operations (#970)
    Make stats mutex synchronous (#961)
    Optimize requeue during flow control conditions (#962)
    Update Rust crate base64 to 0.21.4 (#950)
    Do less in control (#949)
    Fix --flush-per-blocks (#959)
    Fast dependency checking (#916)
    Update actions/checkout action to v4 (#960)
    Use `cargo hakari` for better workspace deps (#956)
    Update actions/checkout digest to 8ade135 (#939)
    Cache block size in Guest (#947)
    Update Rust crate ringbuffer to 0.15.0 (#954)
    Update Rust crate toml to 0.8 (#955)
    Update Rust crate reedline to 0.24.0 (#953)
    Update Rust crate libc to 0.2.148 (#952)
    Update Rust crate indicatif to 0.17.7 (#951)
    Remove unused async (#943)
    Use a synchronous mutex for bw/iop_tokens (#946)
    Make flush ID non-locking (#945)
    Use `oneshot` channels instead of `mpsc` for notification (#918)
    Use a strong type for upstairs negotiation (#941)
    Add a "dynamometer" option to crucible-downstairs (#931)
    Get new work and active count in one lock (#938)
    A bunch of misc test cleanup stuff (#937)
    Wait for a snapshot to finish on all downstairs (#920)
    dsc and clippy cleanup. (#935)
    No need to sort ackable_work (#934)
    Use a strong type for repair ID (#928)
    Keep new jobs sorted (#929)
    Remove state_count function on Downstairs (#927)
    Small cleanup to IOStateCount (#932)
    let cmon and IOStateCount use ClientId (#930)
    Fast return for zero length IOs (#926)
    Use a strong type for client ID (#925)
    A few Crucible Agent fixes (#922)
    Use a newtype for `JobId` (#919)
    Don't pass MutexGuard into functions (#917)
    Crutest updates, rename tests, new options (#911)

Propolis updates
    Update tungstenite crates to 0.20
    Use `strum` crate for enum-related utilities
    Wire up bits for CPUID customization
    PHD: improve artifact store (#529)
    Revert abort-on-panic in 'dev' cargo profile

---------

Co-authored-by: Alan Hanson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmpesp jmpesp jmpesp left review comments

@davepacheco davepacheco davepacheco approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@plotnick @david-crespo @davepacheco @jmpesp