Add authz to hosts endpoints #1617
Conversation
tylerwowen
force-pushed
the
spr/master/ef160c01
branch
from
8b5c249
to
2eeadfd
Compare
tylerwowen
force-pushed
the
spr/master/0e28cb39
branch
from
f8fe3f5
to
900e65b
Compare
tylerwowen
force-pushed
the
spr/master/ef160c01
branch
from
2eeadfd
to
b8d3198
Compare
tylerwowen
force-pushed
the
spr/master/ef160c01
branch
from
b8d3198
to
456a1b7
Compare
deploy-service/common/src/main/java/com/pinterest/deployservice/db/DBHostAgentDAOImpl.java
Outdated
Show resolved
Hide resolved
deploy-service/common/src/main/java/com/pinterest/deployservice/db/DBHostAgentDAOImpl.java
Outdated
Show resolved
Hide resolved
tylerwowen
force-pushed
the
spr/master/ef160c01
branch
2 times, most recently
from
ee4f20a
to
3dead2a
Compare
|
Previous description for record Introduced a host extractor that can map hosts to their corresponding environment. Specifically, a host's main environment is determined by joining the tables Access matrixThe following tables illustrate both the resource based and environment based access for different users. Resource basedThis is the proposed change in this PR. Access of the mainEnv user
Access of the xEnv user
Access of the envoy sidecar userThe envoy sidecar user cannot reset an individual environment, but the user can invoke
Environment basedCurrent implementation without this PR. Access of the mainEnv user
Access of the xEnv user
Access of the envoy sidecar user
|
commit-id:ef160c01
tylerwowen
force-pushed
the
spr/master/ef160c01
branch
from
3dead2a
to
839868a
Compare
|
After deploying to dev1, I discovered an issue. If a host's agent has never pinged Teletraan, there will be no record in the hosts_and_agents table. To remedy that, the Besides, patched the @osoriano can you please review again? Thanks. |
| " FROM hosts_and_agents ha " + | ||
| " JOIN environs e ON ha.auto_scaling_group = e.cluster_name " + | ||
| " WHERE ha.host_id = ? )" + | ||
| "ORDER BY h.create_date ASC LIMIT 1)"; |
There was a problem hiding this comment.
Should there be a LIMIT 1 on the outer query as well? or do extra rows just get ignored so it does not matter?
Also, I'm thinking the subquery could be removed if we had an outer LIMIT 1 and the first select was ordered before the second select. Might not make much difference.
LGTM overall
There was a problem hiding this comment.
The NOT EXISTS clause that checks whether the first query returns any results. If the first query returns results, the NOT EXISTS clause will be false, and the second query will not return any results. If the first query does not return any results, the NOT EXISTS clause will be true, and the second query will return its results.
We use BeanHandler so it will take the first result. Although we don't have unique key constraint on the cluster_name column, we don't have meaningful duplications
select cluster_name from environs GROUP BY cluster_name having count(*) > 1;
+--------------+
| cluster_name |
+--------------+
| NULL |
| |
+--------------+
2 rows in set (0.00 sec)
Introduced a host extractor that can map hosts to their corresponding environment. This enables host level access control.
Specifically, a host's main environment is determined by joining the tables
hosts_and_agentsandenvironson the common field cluster.After deploying to dev1, I discovered an issue. If a host's agent has never pinged Teletraan, there will be no record in the hosts_and_agents table. To remedy that, the group_name in the hosts table is used to join with cluster_name in the environs table.
Besides, patched the stopServiceOnHost API so that every hosts is validated before terminating.